Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: No Security is Bad Security:

Re: No Security is Bad Security:

Russell Fulton (r.fulton@AUCKLAND.AC.NZ)
Fri, 5 Feb 1999 09:25:38 +1300

On Wed, 3 Feb 1999 08:33:10 -0800 "Jan B. Koum" <jkb@BEST.COM> wrote:

>
> > 1) Don't log in as root on a machine that most likely has been
> > compromised. Bad things can happen.
>
>         You have to login as root to shutdown the system. You don't
>         want to 'just turn it off' since you can lose data.

I guess the rule should be 'Do the minimum necessary as root'  and be
aware that your normal tools may be trojaned.

>
> > 3) Do *immediately* take the machine offline, and mount the disks on
> > another system for analysis.
>
>         True. Don't forget to mount rdonly,noexec,nosuid,nodev
>         (mentioned above and some flags are redundant).

Errr... I must be thick!  How can you take the machine offline and
still have disks mounted on another system?  Do you mean physically
take the disks and install them in another box, or boot up on a CDROM?

For Intel-based systems you could reboot the system on a floppy with
Trinux or picoBSD.

>
> > 1) we have no firewall nor tcpd running, so there is no effective access
> > control or access logging. We have incredibly primitive router filtering,
> > which eliminates only the most basic of IP-spoofing attacks.
>
>         You can install ipf if you are on Solaris. Or get a FreeBSD with
>         two NICs and use that as your firewall.

We use TAMU's drawbridge.  It seems well adapted to a university
environment where things are forever changing.

>
> > 6) we did not purchase or implement any Intrusion Detection Software.
> > [IDS]
>
>         http://www.l0pht.com/NFR
>         http://www.nfr.com

Also the SANS CIDER project at http://www.nswc.navy.mil/ISSEC/CID/
and the Argus IP audit tool at ftp://ftp.sei.cmu.edu/pub/argus - this
isn't an intrusion detection system per se; it is an audit tool, and I
have written some Perl scripts that use it for detecting scans etc.

>
> >
> > Not using tripwire cost us a lot, in that a) we had to rebuild every last
> > GNU program from source, and b) we did not have it available as a means of
> > detecting 'wrongness' on a production system.
>

I have tried using Tripwire but have never managed to overcome the lack
of non-writable media storing the executables and database.  Also the
amount of work involved in keeping the database up to date is
non-trivial in our environment.

Cheers, Russell.

Computer Security Officer, The University of Auckland, New Zealand.
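The thread above discusses two related points: that the tools on a compromised host may be trojaned, and that a Tripwire-style integrity database lets you detect such 'wrongness'. The following is an added example, not code from the original post, Tripwire, or any of the projects mentioned. It implements the core of that idea in Python: build a baseline of hash, permission bits and size for every regular file under a directory, then compare a later scan against it and report added, removed and changed files. The directory tree, file contents and the tampering in `demo()` are all constructed for illustration.

```python
"""Minimal Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size for every regular file under root.

    Symlinks, devices and other non-regular entries are skipped; keys are paths
    relative to root so the baseline can be compared across mount points.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = str(p.relative_to(root))
            baseline[rel] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths, plus changed paths with the fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "mode", "size")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(root / "bin" / "ls", 0o755)
        os.chmod(root / "bin" / "ps", 0o755)

        # The serialized baseline is what belongs on write-protected media.
        saved = json.dumps(build_baseline(root), sort_keys=True)

        # Constructed tampering: one tool replaced, one config appended to,
        # one file added, one file removed.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\" | grep -v x\n")
        with open(root / "etc" / "passwd", "ab") as f:
            f.write(b"extra:x:0:0::/:/bin/sh\n")
        (root / "bin" / ".hidden").write_bytes(b"constructed extra file")
        (root / "bin" / "ls").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline and the checker itself, which is exactly the problem Russell raises: both should live on media the compromised host cannot write, and the comparison should be run from a clean boot (the Trinux or picoBSD floppy mentioned above) with the suspect filesystem mounted read-only rather than with the host's own, possibly trojaned, binaries.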