
ncops
A quick and easy file security scanner for HP-UX, Solaris and Linux
News
Version 2.02 was released on March 28th 2006.
Overview
ncops uses a recursive algorithm that scans the entire filesystem of a UNIX
server and reports every file and directory that is world-writable.
It is easy to automate. Exclusions can be made using a pre-defined list.
Non-root users can run it in a limited fashion, although only root can
do a complete scan.
Reports can be generated in plain text, HTML, or MIME email format.
ncops replaces Daniel Farmer and Gene Spafford's
is_able and suid checks that come with their well-known
COPS security software, published at USENIX in 1990. Unlike the way
COPS was designed, the check is exclusive rather than inclusive: this makes
it ideal for scanning a system without knowing what is on it, as you can be sure you won't
miss anything.
Screenshots
HTML Report: [screenshot]
ASCII Report: [screenshot]
Suggested uses
ncops can be used in the following situations:
- Day-to-day scan of a normal system;
- Scanning a bastion host prior to installing it on an insecure network;
- One-time security check of any system (a good tool for consultants).
Supported platforms
ncops was developed on HP-UX but has been successfully tested on the following
systems with their own implementation of ksh88 or pdksh:
- HP-UX 11.0
- HP-UX 11.11
- Solaris 9 (limited testing)
- Linux 2.x
It should be easy to port to other unices.
ncops is a Korn shell script that relies on a few external utilities:
- A working ksh, pdksh or POSIX shell
- modebits, an external C program (included with ncops) that runs as a co-process to
determine the mode bits of files and directories
- GNU find,
which makes ncops portable to many unices without depending on your vendor's
implementation of find. GNU find also has many more command-line options,
some of which ncops uses.
Licence
ncops is released under the GPL.
Download, install and run instructions
Download
Grab the source here: ncops-2.02.tar.gz
Install
- First of all, get a working copy of GNU find, as I do not include it
with my package. It comes as the stock find on Linux, but on other platforms, if you
don't have GNU find, you should be able to download it in the findutils package
from Sunfreeware.com or the
HP-UX Porting Center.
- Extract the tar file. The archive untars into ./ncops, so you can move
it where you want afterwards. I suggest you move it directly into /opt.
$ gunzip ncops-2.02.tar.gz
$ tar xvf ncops-2.02.tar
$ mv ./ncops /opt
- Compile /opt/ncops/src/modebits.c with your favourite ANSI C compiler,
then move the binary into /opt/ncops/bin. For example, with GCC one would type:
$ cd /opt/ncops/src
$ gcc -o modebits -O3 modebits.c
$ mv modebits /opt/ncops/bin
- Run modebits on a file to be sure it actually works. It prints the 4 octal digits of
your file's mode bits. For example, running it on /tmp might return 1777.
$ /opt/ncops/bin/modebits /tmp
1777
- Once the ncops depot is installed and the modebits binary works, open
/opt/ncops/etc/ncops.config in a text editor and edit the values for your platform.
Everything is commented in the file.
$ vi /opt/ncops/etc/ncops.config
Run
To run ncops, simply type "/opt/ncops/bin/ncops.ksh" and it will start scanning
your filesystem. By default it does not use any exclude file. If you want to use one,
edit the file ncops.exclude.example and either set it as the default
file in the script's configuration values or pass it with the -excluded_list option.
Many command-line options are available; type "ncops.ksh -help" to see them.
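The core check ncops performs, as an added example in portable shell that is not ncops' own code: a function that reports world-writable files and directories under a root and honours a prefix exclusion list, flagging sticky-bit directories such as /tmp so they can be told apart from a plain 777 directory. It assumes GNU find (for -printf, which avoids one stat fork per entry), and the exclusion file format (one path prefix per line, # comments) is an assumption, not ncops' own format.

```shell
#!/bin/sh
# Added example, not part of ncops: report world-writable files and
# directories under a root, skipping paths listed in an exclusion file.
# Assumes GNU find (for -printf). Exclusion file format is assumed:
# one path prefix per line; blank lines and lines starting with # ignored.
# Output: one line per finding, "<octal mode> <type> <note> <path>",
# where <note> is "sticky" for a sticky-bit directory (like /tmp), else "-".

ww_scan() {
    root=$1
    exclude_file=${2:-}
    # -perm -002: the "other" write bit is set, whatever the rest of the mode.
    # -printf gives mode and type in one pass, with no stat(1) fork per entry,
    # the same concern that makes ncops use modebits as a co-process.
    find "$root" \( -type f -o -type d \) -perm -002 -printf '%m %y %p\n' 2>/dev/null |
    while read -r mode type path; do
        if excluded "$path" "$exclude_file"; then
            continue
        fi
        note=-
        # %m prints the mode without a leading zero; a 4-digit value whose
        # first digit has the 1 bit (1,3,5,7) carries the sticky bit.
        if [ "$type" = d ]; then
            case $mode in [1357]???) note=sticky ;; esac
        fi
        printf '%s %s %s %s\n' "$mode" "$type" "$note" "$path"
    done
}

# Return 0 (true) when the path equals, or lies under, a prefix from the file.
excluded() {
    p=$1
    f=$2
    [ -n "$f" ] && [ -r "$f" ] || return 1
    while read -r prefix; do
        case $prefix in ''|'#'*) continue ;; esac
        case $p in "$prefix"|"$prefix"/*) return 0 ;; esac
    done < "$f"
    return 1
}
```

Paths containing a newline are not handled by the line-oriented read, which matches the page's own caveat about funky file names.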
Known bugs and limits
Large files are not supported by modebits
modebits returns an error when asked for the mode of a file larger than 2 GB.
Such files are becoming more and more common, so I will fix this eventually.
However, there doesn't seem to be a POSIX-standardised stat64() call, so I cannot
make any guarantees on portability.
Limited recursive calls
ksh88 can do up to 128 recursive calls, so you are limited to a directory depth of 128.
Beyond that the script stops scanning and goes back to the parent directory. However,
directories nested more than 128 levels deep are extremely rare (I have never seen one in my
career) and it shouldn't be a problem on your server.
Limited open files
A pipe is opened for each recursive call, so the limit on open files also limits
the directory depth. If this causes you problems, you will have to raise your system's
maximum number of open files to around 128.
Files with funky names
Files with unusual characters in their names might cause problems, but the script should not abort; it will simply not check them. It seems to work with names containing spaces, "*" and
the like, but I haven't pushed my testing as far as control characters.
Rename these files if you can.
FAQ
Can I use this with something other than the vendor's ksh88?
- Bash can't work because it doesn't support co-processes. Running
it without modebits as a co-process means one fork for each file on the system, which is far too slow. There might be a workaround, but I won't spend time on it; if anyone finds one, please let me know. Using bash would be great because it has been ported to many different platforms
and would reduce the porting effort.
- The current version of ksh93 (as of March 2003) does not seem to work well
with deep recursion, but I suggest you give it a try: it is twice as fast as ksh88.
- The POSIX shell works as well as ksh88.
- I did some limited testing with pdksh and it seems to work well.
My system does not have GNU find installed! How do I install it?
It is beyond the scope of this page to explain how, but basically
you can download the sources from GNU's site and compile them yourself, or get
pre-compiled packages from your favourite porting center. The package containing
GNU find is named findutils.
Doesn't this script make a zillion forks?
Actually, no: it uses modebits as a co-process, which keeps the number of
forks to a minimum. It runs fairly fast considering it's not a Perl script.
Olivier S. Masse 
Last update: October 20th 2006