DataMuseum.dk

Presents historical artifacts from the history of:

DKUUG/EUUG Conference tapes

This is an automatic "excavation" of a thematic subset of
artifacts from Datamuseum.dk's BitArchive.

See our Wiki for more about DKUUG/EUUG Conference tapes

Excavated with: AutoArchaeologist - Free & Open Source Software.



⟦5b79277ee⟧ TextFile

    Length: 4199 (0x1067)
    Types: TextFile
    Names: »README«

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦3da311d67⟧ »./cops/1.04/cops_104.tar.Z« 
        └─⟦6a2577110⟧ 
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦6a2577110⟧ »./cops/1.04/cops_104.tar« 
            └─⟦this⟧ »cops_104/carp/README« 


CARP (COPS Analysis and Report Program)

  A new idea for COPS: at USENIX, everyone was griping about big
networks and how to keep an eye on things, so I thought of a potential
partial solution...

  IMPORTANT!!!  The program described here will *ONLY* work on cops
report files if the report files were created with the "-v" flag to cops!

  Let's assume you use cops (or this won't do you a hell of a lot of
good :-)) on your network.  You use NFS to mount the cops stuff, or
you just mail/copy the report files back to the cops directory;
assume you have something like:

/path/to/cops ----  sun3_subdirectory_with_binaries (and subdirs sun3a,
              \                    sun3b, etc., each holding result files)
               \
                \--  sun4_subdir (+subdirs...)
                 \
                  \-- dec_mips_subdir (+...)
                   \
                    \-- ad nauseam.

  Here's what happens: carp does a 'find' on the cops dir for all
subdirectories containing the standard "year_month_day" type of cops report
file.  This gives a list of all the subdirs (i.e. hosts) that have cops
reports in them.  carp then takes the newest report in each directory, scans
it for problems, and outputs a summary that looks something like the one
below.  Each number is a warning level: 0 == a problem that gives instant
root access; 1 == a miscellaneous serious problem (guessed password,
whatever); 2 == who knows: something cops reports but that can't be judged
on an arbitrary machine (/etc/foo world writable, or whatever).

COPS warning summary, Mon Jan 27 16:47:42 PST 1992

hostname      rep date     crn dev ftp grp hme is pass msc pwd rc  rot usr
===========================================================================
sunshine     1992_Jan_14  |   |   |   |   | 1 | 2 |   |   | 2 | 2 | 2 |   |
rayban       1992_Jan_26  | 1 |   |   | 2 |   | 2 |   |   | 2 | 2 | 2 | 1 |
neuromancer  1992_Jan_27  |   |   | 2 |   | 1 | 2 |   |   | 2 | 2 | 2 |   |
sun          1992_Jan_26  |   |   | 2 | 2 | 1 | 2 |   |   | 2 | 2 |   | 1 |
foo_eng      1992_Jan_26  |   | 2 |   |   |   | 2 |   |   |   | 2 |   |   |
death        1992_Jan_15  |   |   |   | 2 | 1 | 2 |   |   | 2 | 2 | 0 |   |

  This way you can scan your whole net at a glance and see where the most
serious and/or recurring problems are (the number in each column is the
most serious warning level that check produced, so 0 beats 1 beats 2).
The X version ("xcarp") of this program (due out within a month or so)
will do the same thing, plus you'll be able to click on a host or host
problem area and have it pull up the host report(s); click on a specific
problem header and you get the report for that problem (guessed passwords,
whatever).  Instead of numbers it uses circles (filled, half filled, or
empty, corresponding to 0, 1, 2).

  The key is that all of the numbers are generated by awk filters that
are easily modifiable, and they include an exception mechanism for
dropping things you don't want to hear about; for instance, if you run
tftp, know about it, and don't *care* that COPS keeps bitching about it,
you can put a line in the report generating file like:

/tftp is enabled on/ { next }

  That says that every time a line matching that regexp is encountered, awk
will just skip over it, so it won't trigger the usual warning on the summary
sheet.
Caution, though: this is real awk code, so position in the file matters.
For instance, to check for tftp, the filter has a line like:

/tftp is enabled on/ {print FILENAME, check, "1"; next }

  ("1" is the warning level it prints out.)  awk tries its rules on each
input line from top to bottom, and "next" says to stop and go on to the
next line of the cops result file.  So the exception line must come
*before* the warning line: if you put it after, the warning line matches
first, its "next" skips the rest of the rules, and the exception is never
reached.  "*"'s and "?"'s and the lot are all cool, of course, since it's
all in awk, but they slow things down.  It's deathly slow right now,
about 10 seconds to process each host on a sparc2, but speed doesn't
matter that much here, IMHO (plus I can optimize it by just moving
around the regexps in awk (that's what sucks up all the time) and/or
rewriting the code).  Try using [gmn]awk for a bit of speed increase
as well.
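  To make the two mechanisms above concrete (finding the newest report per
host and summarising the worst level per check, and the awk exception rule
whose position decides whether it works), here is an added example in sh and
awk.  It is my code, not carp's or COPS's, and it assumes things the README
does not state: one directory per host, report file names of the form
YEAR_Mon_DAY, "-v" reports that print a "**** foo.chk ****" header before
each check's warnings, and that the summary columns map onto the COPS check
files (crn = cron.chk, hme = home.chk, is = is_able.chk, msc = misc.chk, pwd =
passwd.chk, rot = root.chk, usr = user.chk, and so on).  The report lines and
host names are constructed.  It goes one step beyond the text by building
the same filter twice, once with the tftp exception before the tftp warning
rule and once after, so you can see the warning leak through in the second
case.

```shell
#!/bin/sh
# Added example, not code from COPS or carp: a miniature carp in sh + awk.
# Assumed (not stated on the page): one directory per host, report files
# named YEAR_Mon_DAY, "-v" reports that print a "**** foo.chk ****" header
# before each check's warnings, and the column-name mapping in BEGIN below.
# The sample reports are constructed, not real COPS output.

# Constructed COPS tree: two hosts, an old and a new report for one of them.
make_sample_tree() {
    root=$1
    mkdir -p "$root/sun4/rayban" "$root/sun4/neuromancer"
    : > "$root/sun4/README"                   # not a report, must be ignored
    printf '**** ftp.chk ****\nWarning!  tftp is enabled on rayban\n' \
        > "$root/sun4/rayban/1992_Jan_14"     # older report, must lose to Jan_26
    cat > "$root/sun4/rayban/1992_Jan_26" <<'EOF'
**** ftp.chk ****
Warning!  tftp is enabled on rayban
**** pass.chk ****
Warning!  Password Problem: Guessed:      guest    shell: /bin/csh
EOF
    cat > "$root/sun4/neuromancer/1992_Jan_27" <<'EOF'
**** passwd.chk ****
Warning!  /etc/passwd is _World_ writable!
**** root.chk ****
Warning!  "." (or current directory) is in root's path!
EOF
}

# Every directory holding at least one YEAR_Mon_DAY report file (one per host).
host_dirs() {
    find "$1" -type f -name '[0-9][0-9][0-9][0-9]_[A-Z][a-z][a-z]_[0-9][0-9]' |
        sed 's,/[^/]*$,,' | sort -u
}

# Newest report in a host directory.  Month names do not sort lexically,
# so build a YYYYMMDD key instead of trusting "ls" or "sort".
newest_report() {
    ls "$1" | grep '^[0-9][0-9][0-9][0-9]_[A-Z][a-z][a-z]_[0-9][0-9]$' |
        awk -v dir="$1" '
        { split($0, d, "_")
          m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
          key = d[1] * 10000 + m * 100 + d[3]
          if (key > best) { best = key; name = $0 } }
        END { if (name != "") print dir "/" name }'
}

# carp-style awk rules.  Output: report file, summary column, warning level
# (0 = instant root, 1 = serious, 2 = unknown).  Built from pieces so the
# ordering caveat can be shown: awk tries rules top to bottom and "next"
# abandons the remaining rules for that input line.
RULES_HEAD='
BEGIN { col["cron.chk"] = "crn";  col["dev.chk"] = "dev";   col["ftp.chk"] = "ftp"
        col["group.chk"] = "grp"; col["home.chk"] = "hme";  col["is_able.chk"] = "is"
        col["pass.chk"] = "pass"; col["misc.chk"] = "msc";  col["passwd.chk"] = "pwd"
        col["rc.chk"] = "rc";     col["root.chk"] = "rot";  col["user.chk"] = "usr" }
/^\*\*\*\* .*\.chk \*\*\*\*$/ { check = col[$2]; next }
'
TFTP_SILENCE='/tftp is enabled on/ { next }                         # known, accepted
'
TFTP_WARN='/tftp is enabled on/ { print FILENAME, check, 1; next }
'
OTHER_RULES='
/Password Problem: Guessed/ { print FILENAME, check, 1; next }
/_World_ writable/          { print FILENAME, check, 2; next }
/is in root.s path/         { print FILENAME, check, 0; next }
'
FILTER="$RULES_HEAD$TFTP_SILENCE$TFTP_WARN$OTHER_RULES"      # exception first: works
FILTER_LATE="$RULES_HEAD$TFTP_WARN$TFTP_SILENCE$OTHER_RULES" # exception after: dead code

scan_report() {        # $1 = awk program, $2 = report file
    awk "$1" "$2"
}

# One row per host from its newest report; each column keeps the worst
# level seen for that check (0 beats 1 beats 2).
summarize() {
    printf '%-12s %-12s crn dev ftp grp hme  is pass msc pwd  rc rot usr\n' hostname 'rep date'
    host_dirs "$1" | while IFS= read -r dir; do
        rep=$(newest_report "$dir")
        scan_report "$FILTER" "$rep" |
            awk -v host="$(basename "$dir")" -v rep="$(basename "$rep")" '
            { if (!($2 in worst) || $3 < worst[$2]) worst[$2] = $3 }
            END { n = split("crn dev ftp grp hme is pass msc pwd rc rot usr", c, " ")
                  printf "%-12s %-12s", host, rep
                  for (i = 1; i <= n; i++) { v = (c[i] in worst) ? worst[c[i]] : ""; printf " |%2s", v }
                  print " |" }'
    done
}
```

Run it with `d=$(mktemp -d); make_sample_tree "$d"; summarize "$d"` and rayban
shows only its guessed password (pass = 1) because the tftp exception sits
above the tftp warning rule; `scan_report "$FILTER_LATE" "$d/sun4/rayban/1992_Jan_26"`
emits an extra "ftp 1" line, which is exactly the misordering the README
warns about.  The 0 for neuromancer's root.chk column is what you would go
and look at first.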

  Now you can read the man page :-)