With Solaris 10 we can select during installation which packages we want to install and which we do not. Unfortunately, those who pick and choose usually come off badly, because they will often run into missing libraries and other missing files. Working out afterwards which package should have been installed is quite cumbersome, and in many cases almost impossible.

The following short list contains basic, practical items; it should by no means be regarded as a complete hardening checklist.

Disable the graphical interface if it is not used

In the most common case Solaris serves purely as a server. For that we have no need at all to run the graphical interface. Oracle and other programs will require it, so we cannot simply skip installing it, but if we do not have to use it, we should not.

# ps -efl

As the output shows, the X server and its associated processes are running. To turn it off, it is enough to disable the CDE (Common Desktop Environment) services.

# svcs -a|grep cde
# svcadm disable cde-calendar-manager
# svcadm disable cde-ttdbserver
# svcadm disable cde-printinfo
# svcadm disable cde-login
# svcs -a|grep cde

After this, the console naturally shows the plain text mode as well:

And a few entries have disappeared from the process list:
# ps -efl

Of course, if we do need X, we can use the xhost command, or redirect this server's graphical output to another X server if necessary.

Disable the web console if it is not used

Solaris 10 includes a web console. Applications can register their management interfaces with it, so that all sorts of tasks can be done neatly by clicking around. Unfortunately it is quite resource-hungry and in many cases unnecessary, so unless we have a reason to keep it running, we should disable it.

# svcs webconsole
# svcadm disable webconsole

The Java application that was eating so much memory has disappeared from the process list:

# ps -efl

Disable unnecessary inetd services

# inetadm

If an unnecessary service is enabled, we can disable it like this:

# inetadm -d [service-name]

And if we do want to enable something after all:

# inetadm -e [service-name]

Check which ports are open on the machine

We can do this from the inside:

# netstat -an |grep -i listen

Or from the outside, with a port scan. I will use nmap here:
# /usr/local/bin/nmap -sT 10.0.0.10

If we find an unnecessarily open port, we can start investigating what is using it.

Here is a small script for finding out which process holds a given port:

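#!/bin/sh
# Find the process that holds a given port, using pfiles (Solaris).

# pfiles can only inspect every process when it is run as root
if [ `/usr/xpg4/bin/id -u` -ne 0 ]; then
    echo "ERROR: This script must run as root to access pfiles command."
    exit 1
fi

# Take the port from the first argument, otherwise ask for it
if [ $# -eq 1 ]; then
    port=$1
else
    printf "which port?> "
    read port
    echo "Searching for processes using port $port..."
    echo
fi

# Walk every PID and look for a socket bound to the requested port
for pid in `ps -ef -o pid | tail +2`
do
    foundport=`/usr/proc/bin/pfiles $pid 2>&1 | grep "sockname:" | egrep "port: $port$"`
    if [ "$foundport" != "" ];
    then
        echo "proc: $pid, $foundport"
    fi
done

exit 0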

Here is how it works:

./port_tester.sh
which port?> [ENTER THE PORT HERE]

Disabling the SNMP agent

If the SNMP agent is running and we do not use the service to monitor the machine, it is worth disabling it. If we do use it, we should at least make sure that the community strings are not set to the keywords private and public.

# svcs snmpdx

If it does need to run, the following configuration files are worth checking:

/etc/snmp/conf/snmpd.conf
/etc/snmp/conf/snmpdx.acl
/etc/sma/snmp/snmpd.conf

Checking the SSH settings

Practically everyone uses SSH to connect to their server. Here too, a few basic settings deserve attention.

First, make sure that root login is not permitted:

# cat /etc/ssh/sshd_config |grep -i permitroot

Second, make sure that the SSH daemon accepts only protocol version 2, and not the obsolete version 1:

# cat /etc/ssh/sshd_config |grep -i protocol
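
The two checks above as a script, added here as an example that is not part of the original article: a plain grep also prints commented-out lines, and a value such as Protocol 2,1 still allows version 1, so the script reads only active lines and compares the effective value. It assumes a POSIX shell and awk (on Solaris 10, /usr/xpg4/bin/sh and nawk or /usr/xpg4/bin/awk) and that sshd uses the first occurrence of a keyword; the function names and sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit the two sshd_config settings checked above.
# Assumption: as in OpenSSH, the first occurrence of a keyword is the one used.

# Print the effective (lower-cased) value of keyword $1 in file $2.
# Comment lines are skipped; prints nothing if the keyword is not set.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # commented-out line
        NF < 2     { next }                      # blank line or no value
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")      # strip the keyword
            sub(/[ \t]+$/, "")                   # strip trailing blanks
            print tolower($0)
            exit                                 # first occurrence wins
        }' "$2"
}

# Compare keyword $1 with expected value $2 in file $3.
# Prints an OK/WARNING line; returns 0 on a match and 1 otherwise.
check_setting() {
    actual=$(sshd_effective "$1" "$3")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 is \"$2\""
        return 0
    fi
    if [ -z "$actual" ]; then
        echo "WARNING: $1 is not set explicitly (expected \"$2\")"
    else
        echo "WARNING: $1 is \"$actual\" (expected \"$2\")"
    fi
    return 1
}

# Run both checks on file $1; the return code is the number of failures.
audit_sshd() {
    failures=0
    check_setting PermitRootLogin no "$1" || failures=$((failures + 1))
    check_setting Protocol 2 "$1"         || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d /tmp/sshd_audit.XXXXXX) || return 1
    cat > "$d/weak" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
Protocol 2,1
EOF
    cat > "$d/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
EOF
    for f in weak hardened; do
        echo "== $f =="
        audit_sshd "$d/$f"
        echo "failures: $?"
    done
    rm -rf "$d"
}
demo
```

On a real host the call would be audit_sshd /etc/ssh/sshd_config.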

Seccheck – security checking with automated scripts

Naturally, there is a tool for Solaris too that combs through the system and generates all kinds of reports about it. I obtained the package from the SunFreeware site; the official site is here.

The package can be installed in the usual way:
# gunzip seccheck-0.7.6-sol10-x86-local.gz
# pkgadd -d /tmp/seccheck-0.7.6-sol10-x86-local

As I wrote, this is not really a program, merely a collection of scripts. It consists of modules, and each module checks different things:
# cd /usr/local/seccheck/bin/modules.d/
# ls -lah

Let's see how to start the check and how it runs:

# cd /usr/local/seccheck/bin/
# ./seccheck.sh

The following checks will be run:
[ Checking Services ]
[ Checking RPC Services ]
[ Checking NIS/NIS+ Services ]
[ Checking LDAP Services ]
[ Checking Kerberos/GSS Services ]
[ Checking if dtlogin is running ]
[ Checking Solaris Management Console services ]
[ Checking volmgt Services ]
[ Checking SAMBA Services ]
[ Checking NFS Services ]
[ Checking Automount Services ]
[ Checking Telnet Service ]
[ Checking FTP Service ]
[ Checking Boot Services ]
[ Checking DHCP Service ]
[ Checking DNS Service ]
[ Checking TFTP Service ]
[ Checking Print Services ]
[ Checking Web Services ]
[ Checking SNMP Service ]
[ Checking INETD ]
[ Checking System Accounts ]
[ Checking for Accounts With Empty Passwords ]
[ Checking for Legacy “+” Entries in passwd Files ]
[ Checking for UID 0 Accounts ]
[ Checking UMASK and mesg Settings ]
[ Checking “coreadm” Configuration ]
[ Checking Stack Protection ]
[ Checking NFS Priviledged Port Restrictions ]
[ Checking TCP Sequence Numbers ]
[ Checking Network Parameters ]
[ Checking inetd Tracing ]
[ Checking FTP Logging ]
[ Checking Connection Logging ]
[ Checking syslog AUTH Logging ]
[ Checking logging of failed login attempts ]
[ Checking cron logging ]
[ Checking System Accounting ]
[ Checking System Log File Permissions ]
[ Checking for “login:” Prompts on Serial Ports ]
[ Checking “nobody” Access for Secure RPC ]
[ Checking SSH Daemon Configuration ]
[ Checking for .rhosts Support in /etc/pam.conf ]
[ Checking /etc/ftpd/ftpusers ]
[ Checking That sendmail Only Listens Locally ]
[ Checking That syslogd Will Not Accept Remote Messages ]
[ Checking That TCP Wrappers is Enabled ]
[ Checking crontabs ]
[ Checking cron Facility Access ]
[ Checking That root Can Only Log in on /dev/console ]
[ Checking Account Lockout Policy ]
[ Checking Daemon umask ]
[ Checking rmmount.conf ]
[ Checking passwd Files ]
[ Checking World Writable Directories For Sticky Bit ]
[ Checking for World Writable Files ]
[ Checking for SUID/SGID System Executables ]
[ Checking for Unowned Files and Directories ]
[ Checking for Extended Attributes ]

By default the results of the evaluation and the suggested fixes are shown on screen, but by specifying a directory we can have them written to a file instead:

# ./seccheck.sh -o ../output/

As you will see, wherever the tool finds a problem it also suggests how to fix it. This way we can fully harden our system.

# cat ../output/seccheck-test-20100713-1235.log |more
=====================================================
SCAN STARTED: Tue Jul 13 12:35:58 CEST 2010
=====================================================
[ SECCHECK – Checking all Modules in modules.d ]
=====================================================
=====================================================
[ Checking Services ]
=====================================================
OK: No questionable services found
=====================================================
[ Checking RPC Services ]
=====================================================
WARNING: Service “svc:/network/rpc/bind:default” is [online]
INFO: The following online services are dependent on this service:
online svc:/system/sysidtool:system
online svc:/system/filesystem/autofs:default
online svc:/network/inetd:default
online svc:/network/rpc/gss:default
online svc:/network/rpc/smserver:default
online svc:/system/filesystem/volfs:default
online svc:/system/fmd:default
online svc:/milestone/multi-user:default
INFO: Checking svc:/network/rcp/bind:default for tcpwrappers support
WARNING: svc:/network/rpc/bind:default tcpwrappers support is not enabled
INFO: Consider enabling tcpwrappers support with the following commands:
INFO: /usr/sbin/svccfg -s rpc/bind setprop config/enable_tcpwrappers = true
INFO: /usr/sbin/svcadm refresh rpc/bind
OK: Service “svc:/network/rpc/keyserv:default” is disabled
=====================================================
[ Checking NIS/NIS+ Services ]
=====================================================
OK: All NIS/NIS+ related services disabled
=====================================================
[ Checking LDAP Services ]
=====================================================
OK: LDAP cache manager is disabled
=====================================================
[ Checking Kerberos/GSS Services ]
=====================================================
WARNING: Service “svc:/network/security/ktkt_warn:default” is [online]
WARNING: Service “svc:/network/rpc/gss:default” is [online]
=====================================================
[ Checking if dtlogin is running ]
=====================================================
OK: svc:/network/rpc-100083_1/rpc_tcp:default is not present
OK: dtlogin is not set to start in runlevel 2
=====================================================
[ Checking Solaris Management Console services ]
=====================================================
OK: wbems not set to start in runlevel 2
OK: dtlogin is not set to start in runlevel 2
=====================================================
[ Checking volmgt Services ]
=====================================================
WARNING: Service “svc:/network/rpc/smserver:default” is [online]
=====================================================
[ Checking SAMBA Services ]
=====================================================
OK: samba not set to start in runlevel 3
=====================================================
[ Checking NFS Services ]
=====================================================
OK: All NFS related services disabled
=====================================================
[ Checking Automount Services ]
=====================================================
WARNING: Service “svc:/system/filesystem/autofs:default” is [online]
=====================================================
[ Checking Telnet Service ]
=====================================================
OK: Service “svc:/network/telnet:default” is disabled
=====================================================
[ Checking FTP Service ]
=====================================================
OK: Service “svc:/network/ftp:default” is disabled
=====================================================
[ Checking Boot Services ]
=====================================================
OK: All Boot services are disabled
=====================================================
[ Checking DHCP Service ]
=====================================================
OK: Service “svc:/network/dhcp-server:default” is disabled
=====================================================
[ Checking DNS Service ]
=====================================================
OK: Service “svc:/network/dns/server:default” is disabled
=====================================================
[ Checking TFTP Service ]
=====================================================
OK: No TFTP Services Installed
=====================================================
[ Checking Print Services ]
=====================================================
OK: All Print Services are disabled
=====================================================
[ Checking Web Services ]
=====================================================
OK: Service “svc:/network/http:apache2” is disabled
WARNING: apache is set to start in runlevel 3
INFO: mv /etc/rc3.d/S50apache /etc/rc3.d/.NOS50apache and reboot
WARNING: ncakmod is set to start in runlevel 2
INFO: mv /etc/rc2.d/S42ncakmod /etc/rc2.d/.NOS42ncakmod and reboot
WARNING: ncalogd is set to start in runlevel 2
INFO: mv /etc/rc2.d/S94ncalogd /etc/rc2.d/.NOS94ncalogd and reboot
=====================================================
[ Checking SNMP Service ]
=====================================================
OK: initsma not set to start in runlevel 3
=====================================================
[ Checking INETD ]
=====================================================
WARNING: Service “svc:/network/inetd:default” is [online]
=====================================================
=====================================================
[ Checking System Accounts ]
=====================================================
WARNING: Account bin’s password is state [NL]
INFO: Consider locking with “passwd -l bin”
WARNING: Account bin’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null bin
WARNING: Account nuucp’s password is state [NL]
INFO: Consider locking with “passwd -l nuucp”
WARNING: Account nuucp’s shell is [/usr/lib/uucp/uucico]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null nuucp
WARNING: Account smmsp’s password is state [NL]
INFO: Consider locking with “passwd -l smmsp”
WARNING: Account smmsp’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null smmsp
WARNING: Account listen’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null listen
WARNING: Account gdm’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null gdm
OK: System user webserverd not present
WARNING: Account nobody’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null nobody
WARNING: Account noaccess’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null noaccess
WARNING: Account nobody4’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null nobody4
WARNING: Account sys’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null sys
WARNING: Account adm’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null adm
WARNING: Account lp’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null lp
WARNING: Account uucp’s shell is [/sbin/sh]
INFO: Consider changing to /dev/null or /bin/false with:
INFO: passmgmt -m -s /dev/null uucp
=====================================================
[ Checking for Accounts With Empty Passwords ]
=====================================================
OK: No accounts have empty passwords
=====================================================
[ Checking for Legacy “+” Entries in passwd Files ]
=====================================================
OK: No legacy “+” entries found
=====================================================
[ Checking for UID 0 Accounts ]
=====================================================
OK: Only “root” has UID 0
=====================================================
[ Checking UMASK and mesg Settings ]
=====================================================
WARNING: UMASK should be more restrictive in /etc/default/login
INFO: Execute the following commands to implement this:
INFO: cd /etc/default
INFO: sed 's/^[#]\{0,1\}UMASK=.*$/UMASK=077/' login > login.new
INFO: mv login.new login
INFO: pkgchk -f -n -p /etc/default/login
WARNING: umask not set correctly in /etc/profile
WARNING: mesg not set correctly in /etc/profile
WARNING: umask not set correctly in /etc/.login
WARNING: mesg not set correctly in /etc/.login
=====================================================
=====================================================
[ Checking “coreadm” Configuration ]
=====================================================
WARNING: Incorrect global core file pattern
WARNING: Incorrect global core file content
WARNING: Incorrect init core file pattern
WARNING: Incorrect init core file content
WARNING: Per-process core dumps are enabled
WARNING: Global SETUID core dumps are disabled
WARNING: Global core dump logging is disabled
WARNING: One or more issues found whilst parsing _optimum_ coreadm settings
INFO: To configure “recommended” coreadm settings, issue the following commands:
INFO: mkdir -p /var/core
INFO: chown root:root /var/core
INFO: chmod 700 /var/core
INFO: coreadm -g /var/core/core_%n_%f_%u_%g_%t_%p -e log -e global \
INFO: -e global-setid -d process -d proc-setid
=====================================================
[ Checking Stack Protection ]
=====================================================
WARNING: noexec_user_stack not set to 1 in /etc/system
WARNING: noexec_user_stack_log not set to 1 in /etc/system
=====================================================
[ Checking NFS Priviledged Port Restrictions ]
=====================================================
WARNING: nfssrv:nfs_portmon not set to 1 in /etc/system
=====================================================
[ Checking TCP Sequence Numbers ]
=====================================================
WARNING: Not using RFC 1948 for TCP initial sequence number generation
=====================================================
[ Checking Network Parameters ]
=====================================================
WARNING: tcp_conn_req_max_q0 set incorrectly
INFO: run: “ndd -set /dev/tcp tcp_conn_req_max_q0 4096” on startup
WARNING: tcp_conn_req_max_q set incorrectly
INFO: run: “ndd -set /dev/tcp tcp_conn_req_max_q 1024” on startup
WARNING: ip_respond_to_echo_broadcast set incorrectly
INFO: run: “ndd -set /dev/ip ip_respond_to_echo_broadcast 0” on startup
WARNING: arp_cleanup_interval set incorrectly
INFO: run: “ndd -set /dev/arp arp_cleanup_interval 60000” on startup
WARNING: ip_ire_arp_interval set incorrectly
INFO: run: “ndd -set /dev/ip ip_ire_arp_interval 60000” on startup
WARNING: ip_ignore_redirect set incorrectly
INFO: run: “ndd -set /dev/ip ip_ignore_redirect 1” on startup
WARNING: ip6_ignore_redirect set incorrectly
INFO: run: “ndd -set /dev/ip ip6_ignore_redirect 1” on startup
WARNING: ip_strict_dst_multihoming set incorrectly
INFO: run: “ndd -set /dev/ip ip_strict_dst_multihoming 1” on startup
INFO: The next parameters flagged (if any) should only be modified if this
INFO: server will not be performing routing
WARNING: ip6_strict_dst_multihoming set incorrectly
INFO: run: “ndd -set /dev/ip ip6_strict_dst_multihoming 1” on startup
WARNING: ip_send_redirects set incorrectly
INFO: run: “ndd -set /dev/ip ip_send_redirects 0” on startup
WARNING: ip6_send_redirects set incorrectly
INFO: run: “ndd -set /dev/ip ip6_send_redirects 0” on startup
WARNING: IP forwarding is enabled on this server
INFO: To disable, execute the following command:
INFO: /usr/sbin/routeadm -d ipv4-forwarding -d ipv6-forwarding
WARNING: Network Parameters not optimally configured
INFO: Create a script to automatically set the correct parameters at boot time
=====================================================
[ Checking inetd Tracing ]
=====================================================
WARNING: inetd tracing is not enabled
INFO: Consider turning this on with the following command:
INFO: /usr/sbin/inetadm -M tcp_trace=true
INFO: or, for individual services
INFO: /usr/sbin/inetadm -m tcp_trace=true
=====================================================
[ Checking FTP Logging ]
=====================================================
OK: FTP disabled, not installed, or broken
=====================================================
[ Checking Connection Logging ]
=====================================================
INFO: Checking whether we are logging daemon.debug to a connection log
WARNING: Not logging daemon.debug to /var/log/connlog
INFO: It is recommended that you execute the following commands
INFO: to instate a connection log: (use an echo that supports -e)
INFO: printf "daemon.debug\t\t\t/var/log/connlog\n" >> /etc/syslog.conf
INFO: touch /var/log/connlog
INFO: chown root:root /var/log/connlog
INFO: chmod 600 /var/log/connlog
INFO: logadm -w connlog -C 13 -a 'pkill -HUP syslogd' /var/log/connlog
=====================================================
[ Checking syslog AUTH Logging ]
=====================================================
WARNING: Not logging auth.info to /var/log/authlog
INFO: It is recommended that you execute the following commands
INFO: to capture messages sent to the syslog AUTH facility:
INFO: printf "auth.info\t\t\t/var/log/authlog\n" >> /etc/syslog.conf
INFO: touch /var/log/authlog
INFO: chown root:root /var/log/authlog
INFO: chmod 600 /var/log/authlog
INFO: logadm -w authlog -C 13 -a 'pkill -HUP syslogd' /var/log/authlog
=====================================================
[ Checking logging of failed login attempts ]
=====================================================
WARNING: SYSLOG_FAILED_LOGINS not set to 0 in /etc/default/login
INFO: It is recommended that you execute the following commands
INFO: to log all failed logins to /var/adm/loginlog:
INFO: touch /var/adm/loginlog
INFO: chown root:sys /var/adm/loginlog
INFO: chmod 600 /var/adm/loginlog
INFO: cd /etc/default
INFO: sed 's/^[#]\{0,1\}SYSLOG_FAILED_LOGINS=.*$/SYSLOG_FAILED_LOGINS=0/' login > login.new
INFO: mv login.new login
INFO: pkgchk -f -n -p /etc/default/login
INFO: logadm -w loginlog -C 13 /var/adm/loginlog
=====================================================
[ Checking cron logging ]
=====================================================
OK: cron logging is enabled
=====================================================
[ Checking System Accounting ]
=====================================================
WARNING: Service svc:/system/sar:default is [disabled]
WARNING: One or more System Accounting entries in crontab for user “sys”
WARNING: not present or incorrect. Ensure the following entries are present:
INFO: 0,20,40 * * * * /usr/lib/sa/sa1
INFO: 45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
=====================================================
[ Checking System Log File Permissions ]
=====================================================
INFO: Will now check /var/log/syslog, /var/log/authlog, /var/adm/utmpx, /var/adm/wtmpx
INFO: with pkgchk. Review output (if any) for inconsistencies.
OK: No errors found
=====================================================
=====================================================
[ Checking for “login:” Prompts on Serial Ports ]
=====================================================
WARNING: login: prompt enabled on serial port ttya
INFO: To disable, execute the following command:
INFO: pmadm -d -p zsmon -s ttya
WARNING: login: prompt enabled on serial port ttyb
INFO: To disable, execute the following command:
INFO: pmadm -d -p zsmon -s ttyb
=====================================================
[ Checking “nobody” Access for Secure RPC ]
=====================================================
WARNING: “nobody” access to Secure RPC not explicitly disabled in /etc/default/keyserv
INFO: Execute the following commands to disable:
INFO: cd /etc/default
INFO: sed 's/^[#]\{0,1\}ENABLE_NOBODY_KEYS=.*$/ENABLE_NOBODY_KEYS=NO/' keyserv > keyserv.new
INFO: mv keyserv.new keyserv
INFO: pkgchk -f -n -p /etc/default/keyserv
=====================================================
[ Checking SSH Daemon Configuration ]
=====================================================
INFO: Where warnings are found whilst parsing /etc/ssh/sshd_config, either
INFO: uncomment and/or fix the entries contained therein
OK: “Protocol” set to “2” in /etc/ssh/sshd_config
OK: “X11Forwarding” set to “yes” in /etc/ssh/sshd_config
WARNING: “MaxAuthTries” not set to “5” in /etc/ssh/sshd_config
WARNING: “MaxAuthTriesLog” not set to “0” in /etc/ssh/sshd_config
OK: “RhostsAuthentication” set to “no” in /etc/ssh/sshd_config
OK: “RhostsRSAAuthentication” set to “no” in /etc/ssh/sshd_config
OK: “PermitRootLogin” set to “no” in /etc/ssh/sshd_config
OK: “PermitEmptyPasswords” set to “no” in /etc/ssh/sshd_config
WARNING: “Banner” not set to “/etc/issue” in /etc/ssh/sshd_config
=====================================================
[ Checking for .rhosts Support in /etc/pam.conf ]
=====================================================
WARNING: .rhosts support exists in /etc/pam.conf
INFO: It is recommended that you remove .rhosts support in /etc/pam.conf
INFO: Execute the following commands to do this:
INFO: cd /etc
INFO: grep -v "pam_rhosts_auth\.so\.1" pam.conf > pam.conf.new
INFO: mv pam.conf.new pam.conf
INFO: pkgchk -f -n -p /etc/pam.conf
=====================================================
[ Checking /etc/ftpd/ftpusers ]
=====================================================
OK: Service “svc:/network/ftp:default” is disabled
=====================================================
[ Checking That sendmail Only Listens Locally ]
=====================================================
INFO: Checking is sendmail is disabled from listening on external interfaces
INFO: Obviously if this is a mail server, ignore these test results
WARNING: sendmail not configured to listen locally only on port 25
INFO: To configure, execute the following commands:
INFO: sed 's/^\(O DaemonPortOptions.*inet\)$/\1, Addr=127.0.0.1/' /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
INFO: mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
INFO: svcadm refresh svc:/network/smtp:sendmail
WARNING: sendmail configured to listen on IPv6 addresses
INFO: Unless you use IPv6 at your site, this isn’t required
INFO: To disable sendmail on IPv6 addresses, enter the following commands:
INFO: sed 's/^\(O DaemonPortOptions.*inet6.*\)$/#\1/' /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
INFO: mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
INFO: svcadm refresh svc:/network/smtp:sendmail
=====================================================
[ Checking That syslogd Will Not Accept Remote Messages ]
=====================================================
WARNING: syslogd not configured to reject remote messages
INFO: It is recommended that you do not allow syslogd to listen for
INFO: messages from other systems, unless this server is a log server
INFO: To disable, execute the following commands:
INFO: cd /etc/default
INFO: sed 's/^[#]\{0,1\}LOG_FROM_REMOTE=.*$/LOG_FROM_REMOTE=NO/' syslogd > syslogd.new
INFO: mv syslogd.new syslogd
INFO: svcadm refresh svc:/system/system-log:default
=====================================================
[ Checking That TCP Wrappers is Enabled ]
=====================================================
WARNING: /etc/hosts.allow does not exist
WARNING: /etc/hosts.deny does not exist
WARNING: Global TCP Wrappers configuration not enabled
INFO: To enable, execute the following command:
INFO: inetadm -M tcp_wrappers=TRUE
=====================================================
[ Checking crontabs ]
=====================================================
INFO: The crontab [/var/spool/cron/crontabs/adm] is empty – consider removing it
INFO: with “crontab -r adm”
WARNING: /var/spool/cron/crontabs/adm is not mode 400. Execute the following command to fix it:
INFO: chmod 400 /var/spool/cron/crontabs/adm
WARNING: /var/spool/cron/crontabs/dim is not owned by group sys. Execute the following command to fix it:
INFO: chgrp sys /var/spool/cron/crontabs/dim
WARNING: /var/spool/cron/crontabs/dim is not mode 400. Execute the following command to fix it:
INFO: chmod 400 /var/spool/cron/crontabs/dim
WARNING: /var/spool/cron/crontabs/lp is not owned by group sys. Execute the following command to fix it:
INFO: chgrp sys /var/spool/cron/crontabs/lp
WARNING: /var/spool/cron/crontabs/root is not mode 400. Execute the following command to fix it:
INFO: chmod 400 /var/spool/cron/crontabs/root
INFO: The crontab [/var/spool/cron/crontabs/sys] is empty – consider removing it
INFO: with “crontab -r sys”
WARNING: /var/spool/cron/crontabs/sys is not mode 400. Execute the following command to fix it:
INFO: chmod 400 /var/spool/cron/crontabs/sys
INFO: The crontab [/var/spool/cron/crontabs/uucp] is empty – consider removing it
INFO: with “crontab -r uucp”
=====================================================
[ Checking cron Facility Access ]
=====================================================
WARNING: /etc/cron.d/cron.allow does not exist
WARNING: /etc/cron.d/at.allow does not exist
WARNING: No need for /etc/cron.d/cron.deny ( if /etc/cron.d/cron.allow exists )
WARNING: No need for /etc/cron.d/at.deny ( if /etc/cron.d/at.allow exists )
=====================================================
[ Checking That root Can Only Log in on /dev/console ]
=====================================================
OK: CONSOLE variable correctly configured in /etc/default/login
=====================================================
[ Checking Account Lockout Policy ]
=====================================================
WARNING: Bad login attempt retry limit not set to 5 (or less) in /etc/default/login
INFO: To force reconnection after 5 bad login attempts, execute the following commands:
INFO: cd /etc/default
INFO: sed 's/^[#]\{0,1\}RETRIES=.*$/RETRIES=5/' login > login.new
INFO: mv login.new login
INFO: pkgchk -f -n -p /etc/default/login
WARNING: Accounts not set to lock after RETRIES limit reached
INFO: To lock accounts after RETRIES limit reached, execute the following commands:
INFO: cd /etc/security
INFO: sed 's/^[#]\{0,1\}LOCK_AFTER_RETRIES=.*$/LOCK_AFTER_RETRIES=YES/' policy.conf > policy.conf.new
INFO: mv policy.conf.new policy.conf
INFO: pkgchk -f -n -p /etc/security/policy.conf
INFO: You can then disable lockout for particular users with:
INFO: usermod -K lock_after_retries=no username
=====================================================
=====================================================
[ Checking Daemon umask ]
=====================================================
OK: CMASK set correctly in /etc/default/init
=====================================================
[ Checking rmmount.conf ]
=====================================================
OK: Line: "mount * hsfs udfs ufs -o nosuid" in /etc/rmmount.conf has nosuid option set
=====================================================
[ Checking passwd Files ]
=====================================================
INFO: /etc/passwd, /etc/group and /etc/shadow will now be checked with pkgchk.
INFO: Review the output (if any) and take corrective action as required
ERROR: /etc/passwd
modtime <08/25/08 05:44:51 PM> expected <07/06/10 02:40:00 PM> actual
file size <672> expected <767> actual
file cksum <56039> expected <64080> actual
ERROR: /etc/group
modtime <08/25/08 05:44:50 PM> expected <07/06/10 02:39:57 PM> actual
file size <289> expected <299> actual
file cksum <23837> expected <24480> actual
ERROR: /etc/shadow
modtime <08/25/08 05:44:51 PM> expected <07/06/10 02:40:00 PM> actual
file size <338> expected <402> actual
file cksum <23267> expected <28033> actual
=====================================================
[ Checking World Writable Directories For Sticky Bit ]
=====================================================
INFO: Preparing a list of directories that are world-writable and DO NOT
INFO: have their sticky bit set - review and correct if necessary
drwxrwxrwx 2 root nobody 182 Jul 12 13:30 /tmp/.removable
=====================================================
[ Checking for World Writable Files ]
=====================================================
INFO: Preparing a list of files that are world-writable review and correct if necessary
-rw-rw-rw- 1 root bin 0 Aug 25 2008 /var/adm/spellhist
-rw-rw-rw- 1 root root 8 Dec 21 2001 /var/dt/dtpower/_current_scheme
-rw--w--w- 1 bin bin 0 Jan 22 2005 /usr/oasys/tmp/TERRLOG
-rw-rw-rw- 1 root root 0 Jul 12 13:30 /proc/1/fd/254
-rw-rw-rw- 1 root root 0 Jul 12 13:30 /proc/1/fd/255
-rw-rw-rw- 1 root root 0 Jul 12 13:30 /proc/392/fd/11
-rw-rw-rw- 1 root root 0 Jul 12 13:30 /proc/504/fd/7
-rw-rw-rw- 1 root root 0 Jul 12 13:30 /system/contract/process/template
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/1/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/1/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/4/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/4/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/5/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/5/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/20/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/20/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/21/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/21/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/24/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/24/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/27/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/27/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/28/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/28/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/36/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/36/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/42/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/42/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/43/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/43/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/44/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/44/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/48/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/48/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/49/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/49/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/50/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/50/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/51/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/51/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/53/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/53/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/55/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/55/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/56/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/56/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/58/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/58/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/65/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/65/status
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/74/ctl
--w--w--w- 1 root root 0 Jul 12 13:30 /system/contract/process/74/status
--w--w--w- 1 root root 0 Jul 12 13:46 /system/contract/process/86/ctl
--w--w--w- 1 root root 0 Jul 12 13:46 /system/contract/process/86/status
--w--w--w- 1 root root 0 Jul 12 17:06 /system/contract/process/91/ctl
--w--w--w- 1 root root 0 Jul 12 17:06 /system/contract/process/91/status
--w--w--w- 1 root root 0 Jul 12 18:37 /system/contract/process/95/ctl
--w--w--w- 1 root root 0 Jul 12 18:37 /system/contract/process/95/status
--w--w--w- 1 root root 0 Jul 13 03:30 /system/contract/process/98/ctl
--w--w--w- 1 root root 0 Jul 13 03:30 /system/contract/process/98/status
=====================================================
[ Checking for SUID/SGID System Executables ]
=====================================================
INFO: Preparing a list of files that are SUID/SGID and executable
-r-xr-sr-x 1 root sys 14716 Jan 8 2007 /usr/platform/i86pc/sbin/eeprom
-r-sr-xr-x 1 root sys 23968 Jan 23 2005 /usr/bin/amd64/newtask
-r-sr-xr-x 2 root bin 15584 Jan 23 2005 /usr/bin/amd64/uptime
-r-sr-xr-x 2 root bin 15584 Jan 23 2005 /usr/bin/amd64/w
-r-sr-xr-x 1 root sys 14372 Jan 23 2005 /usr/bin/i86/newtask
-r-sr-xr-x 2 root bin 14200 Jan 23 2005 /usr/bin/i86/uptime
-r-sr-xr-x 2 root bin 14200 Jan 23 2005 /usr/bin/i86/w
-rwsr-xr-x 1 root sys 36560 Jul 3 2008 /usr/bin/at
-rwsr-xr-x 1 root sys 14652 Jul 3 2008 /usr/bin/atq
-rwsr-xr-x 1 root sys 14592 Jul 3 2008 /usr/bin/atrm
-r-sr-xr-x 1 root bin 15708 Jul 3 2008 /usr/bin/crontab
-r-sr-xr-x 1 root bin 14468 Jan 23 2005 /usr/bin/eject
-r-sr-xr-x 1 root bin 27116 Jan 23 2005 /usr/bin/fdformat
-r-sr-xr-x 1 root bin 30540 Jan 23 2005 /usr/bin/login
-r-x--s--x 1 root mail 58872 Jan 25 2008 /usr/bin/mail
-r-x--s--x 1 root mail 109192 Oct 11 2007 /usr/bin/mailx
-rwsr-xr-x 1 root sys 10324 Jan 23 2005 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 22628 Aug 14 2007 /usr/bin/passwd
-r-sr-xr-x 1 root bin 14300 Jan 23 2005 /usr/bin/pfexec
-r-sr-xr-x 1 root sys 25144 May 25 2005 /usr/bin/su
-r-s--x--x 1 uucp bin 51408 Jan 5 2007 /usr/bin/tip
-r-xr-sr-x 1 root tty 14208 Jan 23 2005 /usr/bin/write
-r-sr-xr-x 1 root bin 40948 Mar 19 2008 /usr/bin/rcp
-r-sr-xr-x 1 root bin 67616 Mar 19 2008 /usr/bin/rdist
-r-sr-xr-x 1 root bin 31672 Mar 19 2008 /usr/bin/rlogin
-r-sr-xr-x 1 root bin 27044 Mar 19 2008 /usr/bin/rsh
-rwsr-xr-x 1 svctag daemon 102752 May 28 2008 /usr/bin/stclient
-rwsr-xr-x 1 root other 165192 Nov 8 2006 /usr/bin/tsoljdslabel
-r-s--x--x 1 root uucp 60516 Feb 20 2008 /usr/bin/ct
-r-s--x--x 1 uucp uucp 75800 Feb 20 2008 /usr/bin/cu
-r-s--x--x 1 uucp uucp 60292 Jan 23 2005 /usr/bin/uucp
-r-s--x--x 1 uucp uucp 23868 Jan 23 2005 /usr/bin/uuglist
-r-s--x--x 1 uucp uucp 21036 Jan 23 2005 /usr/bin/uuname
-r-s--x--x 1 uucp uucp 55404 Jan 23 2005 /usr/bin/uustat
-r-s--x--x 1 uucp uucp 64488 Jan 23 2005 /usr/bin/uux
-r-sr-xr-x 1 root bin 52368 Jan 8 2007 /usr/bin/rmformat
-r-sr-xr-x 1 root bin 14280 Jan 23 2005 /usr/bin/volrmmount
-rwsr-xr-x 1 root bin 55660 May 22 2008 /usr/bin/cdrw
-r-s--x--x 1 root lp 10060 Mar 19 2008 /usr/bin/lpset
-r-sr-xr-x 1 root sys 43872 Aug 14 2007 /usr/bin/chkey
-r-sr-xr-x 1 root bin 195212 Aug 14 2007 /usr/bin/pppd
-r-sr-xr-x 1 root bin 5844 Jan 25 2008 /usr/bin/mailq
-r-sr-xr-x 1 root bin 14496 Jan 23 2005 /usr/lib/fs/ufs/quota
-r-sr-xr-x 1 root bin 80644 Oct 3 2008 /usr/lib/fs/ufs/ufsdump
-r-sr-xr-x 1 root bin 86716 Oct 3 2008 /usr/lib/fs/ufs/ufsrestore
-r-s--x--x 1 root bin 5776 Jan 8 2007 /usr/lib/pt_chmod
-r-sr-xr-x 1 root bin 9972 Jan 23 2005 /usr/lib/utmp_update
-r-s--x--x 1 root sys 51748 Jul 13 2008 /usr/lib/cacao/lib/tools/cacaocsc
-r-s--x--x 1 root bin 19008 Mar 19 2008 /usr/lib/lp/bin/netpr
-rwsr-xr-x 1 root adm 5772 Jan 23 2005 /usr/lib/acct/accton
-r-sr-xr-x 1 root sys 20548 Jun 14 2007 /usr/lib/webconsole/pamverifier
-r-s--x--x 1 uucp uucp 6032 Jan 23 2005 /usr/lib/uucp/remote.unknown
-r-s--x--x 1 uucp uucp 142840 Feb 20 2008 /usr/lib/uucp/uucico
-r-s--x--x 1 uucp uucp 33184 Jan 23 2005 /usr/lib/uucp/uusched
-r-s--x--x 1 uucp uucp 78448 Jan 23 2005 /usr/lib/uucp/uuxqt
-r-s--x--x 1 root bin 45220 Mar 19 2008 /usr/lib/print/lpd-port
-r-xr-sr-x 1 root smmsp 837860 Jan 25 2008 /usr/lib/sendmail
-r-sr-xr-x 1 root bin 138416 Oct 3 2008 /usr/lib/ssh/ssh-keysign
-rws--x--x 1 root other 10684 Dec 16 2004 /usr/lib/gnome-suspend
-rwxr-sr-x 1 root root 1612028 Jul 23 2008 /usr/openwin/bin/Xprt
-rwsr-xr-x 1 root bin 1408716 Jul 23 2008 /usr/openwin/bin/Xsun
-rwxr-sr-x 1 root root 305652 Jul 23 2008 /usr/openwin/bin/lbxproxy
-rwsr-xr-x 1 root bin 73220 Jan 23 2005 /usr/openwin/bin/xlock
-r-sr-xr-x 1 root bin 37996 Mar 28 2007 /usr/openwin/bin/sys-suspend
-rwsr-xr-x 1 root bin 327232 Jun 11 2008 /usr/openwin/bin/xscreensaver
-r-xr-sr-x 1 root sys 40104 Jan 8 2007 /usr/sbin/amd64/prtconf
-r-xr-sr-x 1 root sys 15496 Oct 3 2008 /usr/sbin/amd64/swap
-r-xr-sr-x 1 root sys 24032 Jan 23 2005 /usr/sbin/amd64/sysdef
-r-sr-xr-x 1 root bin 15568 Jan 23 2005 /usr/sbin/amd64/whodo
-r-xr-sr-x 1 root sys 30352 Jan 8 2007 /usr/sbin/i86/prtconf
-r-xr-sr-x 1 root sys 14052 Oct 3 2008 /usr/sbin/i86/swap
-r-xr-sr-x 1 root sys 18608 Jan 23 2005 /usr/sbin/i86/sysdef
-r-sr-xr-x 1 root bin 14216 Jan 23 2005 /usr/sbin/i86/whodo
-r-sr-xr-x 3 root bin 31516 Mar 19 2008 /usr/sbin/allocate
-rwsr-xr-x 1 root sys 24276 Jan 23 2005 /usr/sbin/sacadm
-r-sr-xr-x 1 root bin 35752 Jun 30 2006 /usr/sbin/traceroute
-r-xr-sr-x 1 root tty 10592 Jan 23 2005 /usr/sbin/wall
-r-sr-xr-x 3 root bin 31516 Mar 19 2008 /usr/sbin/deallocate
-r-sr-xr-x 3 root bin 31516 Mar 19 2008 /usr/sbin/list_devices
-r-sr-xr-x 1 root bin 45016 Apr 26 2005 /usr/sbin/ping
-r-sr-xr-x 1 root bin 21272 Jun 12 2008 /usr/sbin/pmconfig
-r-sr-xr-x 1 root bin 216440 Aug 8 2007 /usr/sbin/smpatch
-rwsr-xr-x 1 root sys 36580 Jul 3 2008 /usr/xpg4/bin/at
-r-sr-xr-x 1 root bin 15724 Jul 3 2008 /usr/xpg4/bin/crontab
-r-sr-sr-x 1 root sys 23124 Sep 29 2006 /usr/dt/bin/dtaction
-r-sr-xr-x 1 root bin 33116 Jan 23 2005 /usr/dt/bin/dtappgather
-r-sr-sr-x 1 root daemon 267768 Jan 23 2005 /usr/dt/bin/sdtcm_convert
-r-sr-xr-x 1 root bin 590140 Sep 29 2006 /usr/dt/bin/dtfile
-r-xr-sr-x 1 root mail 1376940 Sep 14 2006 /usr/dt/bin/dtmail
-r-xr-sr-x 1 root mail 409664 Jan 23 2005 /usr/dt/bin/dtmailpr
-r-sr-xr-x 1 root bin 327012 Jan 23 2005 /usr/dt/bin/dtprintinfo
-r-sr-xr-x 1 root bin 154584 Nov 8 2007 /usr/dt/bin/dtsession
-r-sr-xr-x 1 root bin 32068 Jul 18 2008 /usr/dt/bin/tsoldtlabel
-r-sr-xr-x 1 root bin 59696 Jul 18 2008 /usr/dt/bin/tsolxagent
-r-sr-xr-x 1 root bin 2374712 Jul 23 2008 /usr/X11/bin/amd64/Xorg
-r-sr-xr-x 1 root bin 2120536 Jul 23 2008 /usr/X11/bin/Xorg
-r-xr-sr-x 1 root root 4005000 Jul 23 2008 /usr/X11/bin/Xvnc
-r-sr-xr-x 1 root bin 15724 Jul 3 2008 /usr/xpg6/bin/crontab
-r-sr-sr-x 1 bin bin 10080 Jan 23 2005 /usr/vmsys/bin/chkperm
-rwxr-sr-x 1 root sys 214240 Jul 11 2008 /usr/local/bin/amd64/lsof
-rwxr-sr-x 1 root sys 183724 Jul 11 2008 /usr/local/bin/i386/lsof
-r-xr-sr-x 1 root sys 5816 Jul 11 2008 /usr/local/bin/lsof
-r-sr-xr-x 1 root lp 203 Jan 10 2005 /etc/lp/alerts/printer
-r-xr-sr-x 1 root smmsp 837860 Jan 25 2008 /proc/685/object/a.out
-r-xr-sr-x 1 root smmsp 837860 Jan 25 2008 /proc/684/object/a.out
=====================================================
[ Checking for Unowned Files and Directories ]
=====================================================
INFO: Checking for "unowned" files and directories
=====================================================
[ Checking for Extended Attributes ]
=====================================================
INFO: Checking for files and directories with exteneded attributes
=====================================================
SCAN FINISHED: Tue Jul 13 12:43:17 CEST 2010
=====================================================