By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html
2000-10-10: Netscape iPlanet iCal 'iplncal.sh' Permissions Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1768
2000-10-10: Netscape iPlanet iCal 'csstart' Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1769
2000-10-10: Netscape iPlanet iCal 'xhost -' Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1767
2000-10-10: Boa Webserver 0.94.2.x File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1770
2000-10-10: Big Brother Arbitrary Shell Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1779
2000-10-09: Evolvable Shambala Server 4.5 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1778
2000-10-09: Evolvable Shambala Server 4.5 Plaintext Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1771
2000-10-09: Extropia WebStore Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1774%3Fvid%3D1774
2000-10-08: Bytes Interactive Web Shopper Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1776%3Fvid%3D1776
2000-10-07: PHPix Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1777%3Fvid%3D1777
2000-10-07: Hassan Consulting Shopping Cart Directory Traversal Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1777%3Fvid%3D1777
2000-10-02: Moreover.com CGI File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1762
Last week a serious weakness in SSH/scp was reported; no patches are yet available.
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
Not vulnerable: OpenSSH 2.1 or later, SSH2.
Fix: Upgrade to OpenSSH 2.2, or SSH2. SSH1: no patches so far, avoid using scp, especially as root to untrusted servers.
The latest Solaris Recommended / Security Patch clusters are as follows; changes since last week are marked with a '*':
Solaris 8 Sep/07/00
Solaris 7 Oct/03/00
Solaris 2.6 Oct/09/00*
Solaris 2.5.1 Oct/09/00*
Square one, Paring down your network services, by S. Lee Henry
http://www.sunworld.com/sunworldonline/swol-10-2000/swol-1006-buildingblocks.html
This article examines 'inetd' services, to help decide which ones can be disabled when hardening.
Hardening Solaris: Creating a "Diamond in the Rough" Part I, by Hal Flynn
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/harden1.html
Commands / tools are examined for recognizing which ports/services are active on an existing machine.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Last week we looked at the new Jass hardening tool from Sun. I had intended doing more testing this week, but I prefer to wait until release 0.2 comes out, which should be more stable and actually useful for standalone usage. Hopefully the license will be less restrictive by then too. ;)
10/10/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138661&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&
10/10/00 upcoming Full Disclosure panel discussion
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138738&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&
10/09/00 enabling sudo logging
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138523&list=92&end=2000-10-14&fromthread=0&start=2000-10-08&
10/07/00 Announcement: JumpStart(TM) Architecture and Security Scripts (Toolkit)
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138164&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&
10/07/00 Renewal of your subscription to the FOCUS-SUN list
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138127&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&
10/07/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=138161&list=92&end=2000-10-07&fromthread=0&start=2000-10-01&
Yassp discussions this week.
FYI: Availability of JASS 0.12
http://www.theorygroup.com/Archive/YASSP/2000/msg00651.html
documentation error
http://www.theorygroup.com/Archive/YASSP/2000/msg00648.html
Re: dmesg broken by our new syslog.conf
http://www.theorygroup.com/Archive/YASSP/2000/msg00646.html
Jass: results of tests
http://www.theorygroup.com/Archive/YASSP/2000/msg00643.html
See also http://www.yassp.org
The logging service delivered with UNIX, syslogd, is very useful but is often not understood, badly documented and under-utilised. Here we provide a few tips to help you use syslog better. Note that Sun's syslog does not quite work like other variants such as the Linux one, and is less flexible.
The syslog daemon runs by default on Solaris and collects messages from system and application daemons. Having collected the messages, it then either writes them to a file, sends them to a user or forwards them to a centralised syslog host. You can send messages manually to syslog via the logger tool (see the logger man page).
The file that determines syslog's behaviour is /etc/syslog.conf. The default configuration from Sun (see the link below) is many years old; what does it actually do?
How can we improve on this?
So how do we change syslog's configuration?
The configuration file is a little quirky, and the man pages are not perfect, so first we look at the key elements.
Each line in syslog.conf is an instruction to send specific types of messages to a certain destination. The type of messages depends on the facility and priority.
The facility corresponds basically to the type/name of the application. There are 19 allowed values: kern, user, mail, daemon, auth, syslog, lpr, mark, news, uucp, cron, local0... local7. As you can see, many of the names correspond to typical UNIX daemons. The kern facility corresponds to the Solaris kernel, and we find the boot messages there. The 8 facilities local0 to local7 have no special application and can be assigned as desired. The facility used by most applications is the daemon facility. The mark facility is used to add regular timestamps.
Tip: an asterisk "*" can be used to denote all facilities.
The message priority can be emerg, crit, err, warning, notice, info, debug or none. The least urgent / most verbose is debug; conversely, emerg is reserved for very urgent messages.
The destination can be a filename (starts with a slash), a remote host (starts with an @), or one or more usernames (separated by commas, or "*" to indicate all logged-in users).
So an entry like 'auth.info /var/mylog' would mean all authentication messages of priority 'information' or higher should be written to the file /var/mylog.
Gotchas
- 'mail.info' logs all mail messages of priority 'info' OR HIGHER (i.e. not just priority 'info')
- you can do *.priority but not facility.*
- "kern,mail.info" logs kernel and mail messages of priority info or higher. The same applies to other combinations.
- use tabs (not spaces) between message type and destination
- a maximum of 20 (non-comment) lines is allowed; the rest are silently ignored.
- long lines don't work (from experience)
- if the destination is a file, the file must already exist and be writable.
- send a HUP signal to syslogd, or restart it, after changing the configuration.
Debugging tips
Start syslogd with "-d"; it will show a matrix of which messages will be sent to which destinations. Then use the logger tool to send messages with different facilities and priorities and check that they arrive where you expect.
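The gotchas and the "-d" matrix above can be checked before touching a live syslogd. The following is an added example, not part of the original digest and not Sun's code: a small Python lint for Solaris syslog.conf that flags the listed gotchas (spaces instead of tabs, facility.*, more than 20 rules, bad destinations) and then answers "where does a facility.priority message go?" the way the -d matrix does. The sample configuration is constructed for the example (a loghost forward plus a local copy of errors, auth and boot messages); 'alert' is included because it is a valid Solaris priority even though the short list above omits it.

```python
import re
# Solaris syslog.conf facilities and priorities (most to least urgent); 'alert' is also valid
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "mark",
              "news", "uucp", "cron"] + ["local%d" % i for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_RULES = 20  # Solaris silently ignores non-comment lines beyond this
def parse_line(line):
    # one rule -> ({facility: least urgent priority index still logged}, dest, errors)
    errors, thresholds = [], {}
    if "\t" not in line:
        errors.append("separator must be a tab, not spaces")
    selector, dest = (re.split(r"\s+", line.strip(), maxsplit=1) + [""])[:2]
    if not dest or not (dest[0] in "/@" or dest == "*" or re.fullmatch(r"[\w-]+(,[\w-]+)*", dest)):
        errors.append("destination must be a file, @loghost or user list")
    for sel in selector.split(";"):
        facs, _, prio = sel.partition(".")
        if prio == "*" or (prio != "none" and prio not in PRIORITIES):
            errors.append("bad priority %r (facility.* is not allowed)" % prio)
            continue
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in FACILITIES:
                errors.append("unknown facility %r" % fac)
            else:  # a later 'none' overrides earlier selectors for that facility
                thresholds[fac] = -1 if prio == "none" else PRIORITIES.index(prio)
    return thresholds, dest, errors
def lint(conf):
    # returns (rules syslogd would honour, gotchas found), numbering non-comment lines
    rules, problems = [], []
    active = [l for l in conf.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    problems += ["line %d: beyond %d rules, silently ignored" % (n, MAX_RULES)
                 for n in range(MAX_RULES + 1, len(active) + 1)]
    for n, line in enumerate(active[:MAX_RULES], 1):
        thr, dest, errs = parse_line(line)
        problems += ["line %d: %s" % (n, e) for e in errs]
        if not errs:
            rules.append((thr, dest))
    return rules, problems
def destinations(rules, facility, priority):
    # the 'syslogd -d' view: where does a facility.priority message end up?
    p = PRIORITIES.index(priority)
    return [dest for thr, dest in rules if facility in thr and p <= thr[facility]]
# Constructed sample: forward everything to a loghost, keep a local copy of errors,
# auth and boot messages; the last two lines deliberately show gotchas
SAMPLE_CONF = "\n".join([
    "*.info\t\t\t@loghost",
    "*.err;kern.notice;auth.notice\t/var/adm/messages",
    "auth.info\t\t\t/var/log/authlog",
    "mail.debug /var/log/syslog",      # spaces, not tabs: Solaris will not honour this line
    "daemon.*\t\t\t/var/adm/daemon",   # facility.* is not permitted
])
```

Run lint(SAMPLE_CONF) and then destinations(rules, "mail", "debug") to see that the space-separated mail line is silently lost, exactly the failure mode the gotchas warn about.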
Security
Syslog uses UDP transport, so message delivery to remote loghosts is not guaranteed, although if dedicated loghosts are used inside a critical zone this should pose little problem. You may wish to keep a local copy of certain logs even if a central log server exists. It is not advisable to have your syslog port open to the Internet: an attacker may decide to fill your logs with junk.
By default syslog sits on the network, listens for messages from anywhere (local or remote) and processes them. This is fine for a syslog server, but the typical workstation/server does not need to receive messages. In Solaris 8, syslogd can be started with the '-t' option, which indicates that it should not listen for messages from remote hosts.
So now you've been introduced to syslog, how about a few sample configurations?
Our starting point is Sun's default:
http://www.boran.com/security/sp/solaris/syslog_sun.conf
Custom config #1: This example is a configuration I've used for 7 years with many machines. It's also used in Yassp beta9 to beta11.
http://www.boran.com/security/sp/solaris/syslog.conf
Function: If a loghost is defined, catch all messages and send them to the log server; otherwise split messages into separate files per facility (I prefer not to have DNS messages mixed with SSH and POP messages) and copy all alert or higher messages into a separate file.
Disadvantages:
- Since /var/adm/message is replaced by many individual files, some users/administrators won't be able to find the logs
- The 'dmesg' command will not work, since it examines /var/adm/messages. Some people will rely on dmesg. I only found this out after using the configuration for 7 years!
- It's more complex and hence more difficult to understand.
Given the above disadvantages, I now tend to recommend this configuration only for central log servers, or for large servers with many different applications and expert administrators.
Custom #2: for small servers and workstations.
Use /var/adm/messages rather than separate files per facility.
http://www.boran.com/security/sp/solaris/syslog_2.conf
All messages of priority 'info' or higher are sent to the loghost or logged to /var/adm/messages. Minimal messages are sent to the console and users.
By uncommenting 'section 5' in this example, a local log of "errors, authentication and system boot messages" will be kept, even if all messages are forwarded to a central loghost.
We've covered syslog in quite a bit of detail and presented several examples that should help you get the best from your system logging. One more detail to note is that there are other implementations of syslog available. These offer either better security or improved functionality. I've not yet tested them, however, and can't make recommendations.
syslog-ng (tcp connections, content filtering, encryption, authentication)
http://www.balabit.hu/products/syslog-ng
secure syslog (encryption and authentication of a trusted auditor's machine)
http://www.core-sdi.com/english/slogging/ssyslog.html
Nsyslogd (tcp connections & SSL)
http://coombs.anu.edu.au/~avalon/nsyslog.html
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 12 October, 2000