AuditPro Enterprise™

©Network Intelligence India

http://www.niiconsulting.com


Date of Audit : 26/11/2008
Time: 13:12:15
System: linux
Hostname: 192.168.0.201

  Legend  
 
Symbol Description
High: This represents the highest possible risk level. Such a vulnerability will in all likelihood allow an attacker partial or complete access to the system. These vulnerabilities must be addressed immediately by either patching the system, or changing the configuration.
Medium: This represents a medium risk vulnerability. Such a vulnerability would typically allow an attacker a limited level of access to the system, but this would not usually be a super user or administrative level of access. These vulnerabilities must be addressed in the short term.
Low: This represents a low risk vulnerability. It may not necessarily result in a system compromise by itself, but in conjunction with other medium or high risk vulnerabilities it may allow an attacker considerable access to the system. Such vulnerabilities must be addressed in the short to medium term.
Compliant: This sign represents adherence to the security policy. Usually, this is the case if no violations have been found.
Informational: This represents a finding for which no policy match could be found, or which is purely for information purposes. It does not represent a vulnerability. Normally, no action needs to be taken in such cases.
WVS: The Weighted Vulnerability Score (WVS) is calculated using the formula: (Low x 1) + (Medium x 2) + (High x 3)
 
     


Table of Contents


General Information

     1. Operating system information
     2. Drive information
     3. CPU information

Network Security

     4. Open ports
     5. Services
     6. Network card configuration
     7. Routing table
     8. Banners
     9. FTP users
     10. Xinetd checks
     11. .rhosts files

Users and Groups

     12. Generic accounts
     13. Members of wheel group
     14. System users having false shell
     15. System users are locked out
     16. Dangerous accounts
     17. User ID 0
     18. Users without password
     19. Password expiry

System Environment

     20. Uptime
     21. Last reboots
     22. Currently logged on users
     23. Remote root logins
     24. Allowed terminals for root login
     25. Memory status
     26. Current processes
     27. Single user boot protection
     28. PATH environment variable check
     29. Root shell IFS

Filesystem Security

     30. Mounted partitions
     31. Disk usage
     32. Rootkit detection

Log Analysis

     33. Failed logins
     34. Critical system errors

Patch Checking

     35. Apache web server
     36. Squid proxy server
     37. OpenSSH daemon
     38. Kerberos v5 server
     39. Samba daemon
     40. Sendmail daemon
     41. MySQL
     42. proftpd
     43. vsftpd
     44. wu-ftpd

Percentage severity distribution

Weighted score for each probe


  General Information  

  Check : Operating system information  
 

Description:
This is the uname information from the system, identifying the operating system, kernel version, processor type and other related information.

CVE Reference No.:
Kernel Name: Linux
Kernel Version: 2.6.18-8.el5
Processor Type: i686
Hardware Platform: i386
Operating System: GNU/Linux



Solution:
This probe is purely for informational purposes, and no action is required.

 


  Check : Drive information  
 

Description:
This probe identifies the partitions, drive capacity and other related information.

CVE Reference No.:
Severity Drive information 
Disk /dev/sda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 14 112423+ 83 Linux
/dev/sda2 15 275 2096482+ 82 Linux swap / Solaris
/dev/sda3 276 24321 193149495 83 Linux



Solution:
This probe is purely for informational purposes, and no action is required.

 


  Check : CPU information  
 

Description:
This probe displays information about the CPU, such as its speed, vendor, cache size, etc.

CVE Reference No.:
Severity Attribute  Value 
processor 0
vendor_id GenuineIntel
cpu family 15
model 4
model name Intel(R) Pentium(R) 4 CPU 3.20GHz
stepping 3
cpu MHz 2800.000
cache size 2048 KB
physical id 0
siblings 2
core id 0
cpu cores 1
wp yes
processor 1
vendor_id GenuineIntel
cpu family 15
model 4
model name Intel(R) Pentium(R) 4 CPU 3.20GHz
stepping 3
cpu MHz 2800.000
cache size 2048 KB
physical id 0
siblings 2
core id 0
cpu cores 1
wp yes



Solution:
This probe is purely for informational purposes, and no action is required.

 


  Network Security  

  Check : Open ports  
 

Description:
This is the list of open ports along with the banners grabbed from the open ports. Any ports that are present in the disallowed list, and are found to be open are marked as high severity violations. Any ports that are in the allowed list and are found to be open are marked as compliance entries. The default disallowed list contains known Trojan and virus ports. The port scan also maps the open ports to known services. A port scan is typically the first stage in the security assessment exercise, and the output will help you determine the network exposure of your system.

CVE Reference No.: CVE-NO-MATCH
Severity Port  State  Process 
2208 LISTEN hpiod
775 LISTEN rpc.statd
904 LISTEN xinetd
111 LISTEN portmap
631 LISTEN cupsd
1241 LISTEN nessusd:
25 LISTEN sendmail:
2207 LISTEN python
N/A LISTEN sshd
N/A LISTEN nessusd:



Solution:
Make sure that only trusted services are keeping ports open. For instance, HTTP ports 80 or 443 should not be found open on a workstation. Ensure that there is a functional justification for keeping the ports open. If you wish to investigate a port, the first step would be to issue a 'netstat -antp' command on the target system, and determine ports that are in 'LISTENING' mode. This will also show the service that is keeping the particular port open. Make sure only known and fully patched services are responsible for the open ports. Also make sure that the services do not reveal the type and version of the software in the banner.

