RootCheck 0.4
xxx.xxx.xxx Scanning Result
Available at: http://www.ossec.net/rootcheck/
By Daniel B. Cid
Scan result info
Date: Fri Dec 5 11:38:26 2003
Operating system: OpenBSD
Logged in as: root
Hostname: xxx.xxx.xxx
Introduction:
RootCheck is a host-based security analysis tool (written in perl+c) that looks for suspicious
activities, files and directories on Unix systems.
Every finding is classified into one of 4 categories:
- Black - Informational (mis-configuration, strange files, etc.)
- Green - OK, no problem detected
- Orange - Potentially serious problem found
- Red - Severe problem found
Content:
Binaries check
Ports check
Interfaces check
pflog0 Is in Promiscuous Mode!
Checking rl0: 192.168.10.1
Checking xl0: xx.xx.xx.xx
Check passwords
Check Logs
Log files OK
Check process/ps
Rootkits Check
Check /dev
/dev is OK
Check Config Files
Checking exports(NFS): /etc/exports
Checking inetd.conf: /etc/inetd.conf
Checking sshd_config: /etc/ssh/sshd_config
Your sshd_config is well configured.
Checking ssh keys: /etc/ssh/ssh_host_rsa_key
Checking ssh keys: /etc/ssh/ssh_host_key
Checking sudo: /etc/sudoers
Line found: daniel ALL=(ALL) ALL
Checking httpd.conf: /var/www/conf/httpd.conf
Your httpd.conf is well configured.
System Files Check
The following files are writable by "others" (o+w):
/var/qmail/queue/lock/trigger
The following files are writable by "others" and executable by their owner (o+w and u+x):
/home/daniel/develop/perl/alert
/var/run/mysql/mysql.sock
The following binaries were modified most recently:
1 - /usr/sbin/sendmail -> Wed May 7 18:22:26 2003
2 - /usr/sbin/sysctl -> Mon May 5 18:45:20 2003
3 - /usr/sbin/kadmin -> Sat Mar 29 14:58:26 2003
4 - /usr/sbin/ktutil -> Sat Mar 29 14:58:26 2003
5 - /usr/bin/klist -> Sat Mar 29 14:58:23 2003
The following files need checking:
/home/test/rpimp.c
Problem: rpv21 (Reverse Pimpage)
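The checks whose results are printed above (promiscuous interfaces, /dev, world-writable files, most recently modified binaries) can be reproduced without the tool. The script below is an added example written for this page; it is not RootCheck's own code and makes no claim about how RootCheck implements these checks. The function names and the sample ifconfig text are this example's own, and the sample is constructed in OpenBSD ifconfig format rather than captured from the scanned host.

```sh
#!/bin/sh
# Added example, not part of the RootCheck report above or of the
# OSSEC/rootcheck code base: a portable-shell re-implementation of four of the
# checks this report prints. Function names and SAMPLE_IFCONFIG are assumptions
# made for this example.

# Interfaces check. Reads ifconfig-style output on stdin and prints every
# interface whose flag list contains PROMISC, one name per line.
promisc_ifaces() {
    awk '/^[a-z0-9]+:.*flags=/ && /PROMISC/ { sub(":", "", $1); print $1 }'
}

# Constructed sample in OpenBSD ifconfig format (not output from the scanned
# host). pflog0 carries PROMISC because pflogd reads it through BPF in
# promiscuous mode; the same flag on a real NIC is what deserves a closer look.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255'

# Check /dev. /dev should hold device nodes, directories and symlinks only;
# a regular file there is a classic place for a rootkit to hide a config or
# a binary.
dev_regular_files() {
    find "$@" -type f 2>/dev/null | sort
}

# System Files Check. Octal -perm masks are used because not every find(1)
# accepts the symbolic form: -002 = writable by others, -102 = that plus
# owner exec.
others_writable() {
    find "$@" -type f -perm -002 2>/dev/null | sort
}
others_writable_owner_exec() {
    find "$@" -type f -perm -102 2>/dev/null | sort
}

# The N most recently modified regular files under the given roots, newest
# first. ls -t sorts the batch that find hands it by mtime; on a very large
# tree find may split the batch across several ls runs, and then the order is
# only correct within each batch.
last_modified() {
    n=$1; shift
    find "$@" -type f -exec ls -1t {} + 2>/dev/null | head -n "$n"
}

# Usage on a live host (run as root, as the report was):
#   printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces   # sample: prints pflog0
#   ifconfig -a | promisc_ifaces                         # real interfaces
#   dev_regular_files /dev
#   others_writable / ; others_writable_owner_exec /
#   last_modified 5 /usr/bin /usr/sbin
```

A world-writable file is only a finding in context: the qmail trigger and the MySQL socket listed above are writable by design, while a world-writable owner-executable file in a home directory or under /var/run is the kind of thing that warrants a look at who wrote it and when. Pairing the o+w list with the most-recently-modified list, as the report does, is what makes the second question answerable.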