Bugtraq mailing list archives

Re: Security Hole in Axent ESM


From: mark () ZANG COM (Mark)
Date: Fri, 28 Aug 1998 02:33:14 -0700


ESM does not only look at CRCs to verify if a file is genuine.  It also looks
at the timestamps; both the m-time and the c-time.  m-times are easy to change,
c-times are a lot harder and leave a trace.

From a program from 1991:

    gettimeofday(&real_tv, (struct timezone *)0);
    settimeofday(&fake_tv, (struct timezone *)0);
    if (utime(filename, nflg ? (time_t *)0 : times)) {
        if (nflg && (errno != EROFS) && (errno != EACCES)) {
            return (oldtouch(filename, &stbuf));
        }
        (void) fprintf(stderr,"%s: cannot change times on ", prog);
        perror(filename);
        return (-1);
    }
    settimeofday(&real_tv, (struct timezone *)0);

This doesn't leave a trace. There are numerous other programs to completely
replace all timestamps as normal, undetected. Technology has come a long way
since the above was written.

The bottom line is that ESM is a Policy Management tool.  You use ESM to ensure
that hosts comply with the company's security policy.  If you want intrusion
detection then you should have their ITA tool, too.  It can be set up to watch
files in real time and alert you if a file ever changes.

I've been tasked to install and use ESM on customer machines because "that's
what head office uses". I regard it as one of the worst types of packages of
its genre. Too much time was spent making the tool fit the gui, rather than
doing some real design work and then creating a good interface to a useful
tool. ESM is good so you can say "we are doing something for security". But
from a security point of view you can forget it. After two years of
putting up with its [il]logic I'm pleased not to have to deal with it any
more. It sucked. It did very little for real security.

I have no hidden agenda. I am not promoting any other tool. I simply do not
think ESM is very good at all. I've used a number of other tools and they
all have things you love and hate. There was little about ESM to like.

Cheers,
Mark
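The post argues that a CRC plus m-time/c-time is a weak integrity baseline, because the m-time is trivially reset with utime() and the c-time can be faked by moving the system clock. The following is an added example, not from the post and not Axent's code, of what a defender's baseline should record instead: a SHA-256 of the contents alongside the inode and nanosecond mtime/ctime, with a comparison step that flags the tell-tale combinations (new content under an unchanged mtime, a ctime that runs backwards). The demo() scenario is constructed in a temporary file; it edits the file and restores the mtime with utime(), exactly the cheap half of the trick the post describes, and shows the baseline still catches it. It makes no assumption about how ESM or ITA store their own baselines.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Record what an integrity baseline should hold: a cryptographic hash
    (a CRC can be matched by an attacker, SHA-256 cannot in practice) plus
    the stat fields that change when a file is touched or replaced."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "inode": st.st_ino,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def compare(baseline, current):
    """Return a list of findings; an empty list means nothing changed."""
    findings = []
    content_changed = baseline["sha256"] != current["sha256"]
    mtime_changed = baseline["mtime_ns"] != current["mtime_ns"]
    ctime_changed = baseline["ctime_ns"] != current["ctime_ns"]

    if content_changed:
        findings.append("content changed (SHA-256 mismatch)")
    if baseline["inode"] != current["inode"]:
        findings.append("inode changed (file replaced rather than edited in place)")
    if content_changed and not mtime_changed:
        # utime() can put the mtime back; the hash exposes the edit anyway.
        findings.append("mtime identical despite new content (mtime restored after edit)")
    if current["ctime_ns"] < baseline["ctime_ns"]:
        # The kernel only ever moves ctime forward; a regression means the
        # system clock was moved or the inode was written below the VFS.
        findings.append("ctime moved backwards (clock manipulation suspected)")
    if mtime_changed and not content_changed:
        findings.append("timestamps changed but content identical")
    if ctime_changed and not content_changed and not mtime_changed:
        findings.append("ctime changed (mode, owner or link count changed)")
    return findings


def demo():
    """Constructed scenario: edit a file, put its mtime back with utime(),
    and check that the baseline still reports the change."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"original configuration\n")  # constructed sample content
        base = snapshot(path)

        with open(path, "wb") as f:
            f.write(b"tampered configuration\n")  # constructed sample content
        # Restore the recorded mtime; ctime cannot be set this way and is
        # bumped by the kernel to the current time.
        os.utime(path, ns=(os.stat(path).st_atime_ns, base["mtime_ns"]))

        return compare(base, snapshot(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The ctime-regression check only helps if the baseline is taken while the clock is trusted and is stored off-host; a checker that keeps its baseline on the monitored machine can have both the file and the baseline rewritten under it, which is the gap the post says a real-time watcher such as ITA is meant to close.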