 


  Check : Services  
 

Description:
This probe lists out those services that are started through the /etc/rcx.d scripts at the various Unix run-levels. Some of these services, such as 'sendmail', may not be required. You can decide which services should be disabled, and which should be enabled, with the policy. Simply enter the name of the service as it shows up in the output of the 'chkconfig' command. Violations of and compliance with the policy are shown in the report.

CVE Reference No.: CVE-NO-MATCH
Severity Service  RunLevel 0  RunLevel 1  RunLevel 2  RunLevel 3  RunLevel 4  RunLevel 5  RunLevel 6 



Solution:
Ensure that all the services that are started during system boot are absolutely necessary. Disable unnecessary services by issuing the following command (for Linux):
chkconfig --level 123456 <service_name> off
Alternatively, you could locate the script that starts this service in the /etc/rc{1,2,3,4,5,6}.d directories. Change the name of the script so that it starts with a letter other than 'S' or 'K'. Files beginning with S are those that will be executed during system startup, and those beginning with K will be executed during system shutdown.

 


  Check : Network card configuration  
 

Description:
This probe determines the network interfaces connected to the machine. The output gives details of the interface name, IP address, MAC address, subnet mask, broadcast address, MTU and other network parameters associated with all the network devices attached to the server. Ensure that no interfaces are in promiscuous mode.

CVE Reference No.:
Severity Name  Options  Type  IP/CIDR  Broadcast Address 
lo LOOPBACK,UP,LOWER_UP loopback 127.0.0.1/8 00:00:00:00:00:00
eth0 BROADCAST,MULTICAST,UP,LOWER_UP ether 192.168.0.201/24 192.168.0.255
eth1 BROADCAST,MULTICAST ether N/A ff:ff:ff:ff:ff:ff
sit0 NOARP sit N/A 0.0.0.0



Solution:
Ensure that only the necessary network interface cards are configured and enabled on the system, and that none of them is in Promiscuous mode, unless this is an IDS sensor.

 


  Check : Routing table  
 

Description:
Ensure that there are no unnecessary routes to other networks as this increases the exposure of this system to other users. Unnecessary routing entries also provide additional information to an attacker if the system has been compromised as this system can then be used to compromise other systems. The default gateway should also be checked to see if it's the legitimate gateway and that it has not been modified to some other host, which might be a compromised host on the Internet or network.

CVE Reference No.:
Severity Destination  Gateway  Netmask  Interface 
192.168.0.0 * 255.255.255.0 eth0
169.254.0.0 * 255.255.0.0 eth0
default 192.168.0.1 0.0.0.0 eth0



Solution:
Ensure that the information is consistent with your network architecture, and contains the minimum possible information.

 


  Check : Banners  
 

Description:
This probe checks if a login banner with the appropriate content exists in the file /etc/issue. This file does not exist by default.

CVE Reference No.:
Severity General Banner 
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m



Solution:
Recommend that this file be created with a message giving the name of the organization, and warning that all access is monitored and any unauthorized access will be punishable as per the Company's Security Policy, as well as the law of the land pertaining to information systems. Ensure that the warning banner contains the following points:
1. The system is property of your organization.
2. The system is subject to monitoring.
3. Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of systems management and protection, protection against improper or unauthorized use or access, and verification of applicable security features or procedures.
4. Use of the system constitutes consent to monitoring.
5. Unauthorized use of this computer may subject the user to criminal prosecution and penalties.

 


  Check : FTP users  
 

Description:
If FTP is enabled, then the /etc/ftpusers file can be used to ensure that users listed in this file are NOT allowed to connect via FTP. This check determines that all the system users and privileged user accounts such as 'root' are entered into this file.

CVE Reference No.: CVE-NO-MATCH
Severity Username 
N/A



Solution:
Ensure that all system users on your Unix system as well as the 'root' account and any other sensitive accounts are listed in this file.

 


  Check : Xinetd checks  
 

Description:
The xinetd service is an enhanced version of the older inetd service, with security features that were never included in inetd. It is a super server that assists other network services such as FTP and Telnet. When a client tries to connect to an xinetd-based service on the host, like telnet, it connects first to the xinetd daemon. Xinetd receives the connection request and then starts an instance of the server program appropriate to the specific service. In the case of telnet, it starts in.telnetd. Xinetd provides service-specific configuration options, such as access control (which inetd needed TCP Wrappers to provide), logging, resource utilization, binding and redirection.

CVE Reference No.:
Severity Service 
vmware-authd



Solution:
Make sure only the necessary services are started by xinetd. If any violations are shown, you need to modify the configuration of that service in the /etc/xinetd.d folder, and then restart the xinetd service.

 


  Check : .rhosts files  
 

Description:
The $HOME/.rhosts (or .rlogin) file defines which remote hosts (computers on a network) can invoke certain commands on the local host without supplying a password. This file is a hidden file in the local user's home directory and must be owned by the local user. The format of the $HOME/.rhosts file is: HostNameField [UserNameField]. When a remote command executes, the local host uses the local /etc/hosts.equiv file and the $HOME/.rhosts file of the local user account to validate the remote host and remote user.

CVE Reference No.:
Severity .rhosts files 
find: /proc/14997/task/14997/fd/5: No such file or directory
find: /proc/14997/fd/5: No such file or directory



Solution:
Although you can set any permissions for this file, it is recommended that the permissions of the .rhosts file be set to 600 (read and write by owner only). Due to serious problems rlogin was rarely used across untrusted networks (like the public internet) and even in closed deployments it has fallen into relative disuse (with many Unix and Linux distributions no longer including it by default). Many networks which formerly relied on rlogin and telnet have replaced it with SSH and its rlogin-equivalent slogin.

