ISS Safesuite Network Scanner

Evaluation Completed : Aug 8th, 1997

Name

The ISS Safesuite Security Scanner (S3)

Release Information

Support

Functionality

Evaluates system vulnerabilities from the host operating system's perspective. S3 assesses file permissions, file ownership, network service configurations, account setup, program authenticity and common user related security weaknesses such as guessable passwords.

Requirements

Supported for the following Unix flavours

• SunOS 4.1.3
• 4.1.4 Sun Solaris (SPARC) 2.3 to 2.5
• IBM AIX 3.2 and 4.1
• HP-UX 9.05
• Linux 1.2.13

However my chat with the developer stated that they are encountering some problems with HP-UX.

Documentation

The User Manual ,Man pages and README.

Installing S3

1. Log in as root or use sudo
2. cp s3.tar to a local drive
3. Unpack the archive in that drive
4. Change the working directory to s3
5. Run the script sudo ./install.s3

Problems Faced

1. Do not install s3 in your home directory. sudo gives root access only for the local system and not for your user directory which is mounted in batman. sudo creates non root owned files in your home directory and s3 cannot be properly as non root.

Starting S3

1. Log in as root
2. Change working directory to s3
3. Run the command sudo ./xs3

Problems Faced

1. Always set the display environment variable to local host ie setenv DISPLAY :0.0
2. Cannot run the tool without the license key. This key is machine specific and has to be present in the s3 directory. It can be ordered from ISS at 1-770-395-0150 or keys@iss.net
3. Ignore the error "cannot detect browser" and type the command sudo ./xs3

Configuring S3

1. In the Environment Configuration Window, specify the HTML Browser path as  /usr/local/netscape/netscape
2. In the Risk Assesment Configuration Window, click on the Passwords column and specify your own dictionary for a more comprehensive scan. The default dictionary is limited. You can specify the Unix dictionary /usr/share/lib/dict/words

Evaluation Details

The Good News :

1. Good User Interface
2. Generates Fix Scripts and Unfix Scripts to fix and unfix the errors. (But does not work at all in some cases)
3. Generates a baseline of the local file system and traps differences to this baseline
4. Prepares a very good ascii, html or Comma Seperated Value (CSV) reports. The last can be used for importing into database applications
5. Very comprehensive check
6. Details vulnerabilities with an explanation on what it is and the way to fix the problem

The Bad News :

1. The scan halts prematurely when it tries to perform the .netrc check on our systems in the users section of the vulnerability check. Thus a complete vulnerability assesment can never be performed. I have contacted the developer at ISS and he has informed me that it will be fixed at the earliest. Waiting to hear from him.
2. Rebooted my system when I conducted a sanity check on it by allowing it to run overnight.
3. Currently does not scan the password file in the NIS. Can only scan the local /etc/passwd file. Developer told me that it should scan both.
4. Does not generate the fix/unfix scripts in most cases
5. Could have better user documentation
6. System hangs while generating Database Baseline
7. Takes about 10 minutes for a limited scan on Localhost Risk Assesment and this time fluctuates.
8. Takes a long time for creating the Assesment Display
9. Some of the vulnerabilities have no risk level indication
10. No way of stopping/halting an existing action which seems to take an unusually long time. eg. On starting a File Database Baseline Check, there is no way to stop the action
11. Assesment Report takes too long to be generated.
12. Windows totally blankout while scanning.
13. Does not generate the reports in some cases

Features

The features can be classified into

• Current Configuration Checks (to identify aspects of the configuration that potentially allow intruders or users to gain unauthorised access)
• System Configuration Checks
• Software Version Checks
• File Ownership and Permission Checks
• SUID/SGID checks
• Anamalous file checks
• User Account checks
• Group Setup Checks
• Password Checks
• System Compromise Checks (to examine if an intruder has achieved unauthorised access.)
• File Baseline Comparison Checks
• Account Setup Modification Checks
• Hacker Signature Checks
• Graphical User Interface
• Distributed Assesment
• Assesment Reports

Conclusion

S3 is a good tool and does a very comprehensive system vulnerability check (much better that COPS, Tiger and other vulnerability checkers ). However it can be recommended only if the bug in the users netrc check is resolved. The Developer's have assured me that it will be fixed at the earliest. I am waiting to hear from them.

Recommendation

The tool cannot be recommended in its present form. If ISS can fix at least the following problems, it can be recommended :

• no halting while performing .netrc check
• total assesment of the system should go uninterrupted
• scan of the NIS password file should be possible
• Generation of fix/unfix scripts or all cases

Overall a very good tool if all the features that are supposed to work, work. Until then it would be better to wait a while until these problems have been resolved and the tool has matured a bit.

This review was written by Jai Sundar Balasubramaniyan <balasujs@cs.purdue.edu> during the summer of 1997. The opinions expressed are for purposes of critical review, and do not represent any official recommendation or endorsement by COAST or Purdue University.