Bugtraq mailing list archives

Re: Security Hole in Axent ESM


From: steve () ZONEOFTRUST COM (Steve McBride)
Date: Thu, 27 Aug 1998 09:30:55 -0700


Remember that ESM is a security policy enforcement tool, not a security
hole "finder" (for lack of a better word)...  While these two subjects are
for the most part one and the same, all you have to do is tell ESM that,
for instance, your policy gives a umask of 022 as the suggested value, and
it won't tell you to change them.

Look through the product a little more, and take some time to develop a
custom policy, rather than using the generic Phase 1, Phase 2, Phase 3
thing, and I bet you'll find it a much more useful product.

Regards,
Steve McBride

At 07:41 AM 8/27/98 -0400, Larry Bassett wrote:
Your point about checksums is well taken.  We were externally audited and
the auditors used Axent ESM.  The Axent ESM is not what I would call a
great security assessment tool.  It is brain dead in a few places.

It will complain about files and directories that have more secure
permissions since it only checks to see if files have the permissions it is
expecting.  It also complains about the files it installs.

It complained about uninstalled patches.  In our case this was completely
ridiculous because we already had newer revisions of the patches than the
ones they suggested we install.

It complained about an HP printer device being world writable.  This
complaint was pointless since these device files are functionally
equivalent to /dev/null.

It complained that a umask of 022 was unsafe.  They suggested 027.

There were other questionable findings but it will find misconfigurations
and stupid mistakes.  However, there are better tools available.
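
The permission and umask complaints discussed in this thread both turn on whether a check demands an exact value or treats the policy value as a limit. The sketch below is an added example, not part of either message and not ESM's code; the function names, the sample file and the 0644 ceiling are constructed for illustration.

```python
import os
import stat
import tempfile

def exact_match(actual: int, expected: int) -> bool:
    """Equality check: any difference from the expected mode is a finding."""
    return stat.S_IMODE(actual) == stat.S_IMODE(expected)

def within_policy(actual: int, ceiling: int) -> bool:
    """Ceiling check: pass unless the file grants a bit the policy does not."""
    return stat.S_IMODE(actual) & ~stat.S_IMODE(ceiling) == 0

def umask_compliant(umask: int, policy_umask: int) -> bool:
    """A umask passes if it clears at least every bit the policy umask clears."""
    return policy_umask & ~umask & 0o777 == 0

def audit(path: str, ceiling: int) -> dict:
    """Run both checks against a real file and report extra bits in octal."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "exact_match": exact_match(mode, ceiling),
        "within_policy": within_policy(mode, ceiling),
        "excess": oct(mode & ~ceiling),
    }

def demo() -> list:
    """Constructed sample: one file at three modes, audited against 0644."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.conf")
        open(path, "w").close()
        for mode in (0o644, 0o600, 0o666):
            os.chmod(path, mode)
            results.append(audit(path, 0o644))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
    # The required umask is a site policy decision: 022 or 027.
    for policy in (0o022, 0o027):
        print(oct(policy), {oct(u): umask_compliant(u, policy)
                            for u in (0o022, 0o027, 0o077)})
```

With the ceiling check, a 0600 file passes a 0644 policy while 0666 is still reported, and a umask of 022 passes or fails depending only on which value the site policy names.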