 


  Users and Groups  

  Check : Generic accounts  
 

Description:
This probe determines the local accounts on the target system. The policy allows you to set regular expression based strings, which should never occur in an account name. These typically consist of generic names such as 'test', 'guest', 'vendor', etc. We strongly recommend you add to this list by including the name of your organization, city, line of business, etc. This probe does case insensitive pattern matching, so it will detect these strings if they occur anywhere in the username.

CVE Reference No.: CVE-NO-MATCH
Severity



Solution:
It is recommended to give unique names to each user account, which positively identifies the actual user. The use of generic names such as 'test' or 'admin', must be strongly prohibited, as it takes away accountability. Investigate any suspicious or generic account names that are marked in the output, and ensure that they are renamed to represent genuine users of the system.

 


  Check : Members of wheel group  
 

Description:
This probe determines the members of the 'wheel' group. It lists out any users that are members, but are not in the 'allowed' list as specified by the Policy. All users in the 'wheel' group have the right to 'su' to root.

CVE Reference No.:
Severity Current members 
root



Solution:
Make sure only trusted users are members of the 'wheel' group.

 


  Check : System users having false shell  
 

Description:
All system users must be given false shells to prevent an attacker from trying to create a backdoor by logging in using such an account. The list of invalid shells includes /sbin/nologin, /bin/false, and any others that you specify via the policy.

CVE Reference No.: CVE-NO-MATCH
Severity System User  Login Shell 
adm /sbin/nologin
apache /sbin/nologin
bin /sbin/nologin
daemon /sbin/nologin
ftp /sbin/nologin
games /sbin/nologin
gdm /sbin/nologin
gopher /sbin/nologin
halt /sbin/halt
lp /sbin/nologin
mail /sbin/nologin
mailnull /sbin/nologin
named /sbin/nologin
news N/A
nfsnobody /sbin/nologin
nobody /sbin/nologin
nscd /sbin/nologin
ntp /sbin/nologin
operator /sbin/nologin
pcap /sbin/nologin
rpc /sbin/nologin
rpcuser /sbin/nologin
rpm /sbin/nologin
shutdown /sbin/shutdown
smmsp /sbin/nologin
squid /sbin/nologin
sshd /sbin/nologin
sync /bin/sync
uucp /sbin/nologin
vcsa /sbin/nologin
webalizer /sbin/nologin
xfs /sbin/nologin



Solution:
Ensure that all system accounts (listed as inactive in the output of the 'last' command), have been assigned an invalid shell.

 


  Check : System users are locked out  
 

Description:
This probe checks if system users have been locked out by supplying an invalid password hash in the /etc/shadow file. This will prevent an attacker from using such an account as a backdoor for accessing the system.

CVE Reference No.: CVE-NO-MATCH
Severity System User  Lock Character(s) 
adm *
apache !!
bin *
daemon *
ftp *
games *
gdm !!
gopher *
halt *
lp *
mail *
mailnull !!
named !!
news *
nfsnobody !!
nobody *
nscd !!
ntp !!
operator *
pcap !!
rpc !!
rpcuser !!
rpm !!
shutdown *
smmsp !!
squid !!
sshd !!
sync *
uucp *
vcsa !!
webalizer !!
xfs !!



Solution:
Ensure that all system accounts have invalid hash values in their password fields.

 


  Check : Dangerous accounts  
 

Description:
Usually attackers will attempt to leave backdoors on a system that they have compromised. One of the ways in which this is done is by creating new user accounts in the /etc/passwd and /etc/shadow files. This probe determines if specific accounts exist, which may indicate that the server has been compromised. The account names checked for are those supplied in the policy.

CVE Reference No.:
Severity Username 



Solution:
Investigate why and how such account(s) got created in the first place. We recommend a thorough, in-depth forensics investigation bearing in mind, that there is a high likelihood that the server has been compromised.

 


  Check : User ID 0  
 

Description:
A User ID of 0 on the Unix system represents a super-user. This probe determines if there are any users other than root that have a user ID of 0 in the /etc/passwd file.

CVE Reference No.: CVE-NO-MATCH
Severity Username 
root



Solution:
If there is a violation of this policy, it must be dealt with immediately. We recommend a detailed forensics investigation to check how and under what circumstances another account with user ID 0 was created on the system. It may be the case that this system has been completely compromised.

 


  Check : Users without password  
 

Description:
All non-system users on the Unix system must have a valid password. This probe determines if the account has a non-blank entry in the second column of /etc/passwd.

CVE Reference No.: CVE-NO-MATCH
Severity Username 



Solution:
Ensure that all user accounts have a valid password, subject to password complexity requirements.

 


  Check : Password expiry  
 

Description:
This probe determines if the password expiry parameters in the /etc/shadow file are set as per the policy. The parameters considered are:

CVE Reference No.:
Severity User  Min. Days  Max. Days  Warning Days  Days Before Inactive  Last Change  Expiry 



Solution:
Ensure that the password aging parameters are set in accordance with your organizational security policy. For existing users, this can be done by using the 'chage' command, and on a system-wide level this can be done by setting the correct parameters in the /etc/login.defs file. These parameters are:
PASS_MIN_DAYS (number)
The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, a zero value will be assumed.

