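We can use the seccheck package to check a number of system-related settings.
For example, it can use John the Ripper to check password strength,
check whether any user has a UID of 0,
or find which directories are world writable.
First, check whether the seccheck package is installed.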
#zypper search seccheck
If it is not, install the package with zypper or YaST.
#zypper install seccheck
Once it is installed, the checks are run periodically by cron.
#cat /etc/cron.d/seccheck
RUN_FROM_CRON=yes
#
# SuSE Security Checks
#
0 0 * * * root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh daily &
0 1 * * 1 root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh weekly &
0 4 1 * * root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh monthly &
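The daily, weekly, and monthly runs each check somewhat different items.
To test it, you can run the corresponding script directly, as in the following example.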
# /usr/lib/secchk/security-weekly.sh
Password security checking not possible, package john not installed.
The following files/directories are world writeable and not sticky:
+ /var/lib/smartmontools/smartd.HDS722580VLAT20-VNR21EC2SU7ZWM.ata.state
+ /var/lib/smartmontools/smartd.HDS722580VLAT20-VNR21EC2SU7ZWM.ata.state~
+ /var/lib/smartmontools/smartd.ST320410A-6FG152G8.ata.state
+ /var/lib/smartmontools/smartd.ST320410A-6FG152G8.ata.state~
The following programs have got a different md5 checksum since last week:
+ S.5....T c /etc/gdm/custom.conf
+ S.5....T c /usr/share/fonts/encodings/encodings.dir
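Two of the checks mentioned above (accounts with UID 0, and world-writable paths without the sticky bit), written out as an added example; this is not seccheck's own code. The function names, the `admin2` account and the fixture tree are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; this is not seccheck's code.

# Accounts other than root whose UID field is 0.
# $1: passwd-format file (defaults to /etc/passwd)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Files and directories under $1 that anyone can write to and that
# lack the sticky bit (so any user may delete or replace entries).
world_writable_not_sticky() {
    find "$1" -xdev \( -type f -o -type d \) \
        -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Build a constructed fixture so the checks run offline.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'admin2:x:0:0:constructed sample:/home/admin2:/bin/bash' \
        'ines:x:1000:100:constructed sample:/home/ines:/bin/bash' \
        > "$dir/passwd"
    mkdir "$dir/tree" "$dir/tree/open" "$dir/tree/tmp"
    : > "$dir/tree/state"
    : > "$dir/tree/private"
    chmod 0755 "$dir/tree"           # parent itself is not world writable
    chmod 0777 "$dir/tree/open"      # world writable, no sticky bit: reported
    chmod 1777 "$dir/tree/tmp"       # sticky like /tmp: not reported
    chmod 0666 "$dir/tree/state"     # world-writable file: reported
    chmod 0644 "$dir/tree/private"   # not reported
    echo "$dir"
}

fixture=$(make_fixture)
echo "UID 0 accounts besides root:"
uid0_accounts "$fixture/passwd" | sed 's/^/+ /'
echo "World writable and not sticky:"
world_writable_not_sticky "$fixture/tree" | sed 's/^/+ /'
rm -rf "$fixture"
```

On a real system, call `uid0_accounts` with no argument and point `world_writable_not_sticky` at a directory such as /var.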
There is another feature that is quite useful.
# /usr/lib/secchk/checkneverlogin
Warning: user ines has got a password and a valid shell but never logged in.
It finds users who have a password but have never logged in.
If it reports that John the Ripper is not installed, just install it with zypper ^^
# zypper search john
Loading repository data...
Reading installed packages...
S | Name           | Summary                             | Type
--+----------------+-------------------------------------+--------
  | john           | Detects Weak Passwords              | package
  | john-wordlists | Word List Files for John the Ripper | package
# zypper install john john-wordlists
Enjoy it ~~