******************************************************************************
PT-74                                                             October 1994
******************************************************************************

1. Product Description:

The Computer Oracle and Password System (COPS) is a set of programs to
automate security checks for UNIX. This product test evaluates version 1.04.

2. Product Acquisition:

COPS is a freeware package available from several anonymous ftp sites on the
Internet. Dan Farmer wrote and compiled COPS under the direction and
sponsorship of Professor Gene Spafford, Purdue University. Mr. Farmer
incorporated material from other authors, and provides the appropriate
citation where necessary.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Directorate of Information
Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548,
DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained my initial copy of COPS from the Computer Emergency Response
Team (CERT) anonymous ftp site at Carnegie Mellon. That initial copy was
version 1.02. I later downloaded version 1.04, and have tested it over the
last two years on a variety of UNIX platforms, to include AT&T, Pyramid, Sun
and Unisys systems running various releases of System V.

b. The documentation identifies these major components.

   (1)  cops         The shell script for most of the programs
   (2)  suid.chk     Checks for changes in SUID status
   (3)  makefile     Makefile for the programs
   (4)  chk_strings  Checks for writable paths/files in a file
   (5)  cron.chk     Checks for writable paths/files in /usr/lib/crontab
   (6)  dev.chk      Checks /dev/*mem and all devs listed by /etc/fstab
                     command for world read/writability and checks a small
                     group of files for non-world readability
   (7)  dir.chk      Checks directories for writability
   (8)  file.chk     Checks files for writability
   (9)  group.chk    Checks /etc/group for non-unique groups, invalid fields,
                     non-numeric group ids, etc.
   (10) home.chk.c   Checks all users' home directories listed in /etc/passwd
                     for bad modes (i.e., basically world writability,
                     strangeness)
   (11) rc.chk       Checks all commands and paths listed in /etc/rc* for
                     writability
   (12) reconfig     Changes the paths for COPS programs, if required
   (13) is_readable  Checks a file/directory and determines readability
   (14) is_writable  Checks a file/directory and determines writability
   (15) kuang        Checks to see if a given user (by default root) is
                     compromisible, given that certain rules are true
   (16) passwd.chk   Checks /etc/passwd for poor password selection
   (17) user_chk.c   Checks all users listed in /etc/passwd for modes (i.e.,
                     basically world writability, strangeness)
   (18) bug.chk      Checks a program date against the date of a CERT
                     advisory or a patch date for an identified vulnerability
   (19) checkacct    Checks a subset of conditions to determine the account
                     security of an individual user
   (20) carp         COPS Analysis and Report Program: looks at COPS output
                     from several machines and then weights the results

c. The installation and configuration of COPS is generally a simple
procedure. The author provides approximately one page of instructions on
running COPS for the first time. As mentioned several times in the
documentation, the major problem which one might encounter is that the paths
listed in the COPS shell scripts will not agree with those on your system.
The author provides "reconfig" to automate the process. My experience has
been that in most cases "reconfig" will work. But I have still had to
manually change paths on at least one system.

d. It is essential that one read all of the documentation before running the
program. The author has included several papers to describe the strengths
and weaknesses of individual modules.
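The checks listed under (7) dir.chk, (8) file.chk, (10) home.chk.c and (16)
passwd.chk above, and the warning messages catalogued in paragraph 4.f below,
can be reproduced in a few dozen lines of shell. The following is an added
example written for this product test; it is not COPS source code. It builds
a constructed passwd file and a small directory tree in a scratch directory
(the sample users, paths and modes are invented for the purpose) and runs
checks of the same kind over them. The function names (is_world_writable,
check_passwd, check_homes, check_tree, check_path, make_fixture, demo) and the
exact message wording are this example's own, chosen to resemble the messages
in 4.f; they are not COPS identifiers.

```shell
#!/bin/sh
# Added example for this review, not COPS source.  A miniature of the checks
# that COPS's passwd.chk, home.chk, dir.chk/file.chk and root-path modules
# perform, in plain sh and awk, run over constructed sample data so that it
# executes offline.  Message wording follows the report's list; it is not
# COPS output.

# is_world_writable PATH: true if the "other" write bit is set.  ls -ld is
# parsed because stat(1) flags differ between GNU and BSD userlands.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# check_passwd FILE: structural checks on a passwd(5)-format file, one line
# per finding.  The duplicate-uid check has to see every line, hence END.
check_passwd() {
    awk -F: '
    /^$/    { printf "Warning!  Password file, line %d, is blank\n", NR; next }
    NF != 7 { printf "Warning!  Password file, line %d, does not have 7 fields\n", NR; next }
    $1 !~ /^[A-Za-z0-9_.-]+$/ { printf "Warning!  Password file, line %d, nonalphanumeric login\n", NR }
    $2 == ""         { printf "Warning!  Password Problem: no password for %s\n", $1 }
    $3 ~ /^-[0-9]+$/ { printf "Warning!  Password file, line %d, negative user id\n", NR; next }
    $3 !~ /^[0-9]+$/ { printf "Warning!  Password file, line %d, nonnumeric user id\n", NR; next }
    $3 == 0 && $1 != "root" { printf "Warning!  Password file, line %d, user has uid = 0 and is not root\n", NR }
    $4 !~ /^[0-9]+$/ { printf "Warning!  Password file, line %d, nonnumeric group id\n", NR }
    { uid[$3]++ }
    END { for (u in uid) if (uid[u] > 1)
              printf "Warning!  Duplicate uid(s) found in password file: %s\n", u }
    ' "$1"
}

# check_homes FILE: the home.chk part.  Does each login directory exist, and
# is it world writable (anyone could then drop a .profile or .rhosts there)?
check_homes() {
    while IFS=: read -r login pw uid gid gecos home shell; do
        [ -n "$login" ] || continue
        if [ ! -d "$home" ]; then
            echo "Warning!  Password file: user $login has invalid login directory $home"
        elif is_world_writable "$home"; then
            echo "Warning!  User $login's home directory $home is mode $(ls -ld "$home" | cut -c2-10)"
        fi
    done < "$1"
}

# check_tree DIR: the dir.chk/file.chk part over a whole tree: every file or
# directory whose "other" write bit is set (find -perm -0002 is POSIX).
check_tree() {
    find "$1" \( -type d -o -type f \) -perm -0002 | sort | while read -r p; do
        if [ -d "$p" ]; then kind=Directory; else kind=File; fi
        echo "Warning!  $kind $p is World writable (mode $(ls -ld "$p" | cut -c2-10))"
    done
}

# check_path PATHSTRING: root's search path.  "." or an empty element means
# the current directory; a world-writable directory on the path lets any
# user plant a trojan command that root will run.
check_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
        case $d in
            .|'') echo 'Warning!  "." (or current directory) is in root'\''s path' ;;
            *)    if [ -d "$d" ] && is_world_writable "$d"; then
                      echo "Warning!  Directory $d is World writable and in root's path"
                  fi ;;
        esac
    done
}

# make_fixture DIR: constructed sample data (not from any real system) that
# contains the mistakes the report lists.  DIR stands in for "/".
make_fixture() {
    mkdir -p "$1/home/alice" "$1/home/bob" "$1/usr/local/bin" "$1/tmp"
    chmod 755 "$1/home/alice"; chmod 1777 "$1/tmp"     # /tmp: writable but sticky
    chmod 777 "$1/home/bob" "$1/usr/local/bin"         # world-writable directories
    : > "$1/usr/local/bin/backup"; chmod 666 "$1/usr/local/bin/backup"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/:/bin/sh
toor:x:0:0:second uid 0:/:/bin/sh
alice:x:1000:1000:Alice:$1/home/alice:/bin/sh
bob::1001:1000:Bob (no password):$1/home/bob:/bin/sh
carol:x:1000:abc:Carol (duplicate uid, bad gid):$1/home/carol:/bin/sh

dave:x:1002:1000:Dave (six fields):/nonexistent
EOF
}

# demo: run every check against a scratch copy of the fixture.
demo() {
    d=$(mktemp -d) || exit 1
    make_fixture "$d"
    check_passwd "$d/passwd"; check_homes "$d/passwd"
    check_tree "$d"; check_path "$d/usr/local/bin:/bin:."
    rm -rf "$d"
}
demo
```

Run it with sh on any POSIX system; the demo at the end creates and removes
its own scratch directory. Note that a world-writable directory with the
sticky bit set, such as /tmp, is still reported by check_tree: as paragraph
6.b below says of COPS itself, a warning does not in every case mean an actual
weakness, and the administrator has to judge it. The group.chk checks (7)
through (10) in 4.f follow the same awk pattern as check_passwd with four
fields instead of seven.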
Similarly, since the author has incorporated the work of many other
programmers, a user will need to know something about the individual modules
to appreciate what each is attempting to do as well as to adequately evaluate
the results.

e. The following observations arise from over sixty executions of the program
on production systems.

   (1) COPS clearly identifies problems which could affect the overall
       security of a system.
   (2) The warning messages associated with potential problems are generally
       straightforward. In certain instances, however, a user will have to be
       knowledgeable about Unix and/or about the system's specific
       configuration to interpret the results and to evaluate their
       significance.
   (3) The U-Kuang analysis remains the most difficult concept to understand,
       and its results the most difficult to resolve.
   (4) The overwhelming majority of problems discovered by COPS were in the
       management of the /etc/passwd file and in the setting of permissions
       on critical directories and files. My experience has been that even
       the so-called experienced Unix system administrator continually makes
       elementary mistakes in these areas.
   (5) COPS must be run on a recurring basis, particularly where there are
       multiple system administrators. One administrator may introduce a
       problem after a COPS run which may go undetected until a subsequent
       execution.

f. The following is a list of the most common security warning messages
which might occur, minus those that might be received from the Kuang analysis
and from the SUID checker. I have placed an asterisk * after the description
to indicate those messages which I have received in my executions of the
program.
   (1)  File is World writable, file is group readable *
   (2)  File is World writable, file in /etc/rc* is World writable *
   (3)  Directory is World writable *
   (4)  Directory is World writable and in root's path
   (5)  Duplicate Group(s) found *
   (6)  Group has duplicate user(s)
   (7)  Group file, line xyz, non-numeric group id *
   (8)  Group file, line xyz, is blank *
   (9)  Group file, line xyz, nonalphanumeric user id *
   (10) Group file, line xyz, group has password
   (11) Password Problem: Guessed:
   (12) Password Problem: no password *
   (13) Duplicate uid(s) found *
   (14) Password file, line xyz, user has uid = 0 and is not root *
   (15) Password file, line xyz, nonalphanumeric login
   (16) Password file, line xyz, invalid login directory
   (17) Password file, line xyz, nonnumeric group id *
   (18) Password file, line xyz, negative user id
   (19) Password file, line xyz, does not have 7 fields
   (20) Password file, line xyz, is blank
   (21) NFS file system exported with no restrictions
   (22) Root's umask set to xyz
   (23) "." (or current directory) is in root's path
   (24) User's home directory is mode xyz *
   (25) User .bar (one of the user's initialization files) is mode xyz

5. Product Advantages:

a. COPS is a free tool which automates a diverse group of checks to monitor
and/or to verify the security features in a Unix environment.

b. The configuration of the programs is generally painless for the moderately
skilled user.

c. Documentation is extensive, with interesting technical and philosophical
discussions on what it means to be "secure" on a Unix platform.

d. With few exceptions one can execute the modules without "root" or system
administrator privileges. This affords individual users the opportunity to
examine the security of their own accounts independent of a system
administrator.

e. Version 1.04 offers a collection of additional programs which more
experienced users will find attractive, to include an entire directory
"extra_src".

6. Product Disadvantages:

a. The author's intention to develop "future versions of COPS" has not
materialized. The tool has essentially been static since March 1992.

b. The presence of a security warning message does not in every case mean
that an actual vulnerability or weakness exists. The requirement for an
experienced and knowledgeable system administrator to interpret the results
cannot be overlooked.

c. If any user without "root" privileges can execute a substantial part of
the COPS modules, then the potential for insider attacks may be increased.
The advantages and disadvantages of the author's approach in this respect
could be the subject of a book.

d. There is still a reluctance, if not antipathy, on the part of many
enterprises to use a "free" tool. Corporate and government policies may
preclude the utilization of COPS.

7. Comments:

As an advocate of the use of automated security tools, I strongly endorse
COPS. If one understands its strengths and its limitations, it can become a
significant component in an overall information systems security program.

[The opinions expressed in this evaluation are those of the author, and
should not be taken as representing official Department of Army positions or
a commercial endorsement.]