PASS_MIN_LEN (number)
The minimum number of characters in an acceptable password. An attempt to assign a password with fewer characters will be rejected. A zero value suppresses this check. If not specified, a zero value will be assumed.

PASS_MAX_DAYS (number)
The maximum number of days a password may be used. If the password is older than this, then the account will be locked. If not specified, a large value will be assumed.

PASS_WARN_AGE (number)
The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

 


  System Environment  

  Check : Uptime  
 

Description:
Checks how long the target Linux box has been running.

CVE Reference No.:
Severity System Uptime and number of currently logged on users 
13:16:02 up 3:10, 1 user, load average: 1.66, 0.91, 0.45



Solution:

 


  Check : Last reboots  
 

Description:
Checks when the Linux box was last rebooted.

CVE Reference No.:
Severity Day  Month  Date  Time  Relative Time 
Wed Nov 26 10:06 (03:09)
Tue Nov 25 09:52 (08:29)
Wed Nov 19 11:06 (5+07:09)
Wed Nov 19 08:31 (02:33)
Tue Nov 18 09:41 (08:54)
Mon Nov 17 09:53 (09:01)
Fri Nov 14 17:17 (01:10)
Fri Nov 14 12:37 (05:50)
Fri Nov 14 10:02 (08:25)
Thu Nov 13 09:51 (08:19)
Wed Nov 12 10:41 (08:11)
Tue Nov 11 09:44 (07:58)
Mon Nov 10 11:28 (22:13)
Mon Nov 10 10:05 (23:36)
Sat Nov 8 10:31 (06:35)
Fri Nov 7 11:37 (06:45)
Wed Nov 5 18:32 (1+16:57)
Tue Nov 4 20:21 (21:29)
Tue Nov 4 07:02 (13:17)
Tue Nov 4 03:54 (03:07)
Sun Nov 2 21:38 (06:43)
Sat Oct 25 02:55 (8+18:29)
Wed Jan 2 03:28 (2487+19:58)
Tue Jan 1 05:31 (08:42)
Thu Oct 23 11:06 (-2486+-20:-
Wed Oct 22 10:25 (09:49)
Sat Oct 18 16:38 (00:07)
Thu Oct 16 17:27 (02:53)
Thu Oct 16 10:23 (09:57)
Wed Oct 15 13:12 (03:39)
Tue Oct 14 17:26 (00:06)
Tue Oct 14 10:39 (06:41)
Mon Oct 13 10:54 (06:39)
Fri Oct 10 20:08 (01:06)
Fri Oct 10 18:12 (01:54)
Fri Oct 10 16:14 (01:30)
Thu Oct 9 18:53 (02:29)
Thu Oct 9 18:11 (03:10)
Thu Oct 9 17:57 (03:25)
Thu Oct 9 17:39 (03:42)
Mon Oct 6 15:41 (3+05:40)
Sat Oct 4 12:00 (04:33)
Fri Oct 3 10:50 (11:59)



Solution:

 


  Check : Currently logged on users  
 

Description:
Checks which users are currently logged in to the target Linux box.

CVE Reference No.:
Severity User  TTY  Month  Date  Time  From 



Solution:

 


  Check : Remote root logins  
 

Description:
Checks whether any user is connected to the target Linux box remotely.

CVE Reference No.:
Severity USER  TTY  FROM  DAY  MONTH  DATE  IN-TIME  OUT-TIME  DURATION 
root pts/1 192.168.0.55 Tue Nov 25 14:17 15:32 (01:14)
root pts/1 192.168.0.55 Wed Nov 19 12:18 16:14 (03:56)
root pts/1 192.168.0.55 Wed Jan 2 05:19 08:12 (02:53)
root pts/2 192.168.0.55 Tue Jan 1 11:49 12:19 (00:30)
root pts/2 192.168.0.55 Tue Jan 1 06:33 06:58 (00:24)
root pts/4 192.168.0.55 Wed Oct 8 02:49 05:49 (02:59)



Solution:

 


  Check : Allowed terminals for root login  
 

Description:
Checks which terminals are allowed for root logins, such as telnet, WinSCP, etc.

CVE Reference No.:
Severity Allowed Terminals 
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11



Solution:

 


  Check : Memory status  
 

Description:
This probe displays the free and consumed memory within the system.

CVE Reference No.:
Severity Attribute  Size 
Cached 414824 kB
SwapCached 0 kB
Active 453320 kB
Inactive 263128 kB
HighTotal 122044 kB
HighFree 252 kB
LowTotal 904404 kB
LowFree 100808 kB
SwapTotal 2096472 kB
SwapFree 2096472 kB
Dirty 3096 kB
Writeback 0 kB
AnonPages 187004 kB
Mapped 53192 kB
Slab 139216 kB
PageTables 3948 kB
NFS_Unstable 0 kB
Bounce 0 kB
CommitLimit 2609696 kB
Committed_AS 585664 kB
VmallocTotal 114680 kB
VmallocUsed 5576 kB
VmallocChunk 108660 kB
HugePages_Total 0
HugePages_Free 0
HugePages_Rsvd 0
Hugepagesize 4096 kB



Solution:
Check to see if enough memory is free. If not, check the output in the 'ps' or 'top' commands to determine which processes are consuming maximum memory.

 


  Check : Current processes  
 

Description:
This probe displays the running processes, process IDs, CPU usage, memory usage, and other related information.

