Since its been a while i wrote something in here decided to post some new article.
In this Issue i will tell you how to Audit your System simply with lsat. You don’t need to be
the Super Security uber geek hacker to use this one. But it gives you a good basic overview over
the current security state of your System(s). In the examples i refer only to debian based operating
systems (dpkg) but lsat works as well on redhat (rpm). We will make an initial run of lsat so we get
an overview of the actual state of the System. And we will get an idear of wich modules have to be run
again in further checks.
So the first Step you might want to do on your Debian machine is to install lsat
„sudo apt-get install lsat“ . Thats it lsat will be downloaded and installed to your
system and it also dont need any further configuration its ready to run out of the box.
After the installation process is done you might want to make the initial run to get an idear wich modules
have to be run for your system and wich ones dont make sense (for example running rpm checks on deb plattform dont
makes sense). This is what it looks like when you run lsat the first time:
lsat [sudo] password for dirk: Starting LSAT... Getting system information... Running modules... Running checkpkgs module... Running checkinetd module... Running checkinittab module... Running checklogging module... Running checkset module... Running checkwrite module... Running checkdotfiles module... Running checkpasswd module... Running checkfiles module... Running checkumask module... Running checkftpusers module... Running checkrc module... Running checkkbd module... Running checklimits module... Running checkssh module... Running checkopenfiles module... Running checkissue module... Running checkwww module... Running checkmd5 module... Running checkmodules module... Running checksecuretty module... Running checkrcperms module... find: "/etc/rc.d/init.d/": Datei oder Verzeichnis nicht gefunden Running checknet module... Running checknetforward module... Running checknetpromisc module... Running checkbpass module... Running checkipv4 module... Running checkx module... Running checkftp module... Running checklistening module... Running checkdisk module... Finished. Check lsat.out for details. Don't forget to check your umask or file perms when modifying files on the system.
As you see lsat throws an error that claims it cant find the init.d path. And also there are running a
few modules wich we don’t want to be run each time. So when we look at the man pages it tells us that
the „-x “ Option with „filename“ argument, is usefull to exclude modules from beeing run. So
we gonna create that file unter /etc . Like allready mentioned the file has to contain the names of modules
wich are excluded from beeing run. The module names must be seperated by whitespaces, kommatas or one modulename
for each line. This is what mine exclude file looks like:
cat /etc/lsat.exclude rc perms securetty rpm inetd logging modules forward ftpusers inittab set limits issue write promisc forward
Straight forward isn’t it? And like you allready saw i named the file simply „lsat.exclude“ so next time when you run lsat
just call it with the „-x“ flag linke this:
lsat -x /etc/lsat.excldue
This produces a more clean output in the lsat.out file. You could also run lsat once a Week over some crontab or such but that
is a task you should manage on your own. So thats it for this time you might also want to take a look at the project page, but
be aware that the project is a littlebit outdated. Last update on the Homepage is from 2008, so this post is also more like outdated.
And its more a „just for the fun of it“ post. So i hope you enjoy it some how, anyways untill next time i am outtie!!!
Be aware of the md5sum module of lsat, there are some issues about that. If you want to have something like a HBIDS
i would suggest you something like tripwire or integrid. You might also want to visit the Authors homepage: http://usat.sourceforge.net/