User's Manual

Solaris 9 Security CX-310-301
Using the find Command
If you do not have access to a fingerprinting tool, then the find command is the next best utility for
detecting unauthorized access to a system. The find command has several useful options; the relevant ones
for this scenario include:
• Checking files owned by the root user
• Checking for set-uid and set-gid programs
• Looking for recently modified files
The following examples show how to use each of these facilities:
• The first example demonstrates how to look for files owned by the root user in a user’s home
directory – somewhere you wouldn’t expect to find them!
# find /export/home/testuser -user root -exec ls -l {} \;
-rw-r--r-- 1 root staff 19084 Apr 8 23:35 /export/home/testuser/ls
The listing has revealed a copy of the ls command residing in the home directory of the testuser user.
Whilst these occurrences might prove to be quite innocent, or accidental, this command highlights items
that should be investigated.
• This example shows all of the files in /usr/bin that have the set-uid bit set and executes a long
listing. For this check, you would be looking for unexpected additional set-uid programs that an
attacker might install for later use. The example here shows a listing of a single directory, but you
would normally want to widen the search to include complete file systems.
# find /usr/bin -perm -4000 -exec ls -l {} \;
-r-sr-xr-x 1 root sys 12548 Feb 25 2003 /usr/bin/sparcv7/newtask
-r-sr-xr-x 2 root bin 11248 Apr 7 2002 /usr/bin/sparcv7/uptime
-r-sr-xr-x 2 root bin 11248 Apr 7 2002 /usr/bin/sparcv7/w
-rwsr-xr-x 1 root sys 37824 Dec 13 2002 /usr/bin/at
-rwsr-xr-x 1 root sys 13916 Apr 6 2002 /usr/bin/atq
-rwsr-xr-x 1 root sys 12836 Apr 6 2002 /usr/bin/atrm
-r-sr-xr-x 1 root bin 17180 Aug 7 2003 /usr/bin/crontab
-r-sr-xr-x 1 root bin 14276 Apr 7 2002 /usr/bin/eject
-r-sr-xr-x 1 root bin 25964 Apr 6 2002 /usr/bin/fdformat
-r-sr-xr-x 1 root bin 29492 Apr 6 2002 /usr/bin/login
-rwsr-xr-x 1 root sys 7616 Apr 6 2002 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 21964 Apr 7 2002 /usr/bin/passwd
-r-sr-xr-x 1 root bin 9644 Apr 7 2002 /usr/bin/pfexec
-r-sr-xr-x 1 root sys 22292 Apr 7 2002 /usr/bin/su
-r-s--x--x 1 uucp bin 54740 Apr 7 2002 /usr/bin/tip
-r-sr-xr-x 1 root sys 17432 Feb 25 2003 /usr/bin/sparcv9/newtask
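
One way to make the set-uid check above repeatable, as an added example that is not part of the original guide: record the set-uid and set-gid files once on a known-good system, then report anything that appears or disappears later. The function names, the baseline file and the scratch tree are assumptions made for this illustration; the comparison is by path only, so a file replaced at the same path is not detected.

```shell
#!/bin/sh
# Added example (not from the study guide): diff set-uid/set-gid files against a baseline.

# Print the sorted paths of regular files under directory $1 that have the
# set-uid (4000) or set-gid (2000) bit set.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print files that are privileged now but absent from baseline file $2.
# comm -13 keeps only the lines unique to its second input (stdin here).
new_privileged() {
    list_privileged "$1" | comm -13 "$2" -
}

# Print baseline entries that no longer exist or have lost the bit.
missing_privileged() {
    list_privileged "$1" | comm -23 "$2" -
}

# Constructed demonstration on a scratch tree; no system files are touched.
demo() {
    work="${TMPDIR:-/tmp}/suidcheck.$$"
    mkdir -p "$work/bin" "$work/home/testuser" || return 1
    : > "$work/bin/at"; : > "$work/bin/su"
    chmod 4755 "$work/bin/at" "$work/bin/su"
    list_privileged "$work" > "$work.baseline"     # known-good snapshot

    : > "$work/home/testuser/ls"                   # constructed "unexpected" file
    chmod 4755 "$work/home/testuser/ls"
    chmod 0755 "$work/bin/at"                      # bit removed since baseline

    echo "New set-uid/set-gid files:";  new_privileged "$work" "$work.baseline"
    echo "Gone or no longer set-uid:";  missing_privileged "$work" "$work.baseline"
    rm -rf "$work" "$work.baseline"
}

demo
```

On a real system the baseline would be taken over complete file systems, as the text recommends, and kept somewhere an intruder cannot rewrite it.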