League of Professional System Administrators - Operating System

Solaris in.telnetd

alcourt — Tue, 13 Feb 2007 14:09:27 -0800

By now, I'm sure everyone with a Sun system has heard about the widely disseminated vulnerability in Solaris 10's telnetd code. My experiences in managing that issue from early announcement to patch might serve as a warning/aide to others who are looking at security models.

Several lessons were learned as a result of the experience. Some were things that worked well, some were things that I feel would hopefully be improved.

In the event of a zero day disclosure, the vendor is likely to be among the last to admit to the issue. Sun did not issue an alert until they had something more than "shut down telnetd" Alternative means of learning of security vulnerabilities are a must.

NMAP

dklein — Sun, 14 Jan 2007 09:50:04 -0800

Short Description:
Fast enumeration of network services

Home Page:
insecure.org/nmap

Release Date:
Sun, 2007-01-14 10:00

Status:
Active

Long Description:

Nmap is a powerful tool for discovering hosts on a network and enumerating what service they are offering. This can be used to find vulnerable systems, to locate rogue services on your network or simply for a first step in troubleshooting.

sudosh

doug — Wed, 15 Nov 2006 21:15:38 -0800

Short Description:
Sudosh records all keystrokes and output and can play back the session as just like a VCR.

Home Page:
sourceforge.net/projects/sudosh/

Release Date:
Mon, 2004-09-20 19:12

Status:
Stable

Long Description:

sudosh is used with sudo(8) to exec the user's shell specified in /etc/passwd as root. sudosh makes use of the built-in script(5) command to log session data to syslog.

Companies that have a team of system administrators and a large number of servers face a difficult problem: root access.

The most common solution is to distribute the root password to the system administrators and contain them in a wheel group. With the recent requirements of Sarbanes and Oxley this becomes quickly impossible because the root password must be changed every 3 months.

The other option is to use sudo. Sudo works great. It's actually too good. This is why I created sudosh. Sudo doesn't allow you to do shell type things that system administrators are used to. The following example is a real command that is used during an AIX data migration:

Parts of security

alcourt — Fri, 03 Nov 2006 16:52:48 -0800

So I've been working on an internal security review and discovering that the bulk of the issues I run into stem from the fact that the users don't seem to understand the need for an audit trail.

To me, security consists of confidentiality, authenticity, and the auditability. It's easy to explain the need for the first two, or at least, people don't need me to explain why they are a part of security. I get the normal "But we have a firewall, why do we need security?", but that's minor. But when it comes to issues that center around preserving an audit trail, I get blank stares and a complete lack of understanding as if they just don't understand at all what I'm talking about or why a security review would be remotely concerned with maintaining a record of who did what on a system.

SSL Intro for techs; mini OpenSSL CA

syscomet — Sat, 28 Oct 2006 17:44:06 -0700

Sysadmin's Basic Guide to SSL Certificates and Authorities

Intended audience: system administrators who know roughly what SSL/TLS is and can use SSH and OpenPGP products (such as GnuPG) and who now want to know more and perhaps issue local certificates. You should know what public-key cryptography is, but are not expected to be able to follow any math (no equations herein) -- this is about using the stuff, not understanding the underlaying principles. You understand that "encrypt" is scrambling and "decrypt" is descrambling.

rsyslog

doug — Sun, 27 Aug 2006 20:47:42 -0700

Short Description:
Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, syslog/tcp, RFC 3195, permitted sender lists, fil

Home Page:
www.rsyslog.com

Release Date:
Fri, 2005-09-23 20:00

Status:
Active

Long Description:

Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user. An optional web interface - phpLogCon - can be used to visualize all data online.

Log Analysis

doug — Tue, 25 Jul 2006 09:29:44 -0700

Short Description:
Web page referencing log analysis tools

Home Page:
loganalysis.org

Release Date:
Fri, 2003-07-25 21:00

Long Description:

"Log Analysis is one of the great overlooked aspects of operational computer security. Many organizations spend hundreds of thousands of dollars on intrusion detection systems (IDS) deployments - but still ignore their firewall logs. Why? Because the tools and knowledge to make use of that data are often not there, or the tools that exist are too inconvenient. You should expect that to change. Right now, IDS vendors are up against the wall with the volumes of data they produce; the next wave in security is to try to usefully correlate and process the contents of multiple logs."