CVE Reference No.:
Severity PID  RUSER  EUSER  %CPU  %MEM  DATE  ELAPSED_TIME  TTY  PROCESS 
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
2 root root 0.0 0.0 10:06 03:10:01 ? [migration/0]
3 root root 0.0 0.0 10:06 03:10:01 ? [ksoftirqd/0]
4 root root 0.0 0.0 10:06 03:10:01 ? [watchdog/0]
5 root root 0.0 0.0 10:06 03:10:01 ? [migration/1]
6 root root 0.0 0.0 10:06 03:10:01 ? [ksoftirqd/1]
7 root root 0.0 0.0 10:06 03:10:01 ? [watchdog/1]
10 root root 0.0 0.0 10:06 03:10:01 ? [khelper]
11 root root 0.0 0.0 10:06 03:10:01 ? [kthread]
15 root root 0.0 0.0 10:06 03:10:01 ? [kblockd/0]
16 root root 0.0 0.0 10:06 03:10:01 ? [kblockd/1]
17 root root 0.0 0.0 10:06 03:10:01 ? [kacpid]
125 root root 0.0 0.0 10:06 03:09:59 ? [cqueue/0]
126 root root 0.0 0.0 10:06 03:09:59 ? [cqueue/1]
129 root root 0.0 0.0 10:06 03:09:59 ? [khubd]
196 root root 0.0 0.0 10:06 03:09:59 ? [pdflush]
198 root root 0.0 0.0 10:06 03:09:59 ? [kswapd0]
199 root root 0.0 0.0 10:06 03:09:59 ? [aio/0]
200 root root 0.0 0.0 10:06 03:09:59 ? [aio/1]
364 root root 0.0 0.0 10:06 03:09:56 ? [kpsmoused]
394 root root 0.0 0.0 10:06 03:09:55 ? [ata/0]
395 root root 0.0 0.0 10:06 03:09:55 ? [ata/1]
396 root root 0.0 0.0 10:06 03:09:55 ? [ata_aux]
401 root root 0.0 0.0 10:06 03:09:55 ? [scsi_eh_1]
430 root root 0.0 0.0 10:06 03:09:49 ? [kauditd]
1329 root root 0.0 0.0 10:06 03:09:46 ? [hda_codec]
1529 root root 0.0 0.0 10:06 03:09:38 ? [kmirrord]
1553 root root 0.0 0.0 10:06 03:09:37 ? [kjournald]
1727 root root 0.0 0.0 10:06 03:09:34 ? cpuspeed
1728 root root 0.0 0.0 10:06 03:09:34 ? cpuspeed
2238 root root 0.0 0.0 10:06 03:09:21 ? irqbalance
2260 rpc rpc 0.0 0.0 10:06 03:09:21 ? portmap
2323 root root 0.0 0.0 10:06 03:09:21 ? rpc.idmapd
2378 root root 0.0 0.0 10:06 03:09:20 ? /usr/bin/vmnet-bridge
2408 root root 0.0 0.0 10:06 03:09:19 ? /usr/sbin/hcid
2414 root root 0.0 0.0 10:06 03:09:19 ? /usr/sbin/sdpd
2439 root root 0.0 0.0 10:06 03:09:19 ? [krfcommd]
2499 root root 0.0 0.0 10:06 03:09:18 ? /usr/bin/hidd
2519 root root 0.0 0.1 10:06 03:09:17 ? automount
2566 root root 0.0 0.0 10:06 03:09:16 ? /usr/sbin/acpid
2578 root root 0.0 0.0 10:06 03:09:16 ? ./hpiod
2595 root root 0.0 0.2 10:06 03:09:15 ? cupsd
2621 root root 0.0 0.0 10:06 03:09:15 ? xinetd
2639 ntp ntp 0.0 0.4 10:06 03:09:09 ? ntpd
2660 root root 0.0 0.1 10:06 03:09:08 ? sendmail:
2668 smmsp smmsp 0.0 0.1 10:06 03:09:08 ? sendmail:
2680 root root 0.0 0.0 10:06 03:09:08 ? gpm
2691 root root 0.0 0.1 10:06 03:09:08 ? crond
2755 root root 0.0 0.0 10:06 03:09:08 ? /usr/sbin/atd
2804 avahi avahi 0.0 0.1 10:06 03:09:03 ? avahi-daemon:
2805 avahi avahi 0.0 0.0 10:07 03:09:01 ? avahi-daemon:
2823 68 68 0.0 0.0 10:07 03:08:58 ? hald-addon-acpi:
2824 root root 0.0 0.1 10:07 03:08:58 ? /usr/libexec/hald-addon-cpufreq
2859 root root 0.0 1.5 10:07 03:08:09 ? nessusd:
2928 root root 0.0 0.0 10:07 03:08:08 ? /usr/sbin/smartd
2933 root root 0.0 0.0 10:07 03:08:08 tty1 /sbin/mingetty
2934 root root 0.0 0.0 10:07 03:08:08 tty2 /sbin/mingetty
2937 root root 0.0 0.0 10:07 03:08:08 tty3 /sbin/mingetty
2957 root root 0.0 0.0 10:07 03:08:08 tty4 /sbin/mingetty
2970 root root 0.0 0.0 10:07 03:08:08 tty5 /sbin/mingetty
2973 root root 0.0 0.0 10:07 03:08:08 tty6 /sbin/mingetty
3041 root root 0.0 0.1 10:07 03:08:07 ? /usr/sbin/gdm-binary
3441 vikash vikash 0.0 0.0 10:20 02:55:53 ? /usr/bin/ssh-agent
3444 vikash vikash 0.0 0.0 10:20 02:55:53 ? /usr/bin/dbus-launch
3454 vikash vikash 0.0 0.0 10:20 02:55:53 ? /usr/bin/gnome-keyring-daemon
3516 vikash root 0.0 0.0 10:20 02:55:52 ? /sbin/pam_timestamp_check
3517 vikash vikash 0.0 0.2 10:20 02:55:52 ? ./escd
