How to check whether system is OS hardened?

    How to check whether system is OS hardened?  
qazmlp1209@rediffmail.com


09-20-05 12:49 PM

How do we check whether the system is OS hardened or not?

I am aware of only the following:
- To check whether tcpd (TCP wrapper) is running or not -> ps -eaf|grep tcpd
- To check whether JASS packages are installed -> pkginfo|grep -i jass

Are there better alternatives to check it?






    Re: How to check whether system is OS hardened?  
Colin B.


09-20-05 11:05 PM

In comp.unix.solaris qazmlp1209@rediffmail.com wrote:
> How do we check whether the system is OS hardened or not?
>
> I am aware of only the following:
> - To check whether tcpd (TCP wrapper) is running or not -> ps -eaf|grep tcpd
> - To check whether JASS packages are installed -> pkginfo|grep -i jass
>
> Are there better alternatives to check it?

Endless ones. First of all, make sure you realise that 'hardened' isn't
a binary function: a computer isn't either hardened or not, but rather
is going to be harder than some arbitrary watermark. If you have a standard
in place, then hardened means hardened to that standard. If you don't, then
who knows what's meant by the term?

At any rate, grep for running services in /etc/inetd.conf. nmap the box
from another machine on the same subnet, and see what ports are open.
Look for .rhosts files, check for root console login in /etc/default/login,
see if random packet numbers are enabled. Are unnecessary /etc/rcX.d
services getting started? Is tripwire or aide installed? How about logging--
is stuff being forwarded to a central log server?

You can keep hardening a box until a live network connection isn't even an
access point, but it's probably not a lot of use. The real key to hardening
a box successfully is twofold: (a) define what constitutes hardened, and
(b) define (and run) the tests against that standard.

Colin
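
The configuration-file checks from the reply above, written as a repeatable test against a defined baseline. This is an added example, not part of the original thread; the four baseline items, the function names, and the constructed fixture tree are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Each check takes the tree root as $1.

# Services still enabled in inetd.conf (uncommented, non-blank lines).
inetd_services() {
    [ -f "$1/etc/inetd.conf" ] || return 0
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1/etc/inetd.conf" | sort -u
}

# Root login is console-only when CONSOLE= is present and uncommented.
console_restricted() { grep '^CONSOLE=/dev/console' "$1/etc/default/login" >/dev/null 2>&1; }

# Every .rhosts file below the root.
rhosts_files() { find "$1" -type f -name .rhosts 2>/dev/null | sort; }

# Logs leave the box when an uncommented syslog.conf action starts with '@'.
syslog_forwarding() {
    awk '!/^#/ && $NF ~ /^@/ { found = 1 } END { exit !found }' \
        "$1/etc/syslog.conf" 2>/dev/null
}

# Print one PASS/FAIL line per baseline item; exit status = number of FAILs.
audit() {
    root=${1:-/}; fails=0
    svc=$(inetd_services "$root" | tr '\n' ' ')
    if [ -z "$svc" ]; then echo "PASS inetd: nothing enabled"
    else echo "FAIL inetd: enabled: $svc"; fails=$((fails + 1)); fi
    if console_restricted "$root"; then echo "PASS login: root console-only"
    else echo "FAIL login: CONSOLE not set"; fails=$((fails + 1)); fi
    rh=$(rhosts_files "$root" | tr '\n' ' ')
    if [ -z "$rh" ]; then echo "PASS rhosts: none found"
    else echo "FAIL rhosts: $rh"; fails=$((fails + 1)); fi
    if syslog_forwarding "$root"; then echo "PASS syslog: remote loghost set"
    else echo "FAIL syslog: no remote loghost"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed fixture: a deliberately weak tree for trying the checks offline.
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/etc/default" "$d/export/home/alice" || return 1
    printf '#ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd\ntelnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd\n' > "$d/etc/inetd.conf"
    printf '#CONSOLE=/dev/console\n' > "$d/etc/default/login"
    printf '*.err\t/var/adm/messages\n' > "$d/etc/syslog.conf"
    printf 'hostA alice\n' > "$d/export/home/alice/.rhosts"
    echo "$d"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it as `sh audit.sh /` on the host, or against the tree printed by `make_fixture` to see all four items fail.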





    Re: How to check whether system is OS hardened?  
Bernd Haug


09-20-05 11:05 PM

qazmlp1209@rediffmail.com <qazmlp1209@rediffmail.com> wrote:
> I am aware of only the following:
>  - To check whether tcpd (TCP wrapper) is running or not -> ps -eaf|grep tcpd
>  - To check whether JASS packages are installed -> pkginfo|grep -i jass

Those are only examples of how hardening (automagically or manually) can
be approached. You can only determine (part of!) what has been done this
way, but hardly what hasn't been done, or what else has been done.

> Are there better alternatives to check it?

Actually test. Vuln-scanners, etc.
E.g. run nessus - recent version - against it.

Nessus is free but has received one of the best results in a recent test
by the German professional IT rag, iX.

Note that if the computers you do this on, or even the network you test
the attacks over, do not belong to you (I'm not insinuating anything,
but e.g. you might be in a consulting role), you *must* talk this over
with somebody who controls the boxen/infrastructure beforehand.

lg, Bernd
--
When emailing me, excuse my annoying spamfilter - it works for me.





All times are GMT.