Weekly Solaris Security Digest
2001/07/15 to 2001/07/22

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html




New Solaris Vulnerabilities this Week

Multiple vendor Telnet Daemon vulnerability
http://archives.neohapsis.com/archives/bugtraq/2001-07/0351.html
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz

Most telnet daemons in use today contain a buffer overflow in the handling of telnet options (TESO advisory 011).
Severity: under certain circumstances the overflow may be exploitable remotely to gain root privileges. Solaris 2.x SPARC appears to be vulnerable.
Workaround: do not run telnet at all: comment out the 'telnet' entry in /etc/inetd.conf, send inetd a HUP and use SSH for remote logins instead. Sun's in.telnetd patches for Solaris 8 (110668-01 SPARC, 110669-01 x86) appear in the Patches section below; read their READMEs to confirm they address this advisory before relying on them.

 

Vulnerabilities this Week — Third-party Applications:

Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)
http://www.cert.org/advisories/CA-2001-18.html

Several implementations of the Lightweight Directory Access Protocol (LDAP) contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both.
Severity: the following implementations are vulnerable: iPlanet Directory Server (5.0 Beta, and versions up to and including 4.13); certain versions of IBM SecureWay running under Solaris and Windows 2000; Lotus Domino R5 servers prior to 5.0.7a; Teamware Office for NT and Solaris prior to 5.3ed1; Qualcomm Eudora WorldMail 2.0 for Windows NT; Microsoft Exchange 5.5 LDAP; Network Associates PGP Keyserver 7.0 prior to Hotfix 2; Oracle 8i Enterprise Edition; OpenLDAP (1.x prior to 1.2.12 and 2.x prior to 2.0.8). Depending on the product, a remote attacker can execute arbitrary code on the system or crash the affected implementation, resulting in a denial of service.
Workaround: as a temporary measure the exposure can be limited by blocking access to directory services at the network perimeter (TCP and UDP ports 389 and 636), but this does not protect vulnerable products from internal attacks. Apply the vendor's patch (see the advisory for details).

 

Check Point Firewall-1/VPN-1 Management Station Format String Vulnerability
http://www.checkpoint.com/techsupport/alerts/format_strings.html

The Firewall-1/VPN-1 management station contains a format string vulnerability: client-supplied data is passed to a printf-family function as the format string argument. Administrators with limited privileges (such as read-only) may be able to exploit it to gain control of the management station.
Severity: all installations of VPN-1/FireWall-1 that allow remote GUI connections should be considered vulnerable. However, the flaw can only be exploited by a client that has already authenticated as an administrator.
Workaround: restrict remote GUI access for read-only firewall administrators, review the list of administrators and authorized GUI clients, and apply the patch, available from http://www.checkpoint.com/techsupport/downloads/downloads.html.

 

Bugtraq Database:

2001-07-17: ID Software Quake Denial of Service Vulnerability
http://www.securityfocus.com/bid/3051

2001-07-15: Interactive Story Directory Traversal Vulnerability
http://www.securityfocus.com/bid/3028

2001-07-13: AdCycle AdLogin.pm Admin Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/3032

2001-07-11: Opera Web Browser Malformed Header Vulnerability
http://www.securityfocus.com/bid/3012


Solaris vulnerabilities pending

Over the last few weeks/months we reported on several Solaris vulnerabilities. Those not yet covered by Solaris patches, or whose patches are recent, are listed below; see previous digests for a more detailed analysis.

Summary: several exploit samples have been released, and patches for ftp, ypbind and kcms are available. If you use NIS/YP, apply the ypbind patch very soon.

libsldap buffer overflow in $LDAP_OPTIONS

Severity: a local user may gain root privileges on Solaris 8 via a buffer overflow in libsldap triggered through the LDAP_OPTIONS environment variable. Exploit published.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break the functionality of some utilities that use it.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html

Print Protocol Daemon (in.lpd) Remote Buffer Overflow

Severity: a remote attacker may gain root privileges via a buffer overflow in the in.lpd daemon (the BSD print protocol service, tcp/515). No known exploits published yet.
Patches: not yet available, but the following have been announced:
  Solaris 8: 109320-04
  Solaris 8_x86: 109321-04
  Solaris 7: 107115-08
  Solaris 7_x86: 107116-08
  Solaris 2.6: 106235-09
  Solaris 2.6_x86: 106236-09
Workaround: either apply network access control to the service (with TCP wrappers), or disable 'in.lpd' (the 'printer' entry in /etc/inetd.conf), or, better still, disable inetd altogether. If inetd is needed, disable ALL services that are not necessary.
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
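The telnet and in.lpd workarounds above come down to the same job: find out what inetd is still starting and switch off everything you do not need. The shell functions below, an added example rather than anything from the digest or from Sun, do that over a copy of inetd.conf: one lists the enabled services, one tests a single service, and one writes out a copy with every entry commented out except a whitelist. The inetd.conf is constructed so the script runs offline; on a real host point it at /etc/inetd.conf, keep a backup, copy the result back and tell inetd to reread the file with "pkill -HUP inetd" (Solaris 7 and later).

```sh
#!/bin/sh
# Added example, not from the digest: audit a Solaris-style inetd.conf and
# comment out every service except a whitelist. Works on a constructed copy so
# it runs offline as an ordinary user.

WORK=$(mktemp -d)

# Constructed sample in inetd.conf format (service, socket type, protocol,
# wait/nowait, user, server program, arguments). Paths are illustrative.
cat > "$WORK/inetd.conf" <<'EOF'
# Internet services (constructed sample, not a real host's file)
ftp       stream  tcp     nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet    stream  tcp     nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell     stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
login     stream  tcp     nowait  root    /usr/sbin/in.rlogind   in.rlogind
#finger   stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
printer   stream  tcp     nowait  root    /usr/lib/print/in.lpd  in.lpd
100232/10 tli     rpc/udp wait    root    /usr/sbin/sadmind      sadmind
EOF

# Service names inetd would start: first field of every line that is neither
# blank nor a comment.
inetd_enabled() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1"
}

# 0 if service $1 is live in file $2, 1 otherwise.
inetd_is_enabled() {
    inetd_enabled "$2" | grep -Fqx -- "$1"
}

# Print a copy of file $1 with every service commented out except the names
# given after it; comments and blank lines pass through untouched. The caller
# redirects the output (to a new file, then copies it over the original).
inetd_keep_only() {
    conf=$1; shift
    awk -v keep=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # already off, or no service
        index(keep, " " $1 " ")  { print; next }   # whitelisted: leave alone
        { print "#" $0 }                            # everything else: off
    ' "$conf"
}

# Stand-alone demo: what is on now, then a hardened copy keeping only ftp
# (on most servers the right whitelist is empty, and inetd itself goes off).
echo "enabled before:"; inetd_enabled "$WORK/inetd.conf"
inetd_keep_only "$WORK/inetd.conf" ftp > "$WORK/inetd.conf.new"
echo "enabled after:";  inetd_enabled "$WORK/inetd.conf.new"
```

Note that RPC services such as the sadmind entry are listed by program number, not by name, so the whitelist has to use the same string that appears in the first column.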

/opt/SUNWssp/bin/cb_reset

Severity: a local user may gain root privileges by overflowing a buffer in the cb_reset setuid-root command of the SUNWssp package (not part of a standard install). No known exploits published yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effect: only root can then use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893

/opt/SUNWvts/bin/ptexec

Severity: a local user may gain root privileges by overflowing a buffer in the ptexec setuid-root command of the SUNWvts package (not part of a standard install). No known exploits published yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effect: only root can then use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898

/usr/bin/at language environment overflow

Severity: a user with a local account may gain root privileges via a buffer overflow in the handling of the language environment variables. Exploit published.
Workaround: remove the suid bit. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html

/usr/bin/mail $HOME Buffer Overflow Vulnerability

Severity: a user with a local account may gain the privileges of group 'mail' via an overflow triggered by a long $HOME.
Workaround: remove the sgid bit from /usr/bin/mail.
http://www.securityfocus.com/vdb/bottom.html?vid=2819

mailtool buffer overflow in $OPENWINHOME

Severity: a user with a local account may gain the privileges of group 'mail'. Exploit released. Sun Bug ID: 4458476.
Workaround: remove the sgid bit: "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Severity: remote root exploit on Solaris 2.6, 7 and 8. An exploit called 'metaray' is in circulation. To check whether the daemon is running, use "ps -ef | grep yppasswd". After a successful exploit a root shell may be listening on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" may be running.

Workarounds: disable YP/NIS and use NIS+, which is more secure. Disable 'yppasswdd' until patches are available (it is started from /usr/lib/netsvc/yp/ypstart). Or control access to the service with SunScreen Lite (or another host-based firewall). Side effect: if users cannot reach this daemon, they cannot change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php

mailx -F buffer Overflow

Severity: local exploit of the sgid 'mail' binary.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun $HOME buffer overflow vulnerability

Severity: Local sgid root exploit.
Patches: Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Severity: Remote root exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Severity: Local suid root exploit.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Severity: local suid exploit via command line options.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Severity: Local suid root exploit. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid bit can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Severity: a local user might be able to read the contents of /etc/shadow. Apparently the overflow itself is not easy to exploit, but the ftp daemon can be crashed so that it writes a core file which may contain /etc/shadow.
Patches: 106301-03 SunOS 5.6, 111607-01 SunOS 5.8_x86, 111606-01 SunOS 5.8.
Workaround: watch your ftp servers carefully for core dumps and consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Severity: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Severity: remote root exploit.
Workaround: watch your NTP servers carefully and restrict access by IP address. One Sun contract customer reports that an "emergency fix" can be obtained from Sun. Alternatively, install the latest public-domain ntpd rather than the one distributed with Solaris.
http://securityfocus.com/vdb/bottom.html?vid=2540  


ipcs Timezone buffer overflow vulnerability

Severity: Local suid root exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
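Most of the workarounds in this section are "remove the suid/sgid bit", and every one of them is a change you will want to be able to audit later and undo if it breaks something. The shell below is an added example, not from the digest: it inventories set-uid/set-gid files, compares the inventory with a saved baseline so a newly planted suid file stands out, and drops the bits from one binary while recording its old mode. It builds a throwaway directory tree so it runs offline as an ordinary user; on a real host run it as root against "/" (with -xdev or -local on the find to stay off NFS) and keep the baseline somewhere the host cannot rewrite it.

```sh
#!/bin/sh
# Added example, not from the digest: set-uid/set-gid inventory, baseline diff,
# and recorded removal of the bits. The tree below is constructed; the file
# names only mimic the binaries discussed in the digest.

WORK=$(mktemp -d)
ROOT=$WORK/root           # stands in for "/" (constructed, no real binaries)

mkdir -p "$ROOT/usr/bin" "$ROOT/tmp"
for f in at mailx ls; do : > "$ROOT/usr/bin/$f"; done
chmod 4755 "$ROOT/usr/bin/at"       # suid root in a real install
chmod 2755 "$ROOT/usr/bin/mailx"    # sgid mail in a real install
chmod 0755 "$ROOT/usr/bin/ls"       # neither; must not show up

# Every regular file below $1 with the set-uid or set-gid bit, sorted, one
# path per line (sorted so the output can be fed to comm).
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Save today's inventory of tree $1 as baseline file $2.
suid_baseline() { suid_inventory "$1" > "$2"; }

# Paths present in tree $2 now but absent from baseline $1: new or re-enabled
# suid/sgid files, which on a server is exactly what an intruder leaves behind.
suid_new_since() { suid_inventory "$2" | comm -13 "$1" -; }

# Remove both bits from file $1, appending its old listing to log $2 so the
# change can be reverted (chmod u+s / g+s) if the workaround breaks something.
suid_drop() {
    ls -ld "$1" >> "$2"
    chmod u-s,g-s "$1"
}

# Stand-alone demo: baseline, then a planted suid file, then the at(1) workaround.
suid_baseline "$ROOT" "$WORK/suid.baseline"
: > "$ROOT/tmp/.x"; chmod 4755 "$ROOT/tmp/.x"        # an intruder's leftover
echo "new since baseline:"; suid_new_since "$WORK/suid.baseline" "$ROOT"
suid_drop "$ROOT/usr/bin/at" "$WORK/suid.changes"    # 'at' workaround above
echo "still set-uid/set-gid:"; suid_inventory "$ROOT"
```

Run the inventory from cron and mail the output of suid_new_since; an empty result is the normal case, and anything else deserves a look before the next reboot, not after.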


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare the patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
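Knowing that a patch exists is only half the job; the other half is finding out whether each host actually has it at the revision that matters. As an added example (not from the digest or from Sun), here is a small shell check that reads the output of "showrev -p" and reports which patches from a required list are missing or installed at too low a revision. The required list uses the Solaris 8 SPARC patch ids named in this digest; the showrev output is constructed so the script runs offline, and on a real host you would capture "showrev -p" into a file and point the functions at that.

```sh
#!/bin/sh
# Added example, not from the digest: compare installed patch revisions
# ("showrev -p" output) against a list of required id-rev pairs.

WORK=$(mktemp -d)

# Constructed "showrev -p" output for a Solaris 8 SPARC host. Only the
# "Patch: id-rev" token is used; the other fields are carried for realism.
cat > "$WORK/showrev.txt" <<'EOF'
Patch: 108528-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108991-12 Obsoletes:  Requires: 108528-07 Incompatibles:  Packages: SUNWcsl
Patch: 109320-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpcu
Patch: 108869-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsadmi
Patch: 111400-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkcsrt
EOF

# Solaris 8 SPARC ids named in this digest: in.lpd 109320-04, kcms 111400-01,
# snmpXdmid 108869-06, ftpd 111606-01, Xsun 108652-35. Which of these a given
# host needs is the administrator's call; the list is an example.
REQUIRED="109320-04 111400-01 108869-06 111606-01 108652-35"

# Highest installed revision of patch base id $1 in file $2 (two digits), or
# nothing if the patch is not installed at all.
patch_installed_rev() {
    awk -v id="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best) printf "%02d\n", best }
    ' "$2"
}

# 0 if "id-rev" ($1) is satisfied by file $2, i.e. the installed revision of
# id is at least rev (a later revision supersedes an earlier one); else 1.
patch_satisfied() {
    id=${1%-*}; need=${1#*-}
    have=$(patch_installed_rev "$id" "$2")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# Print every entry of list $1 that file $2 does not satisfy, with what is
# actually installed, one per line.
patch_missing() {
    for p in $1; do
        if ! patch_satisfied "$p" "$2"; then
            have=$(patch_installed_rev "${p%-*}" "$2")
            echo "$p (installed: ${have:-none})"
        fi
    done
    return 0
}

# Stand-alone demo.
echo "missing or too old:"
patch_missing "$REQUIRED" "$WORK/showrev.txt"
```

The revision comparison is the part people get wrong by hand: 109320-03 looks like "the in.lpd patch is on", but the announced fix is -04, and only the revision number tells you whether the vulnerable code is still there.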

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jul/17/01:

none

Solaris 2.6, Jul/17/01:

none

Solaris 7, Jul/17/01:

Solaris 8, Jul/18/01:

Solaris 8_x86, Jul/16/01:

 

2. New or updated individual security/recommended patches.

105633-57 OpenWindows 3.6: Xsun patch
111560-01 SunOS 5.6: dmesg security problem

106978-11 SunOS 5.7: sysid patch
107636-08 SunOS 5.7: X Input & Output Method patch

108528-09 SunOS 5.8: kernel update patch
108991-13 SunOS 5.8: /usr/lib/libc.so.1 patch
109234-04 * SunOS 5.8: Apache and NCA patch
109887-08 * SunOS 5.8: smartcard patch
109888-05 * SunOS 5.8: platform drivers patch
109892-03 * SunOS 5.8: /kernel/drv/ecpp driver patch
109896-04 * SunOS 5.8: USB driver patch
110416-02 * SunOS 5.8: ATOK12 patch
110668-01 * SunOS 5.8: /usr/sbin/in.telnetd patch
110670-01 * SunOS 5.8: usr/sbin/static/rcp patch
111548-01 SunOS 5.8: catman, man, whatis, apropos and makewhatis patch
111570-01 SunOS 5.8: uucp patch

108529-09 SunOS 5.8_x86: kernel update patch
108774-10 * SunOS 5.8_x86: IIIM and X Input & Output Method patch
108992-13 SunOS 5.8_x86: /usr/lib/libc.so.1 patch
109155-01 * SunOS 5.8_x86: vgatext and terminal-emulator patch
109235-05 * SunOS 5.8_x86: Apache/mod_jserv patch
109897-05 * SunOS 5.8_x86: USB patch
109952-01 * SunOS 5.8_x86: jserver buffer overflow
110076-01 SunOS 5.8_x86: /kernel/drv/devinfo patch
110417-02 * SunOS 5.8_x86: ATOK12 patch
110669-01 * SunOS 5.8_x86: /usr/sbin/in.telnetd patch
110671-01 * SunOS 5.8_x86: usr/sbin/static/rcp patch
111549-01 SunOS 5.8_x86: catman, man, whatis, apropos and makewhatis patch
111571-01 SunOS 5.8_x86: uucp patch


News & Articles

Client Authentication with SSL - Apache Week
http://freebsddiary.org/openssl-client-authentication.php

This basic tutorial shows you how to configure client authentication for an existing Apache+mod_ssl Web server. It only outlines the steps for creating a personal Certificate Authority (CA) and server certificate but you may refer to the links provided for more information.

 

How to write a shell script - Reg Quinton
http://www.ocean.odu.edu/ug/shell_help.html

A shell is a command line interpreter that reads commands and executes them; the Bourne shell is the one shell scripts are written in. This document gives some basic information on its programming language.


Sun BigAdmin

What does Sun System Configuration Check do for me? - Sun Microsystems, Inc.
http://www.sun.com/service/support/is/info.html

Sun System Configuration Check is an availability maintenance tool designed to improve your system uptime and performance by taking a snapshot of the general health of your Sun System.

 

Using Snort to detect intrusions - Don Kuenz
http://www.elementkjournals.com/sun/0108/sun0181.htm

This article gives an introduction to Snort.

 

Protect yourself with SunScreen Lite - Mark Thacker
http://www.elementkjournals.com/sun/0105/sun0151.htm

This article explains Sun Microsystems' SunScreen Lite product and provides an example of securing a workstation in a corporate network.


Linux Security

DNS and BIND, 4th Edition - DNS Security - Paul Albitz & Cricket Liu
http://www.unixreview.com/articles/books/book19/book19.htm

This page links to the DNS Security chapter of the O'Reilly DNS book.

 

Introduction to Network-Based Intrusion Detection Systems Using Snort - Roberto Nibali
http://www.unixreview.com/articles/2001/0106/0106j/0106j.htm

This article presents a general security framework with suggestions for generating audit trails, anomaly event generation, and central logging over syslog(-ng).

 

Crypto-Gram July 15, 2001 - Bruce Schneier
http://www.counterpane.com/crypto-gram-0107.html

In this issue: Phone Hacking: The Next Generation; Crypto-Gram Reprints; News; Counterpane Internet Security News; Monitoring First; Comments from Readers.


SecurityFocus

Building and Deploying OpenSSH for the Solaris Operating Environment - Jason Reid and Keith Watson
http://www.securityfocus.com/data/library/openSSH.pdf

This article describes how to build and deploy OpenSSH for the Solaris Operating Environment (Solaris OE) to enable secure remote network connections with strong authentication and encryption.

 

InfoSec in the real world: a pragmatic approach to implementing a security policy - Derek Lightfoot
http://securityportal.com/articles/infosec_realworld20010716.html

Information Security policy is getting more attention. This paper examines some of the ground rules needed to ensure that relevant InfoSec information is gathered, presented and acted upon in an effective manner under typical business constraints.

 

Intrusion Detection Systems Terminology, Part Two: H - Z - A. Cliff
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/idsterms2.html

The terminology associated with IDS is growing rapidly. This article introduces readers to some IDS terminology, some of it basic and relatively common, some of it somewhat more obscure.


O'Reilly Net

Tools of the Trade: Part 3 - Carl Constantine
http://linux.oreillynet.com/pub/a/linux/2001/07/13/tools_trade_three.html

A quick overview of syslog and Snort.

 

Mail Filtering with Mail::Audit - Simon Cozens
http://www.perl.com/pub/a/2001/07/17/mailfiltering.html

This article describes how Mail::Audit could be used to create mail filters.


Mailing Lists

Focus-Sun Discussions Threads

07/19/01 Announce: Building and Deploying OpenSSH on the Solaris OE
http://www.securityfocus.com/archive/92/197948

07/18/01 ACL question
http://www.securityfocus.com/archive/92/197671

07/17/01 Primes file in OpenSSH?
http://www.securityfocus.com/archive/92/197625

07/17/01 Cryptocard auth on Solaris8
http://www.securityfocus.com/archive/92/197324


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org.

No discussions this week.


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include SSH Secure Shell and Stunnel.

Auditing and Intrusion Monitoring tools include Snort, SARA, NetSaint, Vlad, DEMARC, PortSentry and Log_analysis.

Firewalls for UNIX/Linux/BSD & Cross-platform include GuardDog, PCX Firewall and Astaro Security Linux.

Tools for Linux/Unix/Cross Platform include Ethereal, Hogwash, Stephanie, Lomac, OpenCL, MaraDNS, nPULSE and Inflex.

Tools for Windows include AntiVir Personal Edition and Mailscanner for Postfix.


Tip of the Week: A Unix log file auditing utility: logcheck

logcheck is a Unix log file auditing utility that scans new log entries for security violations and unusual activity and mails a report. Besides the logcheck.sh script itself it consists of four keyword files, chosen so that the administrator is warned immediately when something is wrong while false positives are kept down. The passes are always made in the following order:

  1. logcheck greps the new log entries with the logcheck.hacking keyword file. This file holds patterns that are certain indicators of an attack on the system; it is usually left sparse unless specific attack signatures have been identified. Any entry matching it is reported, without further analysis, under the heading "Active System Attack Alerts".
  2. logcheck greps the entries with the logcheck.violations file. This file holds keywords for events that are usually negative: "denied", "refused", "su succeeded" and the like. Entries that match go on to step 3; entries that do not match are not reported as violations (they are still subject to step 4).
  3. The matches from step 2 are filtered against logcheck.violations.ignore. This file holds patterns for violation-keyword entries that are known to be benign on the host (a scheduled su from a trusted account, for instance). Entries matching none of its patterns are reported under "Security Violations"; entries that match are not reported as violations (again, they are still subject to step 4).
  4. Finally logcheck greps the entries with logcheck.ignore, the catch-all list of patterns for normal activity that should never be reported. Any entry matching this file is dropped; everything else is reported under "Unusual System Events".

The passes are independent searches over the same set of new entries rather than a single funnel, so an attack line also appears under "Unusual System Events" unless a logcheck.ignore pattern removes it. The two ignore files are what keep the report short, and they need tuning per host: an ignore pattern that is too broad silently discards the one line you wanted to see.
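The four passes are easy to get wrong when tuning the keyword files, so here they are spelled out in shell as an added example; this is not the logcheck distribution's own script, and the keyword file contents, log lines, host name and process names are all constructed for the demonstration. Run it as is to see which heading each constructed line lands under, then swap in your own keyword files and a slice of /var/adm/messages to test a tuning change before it goes live.

```sh
#!/bin/sh
# Added example, not logcheck's own script: the four keyword passes described
# above, re-implemented with grep over constructed sample log lines so the
# behaviour can be checked offline.

WORK=$(mktemp -d)

# 1. Certain attack signatures (kept sparse on purpose).
printf '%s\n' 'ATTACK' 'site exec' 'wiz' > "$WORK/logcheck.hacking"

# 2. Events that are usually bad news.
printf '%s\n' 'denied' 'refused' 'su:' 'ROOT LOGIN' > "$WORK/logcheck.violations"

# 3. Violation matches known to be benign on this host.
printf '%s\n' "su: 'su root' succeeded for .* on /dev/console" \
    > "$WORK/logcheck.violations.ignore"

# 4. Normal chatter that must never be reported.
printf '%s\n' 'sendmail.*stat=Sent' 'cron\[.*CMD' > "$WORK/logcheck.ignore"

# Constructed Solaris-style syslog lines standing in for the entries written
# since the last run.
cat > "$WORK/new.log" <<'EOF'
Jul 18 02:11:03 ws1 inetd[147]: telnet: connection refused from 192.0.2.9
Jul 18 02:12:44 ws1 sendmail[501]: f6I2Cih00501: to=root, stat=Sent
Jul 18 02:13:01 ws1 su: 'su root' succeeded for oper on /dev/console
Jul 18 02:14:19 ws1 su: 'su root' failed for guest on /dev/pts/3
Jul 18 02:15:00 ws1 cron[220]: (root) CMD (/usr/lib/sa/sa1)
Jul 18 02:16:27 ws1 in.ftpd[530]: ATTACK: site exec attempt from 192.0.2.9
Jul 18 02:17:58 ws1 rpc.yppasswdd[118]: unexpected request from 192.0.2.7
EOF

# Each pass takes the keyword directory ($1) and the log file ($2), prints the
# matching lines and always exits 0 (no match is not an error for the caller).

# Pass 1: anything matching logcheck.hacking is an active attack.
lc_attacks() {
    grep -i -f "$1/logcheck.hacking" "$2"
    return 0
}

# Passes 2 and 3: violation keywords, minus the known-benign patterns.
lc_violations() {
    grep -i -f "$1/logcheck.violations" "$2" | grep -v -f "$1/logcheck.violations.ignore"
    return 0
}

# Pass 4: everything the catch-all ignore file does not account for.
lc_unusual() {
    grep -v -f "$1/logcheck.ignore" "$2"
    return 0
}

# Assemble the report in logcheck's layout; a heading appears only when its
# pass found something.
lc_report() {
    for pass in attacks violations unusual; do
        case $pass in
            attacks)    title='Active System Attack Alerts' ;;
            violations) title='Security Violations' ;;
            unusual)    title='Unusual System Events' ;;
        esac
        hits=$("lc_$pass" "$1" "$2")
        [ -n "$hits" ] || continue
        printf '\n%s\n%s\n' "$title" "$hits"
    done
    return 0
}

# Stand-alone demo.
lc_report "$WORK" "$WORK/new.log"
```

With these files the refused telnet connect and the failed su are reported as violations, the succeeded su from the console is suppressed by violations.ignore, the ATTACK line is an active attack, and the sendmail and cron lines are the only ones that never reach the report; everything else, including the attack line, is repeated under Unusual System Events.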

The installation is simple:

 

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