3528 vikash vikash 0.0 0.1 10:20 02:55:52 ? /usr/libexec/gam_server
3544 vikash vikash 0.0 0.0 10:20 02:55:51 ? /usr/libexec/mapping-daemon
4581 vikash vikash 0.0 0.1 12:35 40:20 ? /bin/sh
4595 vikash vikash 0.0 0.1 12:35 40:20 ? /bin/sh
4679 vikash vikash 0.0 0.0 12:47 28:18 ? gnome-pty-helper
4747 root root 0.0 0.1 12:59 16:45 pts/1 su
4795 root root 0.0 0.1 13:02 13:18 pts/1 vi
4870 root root 0.0 0.0 13:08 07:22 ? /usr/sbin/sshd
14949 root root 0.0 0.1 13:14 01:57 ? bash
14966 root root 0.0 0.0 13:14 01:57 ? ./AUDITPRO
131 root root 0.0 0.0 10:06 03:09:59 ? [kseriod]
400 root root 0.0 0.0 10:06 03:09:55 ? [scsi_eh_0]
2226 root root 0.0 0.0 10:06 03:09:21 ? klogd
2289 root root 0.0 0.0 10:06 03:09:21 ? rpc.statd
2583 root root 0.0 0.4 10:06 03:09:15 ? python
2724 xfs xfs 0.0 0.1 10:06 03:09:08 ? xfs
3480 vikash vikash 0.0 0.4 10:20 02:55:52 ? gnome-volume-manager
2817 root root 0.0 0.0 10:07 03:08:59 ? hald-runner
3484 vikash vikash 0.0 0.2 10:20 02:55:52 ? /usr/libexec/gnome-vfs-daemon
3507 vikash vikash 0.0 0.4 10:20 02:55:52 ? pam-panel-icon
8 root root 0.0 0.0 10:06 03:10:01 ? [events/0]
9 root root 0.0 0.0 10:06 03:10:01 ? [events/1]
2860 root root 0.0 1.6 10:07 03:08:09 ? nessusd:
3037 root root 0.0 0.2 10:07 03:08:07 ? /usr/sbin/gdm-binary
2976 root root 0.0 0.3 10:07 03:08:08 ? /usr/sbin/gdm-binary
3493 vikash vikash 0.0 0.4 10:20 02:55:52 ? bt-applet
197 root root 0.0 0.0 10:06 03:09:59 ? [pdflush]
3445 vikash vikash 0.0 0.0 10:20 02:55:53 ? /bin/dbus-daemon
2223 root root 0.0 0.0 10:06 03:09:22 ? syslogd
2207 root root 0.0 0.0 10:06 03:09:22 ? auditd
3482 vikash vikash 0.0 0.7 10:20 02:55:52 ? eggcups
3548 vikash vikash 0.0 0.7 10:20 02:55:51 ? /usr/libexec/notification-area-applet
2827 68 68 0.0 0.0 10:07 03:08:56 ? hald-addon-keyboard:
3550 vikash vikash 0.0 0.9 10:20 02:55:51 ? /usr/libexec/clock-applet
2209 root root 0.0 0.3 10:06 03:09:22 ? python
2478 root root 0.0 0.1 10:06 03:09:18 ? pcscd
3382 vikash vikash 0.0 0.6 10:20 02:55:54 ? /usr/bin/gnome-session
3534 vikash vikash 0.0 0.8 10:20 02:55:52 ? /usr/libexec/trashapplet
3505 vikash vikash 0.0 0.9 10:20 02:55:52 ? nm-applet
3486 vikash vikash 0.0 0.2 10:20 02:55:52 ? /usr/libexec/bonobo-activation-server
3546 vikash vikash 0.0 1.0 10:20 02:55:51 ? /usr/libexec/mixer_applet2
402 root root 0.0 0.0 10:06 03:09:51 ? [kjournald]
3501 vikash vikash 0.0 1.2 10:20 02:55:52 ? /usr/bin/python
3513 vikash vikash 0.0 0.5 10:20 02:55:52 ? gnome-power-manager
3451 vikash vikash 0.0 0.3 10:20 02:55:53 ? /usr/libexec/gconfd-2
464 root root 0.0 0.0 10:06 03:09:48 ? /sbin/udevd
1 root root 0.0 0.0 10:06 03:10:01 ? init
4750 root root 0.0 0.1 12:59 16:45 pts/1 -bash
2839 root root 0.0 0.0 10:07 03:08:56 ? hald-addon-storage:
4680 vikash vikash 0.0 0.1 12:47 28:18 pts/1 bash
3542 vikash vikash 0.0 2.1 10:20 02:55:51 ? /usr/bin/python
2397 dbus dbus 0.0 0.0 10:06 03:09:19 ? dbus-daemon
3477 vikash vikash 0.0 1.5 10:20 02:55:53 ? nautilus
3456 vikash vikash 0.0 0.7 10:20 02:55:53 ? /usr/libexec/gnome-settings-daemon
2384 root root 0.0 1.3 10:06 03:09:19 ? /usr/sbin/vmware-serverd
2792 root root 0.0 1.2 10:06 03:09:03 ? /usr/bin/python
3600 vikash vikash 0.0 0.4 10:20 02:55:28 ? gnome-screensaver
2816 68 68 0.0 0.3 10:07 03:08:59 ? hald
3475 vikash vikash 0.0 1.4 10:20 02:55:53 ? gnome-panel
14947 root root 0.0 0.2 13:14 01:58 ? sshd:
3532 vikash vikash 0.0 1.0 10:20 02:55:52 ? /usr/libexec/wnck-applet
3471 vikash vikash 0.0 0.8 10:20 02:55:53 ? metacity
4676 vikash vikash 0.0 1.1 12:47 28:18 ? gnome-terminal
3355 root root 1.4 2.1 10:19 02:56:22 tty7 /usr/bin/Xorg
4600 vikash vikash 3.8 7.9 12:35 40:20 ? /usr/local/firefox/firefox-bin



