In the trenches: Information gleaned from the 1996 SANS conference
We interrupt your normally scheduled security column for an update from the SANS '96 conference. The conference featured interesting talks by Gene Spafford, Matt Bishop, and many other known and becoming-known security aficionados. Here you'll find coverage of the best talks and pointers to important information shared at SANS '96. Also in Pete's Wicked World this month: NIS+ and lockd/statd security holes in the Bug of the Month Club. In the bookstore this month is a review of the second edition of Garfinkel and Spafford's Practical Unix & Internet Security. (2,500 words)
SANS '96 was the 5th Annual Unix System Administration, Networking & Security conference, held in Washington D.C. during the week of May 12th. Aside from the usual (high quality) tutorials, there were also 32 invited and refereed papers and panels. Many of them had interesting information about security, but some of the most illuminating discussion happened in the hallways and bars surrounding the conference. A sure sign of a good conference.
More ways to secure Solaris
First, we'll provide an update to the previous two security columns. I
gave a talk at the conference, entitled "Securing Solaris" and based on
the April and May security columns in this space. It was well accepted and
resulted in a lot of interesting feedback. Here are some more tidbits
for ensuring that your Solaris machine is secure:
sendmail version 8.7.5 fixes the newest DNS vulnerability, and is the currently recommended version. Remember to evaluate smrsh, which accompanies the BSD sendmail release, to further insulate your machines from sendmail. (As an aside, few people seem to be using smrsh. If you are using it successfully, please drop me an e-mail, I'd like to hear about your experiences.)
sendmail, but others (predictably) pointed out that MMDF has its own share of problems.
noshell: shell for accounts that are not to be used, as we recommended in the last column, there you use a program called noshell that displays a message to the user explaining the situation and logs the fact that it was invoked. This is useful information. Unfortunately, the README file for noshell says it has been ported to SunOS but no word on Solaris. (If you do use noshell on Solaris please let us know the details.)
crontab files, you may want to use the cron.allow feature to disable the use of cron from all accounts.
ps to view processes on the system to verify that all unnecessary facilities are disabled, use netstat -af inet to view all UDP and TCP networking ports that are being serviced. On an unsecured machine, this list is quite extensive. On a secured machine it should be limited to just those services that you have determined that you need.
chmod u-s and chmod g-s commands.
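The netstat check above is easy to automate: decide which services a host is supposed to serve, then compare that list with what netstat -af inet actually reports. The script below is an added example, not from the column; the netstat output it parses is a constructed sample in Solaris 2.x format (the host and service names are made up), and the allow list is one you would write for your own machine. It also wraps the find invocation you would run before deciding where chmod u-s and chmod g-s are appropriate.

```sh
#!/bin/sh
# Added example: audit the ports a Solaris host is serving against an allow list.
# Constructed sample of "netstat -af inet" output (hypothetical host "hostA");
# on a real system replace it with the live command:  netstat -af inet
SAMPLE_NETSTAT='UDP
   Local Address         State
-------------------- -------
      *.sunrpc             Idle
      *.syslog             Idle
      *.tftp               Idle

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.sunrpc             *.*                0      0     0      0 LISTEN
      *.ssh                *.*                0      0     0      0 LISTEN
      *.telnet             *.*                0      0     0      0 LISTEN
      *.smtp               *.*                0      0     0      0 LISTEN
      *.finger             *.*                0      0     0      0 LISTEN
 hostA.smtp           mailhub.33412    8760      0  8760      0 ESTABLISHED'

# Services this host has been determined to need (constructed allow list).
ALLOWED="ssh smtp syslog"

# unexpected_services NETSTAT_TEXT ALLOW_LIST
# Prints "proto service" for every served port that is not on the allow list.
# UDP ports show up as Idle entries, TCP ports as LISTEN entries; established
# TCP connections are not listening sockets and are ignored.
unexpected_services() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        function report(addr,   svc, key) {
            svc = addr; sub(/^.*\./, "", svc)      # "*.telnet" -> "telnet"
            key = proto "/" svc
            if (!(svc in ok) && !(key in seen)) { seen[key] = 1; print proto, svc }
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^UDP/ { proto = "udp"; next }
        /^TCP/ { proto = "tcp"; next }
        proto == "udp" && $2 == "Idle"    { report($1) }
        proto == "tcp" && $NF == "LISTEN" { report($1) }
    '
}

# setuid_setgid_files DIR
# Lists set-user-id and set-group-id regular files under DIR, the candidates
# for chmod u-s / chmod g-s after you have confirmed they are not needed.
setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Run as a script: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Served ports not on the allow list:"
    unexpected_services "$SAMPLE_NETSTAT" "$ALLOWED"
fi
```

Run it with --demo to see the report for the sample; on the sample it flags sunrpc and tftp on UDP and sunrpc, telnet and finger on TCP, while ssh, smtp and syslog pass. Every line it prints is a service you either add to the allow list deliberately or turn off in /etc/inetd.conf and the rc scripts.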
SAINT
Diego Zamboni described a new tool he wrote, called SAINT. SAINT is not a security tool per se. Rather, it's a tool to gather the output of security tools and evaluate the results. For instance, it can look at the tcp_wrapper logs on multiple systems and alert you that a systematic attempt to break in to your site is occurring. SAINT is modular and extensible, so you can add your own rules or support log files not in SAINT's repertoire.
SAINT uses a cycle of:
The artificial intelligence component does not need to be very sophisticated to note patterns in the events, which means it has a reasonable chance of working well.
SAINT is written in Perl V5. Unfortunately, its output is in Spanish only today. Diego is continuing development of the tool though, and other languages will be supported eventually.
xswatch
swatch is a well known sysadmin and security tool. It allows for automated parsing and alerting based on system log contents. There are several similar tools as well, including watcher, xtail, and EventServer.
A new tool tries to combine the best features of all of these (and then some), while being easily extensible. It's written in Perl and allows any arbitrary set of pattern-match/action pairs, allowing it to be used to match and act upon arbitrary strings in arbitrary logfiles. Ken Mayer (kmayer@synopsys.com) is the author of the program. A 0.010 release is currently available. There are also two mailing lists that discuss xswatch: xswatch-users@lists.best.com for users, developers, and discussion, and xswatch-announce@lists.best.com for releases and other announcements.
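The two ideas in the SAINT and xswatch sections, correlating tcp_wrapper refusals across several hosts to spot a systematic sweep of your site, and applying a table of pattern/action pairs to a log stream, both fit in a few lines of awk. The script below is an added example written for this column, not code from SAINT or xswatch; the tcpd log lines are constructed (the host names and the 192.0.2.x / 198.51.100.x addresses are documentation values), and the rule table is one you would write for your own site.

```sh
#!/bin/sh
# Added example: SAINT-style cross-host correlation and xswatch-style
# pattern/action rules over tcp_wrapper (tcpd) syslog lines.
# Constructed sample of syslog lines gathered from several hosts.
SAMPLE_LOGS='May 14 02:11:07 hostA in.telnetd[2231]: refused connect from 192.0.2.77
May 14 02:11:09 hostA in.ftpd[2232]: refused connect from 192.0.2.77
May 14 02:11:15 hostB in.telnetd[1190]: refused connect from 192.0.2.77
May 14 02:11:31 hostC in.rlogind[877]: refused connect from 192.0.2.77
May 14 02:12:00 hostB in.telnetd[1191]: refused connect from 198.51.100.9
May 14 02:12:45 hostA in.fingerd[2240]: refused connect from 192.0.2.77
May 14 03:02:10 hostD su: '"'"'su root'"'"' failed for guest on /dev/pts/3
May 14 09:40:02 hostD sendmail[411]: alias database rebuilt'

# sweep_sources LOG_TEXT MIN_HOSTS
# Correlates "refused connect from" lines: one remote address refused by
# MIN_HOSTS or more *different* hosts is a site-wide probe, not noise.
# Prints "source distinct_hosts total_refusals" per offending source.
sweep_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /refused connect from/ {
            src = $NF; host = $4                 # field 4 is the syslog host name
            if (!((src, host) in seen)) { seen[src, host] = 1; hosts[src]++ }
            refusals[src]++
        }
        END { for (s in hosts) if (hosts[s] >= min) print s, hosts[s], refusals[s] }
    '
}

# Constructed rule table, one "regex<TAB>label" per line (the xswatch idea:
# any pattern, any action; here the action is to tag and print the line).
RULES="su:.*failed	FAILED_SU
refused connect from	TCPD_REFUSAL"

# match_actions LOG_TEXT RULE_TABLE
# Applies every rule to every line; prints "label: line" for each match.
match_actions() {
    printf '%s\n' "$1" | awk -v rules="$2" '
        BEGIN {
            n = split(rules, r, "\n")
            for (i = 1; i <= n; i++) { split(r[i], f, "\t"); pat[i] = f[1]; lab[i] = f[2] }
        }
        { for (i = 1; i <= n; i++) if ($0 ~ pat[i]) print lab[i] ": " $0 }
    '
}

if [ "${1:-}" = "--demo" ]; then
    echo "Sources refused by two or more hosts:"
    sweep_sources "$SAMPLE_LOGS" 2
    echo "Rule hits:"
    match_actions "$SAMPLE_LOGS" "$RULES"
fi
```

On the sample, sweep_sources reports 192.0.2.77 (refused by three hosts, five times in all) and stays silent about 198.51.100.9, which only touched one host; match_actions tags the failed su and each refusal. To run it for real, feed it the concatenated syslog output of your hosts (rsh/rcp or a central loghost) and pipe the result to mail.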
Incidents & peppermints
Moira J. West-Brown from CERT provided insight into current security
incident trends. She said that the current typical network attack
scenario is:
The 1995 Intrusion Profile includes:
They also see Internet infrastructure attacks aimed at reconfiguring routers, using weaknesses in DNS to break root name servers, and the abuse of FTP servers. In 1996 they expect to see more Java and CGI-related break-ins.
Moira also discussed some astounding 1995 CERT statistics: there were 2,412 incidents handled involving 32,084 e-mail messages and 3,428 hotline calls.
This explains why there has been some grumbling about the new CERT operations. Word is that CERT only works to resolve security issues for sites if they are paying customers. Otherwise they gather information and provide pointers to their advisories and summaries. If you've had good or bad experiences with CERT, feel free to send me an e-mail.
The good news is that the rate of incident growth has decreased, either due to incident response teams or improved security at sites in general. Of course, the crackers can be getting more sophisticated and going unnoticed more frequently.
The state of security education
Gene "Spaff" Spafford gave a compelling talk about "A Different
Perspective on Incident Response." He pointed out that there are only
two dedicated University-based security and incident response research
programs in the U.S. This lack of educational foundation leads to the
current helter-skelter security knowledge base, as well as the lack of
progress in the areas of detection and prevention of security incidents.
His points are well taken. Until agencies (be they public or private)
put more emphasis on security education, funding more research into its
causes, effects, and prevention, there will be no solutions for the
current problems facing computer installations and their security
administrators.
Spaff likened the current state of computer security to life in the old West. It was a free-for-all, every man (and woman) for himself. He sees the West's evolution toward private security (Wells Fargo, Pinkerton) mirrored in the transition happening today in computer security, with many companies providing security tools and services for a fee (CERT, IBM, AT&T, BBN, and so on). The question is, will the evolution be able to continue to the point where system administrators don't need to carry holsters full of security tools? Time and improved training will tell.
In passing
Several useful security points were brought up in conversations, usually
over a beer. The ones that stuck in memory include:
There's more to life than security
Strange though it may seem, there are other interesting aspects of Sun
machines than their security. At the conference, several talks about
system administration and networking were high quality and had important
content. Given that this space is dedicated to security, though, I'll
be brief.
Overall, the conference was very interesting. There were many other talks, by industry favorites like Matt Bishop, Rob Kolstad, Marcus Ranum, Hal Pomeranz, Dan Geer, Gene Schultz, and Michele Crabb. Unfortunately, many of the talks didn't have papers in the proceedings and aren't (currently) available on line. Next year you'll just have to attend...
The bookstore
This is the month a lot of security-conscious folks have been waiting for. The new version of the Garfinkel and Spafford Practical Unix & Internet Security is out. It's been expanded to a mammoth 971 pages. And the good news is, many of those new pages are useful. It covers many versions of Unix now (including SunOS and Solaris). It also includes up-to-date information on security holes, cracking techniques, security tools, and security information (Web sites, mailing lists). The Appendices contain a valuable Unix Security Checklist, plus a table of Important Files, Paper Sources and Electronic Sources of security information, information about security Organizations, and a table listing IP services, including their port, protocol, name, use, and suggested firewall handling. Worth the price of admission.
Unfortunately, there are a few aspects of the book that are wanting. There is a real need for authoritative coverage of security tools, including what they do, how much work they are to build, how useful they are, and so on. Practical Unix & Internet Security contains little of this information. In fact, some useful tools (Argus for instance) are barely mentioned. S/Key and Java coverage are likewise scant. There are some typos that I'm sure will be snuffed out in the next printing. Finally, I realize that indexing is an art more than a science, but such a large (and useful) book needs a very extensive one. The current version is adequate but not extensive.
But on the whole the book is very solid. FTP, backups (and their security issues), policies, cryptography, network wrappers, and NFS are covered very well. And readers can gain at least a passing understanding of almost all aspects of security by studying this book. Recommended.
Practical Unix & Internet Security also includes a few network resources that we haven't yet discussed here. For your edification:
Bug of the Month Club
This month there are (again) a couple of important security holes to
report. Just because you've installed NIS+ does not mean you've
improved your security. In fact, a NIS+
CERT advisory
details a problem with the default Solaris 2.5 installation
permissions. If the permissions on the password table within NIS+ are
set incorrectly, users are able to gain root access. This appears to
be the case when NIS+ is installed from scratch on a Solaris 2.5
system. To determine if your system is vulnerable, view the
permissions with the command:
    niscat -o passwd.org_dir
The details of the expected output are given in the advisory, but the important permissions are those of the name, password, and uid fields ("columns" in NIS+ lingo). They should look like:
    [0] Name          : name
        Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
        Access Rights : r---------------
    [1] Name          : passwd
        Attributes    : (TEXTUAL DATA)
        Access Rights : -----m----------
    [2] Name          : uid
        Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
        Access Rights : r---------------
The access rights for these columns allow anyone to read the name and uid of the entry, but only the owner can modify the password.
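Reading a 16-character NIS+ rights string by eye is error-prone, so here is an added example (not from the column or the advisory) that pulls the passwd column's Access Rights out of niscat -o output and checks it. It assumes the standard NIS+ layout of the string: four groups of four characters for nobody, owner, group and world, each holding r, m, c, d flags. The niscat output it parses is a constructed sample in the column layout shown above; on a real server you would pipe in niscat -o passwd.org_dir.

```sh
#!/bin/sh
# Added example: check the NIS+ passwd column rights reported by
#   niscat -o passwd.org_dir
# Constructed sample output, column section only, in the layout quoted above.
SAMPLE_NISCAT_OK='    [0] Name          : name
        Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
        Access Rights : r---------------
    [1] Name          : passwd
        Attributes    : (TEXTUAL DATA)
        Access Rights : -----m----------
    [2] Name          : uid
        Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
        Access Rights : r---------------'

# Same layout, but with a passwd column readable by nobody (the anonymous
# principal) and fully open to the owner: a constructed bad configuration.
SAMPLE_NISCAT_BAD='    [1] Name          : passwd
        Attributes    : (TEXTUAL DATA)
        Access Rights : r---rmcd--------'

# passwd_column_rights NISCAT_TEXT
# Prints the Access Rights string that follows the "[n] Name : passwd" line.
passwd_column_rights() {
    printf '%s\n' "$1" | awk '
        /\[[0-9]+\][ \t]*Name[ \t]*:[ \t]*passwd[ \t]*$/ { want = 1; next }
        want && /Access Rights/ { print $NF; exit }
    '
}

# passwd_column_ok RIGHTS
# Returns 0 when the string matches the safe shape: nobody, group and world
# hold no rights at all, and the owner quartet grants no read. Anything else
# (a readable password column, or rights for anyone but the owner) returns 1.
passwd_column_ok() {
    r=$1
    [ "${#r}" -eq 16 ] || return 1
    nobody=$(printf '%s' "$r" | cut -c1-4)
    owner=$(printf '%s' "$r" | cut -c5-8)
    group=$(printf '%s' "$r" | cut -c9-12)
    world=$(printf '%s' "$r" | cut -c13-16)
    [ "$nobody" = "----" ] && [ "$group" = "----" ] && [ "$world" = "----" ] || return 1
    case $owner in *r*) return 1 ;; esac
    return 0
}

# check_niscat NISCAT_TEXT: prints a verdict and returns 0 (ok) or 1 (fix it).
check_niscat() {
    rights=$(passwd_column_rights "$1")
    if passwd_column_ok "$rights"; then
        echo "passwd column rights '$rights': ok"
    else
        echo "passwd column rights '$rights': VULNERABLE, see CERT advisory"
        return 1
    fi
}

if [ "${1:-}" = "--demo" ]; then
    check_niscat "$SAMPLE_NISCAT_OK"
    check_niscat "$SAMPLE_NISCAT_BAD" || true
fi
```

For a live check, run niscat -o passwd.org_dir on the NIS+ master and pass its output to check_niscat; a non-zero exit is your cue to apply the permissions given in the advisory.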
Another potentially damaging security hole involves lockd and statd on SunOS and Solaris. It is not known to be actively exploited, but it has the potential to allow any user to remove or create any file that root could do the same to. This information is in Sun Security Bulletin #135, CERT advisory CA-96.09, and CIAC bulletin G-25.
Patches that fix the bug are available. Use this table to select the proper one:
    Solaris:
    OS version      Patch ID
    ----------      ---------
    SunOS 5.3       102932-02
    SunOS 5.4       102769-03
    SunOS 5.4_X86   102770-03
    SunOS 5.5       103468-01
    SunOS 5.5_X86   103469-01

    SunOS 4.1.x:
    OS version      Patch ID
    ----------      ---------
    SunOS 4.1.3     100988-05
    SunOS 4.1.3_U1  101592-07
    SunOS 4.1.4     102516-04
For SunOS 4.1.x, the fix is supplied in a new version of the "UFS file system and NFS locking" jumbo patch.
Next Month, on "As Pete's Wicked World Turns"
Next month we'll look at a new tool which can enable enterprise-wide
security.
Resources
noshell
http://ftp.umbc.edu/htmlftp/ftpcoast/toolsunixnoshellsrc.html
SAINT
ftp://ftp.super.unam.mx/pub/security/tools/
About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook.
Reach Peter at peter.galvin@sunworld.com.
URL: http://www.sunworld.com/swol-06-1996/swol-06-security.html