
Re: Tiger warnings - reaction advice requested



On Tue, Aug 20, 2002 at 03:09:50PM -0700, Johannes Graumann wrote:

> # Checking accounts from /etc/passwd.
> --WARN-- [acc001w] Login ID nobody is disabled, but still has a valid
> shell (/bin/sh). 

Debian specific. You could probably change the shell to /bin/false.

> --WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group
> `mail' write access. 

This is normal in any Debian setup and you should leave it as is.


> --WARN-- [acc006w] Login ID nobody's home directory (/home) has group
> `staff' write access.

This is also normal in Debian setups. However, you can change it if you do
not feel it's appropriate.

For some explanation regarding Tiger's issues see: tigexp.

> 
> I'm new to the business of system administration and not quite sure on
> how to react to this. A 'chmod'-variety for the first and last? Also: what
> is this 'nobody' user? Program/demon specific? Can I, should I get rid of
> it?

As for 

> 
> Tiger also complained that 
> /sbin/bastille-firewall-reset
> /sbin/bastille-firewall-schedule
> /sbin/bastille-ipchains
> /sbin/bastille-netfilter
> are not supposed to be present - but after 'bastille' setup they are
> supposed to be here. How do I teach this to tiger? I suppose it is doable
> with those 'templates'? Have found no documentation on what that is/how
> it works/how to set it up and would greatly appreciate any hint concerning
> this.

Templates are easy to do, just copy any report from a module (available
under /var/log/tiger) into /etc/tiger (or /var/log/tiger but it's
deprecated) changing the .out prefix to .template. Remove all the lines
that you *want* to be reported about. The lines that are kept in the
template will *never* be reported.

AFAIK, this is documented in tiger(8) (but maybe it's only in the 3.0
version in unstable). Also, keep in mind that the default behavior of
Tiger will be to *only* email you the changes after a given module has
been run (like if the previous run was the template for the next). This
makes it easier to detect changes.

Hope you like it!

	Javi
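
The template behaviour described in the reply above, as an added example that is not part of the original message and is not Tiger's own code: it builds a template from one report and shows which lines of a later run would still be reported. The file names, the helper functions, the extra "demo" account line and the exact whole-line matching rule are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration of the template behaviour described above; not Tiger's own code.
# Assumption: a template suppresses report lines that match one of its lines exactly.

# Constructed sample report, using the warnings quoted in this thread (unwrapped).
sample_report() {
cat <<'EOF'
--WARN-- [acc001w] Login ID nobody is disabled, but still has a valid shell (/bin/sh).
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail' write access.
--WARN-- [acc006w] Login ID nobody's home directory (/home) has group `staff' write access.
EOF
}

# make_template REPORT TEMPLATE REGEX
# Copy the report, keeping only lines matching REGEX (the accepted findings).
# Lines removed here are the ones you still want reported.
make_template() {
    grep -E -- "$3" "$1" > "$2" || : > "$2"
}

# would_report REPORT TEMPLATE
# Print the report lines that have no exact match in the template.
would_report() {
    if [ -s "$2" ]; then
        grep -v -x -F -f "$2" -- "$1" || true
    else
        cat -- "$1"
    fi
}

# demo: accept the two acc006w findings, then filter a later run that
# contains one additional (constructed) acc006w line for account "demo".
demo() {
    d=$(mktemp -d) || return 1
    sample_report > "$d/run1.out"
    make_template "$d/run1.out" "$d/run1.template" '\[acc006w\]'
    { sample_report
      echo "--WARN-- [acc006w] Login ID demo's home directory (/srv/demo) has group \`staff' write access."
    } > "$d/run2.out"
    would_report "$d/run2.out" "$d/run1.template"
    rm -rf "$d"
}
```

Under the whole-line assumption, accepting the two known acc006w lines does not hide the same warning for a different account, so a new group-writable home directory still shows up.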