Solution:
Ensure that no single process is hogging maximum CPU or memory.

 


  Check : Single user boot protection  
 

Description:

CVE Reference No.:
Severity Status 
Single User boot mode is not password protected through 'sulogin'



Solution:
Set a strong password for Single User boot mode.

 


  Check : PATH environment variable check  
 

Description:
Checks the value of the PATH environment variable.

CVE Reference No.:
Severity Status 
No period at end of the path environment variable for 'root'
Root directory (/) not found in path environment variable for 'root'
Double colon (::) not found in path environment variable for 'root'



Solution:

 


  Check : Root shell IFS  
 

Description:
Checks the IFS (internal field separator) environment variable of the root shell.

CVE Reference No.:
Severity Status 
Forward slash(/) not present in IFS environment variable for 'root'



Solution:

 


  Filesystem Security  

  Check : Mounted partitions  
 

Description:
This probe determines the mounted partitions and their parameters.

CVE Reference No.:
Severity Filesystem  Mounted On  Type  Mode 
/dev/sda3 / ext3 (rw)
proc /proc proc (rw)
sysfs /sys sysfs (rw)
devpts /dev/pts devpts (rw,gid=5,mode=620)
/dev/sda1 /boot ext3 (rw)
tmpfs /dev/shm tmpfs (rw)
none /proc/sys/fs/binfmt_misc binfmt_misc (rw)
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs (rw)



Solution:
This is an informational probe and usually does not require any fix to be applied.

 


  Check : Disk usage  
 

Description:
This probe determines if disk usage has crossed a preset limit as defined in the policy.

CVE Reference No.:
Severity  Filesystem  1K-blocks  Used      Available  Use%  Mounted on
          /dev/sda3   187099416  22547488  154894456  13%   /
          /dev/sda1   108865     10125     93119      10%   /boot
          tmpfs       513224     0         513224     0%    /dev/shm



Solution:
Free disk space by backing up and cleaning log files, removing unnecessary packages, etc. Very high disk usage can slow the system down or even bring it to a complete halt.

 


  Check : Rootkit detection  
 

Description:
This probe checks for the presence of rootkits on the system. It checks for both normal and LKM rootkits using information about open network connections, processes, and other parameters that could indicate the presence of a rootkit.

CVE Reference No.:
Severity chkrootkit results 



Solution:
We sincerely hope that the output from this tool is an all-clear. If it is not, you need to carry out a full forensic examination of the system. Some of the tools that may be used are 'lsof', to list all open files and network connections for the various processes, and 'stat', to check the last modification and creation times of system utilities such as 'netstat', 'ps', 'strings', etc. Bear in mind that these utilities and commands may themselves have been Trojaned, so run them from write-protected media such as a CD-ROM.

 


  Log Analysis  

  Check : Failed logins  
 

Description:
This probe parses the /var/log/secure file and looks for strings matching 'Failed' or 'Illegal', or those specified via the Policy Editor. It determines which security log entries are related to failed login attempts. Although such events are typical on a large network, repeated entries from the same workstation might indicate something malicious.

