Experiences (was Re: prfile)

Diane Davidowicz (diane_d@sun1.wwb.noaa.gov)
Thu, 31 Aug 95 13:57:09 EDT

I am sorry for taking so long to get back to this issue, I was on
vacation. :-)

martinh@paston.co.uk (Martin Hargreaves) wrote:
> Diane Davidowicz wrote:
> >For instance, Haystack Labs has a really nice ids
> >product called stalker which installs on Sun's and HP's, but not SGI's.
> >More disturbing was a comment I got from a developer there. He said
> >(and I am summarizing) that they have no plans to port to SGI's because
> >most SGI customers only buy the Unix systems for the graphics capability
> >and are not willing to take the performance hit. 
> 
> Maybe they've never seen a Challenge? Some supercomputer centers are going
> to move entirely to Challenge and PowerChallenge arrays due to cost reasons

Well, in their defense, how many people have an SGI Challenge (other than 
you and me :)  What I really mean to say here is I am willing to bet that there
are many more sites which have SGIs without any Challenges than there are that 
do.

But, even the latest versions of SGI workstations really scream, so I didn't
get his point. I understand a company needs to see the cost effectiveness of
porting to an SGI, I am just not sure if their company really knows what is
out there. 

Maybe we should get an email address for Haystack and send requests to
port the code to SGIs. If they get enough of them, the company might change
their position.

> Any more details on it? What exactly does it do?
It sits in the kernel watching all system activities in real time watching
for certain events to occur (of your choosing). If they do, actions can be
taken such as pagers going off, etc. One such important event to watch for
would be when a regular (non-root) user obtains a shell with either a uid or 
an euid = 0. So such things as race conditions which can give a user a root 
shell would now be detectable in real time. I kind of like that idea :)
Definitely, for more details on the product, you should contact Haystack Labs.

> >Diane Davidowicz wrote:
> >If you install [tcp_wrappers] using 
> >the "hard installation" this means you have to change the inetd.conf file
> >and in doing so, the sgis will have to be rebooted. :-(  It is the
> >only platform out of 7 different Unix platforms that I have to deal with
> >that exhibits this problem.
> 
> Really? You can't restart the network software from the console? Which
> version of IRIX is this? I've used 4.0.5 through 5.3 and those are the only
> two revisions I'd recommend...
Yes really, and no you can't restart it any other way except to reboot.
This is most unfortunate. It affects 4.0.x thru 5.3, especially
the 5.3 machines. Wietse Venema, author of tcp_wrappers points this problem
out in his README.IRIX file. We have honed in on the problem a little bit
more and are putting our facts together for SGI to look at. Unfortunately,
like Wietse says, the SGIs are just broken.

> I'd go for TIGER over COPS, it's very much more thorough than COPS. Although
> I found COPS easier to extend (added a module for HP-UX). In general I think
Yes, I agree with this. I just said "etc", but I should have expanded on that.
Tiger is highly portable with its latest release. I don't think Dan Farmer
has touched COPS for a couple of years now.

Another thing I should have included in my "etc" is creating md5 checksums
using something like tripwire. File integrity checking is essential.
There is nothing worse than having a hacker in your system and not knowing
what they did. I investigated a site that had been compromised for 
more than 5 months before they knew what was going on. Some would argue
that because this site did not secure their systems and monitor them, they 
deserve it. Well, when they were faced with the crisis statements like
that are of no comfort. They had to come to grips with the grim reality that 
they had no other choice but to reinstall the OS. Recovery time was worsened 
by the age of the system's hardware and lack of support from the vendor to 
fix VERY OLD holes.

I refer to integrity checking software as "sanity software". We had an 
instance where a machine kept rebooting for absolutely no apparent reason.
What's worse is when the vendor got involved they eventually said they
feel it is a hacker in our systems. So I was put to work. I combed through
logs, etc and found nothing, but hackers almost always modify your logs
to hide their activities, so this can't be trusted. Then I ran checksums
on the existing files and compared them against the checksums database of
the "clean" system. There was nothing that didn't match its original 
checksum. After I presented all this information back to the sys admin
team, they resumed their technical evaluation of the problem and eventually
found what was wrong with the system. That is why it's a "sanity" checking
package, it helps the admins realize what they are dealing with is a real
system problem and not some ghost in the machine :-)

Again, my comments thus far are on freeware. Though I have yet to see a
freeware product as thorough as a product like Stalker from Haystack Labs,
one can still accomplish some very good security strategies through
layering of freeware products. 

Any other experiences out there? Come on, I know more people have been
joining this list since Christopher Klaus released a fairly
comprehensive list of security mailing lists.

[ They sure have, however this time I knew why there was a flood of 
subscriber requests - RuF B)]

Diane Davidowicz

--------------------------------------------------------------------------
Any opinions expressed herein was a mistake; was said under the influence;
was stolen; makes no sense whatsoever;....

Indeed, grep is omniscient :)
   To test for the existence of SATAN:
      ps -ef | grep -i satan
   To test for the existence of angels:
      ps -ef | grep -i gabriel
   To test for the existence of God:
      ps -ef | grep -i god
--------------------------------------------------------------------------
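The baseline-and-compare check Diane describes above (checksum the clean system, later re-checksum and diff), as an added example in Python that is not from the post or from Tripwire; it uses sha256 rather than md5 and a constructed sample tree in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Hash a file in chunks; sha256 instead of the md5 the post mentions."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record digest and permission bits of every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "digest": file_digest(p),
                "mode": st.st_mode & 0o7777,
            }
    return baseline

def verify(root, baseline):
    """Compare the live tree against the stored baseline and report differences."""
    current = build_baseline(root)
    report = {"modified": [], "added": sorted(set(current) - set(baseline)), "removed": []}
    for rel, rec in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["removed"].append(rel)
        elif cur["digest"] != rec["digest"] or cur["mode"] != rec["mode"]:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample tree: baseline a 'clean' system, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"clean login binary")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/etc/ftpd ftpd\n")
        baseline = build_baseline(root)          # store this off-host, read-only
        (root / "bin" / "login").write_bytes(b"replaced login binary")   # content changed
        (root / "bin" / "ls").write_bytes(b"file not in baseline")       # unexpected file
        (root / "etc" / "inetd.conf").unlink()                           # file removed
        return verify(root, baseline)
```

The comparison is only as trustworthy as the stored baseline: if it sits writable on the same host, whoever altered the files can rewrite it too, so keep it on removable or read-only media, as the post's "clean system" database implies.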