VULNERABILITY CHECKING PLUG-IN DESCRIPTION

Currently, about 80 plug-ins have been implemented. The release of Ferret as a freely available open source program should encourage the security community to develop plug-ins and thus rapidly increase the number of available plug-ins.

The first group of plug-ins checks whether or not certain critical system files or directories (e.g., /bin, /.cshrc, /dev, /etc/group, /etc/passwd, /etc, /.login, /.profile, /.rhosts, /usr/etc) are owned by root. These files are generally run by root, and thus should be owned by root. If any ownership has been changed deliberately, the system administrator is simply made aware of the change, as the aim of the Ferret tool is to report a potential vulnerability, not to correct it.

The second group of plug-ins checks whether the permissions of critical system directories (e.g., /, /bin, /usr/adm, /etc, /dev) are world-writable. Having any of these directories world-writable makes it easy for intruders to gain root privilege. For example, the directory /etc contains information about groups, users, and passwords. An attacker could put commands in /etc/rc*, /etc/init.d/*, and other files in the /etc directory to create a back door into the system each time the system is rebooted. Therefore, all the files in the /etc directory should be kept non-writable by any user other than root. Similarly, the /bin directory stores the shells for the system. An attacker can possibly put a Trojan Horse in any of these files to become root. It is therefore important to safeguard these critical directories. However, for specific files within a directory, Ferret leaves it up to the system administrator to decide what exactly the permission set should be. For example, although the majority of the devices listed in the /dev directory should be non-readable and non-writable, some of the files, such as /dev/null, /dev/tty, and /dev/console, need to be world-writable.
The third group of plug-ins checks the paths and filenames inside the root start-up files (e.g., /.login, /.cshrc, /.profile) for world-writability. Also, the path variable in those start-up files is checked to ensure that a "." is not in the path variable. An attacker could place a Trojan Horse in various directories with the hope that someone with "." in his or her path will execute the program.

The fourth group of plug-ins checks the umask settings in login initialization files (e.g., /.login, /.cshrc, /.profile, /etc/profile). The umask is a four-digit octal number that Unix uses to determine the file permissions for newly created files. Umask settings often have a default value of 022 to make it easier for users to share files with other users. Unfortunately, a user may inadvertently set a umask that leaves newly created files world-readable, which would allow anyone to read those files.

The fifth group of plug-ins focuses on configuration issues for certain files in each user's home directory. More specifically, these plug-ins check whether permissions on certain important files (e.g., .Xdefaults, .Xresources, .bashrc, .cshrc, .defaults, .emacs, .emacsrc, .forward, .fvcmd, .kshrc, .login, .logout, .netrc, .profile, .rhosts, .screenrc, .tcshrc, .xinitrc) in any user's home directory are set to group- or world-writable. This group of plug-ins can avoid many situations in which one user can easily take over another user's rights, even by placing a simple Trojan Horse. For example, the .login and .profile files are executed each time a user logs in, and the commands within them are executed by the user's shell. Even making such files group-writable makes them susceptible to attackers writing commands that are executed each time the user logs in. However, to accommodate special situations in which rights or permissions have been deliberately given, the discretion of the system administrator and of the owner of the home directory is final.
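The following is an added example (not Ferret's own code) of how plug-ins in the first, second, third and fourth groups can be expressed: one function inspects a path's owner and write bits with os.lstat, the other scans start-up file text for "." in PATH and for umask values that leave group or world write open. It goes slightly beyond the text by also flagging an empty PATH element, which the shell treats as the current directory; the regexes and the sample .profile are constructed for this illustration.

```python
import os
import re
import stat

# Hypothetical patterns for the start-up file lines Ferret's third and fourth groups read:
# sh-style PATH=..., csh-style set path=(...), and umask settings.
SH_PATH = re.compile(r'^\s*(?:export\s+)?PATH=(\S*)')
CSH_PATH = re.compile(r'^\s*set\s+path\s*=\s*\((.*)\)')
UMASK = re.compile(r'^\s*umask\s+([0-7]{1,4})\b')

def mode_findings(path):
    """Ownership and write-permission problems for one file or directory (groups 1, 2, 6)."""
    st = os.lstat(path)
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_ISUID and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("SUID file writable by someone other than its owner")
    return findings

def startup_findings(text):
    """Flag '.' in PATH (an empty element also means the current directory) and
    umask values that leave group or world write permission open."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SH_PATH.match(line)
        if m and {".", ""} & set(m.group(1).strip("\"'").split(":")):
            findings.append((n, "current directory in PATH"))
        m = CSH_PATH.match(line)
        if m and "." in m.group(1).split():
            findings.append((n, "current directory in PATH"))
        m = UMASK.match(line)
        if m and (int(m.group(1), 8) & 0o022) != 0o022:
            findings.append((n, f"umask {m.group(1)} allows group or world write"))
    return findings

# Constructed sample of a root .profile; not from any real system.
SAMPLE_PROFILE = """\
PATH=/usr/bin:/bin:.
export PATH
umask 002
"""

if __name__ == "__main__":
    print(startup_findings(SAMPLE_PROFILE))
```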
In Unix systems, the SUID bit allows a file to be run as the user that owns the file, even if it is run by someone other than that user. A SUID file that is writable can easily be used to compromise the user account of the owner, including the case when the owner is root. While certain files on any system need to be SUID root, it is critical that those files not be writable by anyone other than root. The sixth group of plug-ins is designed to search for all the files on the target system that have the SUID bit enabled. Plug-ins of this type find all the SUID programs on a system and check whether they have group-writable or world-writable permissions, and whether they are owned by the user root (UID 0).

The seventh group of plug-ins focuses on the different fields of the password file. The structure of the password file is similar for all Unix systems. However, certain fields may take different formats. For example, the password field may contain an asterisk (*), an exclamation mark (!), or encrypted password characters. Different types of vulnerabilities, like a blank password field, a non-root account with UID set to zero, or an invalid home directory, can cause a security flaw in the system. For example, if the password field is blank, then that user account does not need a password to log in. Depending on the operating system and its version, the encrypted password is stored in a ghost file, like the /etc/security/passwd or /etc/shadow file. A ghost file like /etc/shadow gives the encrypted password a more secure structure, and such files are not readable by ordinary users.

The eighth group of plug-ins focuses on system file permissions. Some of the plug-ins developed in this family target the /etc/exports file, and others target the /etc/fstab file. More specifically, some plug-ins check whether or not files exported in /etc/exports have been given explicit access control.
They also check whether there is any use of wildcards, or whether any write access for root has been given. Note that, wherever possible, exported files should be mounted read-only. The /etc/fstab or /etc/vfstab (for Solaris) file makes it possible to automate the mounting of certain file systems, especially at system start-up. It contains a series of lines describing the file systems, their mount points, and other options. Several plug-ins check that the resources mounted in the /etc/fstab or /etc/vfstab file are not set as world- or group-writable.

The ninth group of plug-ins checks the .rhosts file to see if any unreasonable permission is given to remote users and machines. The .rhosts file resides in the user's home directory. The file defines which remote hosts can invoke certain commands on the local host without supplying any password. If the .rhosts file is writable by others, then any host included in the file can get access to run commands on the system without supplying a password. Also, if a user has his username in another user's .rhosts file on the same system, then the user can get access to the other user's account without supplying a password. Thus it becomes important to check both the content of the .rhosts file and the permission of the file.
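As an added example (not Ferret's own code) of the seventh- and eighth-group checks described above, the first function scans /etc/passwd-style text for a blank password field, a non-root account with UID 0 and a home directory that is not a real directory, and the second scans Linux /etc/exports-style text for entries with no client list, wildcard clients, or remote root write access (rw combined with no_root_squash). The isdir parameter and both sample inputs are constructed for this illustration.

```python
import os
def check_passwd(text, isdir=os.path.isdir):
    """Blank password, non-root UID 0 and invalid home directory, per entry (group 7)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:          # blank or malformed line: nothing to check
            continue
        user, pw, uid, _gid, _gecos, home, _shell = fields
        if pw == "":
            findings.append((n, f"{user}: blank password field"))
        if uid == "0" and user != "root":
            findings.append((n, f"{user}: non-root account with UID 0"))
        if not home.startswith("/") or not isdir(home):
            findings.append((n, f"{user}: invalid home directory {home}"))
    return findings

def check_exports(text):
    """Linux /etc/exports entries with no client list, wildcards, or remote root write."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            findings.append((n, f"{path}: exported to every host"))
        for client in clients:
            host, _, opts = client.partition("(")
            opts = opts.rstrip(")").split(",")
            if host == "" or any(c in host for c in "*?"):
                findings.append((n, f"{path}: wildcard client {host or '*'}"))
            if "rw" in opts and "no_root_squash" in opts:
                findings.append((n, f"{path}: remote root write access from {host or '*'}"))
    return findings

# Constructed sample inputs; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
toor::0:0:backup root:/:/bin/sh
guest:x:1001:1001:Guest:/home/nosuchdir:/bin/sh
"""
SAMPLE_EXPORTS = """\
/export/home 192.0.2.0/24(rw,root_squash)
/export/tools *(rw,no_root_squash)
/export/pub
"""

if __name__ == "__main__":
    print(check_passwd(SAMPLE_PASSWD), check_exports(SAMPLE_EXPORTS))
```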