Weekly Solaris Security Digest
2000/10/08 to 2000/10/15

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-10-10: Netscape iPlanet iCal 'iplncal.sh' Permissions Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1768

2000-10-10: Netscape iPlanet iCal 'csstart' Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1769

2000-10-10: Netscape iPlanet iCal 'xhost -' Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1767

2000-10-10: Boa Webserver 0.94.2.x File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1770

2000-10-10: Big Brother Arbitrary Shell Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1779

2000-10-09: Evolvable Shambala Server 4.5 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1778

2000-10-09: Evolvable Shambala Server 4.5 Plaintext Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1771

2000-10-09: Extropia WebStore Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1774%3Fvid%3D1774

2000-10-08: Bytes Interactive Web Shopper Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1776%3Fvid%3D1776

2000-10-07: PHPix Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1777%3Fvid%3D1777

2000-10-07: Hassan Consulting Shopping Cart Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1777%3Fvid%3D1777

2000-10-02: Moreover.com CGI File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1762

Last week a serious weakness in SSH/scp was reported; no patches are yet available.
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
• Not vulnerable: OpenSSH 2.1 or later, SSH2.
• Fix: Upgrade to OpenSSH 2.2, or SSH2. SSH1: no patches so far; avoid using scp, especially as root, to untrusted servers.


Patches

The latest Solaris Recommended / Security Patch clusters are as follows; changes are marked with a '*':

Solaris 8      Sep/07/00
Solaris 7      Oct/03/00
Solaris 2.6    Oct/09/00*
Solaris 2.5.1  Oct/09/00*


News & Articles

Sunworld

Square one, Paring down your network services, by S. Lee Henry
http://www.sunworld.com/sunworldonline/swol-10-2000/swol-1006-buildingblocks.html

This article examines 'inetd' services, to help decide which ones can be disabled when hardening.

SecurityFocus

Hardening Solaris: Creating a "Diamond in the Rough" Part I, by Hal Flynn
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/harden1.html

Commands and tools for recognising which ports/services are active on an existing machine are examined.

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Last week we looked at the new Jass hardening tool from Sun. I had intended to do more testing this week, but I prefer to wait until release 0.2 comes out, which should be more stable and actually useful for standalone usage. Hopefully the license will be less restrictive by then too. ;)


Mailing Lists

FOCUS-Sun discussions

10/10/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138661&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&

10/10/00 upcoming Full Disclosure panel discussion
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138738&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&

10/09/00 enabling sudo logging
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138523&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&

10/07/00 Announcement: JumpStart(TM) Architecture and Security Scripts (Toolkit)
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138164&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&

10/07/00 Renewal of your subscription to the FOCUS-SUN list
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138127&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&

10/07/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138161&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp discussions this week.

FYI: Availability of JASS 0.12
http://www.theorygroup.com/Archive/YASSP/2000/msg00651.html

documentation error
http://www.theorygroup.com/Archive/YASSP/2000/msg00648.html

Re: dmesg broken by our new syslog.conf
http://www.theorygroup.com/Archive/YASSP/2000/msg00646.html

Jass: results of tests
http://www.theorygroup.com/Archive/YASSP/2000/msg00643.html

See also http://www.yassp.org


Tip of the Week: Tuning Syslog

The logging service delivered with UNIX, syslogd, while very useful, is often not understood, badly documented and under-utilized. Here we provide a few tips to allow you to use syslog better. Note that Sun's syslog does not quite work like other variants such as Linux's, and is not as good or as flexible.

The syslog daemon runs by default on Solaris and collects messages from system and application daemons. Having collected the messages, it then either writes them to a file, sends them to a user, or forwards them to a centralised syslog host. You can send messages manually to syslog via the logger tool (see the logger man page).

The file which determines syslog's behaviour is /etc/syslog.conf. The default configuration (see link below) from Sun is many years old; what does it do?

How can we improve on this?

So how do we change syslog's configuration?

The configuration file is a little quirky, and the man pages are not perfect, so first we look at the key elements.

Each line in syslog.conf is an instruction to send specific types of messages to a certain destination. The type of messages depends on the facility and priority.

The facility corresponds basically to the type/name of the application; there are 19 allowed values: kern, user, mail, daemon, auth, syslog, lpr, mark, news, uucp, cron, local0 ... local7. As you can see, many of the names correspond to typical UNIX daemons. The kern facility corresponds to the Solaris kernel, and we find the boot messages there. The 8 facilities local0 to local7 have no special applications and can be assigned as desired. The facility used by most applications is the daemon facility. The mark facility is used to add regular timestamps.
Tip: an asterisk "*" can be used to denote all facilities.

The message priority can be emerg, crit, err, warning, notice, info, debug or none. The least urgent / most verbose is debug and conversely emerg is reserved for very urgent messages.

The destination can be a filename (starting with a slash), a remote host (starting with an @), or one or more usernames (separated by commas, or "*" to indicate all logged-in users).

So an entry like 'auth.info   /var/mylog' means that all authentication messages of priority 'info' or higher should be written to the file /var/mylog.

Gotchas

Debugging tips

Start syslogd with "-d": it will show a matrix of what messages will be sent to which destinations. Then use the logger tool to send messages with different facilities and priorities.
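As an added illustration of the selector rules described above (facility.priority, "*", ".none", "this priority or higher") and of the routing matrix that 'syslogd -d' prints, here is a small Python model. It is my own example, not Solaris code and not any of the configuration files linked in this tip. The sample configuration inside it is constructed; the file paths, the 'loghost' name and the 'alert' priority it accepts in addition to the list above are assumptions.

```python
"""Toy model of how syslogd interprets syslog.conf selectors.

Hypothetical example, not Solaris syslogd and not any of the configurations
linked in the digest: it parses 'facility.level  action' lines and answers
"where would a message with this facility and priority go?", the same
question that 'syslogd -d' answers with its routing matrix.
"""
import re

# The 19 facilities named in the text, in syslog.conf(4) spelling.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "mark", "news", "uucp", "cron"] + [f"local{i}" for i in range(8)]

# Most urgent first. 'alert' is accepted as well (an assumption beyond the
# list in the text), since selectors such as '*.alert' rely on it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: rank for rank, name in enumerate(PRIORITIES)}


def parse_syslog_conf(text):
    """Return a list of (table, action) pairs, one per non-comment line.

    'table' maps each facility to the least urgent rank the line still
    accepts, or None for facilities switched off with '.none'. Within one
    line later selectors override earlier ones, so '*.err;kern.none'
    keeps everything at err or above except kernel messages.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Solaris syslogd wants a tab between selector and action; this
        # model accepts any run of whitespace so the sample is easier to read.
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: selector without action: {raw!r}")
        selector, action = parts
        table = {}
        for sel in selector.split(";"):
            if "." not in sel:
                raise ValueError(f"line {lineno}: bad selector {sel!r}")
            fac_list, level = sel.rsplit(".", 1)
            facs = FACILITIES if fac_list == "*" else fac_list.split(",")
            for fac in facs:
                if fac not in FACILITIES:
                    raise ValueError(f"line {lineno}: unknown facility {fac!r}")
                if level == "none":
                    table[fac] = None
                elif level in RANK:
                    table[fac] = RANK[level]   # this level or anything more urgent
                else:
                    raise ValueError(f"line {lineno}: unknown priority {level!r}")
        rules.append((table, action))
    return rules


def route(rules, facility, priority):
    """Destinations (in file order, without duplicates) for one message."""
    rank = RANK[priority]
    dests = []
    for table, action in rules:
        limit = table.get(facility)        # None: not selected, or '.none'
        if limit is not None and rank <= limit and action not in dests:
            dests.append(action)
    return dests


def routing_matrix(rules):
    """The 'syslogd -d' view: every facility/priority pair with its destinations."""
    return {(f, p): route(rules, f, p) for f in FACILITIES for p in PRIORITIES}


# Constructed sample configuration in the "local copy plus loghost" spirit of
# the tip: everything at info or above is forwarded, errors and boot messages
# are also kept locally, and auth messages get their own file instead of
# travelling over the network.
SAMPLE_CONF = """
# constructed sample, not Sun's default and not the author's files
*.err;kern.notice;auth.notice              /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages
*.alert;kern.err;daemon.err                operator
*.alert                                    root
*.emerg                                    *
auth.info                                  /var/log/authlog
*.info;auth.none                           @loghost
"""


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    # The same probe on a real box would be: logger -p auth.info "test"
    for fac, pri in [("auth", "info"), ("daemon", "notice"), ("kern", "emerg"),
                     ("mail", "warning"), ("local0", "debug")]:
        print(f"{fac}.{pri:<8} -> {route(rules, fac, pri) or ['(dropped)']}")
    print(f"{len(routing_matrix(rules))} facility/priority combinations evaluated")
```

Run it to see where each constructed message would land; the equivalent probe on a real machine is 'logger -p facility.level message' while watching the destinations. Two details of the real daemon are simplified here: Solaris expects a tab between selector and action, and /etc/syslog.conf is run through m4 before it is read, which is how the default file decides whether the machine itself is the loghost.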

Security

Syslog uses UDP transport, so message delivery to remote loghosts is not guaranteed, although if dedicated hosts are used inside a critical zone this should pose little problem. You may wish to keep a local copy of certain logs, even if a central log server exists. It is not advisable to have your syslog port open to the Internet, since an attacker may decide to fill your logs with junk.

By default syslog sits on the network, listens for messages from anywhere (local or remote) and processes them. This is fine for a syslog server, but the typical workstation/server does not need to receive messages. In Solaris 8, syslogd can be started with the '-t' option, which indicates that it should not listen for messages from remote hosts.

So now you've been introduced to syslog, how about a few sample configurations?

Our starting point is Sun's default:
http://www.boran.com/security/sp/solaris/syslog_sun.conf

Custom config #1: This example is a configuration I've used for 7 years with many machines. It's also used in Yassp beta9 to beta11.
http://www.boran.com/security/sp/solaris/syslog.conf
Function: If a loghost is defined, catch all messages and send them to the log server; otherwise split messages into separate files per facility (I prefer not to have DNS messages mixed with SSH and POP messages) and copy all messages of priority alert or higher into a separate file.

Disadvantages:

  1. Since /var/adm/messages is replaced by many individual files, some users/administrators won't be able to find the logs.
  2. The 'dmesg' command will not work, since it examines /var/adm/messages.  Some people will rely on dmesg. I only found this out after using the configuration for 7 years!
  3. It's more complex and hence more difficult to understand.

Given the above disadvantages, I now tend to recommend this configuration for a central log server, or for large servers with many different applications and expert administrators.

Custom #2: for small servers and workstations.
Use /var/adm/messages rather than separate files per facility.
http://www.boran.com/security/sp/solaris/syslog_2.conf

All messages of priority 'info' or higher are sent to the loghost or logged to /var/adm/messages. Minimal messages are sent to the console and users.

By uncommenting 'section 5' in this example, a local log of "errors, authentication and system boot messages" will be kept, even if all messages are forwarded to a central loghost.

We've covered syslog in quite a bit of detail and presented several examples that should help you get the best from your system logging. One more detail to note is that there are other implementations of syslog available. These offer either better security or improved functionality. I've not yet tested them, however, and can't make recommendations.

syslog-ng (tcp connections, content filtering, encryption, authentication)
http://www.balabit.hu/products/syslog-ng

secure syslog (encryption and authentication of a trusted auditor's machine)
http://www.core-sdi.com/english/slogging/ssyslog.html

Nsyslogd (tcp connections & SSL)
http://coombs.anu.edu.au/~avalon/nsyslog.html


If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 12 October, 2000