Bugtraq mailing list archives
Re: Security Hole in Axent ESM
From: mark () ZANG COM (Mark)
Date: Fri, 28 Aug 1998 02:33:14 -0700
ESM does not only look at CRCs to verify if a file is genuine. It also looks at the timestamps; both the m-time and the c-time. m-times are easy to change, c-times are a lot harder and leave a trace.
From a program from 1991:
    gettimeofday(&real_tv, (struct timezone *)0);
    settimeofday(&fake_tv, (struct timezone *)0);
    if (utime(filename, nflg ? (time_t *)0 : times)) {
        if (nflg && (errno != EROFS) && (errno != EACCES)) {
            return (oldtouch(filename, &stbuf));
        }
        (void) fprintf(stderr, "%s: cannot change times on ", prog);
        perror(filename);
        return (-1);
    }
    settimeofday(&real_tv, (struct timezone *)0);

This doesn't leave a trace. There are numerous other programs to completely replace all timestamps as normal, undetected. Technology has come a long way since the above was written.
The bottom line is that ESM is a Policy Management tool. You use ESM to ensure that hosts comply with the company's security policy. If you want intrusion detection then you should have their ITA tool, too. It can be set up to watch files in real time and alert you if a file ever changes.
I've been tasked to install and use ESM on customer machines because "that's what head office uses". I regard it as one of the worst types of packages of its genre. Too much time was spent making the tool fit the GUI, rather than doing some real design work and then creating a good interface to a useful tool. ESM is good so you can say "we are doing something for security". But from a security point of view you can forget it. After two years of putting up with its [il]logic I'm pleased not to have to deal with it any more. It sucked. It did very little for real security.

I have no hidden agenda. I am not promoting any other tool. I simply do not think ESM is very good at all. I've used a number of other tools and they all have things you love and hate. There was little about ESM to like.

Cheers,
Mark
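As an added example (not code from this post, nor from Axent's ESM or ITA), here is a small baseline-and-compare check in the spirit of what the post describes: record content plus both timestamps, then treat "content changed but c-time did not move" as evidence of deliberate timestamp restoration rather than ordinary editing. It assumes SHA-256 in place of ESM's CRCs and uses constructed records in the test; the paths are placeholders.

```python
import hashlib
import os
from typing import Dict, Iterable, Tuple

# One record per file: (sha256 hex digest, st_mtime, st_ctime).
# SHA-256 is an assumption here; ESM itself uses CRCs.
Record = Tuple[str, float, float]


def snapshot(paths: Iterable[str]) -> Dict[str, Record]:
    """Read content hash, m-time and c-time for each path that exists."""
    records: Dict[str, Record] = {}
    for path in paths:
        try:
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            continue  # missing files show up as "missing" in compare()
        records[path] = (digest, st.st_mtime, st.st_ctime)
    return records


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, str]:
    """Classify each baseline path: unchanged, modified, tampered, metadata, missing, new."""
    findings: Dict[str, str] = {}
    for path, (h0, m0, c0) in baseline.items():
        if path not in current:
            findings[path] = "missing"
            continue
        h1, m1, c1 = current[path]
        if (h1, m1, c1) == (h0, m0, c0):
            findings[path] = "unchanged"
        elif h1 != h0 and c1 == c0:
            # The kernel bumps c-time on every write, chmod or chown.
            # Changed content with an unchanged c-time means the timestamp
            # was put back deliberately; flag it separately from plain edits.
            findings[path] = "tampered"
        elif h1 != h0:
            findings[path] = "modified"
        else:
            # Same content, different timestamps: permissions or ownership
            # may have changed (worth a look for set-uid binaries).
            findings[path] = "metadata"
    for path in current:
        if path not in baseline:
            findings[path] = "new"
    return findings
```

Run snapshot() once to build the baseline, persist it off-host, and feed a fresh snapshot() into compare() on each policy check.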
Current thread:
- Re: Security Hole in Axent ESM Larry Bassett (Aug 27)
- <Possible follow-ups>
- Re: Security Hole in Axent ESM Dr. Mudge (Aug 27)
- Re: Security Hole in Axent ESM Steve McBride (Aug 27)
- Re: Security Hole in Axent ESM Douglas G Conorich (Aug 27)
- Re: Security Hole in Axent ESM Mark (Aug 28)
- Re: Security Hole in Axent ESM Bert Driehuis (Aug 29)
- Re: Security Hole in Axent ESM Mark (Aug 28)
- Re: Security Hole in Axent ESM Douglas G Conorich (Aug 27)
- Re: Security Hole in Axent ESM Steve Jackson (Aug 28)
- Re: Security Hole in Axent ESM Paul Ashton (Aug 28)
- Re: Security Hole in Axent ESM Andy Church (Aug 29)
- Re: Security Hole in Axent ESM reddog (Aug 30)
- Re: Security Hole in Axent ESM Andy Church (Aug 31)
- Re: Security Hole in Axent ESM Caskey L. Dickson (Aug 31)
- ToolTalk Advisory Security Research Labs (Aug 31)