/usr/lib/tiger/html/linux.html is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o644.
<HR><PRE>
</PRE><HR>
<CENTER><H2> Documents for linux</H2></CENTER>
<A NAME="lin001w"><P><B>Code [lin001w]</B><P>
A program installed on your system was probably not installed
by a package of your Linux packaging system. If this binary was
installed by the administrator, note that /usr/local/ is the
place for such files.
<PRE>
</PRE><HR>
<A NAME="lin002i"><P><B>Code [lin002i]</B><P>
Installed processes listening on Internet-facing interfaces must be
tightly controlled, since they are the "open doors" to the
outside.
<PRE>
</PRE><HR>
<A NAME="lin003w"><P><B>Code [lin003w]</B><P>
Processes that have not been run by root are listening on
interfaces open to the outside. These processes might have been
run by root and then changed uids, or they might be rogue processes.
Confirm whether their presence is necessary.
Notice that services sometimes open sporadic UDP listeners to
perform DNS requests; if you receive reports on open UDP services
that are later closed, this might be a false positive.
<PRE>
</PRE><HR>
<A NAME="lin004i"><P><B>Code [lin004i]</B><P>
Netstat can be used instead of lsof to provide information
on listening processes; however, it provides less information, since it
cannot determine the process (or PID) associated with the open socket
or the user that runs it.
<PRE>
</PRE><HR>
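The following is an added example, not tiger's own code: it applies the lin003w check to the output of lsof (the command lin004i recommends), reporting sockets that are bound to a non-loopback address and owned by a user other than root. It assumes `lsof -i -n -P` column layout and uses a constructed sample of that output.

```shell
# Added example (not part of tiger): list sockets that are open to the outside
# and owned by a non-root user, from the output of `lsof -i -n -P`.  Columns are
# assumed to be lsof's: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with
# NAME like "*:22 (LISTEN)", "127.0.0.1:631 (LISTEN)" or "[::]:3000 (LISTEN)".
# TCP sockets count only in LISTEN state; UDP sockets count unless connected.
# Prints one line per finding: protocol, bound address, user, command[pid].
nonroot_listeners() {
    awk '
    NR == 1 && $1 == "COMMAND" { next }                 # lsof header line
    {
        user = $3; proto = $8; name = $9; state = $10
        if (proto != "TCP" && proto != "UDP") next
        if (proto == "TCP" && state != "(LISTEN)") next   # established/closing
        if (proto == "UDP" && index(name, "->") > 0) next # connected UDP socket
        addr = name; sub(/:[0-9]+$/, "", addr)           # strip the port
        if (addr == "127.0.0.1" || addr == "[::1]") next # loopback only
        if (user == "root") next
        printf "%-4s %-22s %-8s %s[%s]\n", proto, name, user, $1, $2
    }'
}

# Constructed sample of `lsof -i -n -P` output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812    root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd     901    root    6u  IPv4  12399      0t0  TCP 127.0.0.1:631 (LISTEN)
python3  2210     www    4u  IPv4  33102      0t0  TCP *:8000 (LISTEN)
python3  2210     www    5u  IPv4  33103      0t0  TCP 192.168.1.5:8000->10.0.0.9:51344 (ESTABLISHED)
named    1432    bind   20u  IPv4  21000      0t0  UDP 0.0.0.0:53
ntpd     1500     ntp   16u  IPv4  21010      0t0  UDP 127.0.0.1:123
node     3001   alice    9u  IPv6  44120      0t0  TCP [::]:3000 (LISTEN)'

# Run against the sample; on a live host use: lsof -i -n -P | nonroot_listeners
printf '%s\n' "$SAMPLE_LSOF" | nonroot_listeners
```

For the sample the three findings are the www, bind and alice sockets; the loopback-only ntpd and cupsd sockets and the root-owned sshd listener are not reported.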
<A NAME="lin005f"><P><B>Code [lin005f]</B><P>
On Debian systems, package checksums are stored in /var/lib/dpkg/info/.
If the md5sum of a file differs from the checksum recorded by the installed
package, it might be due to changes made by the system administrator (for
example, files in /etc), by everyday use, or by a possible intruder
(who might have placed a trojan in place of the checked file).
Be forewarned: an attacker might have modified these info files
(they are not protected against this).
<PRE>
</PRE><HR>
<A NAME="lin006w"><P><B>Code [lin006w]</B><P>
A file installed by a package no longer exists on the system and
cannot be checked. An administrator should not remove files from
the system by hand; they should be removed by uninstalling the package that
provided them. This is unusual behavior.
<PRE>
</PRE><HR>
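As an added example (not tiger's own code) covering both lin005f and lin006w, this shell function verifies one package's md5sums file against the files on disk and reports files whose checksum changed as well as files that are missing. It assumes the two-column format of the files in /var/lib/dpkg/info/ and builds a constructed file tree to demonstrate both cases.

```shell
# Added example (not tiger's own code): verify a dpkg md5sums file against the
# files on disk.  $1 is the md5sums file, $2 the root to check under (default /).
# Each line of an md5sums file is "<32 hex digits>  <path relative to />".
# Prints CHANGED for a differing checksum and MISSING for an absent file;
# returns 0 only when every listed file is present and unchanged.
verify_md5sums() {
    sums=$1; root=${2:-/}; bad=0
    while read -r expect path; do
        [ -n "$path" ] || continue                 # skip blank lines
        file="${root%/}/$path"
        if [ ! -e "$file" ]; then
            echo "MISSING  $file"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expect" ]; then
            echo "CHANGED  $file"; bad=$((bad + 1))
        fi
    done < "$sums"
    [ "$bad" -eq 0 ]
}

# Constructed demonstration tree (not a real package): one unchanged file,
# one edited file and one deleted file.
demo_verify_md5sums() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/usr/bin" "$t/etc"
    printf 'original binary\n' > "$t/usr/bin/tool"
    printf 'option=1\n'        > "$t/etc/tool.conf"
    printf 'obsolete\n'        > "$t/usr/bin/tool-old"
    ( cd "$t" && md5sum usr/bin/tool etc/tool.conf usr/bin/tool-old ) \
        > "$t/tool.md5sums"
    printf 'option=2\n' > "$t/etc/tool.conf"   # administrator (or intruder) edit
    rm "$t/usr/bin/tool-old"                    # file removed outside dpkg
    verify_md5sums "$t/tool.md5sums" "$t"
    rc=$?
    rm -rf "$t"
    return $rc
}
```

Because the info files are not protected, when an intrusion is suspected compare against checksums computed from a freshly downloaded copy of the package rather than against the local md5sums file.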
<A NAME="lin007w"><P><B>Code [lin007w]</B><P>
In the default configuration of many GNU/Linux distributions, users can
reboot the machine by pressing Ctrl+Alt+Delete while in console mode. This can
be considered a security risk, since an attacker with console access can easily
take down the server.
You can restrict this feature through the /etc/shutdown.allow
file. When that file exists, the shutdown is initiated only if one of the
users listed in it (or root) is logged in.
<PRE>
</PRE><HR>
<A NAME="lin008e"><P><B>Code [lin008e]</B><P>
The /proc pseudo-filesystem is needed to check the network configuration
settings in the kernel and determine insecure setups. /proc is available
when the kernel is compiled with the CONFIG_PROC_FS=Y option (if you want
to modify the settings you also need the CONFIG_SYSCTL=Y option). You also
need to have it mounted; if it is not, try: 'mount -t proc proc /proc'.
Most distributions do this by default.
<PRE>
</PRE><HR>
<A NAME="lin009i"><P><B>Code [lin009i]</B><P>
The kernel will answer (depending on its configuration) ICMP echo requests on
any interface. You might want to configure it not to answer these requests
and thus make the host more "invisible". Do it with:
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
Note, however, that this violates RFCs.
<PRE>
</PRE><HR>
<A NAME="lin010f"><P><B>Code [lin010f]</B><P>
The system will answer ICMP broadcast echo messages. This is considered
a problem, since ICMP broadcasts can cause a network denial of service while
at the same time giving away the location of hosts. To disable this, run:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
<PRE>
</PRE><HR>
<A NAME="lin011f"><P><B>Code [lin011f]</B><P>
The system is configured to answer badly formatted ICMP messages. This
behavior is not recommended; please disable it with:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
<PRE>
</PRE><HR>
<A NAME="lin012w"><P><B>Code [lin012w]</B><P>
The system is configured to accept ICMP redirects. This might or might
not be necessary in your network topology. If you have multiple routers
through which you connect to outside locations it might be necessary;
otherwise disable it, since an attacker could send bogus ICMP redirection
messages to try to route outgoing network packets to other systems
(including his own), thus allowing man-in-the-middle or
denial-of-service attacks:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
and:
# sysctl -w net.ipv4.conf.default.accept_redirects=0
<PRE>
</PRE><HR>
<A NAME="lin013f"><P><B>Code [lin013f]</B><P>
It is common to protect systems against denial of service attacks using
SYN packets (commonly known as "SYN flooding") by activating support
for TCP syncookies. Note, however, that activating this violates some RFCs:
# sysctl -w net.ipv4.tcp_syncookies=1
<PRE>
</PRE><HR>
<A NAME="lin014f"><P><B>Code [lin014f]</B><P>
It is possible to send IP-spoofed packets from this machine. Spoofed
packets are commonly used by trojans that make use of compromised hosts
to deliver denial of service, man in the middle or connection hijacking attacks.
You should consider configuring your kernel not to permit this:
# sysctl -w net.ipv4.conf.all.rp_filter=2
and:
# sysctl -w net.ipv4.conf.default.rp_filter=2
<PRE>
</PRE><HR>
<A NAME="lin015w"><P><B>Code [lin015w]</B><P>
IP forwarding is the option that permits the system to act as a router
and thus resend packets from one network interface to another. If your
system is not acting as a router, this option should be disabled:
# sysctl -w net.ipv4.ip_forward=0
<PRE>
</PRE><HR>
<A NAME="lin016f"><P><B>Code [lin016f]</B><P>
Source routing might permit an attacker to send packets through your
host (if routing is enabled) to other hosts without following your
network topology. It should be enabled only under very special
circumstances; otherwise an attacker could try to bypass the traffic
filtering that is done on the network:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
and:
# sysctl -w net.ipv4.conf.default.accept_source_route=0
<PRE>
</PRE><HR>
<A NAME="lin017w"><P><B>Code [lin017w]</B><P>
Suspicious packets received by the kernel should be logged to detect
incoming attacks. To activate this logging capability:
# sysctl -w net.ipv4.conf.all.log_martians=1
and:
# sysctl -w net.ipv4.conf.default.log_martians=1
<PRE>
</PRE><HR>
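The settings recommended in lin010f through lin017w can be audited in one pass. The function below is an added example, not tiger's own code: it reads each key from the /proc/sys tree (lin008e explains why /proc must be mounted) and reports keys that are absent or not at the recommended value. For rp_filter it accepts 1 (strict mode) as well as the value 2 given above, and it expects ip_forward to be 0, which applies only to hosts that are not acting as routers.

```shell
# Added example (not tiger's own code): audit the IPv4 kernel settings that the
# lin010f to lin017w checks describe by reading them from the /proc/sys tree.
# $1 is the directory standing in for /proc/sys (default /proc/sys), so the
# function can also be run against a constructed tree.  rp_filter accepts 1
# (strict) as well as 2; ip_forward is expected to be 0 on a host that is
# not a router.  Prints one line per problem and returns 1 if any was found.
audit_ipv4_sysctls() {
    root=${1:-/proc/sys}; bad=0
    while read -r key want; do
        path="$root/$(printf '%s' "$key" | tr . /)"     # a.b.c -> a/b/c
        if [ ! -r "$path" ]; then
            echo "ABSENT   $key"; bad=$((bad + 1)); continue
        fi
        read -r have < "$path"
        ok=0
        for v in $want; do [ "$have" = "$v" ] && ok=1; done
        if [ "$ok" -eq 0 ]; then
            echo "WRONG    $key = $have (want $want)"; bad=$((bad + 1))
        fi
    done <<EOF
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1 2
net.ipv4.conf.default.rp_filter 1 2
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
EOF
    [ "$bad" -eq 0 ]
}
```

Run `audit_ipv4_sysctls` with no argument on a live host; each WRONG line names the key to fix with the corresponding sysctl -w command above.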
<A NAME="lin018w"><P><B>Code [lin018w]</B><P>
The "weak end host" model described in RFC 1122 permits multihomed systems
to receive packets for one network interface on another network interface.
This, as a matter of fact, removes the benefit of configuring services
and binding them to a single IP address (rather than to all IP addresses).
For 2.2 kernels remove this behavior with:
# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden
For 2.4 and later kernels you might need to patch the kernel or configure
your firewalling rules properly (i.e. defining anti-spoofing rules).
<PRE>
</PRE><HR>
<A NAME="lin019f"><P><B>Code [lin019f]</B><P>
The system has no firewalling rules in place to limit access to network
services and protocols. Consider configuring a set of local firewall
rules adapted to your needs. There are several firewall generation tools
you can use to create them (such as Bastille, Shorewall, Firestarter
or Knetfilter).
Local firewall rules can be used to block undesired incoming and outgoing
traffic, and are useful to protect network services that listen on all
system interfaces, are only meant to be used from specific hosts (or
interfaces), and lack the capability to restrict their use to specific
local network IP addresses or hosts.
If the system is multi-homed, a local firewall configuration will prevent
spoofing attacks due to "weak end host" issues.
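As an added example (not tiger's own code) of the anti-spoofing rules that lin018w and lin019f call for on a multi-homed host, the function below emits an iptables chain that drops and logs packets arriving on the external interface with an internal source address, or addressed to the internal interface's IP. The interface names and addresses are parameters; the values used in the usage comment are constructed.

```shell
# Added example (not tiger's own code): print iptables anti-spoofing rules for a
# host with an external interface EXT_IF and an internal interface INT_IF that
# serves the network INT_NET and has the address INT_ADDR.  The rules are
# printed rather than applied so they can be reviewed first; pipe them to
# "sh" as root to load them once.
# Usage: antispoof_rules eth0 eth1 192.168.1.0/24 192.168.1.1   (constructed)
antispoof_rules() {
    ext=$1; int=$2; net=$3; addr=$4
    case "$net" in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "INT_NET must be a CIDR block, e.g. 192.168.1.0/24" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -N ANTISPOOF 2>/dev/null || iptables -F ANTISPOOF
# internal addresses must never appear as the source on the external interface
iptables -A ANTISPOOF -i $ext -s $net -j LOG --log-prefix "spoof-src: "
iptables -A ANTISPOOF -i $ext -s $net -j DROP
# weak end host: traffic for $int's address must arrive on $int, not on $ext
iptables -A ANTISPOOF -i $ext -d $addr -j LOG --log-prefix "weak-end-host: "
iptables -A ANTISPOOF -i $ext -d $addr -j DROP
# loopback addresses only ever arrive on lo
iptables -A ANTISPOOF ! -i lo -s 127.0.0.0/8 -j DROP
# run the chain first for both locally delivered and forwarded packets
iptables -I INPUT 1 -j ANTISPOOF
iptables -I FORWARD 1 -j ANTISPOOF
EOF
}
```

The LOG rules give the same visibility for spoofed packets that log_martians (lin017w) gives for packets the kernel itself rejects.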