CVE Reference No.:
Severity Logged event 
Oct 14 10:39:53 pt sshd[2362]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 14 17:26:53 pt sshd[2395]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 15 13:12:57 pt sshd[2364]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 16 10:23:24 pt sshd[2570]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 16 17:27:26 pt sshd[2637]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 18 16:39:19 pt sshd[2581]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 22 10:25:56 pt sshd[2579]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 23 11:07:11 pt sshd[2583]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Jan 1 05:31:54 pt sshd[2438]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Jan 2 04:58:45 pt sshd[2410]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Oct 25 04:26:01 pt sshd[2615]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 2 23:09:07 pt sshd[2609]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 4 05:24:26 pt sshd[2610]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 4 08:33:02 pt sshd[2603]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 4 21:51:56 pt sshd[2606]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 5 20:02:43 pt sshd[2599]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 7 11:38:06 pt sshd[2605]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 8 10:31:37 pt sshd[2607]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 10 10:05:52 pt sshd[2608]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 10 11:28:33 pt sshd[2628]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 11 09:44:43 pt sshd[2610]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 12 10:41:34 pt sshd[2607]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 13 09:52:09 pt sshd[2602]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 14 10:02:49 pt sshd[2607]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 14 12:37:52 pt sshd[2630]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 14 17:17:54 pt sshd[2626]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 17 09:54:15 pt sshd[2606]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 17 14:17:05 pt unix_chkpwd[13123]: password check failed for user (vikash)
Nov 18 09:41:21 pt sshd[2602]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 19 08:31:33 pt sshd[2606]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 19 11:02:27 pt unix_chkpwd[5183]: password check failed for user (vikash)
Nov 19 11:02:29 pt unix_chkpwd[5186]: password check failed for user (vikash)
Nov 19 11:06:27 pt sshd[2605]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 19 16:13:03 pt unix_chkpwd[4120]: password check failed for user (vikash)
Nov 20 13:39:23 pt unix_chkpwd[9261]: password check failed for user (vikash)
Nov 20 13:39:25 pt unix_chkpwd[9263]: password check failed for user (vikash)
Nov 20 15:54:04 pt unix_chkpwd[9864]: password check failed for user (vikash)
Nov 20 16:26:53 pt sshd[10024]: fatal: Write failed: Connection reset by peer
Nov 20 17:28:07 pt unix_chkpwd[10243]: password check failed for user (vikash)
Nov 21 10:15:01 pt unix_chkpwd[13203]: password check failed for user (vikash)
Nov 21 10:15:03 pt unix_chkpwd[13205]: password check failed for user (vikash)
Nov 21 10:15:05 pt unix_chkpwd[13207]: password check failed for user (vikash)
Nov 21 10:15:09 pt unix_chkpwd[13209]: password check failed for user (vikash)
Nov 21 10:15:11 pt unix_chkpwd[13211]: password check failed for user (vikash)
Nov 21 10:15:20 pt unix_chkpwd[13213]: password check failed for user (vikash)
Nov 21 10:15:22 pt unix_chkpwd[13215]: password check failed for user (vikash)
Nov 21 10:15:47 pt unix_chkpwd[13217]: password check failed for user (vikash)
Nov 21 10:15:50 pt unix_chkpwd[13219]: password check failed for user (vikash)
Nov 21 10:15:51 pt unix_chkpwd[13221]: password check failed for user (vikash)
Nov 21 10:15:53 pt unix_chkpwd[13223]: password check failed for user (vikash)
Nov 21 16:58:07 pt unix_chkpwd[15415]: password check failed for user (vikash)
Nov 24 17:05:02 pt unix_chkpwd[7354]: password check failed for user (vikash)
Nov 25 09:53:04 pt sshd[2606]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 25 10:50:05 pt sshd[3480]: Failed password for root from 192.168.0.55 port 4726 ssh2
Nov 25 18:21:31 pt unix_chkpwd[5225]: password check failed for user (vikash)
Nov 26 10:06:48 pt sshd[2609]: error: Bind to port 30 on 0.0.0.0 failed: Address already in use.
Nov 26 13:08:40 pt sshd[4870]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.



Solution:
We recommend that you analyze the entries shown in this probe to determine whether there were repeated failed login attempts from the same workstation, with the same or differing user names, within a short span of time. This type of activity typically indicates malicious attempts to brute-force the system login. Most entries for failed logins consist of genuine users mistakenly entering their passwords; however, these would be limited to 4 or 5 failed attempts, after which a normal user would typically contact a system administrator or their account would be locked out.

 


  Check : Critical system errors  
 

Description:

CVE Reference No.:
Severity



Solution:

 


  Patch Checking  

  Check : Apache web server  
 

Description:
Apache is the most widely used HTTP server in the world today. It surpasses all free and commercial competitors on the market and provides a myriad of features, more than the nearest competitor could give you on a UNIX variant. It is also the most used web server on Linux systems. A web server like Apache, in its simplest function, is software that serves HTML pages hosted on a server to a client browser that understands the HTML code. Combined with third-party modules and programs, it can become powerful software that provides strong and useful services to a client browser.

CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : Squid proxy server  
 

Description:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.

CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : OpenSSH daemon  
 

Description:
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : Kerberos v5 server  
 

Description:
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : Samba daemon  
 

Description:
Samba is comprised of three daemons (smbd, nmbd, and winbindd). Two services (smb and winbind) control how the daemons are started and stopped, along with other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.


CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : Sendmail daemon  
 

Description:
Sendmail originated in the early days of the modern Internet, an era when security was not a primary consideration in the development of network software.

CVE Reference No.:
Severity Vulnerability 
No vulnerabilities found

 


  Check : MySQL  
 

Description:
MySQL is an open source relational database management system (RDBMS) that uses Structured Query Language (SQL), the most popular language for adding, accessing, and processing data in a database. Because it is open source, anyone can download MySQL and tailor it to their needs in accordance with the general public license.

CVE Reference No.:
Severity Vulnerability 
Software not found on the system

 


  Check : proftpd  
 

Description:
ProFTPd is an FTP server. Its website promotes it as stable and secure when configured properly, and the ProFTPd project describes it as "Highly configurable GPL-licensed FTP server software".

CVE Reference No.:
Severity Vulnerability 
Software not found on the system

 


  Check : vsftpd  
 

Description:
vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server for UNIX-like systems, including Linux. It is licensed under the GNU General Public License and supports IPv6 and SSL. vsftpd is the default FTP server in Ubuntu, Fedora Core, Red Hat Enterprise Linux and a number of other distributions.

CVE Reference No.:
Severity Vulnerability 
Software not found on the system

 


  Check : wu-ftpd  
 

Description:
The Washington University FTP server (wu-ftpd) was one of the most widely used Unix FTP daemons.

CVE Reference No.:
Severity Vulnerability 
Software not found on the system

 
