We just had a security application vendor come in. We asked about Linux support and he said that putting a security application on top of an insecure OS was useless. When I asked what he meant by insecure he replied that Linux does not have a true Auditing capability - as opposed to HP-UX & Solaris which they do support. Can anyone explain to me what he was talking about? Thanks, Marty
Stuart Staniford-Chen
1999-Jul-28 23:45 UTC
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
[Message from linux-security@redhat.com cc:d to open-source@csl.sri.com also]

Kirwan Marty wrote:
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless. When I asked what he meant by insecure he replied
> that Linux does not have a true Auditing capability - as opposed to HP-UX &
> Solaris which they do support. Can anyone explain to me what he was talking
> about?

He's probably referring to OS system call auditing - i.e. the ability to create an audit trail of all the system calls that were issued along with ancillary information (the UID, PID, etc. of the caller, the arguments and return code of the system call, etc.). Having this information is a requirement of the DOD "Orange Book" criteria for a system to be rated C2 or above. This information is mostly of value to host-based Intrusion Detection systems which examine the audit trail looking for evidence of break-ins or misbehaviour.

AFAIK, there isn't an audit trail for Linux. Anyone know of any projects to create one? How about other free Unix-like systems?

Assuming there isn't, the argument "Our host based IDS cannot work on Linux because it doesn't provide any audit data for us to use," is fair enough. The argument, "Our <some other kind of security application> doesn't work on Linux because the fact that Linux doesn't have an audit trail proves Linux is not secure enough" is bull.

Stuart Staniford-Chen
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart@silicondefense.com
(707) 822-4588
(707) 826-7571 (FAX)
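As an added illustration of the kind of analysis the message above describes (this is not code from the thread, nor from any of the vendors or products mentioned), the following Python script runs two host-based IDS style rules over a constructed system call audit trail. The record format (t=, uid=, euid=, pid=, syscall=, args=, ret=) is invented for this example; it is not Solaris BSM, HP-UX audit or any Linux audit format, but it carries exactly the fields the message lists as the point of syscall auditing: caller UID/EUID/PID, the call, its arguments and its return code. The two rules, a process that started unprivileged and ends up executing a shell with euid 0, and a burst of permission-denied opens from one uid, are textbook signatures chosen for illustration; the thresholds are the example's own.

```python
"""Toy host-based IDS pass over a system call audit trail (added example).

The record format below is constructed for illustration and is NOT the
format of Solaris BSM, HP-UX audit or any real Linux audit subsystem. Each
record carries the fields the thread names as the point of syscall auditing:
the caller's UID/EUID/PID, the syscall, its arguments and its return code
(ret < 0 is -errno, so -13 is EACCES).
"""
import re
import shlex
from collections import defaultdict

# Constructed sample trail: an unprivileged user probing files it may not read,
# then a setuid-root binary (pid 4322) ending up in an interactive root shell.
SAMPLE_TRAIL = """\
t=100 uid=1000 euid=1000 pid=4321 syscall=open args='/etc/passwd O_RDONLY' ret=3
t=101 uid=1000 euid=1000 pid=4321 syscall=open args='/etc/shadow O_RDONLY' ret=-13
t=102 uid=1000 euid=1000 pid=4321 syscall=open args='/root/.ssh/id_dsa O_RDONLY' ret=-13
t=103 uid=1000 euid=1000 pid=4321 syscall=open args='/var/log/messages O_RDONLY' ret=-13
t=104 uid=1000 euid=1000 pid=4321 syscall=open args='/etc/inetd.conf O_RDONLY' ret=-13
t=105 uid=1000 euid=1000 pid=4322 syscall=execve args='/usr/bin/passwd' ret=0
t=106 uid=1000 euid=0 pid=4322 syscall=setuid args='0' ret=0
t=107 uid=0 euid=0 pid=4322 syscall=execve args='/bin/sh -i' ret=0
t=108 uid=0 euid=0 pid=17 syscall=execve args='/usr/sbin/cron' ret=0
"""

FIELD = re.compile(r"(\w+)=('[^']*'|\S+)")   # key=value, value optionally 'quoted'
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}
EACCES = 13
PROBE_THRESHOLD = 3    # EACCES failures per uid that count as probing (example's choice)
PROBE_WINDOW = 10      # ...within this many seconds (example's choice)


def parse_record(line):
    """Parse one constructed audit record into a dict with typed fields."""
    rec = {key: val.strip("'") for key, val in FIELD.findall(line)}
    for key in ("t", "uid", "euid", "pid", "ret"):
        rec[key] = int(rec[key])
    rec["args"] = shlex.split(rec.get("args", ""))
    return rec


def scan(trail):
    """Return [(time, rule, detail), ...] alerts raised over a textual audit trail."""
    alerts = []
    first_uid = {}                 # pid -> real uid the first time the pid was seen
    denied = defaultdict(list)     # uid -> times of recent EACCES open failures
    for line in trail.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        pid, uid, euid = rec["pid"], rec["uid"], rec["euid"]
        first_uid.setdefault(pid, uid)

        # Rule 1: a process that began life unprivileged now execs a shell as euid 0.
        # This is what a successful setuid-root exploit looks like in the trail.
        if (rec["syscall"] == "execve" and rec["ret"] == 0 and euid == 0
                and first_uid[pid] != 0 and rec["args"] and rec["args"][0] in SHELLS):
            alerts.append((rec["t"], "root-shell",
                           f"pid {pid} (started as uid {first_uid[pid]}) exec'd "
                           f"{rec['args'][0]} with euid 0"))

        # Rule 2: a burst of permission-denied opens from one uid: classic probing.
        if rec["syscall"] == "open" and rec["ret"] == -EACCES:
            recent = [x for x in denied[uid] if rec["t"] - x <= PROBE_WINDOW]
            recent.append(rec["t"])
            denied[uid] = recent
            if len(recent) == PROBE_THRESHOLD:      # fire once per burst
                alerts.append((rec["t"], "access-probe",
                               f"uid {uid}: {PROBE_THRESHOLD} EACCES opens within "
                               f"{PROBE_WINDOW}s, last {rec['args'][0]}"))
    return alerts


if __name__ == "__main__":
    for t, rule, detail in scan(SAMPLE_TRAIL):
        print(f"{t:>5} {rule:<13} {detail}")
```

Run stand-alone it prints two alerts, the access probe at t=103 and the root shell at t=107. The point worth noticing is that neither rule can be written without the fields the vendor was asking for: rule 1 needs the per-process real/effective UID history plus the execve arguments, and rule 2 needs the return code of every open, which is exactly what ordinary syslog-style logging does not give you.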
Brent Sims
1999-Jul-29 00:04 UTC
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
On Wed, 28 Jul 1999, Kirwan Marty so wrote:
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless. When I asked what he meant by insecure he replied
> that Linux does not have a true Auditing capability - as opposed to HP-UX &
> Solaris which they do support. Can anyone explain to me what he was talking
> about?

He's blowing smoke out of his ... Linux is different, and by default Red Hat installs a bit loose, but I can clamp down a Linux box just as tight, perhaps tighter than can be done with HP-UX and Solaris. The biggest advantage that HP-UX and Solaris have is a lot less users and a lot less open source - it's called Security by Obscurity and while it is effective, only a raving lunatic would leave it at that. More than likely he bailed out simply because he hasn't figured out how to compete in the open source market. Send him my way...

Peace be with you,
Brent Sims
Aleph One
1999-Jul-29 05:16 UTC
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
On Wed, Jul 28, 1999 at 01:18:52PM -0400, Kirwan Marty wrote:
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless. When I asked what he meant by insecure he replied
> that Linux does not have a true Auditing capability - as opposed to HP-UX &
> Solaris which they do support. Can anyone explain to me what he was talking
> about?

He is talking about audit trail. A subset of (the defunct) POSIX.1e standard. He is correct that Linux does not support auditing. Then again I've yet to see many applications that make use of auditing.

> Thanks,
>
> Marty

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless.

It's interesting that the application vendor assumes Linux is an insecure OS; did the vendor explain the basis for their assumption? It is also interesting that they support putting the security application on Solaris if the vendor has issues with insecure OS's. I guess what I am getting at is that very few operating systems are secure in their default configuration, with the exception of A and B TSEC rated systems. Putting a default Solaris, HP-UX and Linux box on a hostile network like the Internet will find all of them compromised rather quickly.

I think commercial OS's suck, for security especially, and generally they don't give away source without requiring an NDA. Again I personally think that having the source code to an operating system is great! It allows me to find, report and force willing post fixes to any problems I encounter. I know the source versus no source argument has taken place on the firewall wizards list and it saddens me that the man who coined the term "bastion host" has said that source may not be such a good idea in today's highly competitive security arena, but I have to respectfully disagree. Not making source code available seems to me to be security through obscurity; yes, it works for a time, but wouldn't you rather have a better mouse trap than simply the least well known (and even if it is the best, how do you show that without source)?

> When I asked what he meant by insecure he replied that Linux does not
> have a true Auditing capability - as opposed to HP-UX & Solaris which
> they do support.

Strange that the vendor felt that Linux doesn't have a "true Auditing capability" when Linux in fact has auditd, that monitors and logs specific system calls. It can be found at ftp://ftp.hert.org/pub/linux/auditd/ if interested.

What auditing was this vendor referring to on Solaris & HP-UX? Both can be configured to do increased logging, but this is also true of Linux. I think your best course of action is to put the question you have raised to your application vendor. They should be responsive enough to explain in more depth what they meant and may be able to give examples. As well they might be able to give you a more defined statement as to what they require to qualify as a secure OS. Having worked as a consultant I would never want to leave clients with unaddressed concerns, so they should be happy to help clear things up for you.

Cheers,
Cohen
--
I want to publish zines and rage against machines. - Harvey Danger
Duncan Simpson
1999-Jul-31 10:01 UTC
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
There are several sorts of access control Linux does not have, and quite probably should *not* have. A web site I found some time back documented various sorts of controls that could stop crackers with root doing things. Extra things include adding classification levels to the system and only allowing reading below and writing above (MLS), contexts which restrict what you can do (MAC), etc. I think the people proposed adding MACs to Linux :-)

System call auditing is only the beginning---at least some aspect of this would be nice, for example all the details of attempted access violations (not just useful for detecting cracker probes, think fixing access problems). In the meantime we could think about capabilities required for doing things normal users are allowed to do---in particular exec, unlink, rename and open capabilities could protect services which do not need them. Naturally you could keep file descriptors and use them after dropping open capability but never create any more.

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
On Sat, 31 Jul 1999, Erik Espinoza wrote:
> Compiling your setuid root programs (or programs that run as root) with
> stackguard and using the Solar Design secure-linux patch can greatly add to
> your system. Making buffer overflows extremely hard, if possible, to do.
> That combined with tripwire can be a hard to beat solution. Caveat: Solar
> Design's patch only works with latest 2.0.x kernel.

stackguard, and the non-executable stack kernel patch, are effective deterrents, but should not be relied upon. i'm not personally familiar with stackguard, however i know that the kernel patch is not too hard to defeat .. i've seen various exploits in use that include code to get around it.

while doing things such as recompiling suid progs with stackguard would probably be very good for helping to stop suid intrusions, and tripwire can catch the rootkit kiddies in a heartbeat, this still doesn't help with the great number of admins out there who install redhat, ftp in html files for a website, and assume it's ready to go on the internet. or, worse, the ones who monkey with things and end up reducing security, often in trying to make things easier for themselves (e.g. rhosts, netrc, etc.)

if a portscan was done on every static box on the internet, i imagine the windows boxes would have the least open ports, the solaris/bsd boxes would come in second, and linux boxes would come in last.

ah well .. perhaps it'd be helpful if something were added to the install routine, when configuring a network interface, a "readme.security" file be brought up, notifying the user that he/she *really* should read through it, and modify inetd.conf, hosts.deny, consider installing sshd, etc.

*clink clink crash* (2 cents, and a solaris manual)

-macker, patiently awaiting the flood of 'unable to deliver'/'hi, i'm on vacation' messages. :)
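As an added example, not part of the thread and not anyone's installer code, here is the kind of check the "readme.security" suggested above would ask a fresh install's admin to make, written in Python over the two files the message names. The inetd.conf and hosts.deny line formats are the standard ones (service/socket/proto/wait/user/server/args, and daemon_list : client_list); the sample file contents and the RISKY service list are constructed for the example and are the example's own choices.

```python
"""Post-install review of inetd.conf and hosts.deny (added example).

The file formats are the classic inetd.conf and tcp_wrappers hosts.deny
formats. The sample contents below are constructed to look like a stock
install that has not been tightened, and the RISKY set is this example's
own list of services worth commenting out before the box faces the Internet.
"""

# Constructed sample inetd.conf: most legacy services still switched on.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#talk    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.talkd
"""

# Constructed sample hosts.deny: comments only, so tcpd denies nobody.
SAMPLE_HOSTS_DENY = """\
# hosts.deny (constructed sample) - nothing listed means everything is allowed
"""

# Cleartext-credential and r-command services: the example's choice of what to flag.
RISKY = {"telnet", "shell", "login", "exec", "finger", "ftp", "tftp"}


def enabled_services(inetd_conf):
    """Return the service names with an active (uncommented) inetd.conf entry."""
    names = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 6:      # service socket proto wait user server [args...]
            names.append(fields[0])
    return names


def has_default_deny(hosts_deny):
    """True if hosts.deny carries a tcp_wrappers 'ALL: ALL' catch-all rule.

    A trailing shell command ('ALL: ALL: spawn ...') is allowed by the format,
    so only the first two colon-separated fields are examined.
    """
    for line in hosts_deny.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]
        if daemons.strip().upper() == "ALL" and clients.strip().upper() == "ALL":
            return True
    return False


def review(inetd_conf, hosts_deny):
    """Return the list of findings a pre-deployment review of the two files would raise."""
    findings = []
    for svc in enabled_services(inetd_conf):
        if svc in RISKY:
            findings.append(f"inetd.conf: {svc} is enabled; comment it out unless it is needed")
    if not has_default_deny(hosts_deny):
        findings.append("hosts.deny: no 'ALL: ALL' rule, so tcpd lets any host reach what it wraps")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_INETD_CONF, SAMPLE_HOSTS_DENY):
        print(finding)
```

Against the constructed files this reports four still-enabled services (ftp, telnet, login, finger) and the missing default-deny rule; the two commented-out lines are correctly ignored. Note that wrapping a service in tcpd, as every active line above does, buys nothing until hosts.deny actually denies something, which is why the two files have to be reviewed together.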