COPS: Computerized Oracle and Password System

Computer Security and COPS

What is computer security? Computer security is the securing of various computer systems through tools and knowledge. A secure system is any system that assures the secrecy, integrity, and availability of computing systems. Many system administrators do not have access to the tools that help in the securing of their systems. Now there is a tool freely available on the Internet to aid administrators in finding those security holes in their systems that may be difficult to detect. COPS (Computerized Oracle and Password System) is a tool that can be run by an administrator (or any user) to detect if there is a security hole in the system.

COPS is freely available at many ftp sites on the Internet. The URL for the main ftp site is ftp://pilot.net/pub/cops.

COPS checks various known security holes in UNIX. Some of the many things that it checks are:

file, directory, and device permissions/modes
- This will check to make sure that there are no files or directories that are world writable
poor passwords
- This part of COPS checks the /etc/passwd file for any passwords that are easily guessed. It comes with several files that can be used as a dictionary including the one used in the infamous Internet Worm.
content, format, and security of password and group files
- This makes sure that the password and group files have the proper number of fields defined in each one.
the programs and files run in /etc/rc* and cron(tab) files
- This checks to make sure that the programs that are run from the cron file will not cause any security holes.
existence of root-SUID files, their writability, and whether or not they are shell scripts
- You do not want any programs having root equivalent access.
a CRC check against important binaries or key files to report any changes therein
writability of users home directories and startup files (.profile, .cshrc, etc.)
anonymous ftp setup
unrestricted tftp, decode alias in sendmail, SUID uudecode problems, hidden shells inside inetd.conf, rexd running in inetd.conf
miscellaneous root checks -- the current directory in the search path, a + in /etc/host.equiv, unrestricted NFS mounts, ensuring root is in /etc/ftpusers, etc.

The COPS package also includes a few utilities to ensure the security of your site. One of these is to check the dates of CERT advisories vs. key files. This will check the date that various bugs and security holes were reported by CERT against the actual date on the file in question. Another utility included in the COPS distribution is the Kuang expert system. This expert system takes a set of rules and tries to determine if your system can be compromised. None of the COPS programs try to correct any of the potential problems that it finds. Because of this, COPS does not need to be executed from a privileged account. This also means that any user can run COPS to look for possible security holes. Many say that this is a problem with the free distribution of COPS. The other side says that if a system administrator runs it continuously then they don't have to worry if it is in the public domain or not. There are also those that say that computer crackers have had these same types of tools for years. The COPS system was designed by Dan Farmer to help system administrators secure their sites by checking for known bugs and security holes.

In its original distribution, COPS was just a collection of shell scripts. Currently, COPS users have the choice of using the shell scripts or using the slightly more functional and newer Perl port of the software.

COPS only looks for known security holes, it cannot find the ones that are unknown to the security community. This only defeats the crackers that are looking at CERT advisories and trying to break into systems that have those bugs. There are many computer crackers that look for bugs that have not been exploited yet. A systems administrator should not be comforted even if COPS comes back with no security flaws. There may be things that COPS cannot detect. Many system administrators will run COPS daily with cron and become complacent if COPS does not mail them a security breach. System administrators have to be constantly on the lookout for possible security holes.

There are many other tools that are recommended to be used with COPS. One example of these programs would be crack which is a password cracker. It checks the /etc/passwd file for easily guessed passwords. COPS also comes with a program called chkacct, which is short for check account. This will allow the system administrator to check any account or an individual user to check his or her account. COPS can also be used in conjunction with many of the other security tools available to the security community including SATAN, Tripwire, or TCP wrappers.

There are many systems administrators that currently use COPS. I know that UMBC has used it and other system administrators at various Internet service providers are currently using it.

References:

1. Farmer, Daniel, Eugene H. Spafford, The COPS Security Checker System, Purdue University Technical Report CSD-TR-993, 1991.

World Wide Web sites:

http://www.cs.purdue.edu/coast/

http://www.cs.purdue.edu/homes/spaf/hotlists/csec.html

http://www.first.org/

FTP sites

ftp://pilot.net/pub/cops