I am sorry for taking so long to get back to this issue, I was on vacation. :-)

martinh@paston.co.uk (Martin Hargreaves) wrote:

> Diane Davidowicz wrote:
> >For instance, Haystack Labs has a really nice ids
> >product called stalker which installs on Suns and HPs, but not SGIs.
> >More disturbing was a comment I got from a developer there. He said
> >(and I am summarizing) that they have no plans to port to SGIs because
> >most SGI customers only buy the Unix systems for the graphics capability
> >and are not willing to take the performance hit.
>
> Maybe they've never seen a Challenge? Some supercomputer centers are going
> to move entirely to Challenge and PowerChallenge arrays due to cost reasons

Well, in their defense, how many people have an SGI Challenge (other than
you and me :) What I really mean to say here is I am willing to bet that
there are many more sites which have SGIs without any Challenges than there
are that do. But, even the latest versions of SGI workstations really
scream, so I didn't get his point. I understand a company needs to see the
cost effectiveness of porting to an SGI, I am just not sure if their company
really knows what is out there. Maybe we should get an email address for
Haystack and send requests to port the code to SGIs. If they get enough of
them, the company might change their position.

> Any more details on it? What exactly does it do?

It sits in the kernel watching all system activities in real time, watching
for certain events to occur (of your choosing). If they do, actions can be
taken such as pagers going off, etc. One such important event to watch for
would be when a regular (non-root) user obtains a shell with either a uid or
an euid = 0. So such things as race conditions which can give a user a root
shell would now be detectable in real time. I kind of like that idea :)
Definitely, for more details on the product, you should contact Haystack
Labs.

> >Diane Davidowicz wrote:
> >If you install [tcp_wrappers] using
> >the "hard installation" this means you have to change the inetd.conf file
> >and in doing so, the sgis will have to be rebooted. :-( It is the
> >only platform out of 7 different Unix platforms that I have to deal with
> >that exhibits this problem.
>
> Really? You can't restart the network software from the console? Which
> version of IRIX is this? I've used 4.0.5 through 5.3 and those are the only
> two revisions I'd recommend...

Yes really, and no you can't restart it any other way except to reboot.
This is most unfortunate. It affects 4.0.x thru 5.3, especially the 5.3
machines. Wietse Venema, author of tcp_wrappers, points this problem out in
his README.IRIX file. We have honed in on the problem a little bit more and
are putting our facts together for SGI to look at. Unfortunately, like
Wietse says, the SGIs are just broken.

> I'd go for TIGER over COPS, it's very much more thorough than COPS. Although
> I found COPS easier to extend (added a module for HP-UX). In general I think

Yes, I agree with this. I just said "etc", but I should have expanded on
that. Tiger is highly portable with its latest release. I don't think Dan
Farmer has touched COPS for a couple of years now.

Another thing I should have included in my "etc" is creating md5 checksums
using something like tripwire. File integrity checking is essential. There
is nothing worse than having a hacker in your system and not knowing what
they did. I investigated a site that had been compromised for more than 5
months before they knew what was going on. Some would argue that because
this site did not secure their systems and monitor them, they deserve it.
Well, when they were faced with the crisis, statements like that are of no
comfort. They had to come to grips with the grim reality that they had no
other choice but to reinstall the OS. Recovery time was worsened by the age
of the system's hardware and lack of support from the vendor to fix VERY OLD
holes.

I refer to integrity checking software as "sanity software". We had an
instance where a machine kept rebooting for absolutely no apparent reason.
What's worse is when the vendor got involved they eventually said they feel
it is a hacker in our systems. So I was put to work. I combed through logs,
etc. and found nothing, but hackers almost always modify your logs to hide
their activities, so this can't be trusted. Then I ran checksums on the
existing files and compared them against the checksums database of the
"clean" system. There was nothing that didn't match its original checksum.
After I presented all this information back to the sys admin team, they
resumed their technical evaluation of the problem and eventually found what
was wrong with the system. That is why it's a "sanity" checking package, it
helps the admins realize what they are dealing with is a real system problem
and not some ghost in the machine :-)

Again, my comments thus far are on freeware. Though I have yet to see a
freeware product as thorough as a product like Stalker from Haystack Labs,
one can still accomplish some very good security strategies through layering
of freeware products.

Any other experiences out there? Come on, I know more people have been
joining this list since Christopher Klaus released a fairly comprehensive
list of security mailing lists.

[ They sure have, however this time I knew why there was a flood of
subscriber requests - RuF B)]

Diane Davidowicz
--------------------------------------------------------------------------
Any opinions expressed herein was a mistake; was said under the influence;
was stolen; makes no sense whatsoever;....
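The "clean system checksum database" comparison described in the post above, written out as a small script. This is an added example, not code from the list, from Tripwire or from any product named here; it assumes find(1), md5sum(1), sort(1) and awk(1) are on the path, and paths without whitespace.

```sh
#!/bin/sh
# Added example: a minimal "sanity" integrity checker. Record MD5s of a
# known-clean tree, later compare the live tree and report what differs.
# Assumes find, md5sum, sort and awk; paths must not contain whitespace
# (md5sum output is split on it). Not the list's or Tripwire's own code.

# Record "hash  path" for every regular file under $1 into baseline file $2.
# Keep the baseline somewhere the machine cannot alter it (read-only media).
build_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k2 > "$2"
}

# Compare the tree $1 against baseline $2.
# Prints one line per difference; returns 0 if clean, 1 if anything differs.
check_baseline() {
    dir=$1; base=$2
    now=$(mktemp) || return 2
    find "$dir" -type f -exec md5sum {} + | sort -k2 > "$now"
    if awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }     # load the baseline
        {
            seen[$2] = 1
            if (!($2 in old))       { print "NEW     " $2; diff = 1 }
            else if (old[$2] != $1) { print "CHANGED " $2; diff = 1 }
        }
        END {
            for (p in old) if (!(p in seen)) { print "MISSING " p; diff = 1 }
            exit diff ? 1 : 0
        }' "$base" "$now"
    then rc=0; else rc=$?; fi
    rm -f "$now"
    return "$rc"
}

# Demonstration on a constructed scratch directory standing in for a system tree.
demo() {
    d=$(mktemp -d) || exit 2
    printf 'clean\n' > "$d/config_a"; printf 'clean\n' > "$d/config_b"
    build_baseline "$d" "$d.md5"             # snapshot of the "clean" state
    printf 'edited\n' >> "$d/config_a"       # simulate a modified file
    rm -f "$d/config_b"                      # simulate a deleted file
    : > "$d/extra"                           # simulate a newly dropped file
    check_baseline "$d" "$d.md5" && echo "clean" || echo "differences found (rc=$?)"
    rm -rf "$d" "$d.md5"
}

demo
```

Combine with the post's advice: the comparison only proves anything if the baseline was taken before the machine was exposed and is stored where an intruder with root cannot rewrite it alongside the binaries.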
Indeed, grep is omniscient :)

To test for the existence of SATAN:    ps -ef | grep -i satan
To test for the existence of angels:   ps -ef | grep -i gabriel
To test for the existence of God:      ps -ef | grep -i god
--------------------------------------------------------------------------