Information Security News mailing list archives

Re: Linux snares security tool


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Nov 2001 01:11:23 -0600 (CST)

Forwarded from: Aj Effin Reznor <aj () reznor com>

[Last post on this message, this topic is dead. - WK]


This horse is beyond beat, but a few points I haven't seen made, or
may have missed.

C2 is a joke.  It's great, for non-networked machines.

Russ Cooper, of NTBugTraq, even had an article on the subject.

Carried on zdnet.

Sidebar:  Does *anyone* on zdnet review even their own archives?

(hint:  it's at:  
http://www.zdnet.com/windows/stories/main/0,4728,2214860,00.html )

Mr. Cooper writes, early in the article (in the second paragraph):
"The assumption is that if you buy a C2 network product, which has
been evaluated against one of these criteria, you can take it out of
the box, install it, and rest assured that its security features are
going to protect you. It's a mistaken belief."

He follows this immediately by saying: "C2 certification is based on
evaluation of products in a very controlled way. This means precise
hardware and software configurations."

As an example of how touchy C2 is, he writes: "Alter the drivers for
your video, and your system's no longer C2-secure.  Add a network
adapter, and it's no longer C2-secure. Buy the latest Intel Processor,
and it's no longer C2-secure. Get the picture?"


C2 is for *non* networked machines.  Sure, it's great for logging and
auditing, but really, what good is a machine that's unattached?  
Can't get data in or out of it (floppies and NICs are no-no's under C2,
ya know). By and large, a non-connected machine is going to be
slightly (tho barely) more secure than a networked machine.

Now, we can go ahead and say that SNARE isn't meant to be C2.  Thank
gawd for the little things.

Sure, they say the lack of auditing is what's really holding linux
back from mainstream acceptance in the corporate arena.

From http://www.intersectalliance.com/projects/Snare/index.html:

"As long time users of the Linux operating system, we believe that one
of the key missing features that is holding Linux back from deployment
in large organisations, particularly those with significant security
requirements, is the availability of host based intrusion detection
systems - ie: system auditing or event logging facilities."

(How "long" can they have been using Linux, anyways?)

I really disagree with this statement.  NT logs everything, sure. Each
entry says little more than "an unknown event occurred", yet its
widespread acceptance is indisputable.  Can it be the logging?

Eh, no.

The same page goes on to say:

"...InterSect Alliance are proud to release a dynamically loadable
kernel module that will form the basis for a host intrusion detection
facility and C2-style auditing/event logging capability for Linux -
without the need for a kernel recompile."

Hi, I'm interested in Linux security.  And lemme tell ya, there are
TWO things that I want to avoid.  The first is a kernel that utilizes
loadable modules.  If anyone has noticed, most serious linux
intrusions rely on LKMs.  This should be a red flag to anyone who is
practiced within the security community.  Actually, it is.

And, I wonder why "long time users" haven't learned this yet.

LKM for the ability to install without rebooting?  Yee haa.  If secure
logging were nearly as important as it's made out to be in this press
release, then a simple reroll of the kernel and reboot would not make
anyone hesitate.

What's the second thing I avoid like the plague?

"Due to the nature of Linux modules, the binary versions of the
snare-core package are kernel version specific. Binary packages are
provided for Redhat 7.1 (kernel version 2.4.2). Users with different
kernel versions will need to recompile snare-core from either the
source RPM, or the supplied tar.gz file."

Redhat, of course.  The Crimson Derby has more holes than, well,
pretty much any other linux distro.  If you're going to run Redhat,
then I guess you'd *need* something like SNARE.  Of course, the
dominant holes in RH, the remote root exploits and whatnot, aren't of
issue on a machine without a NIC...

One last kicker....

"However, we recognise that Linux is many things to many people, and
building audit/event logging capabilities directly into the kernel
will only contribute to kernel bloat. The facility may never be used
in some Linux installations."

Maybe I'm just fantasizing again, but I'd expect long term linux users
(at least, ones who have rolled a few kernels in their long term using
time) to be aware that there are a LOT of kernel options which are not
enabled by default.  Packing new features into the kernel, ones I don't
use, has never caused me kernel bloat, as I always tune my kernels to
the job the box will be performing; new fluff is never introduced into
my kernels.  I imagine others employing linux in the corporate arena
do the same thing, also.

So, keeping with form, I need to ask:

Who's smoking all the crack?

Can we offer up more buzzwords?

Can journos research topics, even from their own pub, before going to
press malinformed?




> As promised in my initial e-mail, I have looked into this matter
> and spoken with experts who actually have day-to-day experience
> and working knowledge of Linux and in particular, Linux security.
> They

Are these self-professed experts?  Was one named "Kimble" ?

> have advised me to rework my article slightly to include reference
> to C2-compliance--which is the most distinguishing factor of the
> new tool. I have run a proof by them and they are happy with the
> amendments, which I will be posting on our site now.

See above.  Have they outlined the *specific* hardware for running a
SNAREd machine?

Also, will this be Redbook C2 or Orangebook C2?

http://www.radium.ncsc.mil/tpep/library/rainbow/



> Although I strongly disagree with your personal attacks against
> me, that is another matter and one which will be addressed
> --especially due to the fact that you have yet to remove or
> apologise for your slanderous comments.

Can I at least ask (again) why you didn't put much effort into
researching these topics (to the point of comprehension) beyond
talking to unnamed "experts" ?


> As for the infosec news list readers you have approached, please
> pass on to them my sincere thanks for their feedback and the
> notice of my amendment. It is interesting to note that in a
> community such as Linux, which is fighting daily against
> oppression from proprietary systems, members of this community
> would personally and professionally attack any journalist that
> gives weight to their fight, and attempts to expose brilliance in
> the ranks, rather than mistakes and vulnerabilities.

Any journalist that "gives weight" through misinformation and
misrepresentation is as much a threat as any monolith that would happen
to reside in, say, Redmond.

Or do you think that false praise is as good as real praise?

Consider these "attacks" as opportunities to improve your own
technical knowledgebase so you can better understand topics, and
therefore report on them more accurately.  Or, consider them an
indicator of shortcomings.

Your choice.



> It is surprising that such a community is not applauding its
> members who are attempting to make a difference rather than
> shooting down the messengers.

Flap.  C2 is all flap.  By and large useless in a production
environment.

Designing it around the most flawed and feeble linux distro... not a
smart move, either.

Want applause?  I'll applaud the NSA for attempting to build it
(linux) secure from the ground up, rather than trying to log
inevitable intrusions in a known security-deficient distro.

I'll applaud anyone that "attacks" products (and the manufacturers)
and points out shortcomings in said products.  If you (anyone) feel I
should explain the reasoning behind this... hell.... never mind.


> Nicole

I've since lost the URL for the original PR piece, but does anyone
remember that Argus had their Pitbull system for Solaris, similar to
this?



-aj.



-
ISN is currently hosted by Attrition.org
