Re: reporting local security problems for WinNT (Re: Escalation of privileges)

[Tom Perrine <tep () SDSC EDU>]

> > > > > On Thu, 10 Aug 2000 09:49:11 -0600, "William D. Colburn (aka Schlake)" <wcolburn () NMT EDU> said:

    William> Checking permissions at install time isn't sufficient.  They may change
    William> later, and never be caught.  The program should verify the integrity of
    William> the system as often as possible.  Sendmail does a really good job of
    William> checking permissions on everything every time it does something.  It may
    William> slow things down some, but it also finds problems when they happen.

This is what cfengine is all about.  Your infrastructure "heals"
itself ever time cfengine runs.

    William> As an example, I'll use the /etc directory on my mail server.  Someone
    William> here wanted to edit something without having to su to root each time, so
    William> he chmodded /etc to be group writable and owned by our staff group.
    William> Sendmail complained so I chowned/chmodded it to make it safe.  Some time
    William> later he noticed this had happened and chowned/chmodded it back.  Right
    William> away sendmail figured this out, and started complaining again.  If
    William> sendmail had only checked at installation time this could have been
    William> broken for a long time.  As it was, it was only that way for a very
    William> short time until I noticed.

Cfengine can do this for any file for which you have specified the
owner, group, permissions and/or contents.

I wouldn't kill, but I'd hurt someone Real Bad for a cfengine for
Windows with a registry editor....

--tep