Bugtraq mailing list archives

Re: Cyberguard FW Silliness


From: "Green, Art (MED)" <Art.Green () MED GE COM>
Date: Sun, 5 Nov 2000 14:36:31 -0600

Did you check to see if the files were accessible by an unprivileged
process?  You have to check the MAC levels of each of the
files/directories in addition to the UNIX file security bits.

Now, I'm not a MAC expert, but all but one of these seem quite obvious.
I tried accessing all of these using an unprivileged user and except for
the last item, could not read or write the files.

Here is a follow-up to each one of your concerns:

/etc/security/firewall/cm
- Can't change into a 666 directory unless at SYS_PRIVATE
/etc/security/firewall/cm-defaults
- Can't change into a 666 directory unless at SYS_PRIVATE
/etc/.device.tab.lock
- Held at SYS_PRIVATE
/etc/conf/pack.d/ktrc
- Held at SYS_PRIVATE at conf and pack.d, ktrc is 776
/etc/iaf/cr1/.kmpipe
- Files without a security level can only be seen at SYS_PRIVATE
/etc/scsi/dtab.out
- scsi is held at SYS_PRIVATE
/etc/wsinit.err
- At SYS_PUBLIC, not writeable at NETWORK level
/usr/X/lib/fs/fs-errors
- Files without a security level can only be seen at SYS_PRIVATE (I
think)
/usr/X/desktop/Help_Desk
- Files without a security level can only be seen at SYS_PRIVATE (I
think)
/var/adm/log/routes
- routes held at SYS_PRIVATE
/var/adm/log/qhap.log
- qhap.log held at SYS_PRIVATE
/var/adm/sa/
- everything held as SYS_PRIVATE
/var/adm/spellhist
- Not sure, held at USER_LOGON (I did get a permission denied trying to
read it at NETWORK level)
/var/adm/unixtsa.log
- Files without a security level can only be seen at SYS_PRIVATE (I
think)
/var/sadm/dist
- dist at SYS_PRIVATE
/var/content/*
- At SYS_PUBLIC, not accessible at NETWORK level
- Files without a security level can only be seen at SYS_PRIVATE (I
think)
/var/audit/1018_list
- All audit trail *_list files are at SYS_PRIVATE or SYS_AUDIT
/dev/X/xfont.7000
- Files without a security level can only be seen at SYS_PRIVATE (I
think)
/tmp/.scopty
- Held at SYS_PRIVATE
/opt/QUALha/dev/ifs/*
- This is the only group I'm not sure about.

--
Art Green
Security Engineer
GE Medical Systems
235 N. Executive Drive
Suite 100
Brookfield, WI 53005
--

-----Original Message-----
From: phzy () ANTIPLUR COM [mailto:phzy () ANTIPLUR COM]
Sent: Friday, November 03, 2000 5:24 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Cyberguard FW Silliness


Hey guys,

Not an extremely huge issue, however one I think worth noting.
Cyberguard claims that their FW software runs atop 'hardened'
versions of SCO/Unixware (comes bundled w/ the FW package).
However, on a default installation of
the latest version of the Cyberguard FW on SCO, there are a number
of silly permissions on various critical files/directories:

drw-rw-rw- /etc/security/firewall/cm
drw-rw-rw- /etc/security/firewall/cm-defaults
-rw-rw-rw- /etc/.device.tab.lock
drwxrwxrw- /etc/conf/pack.d/ktrc
-rw-rw-rw- /etc/iaf/cr1/.kmpipe
-rw-rw-rw- /etc/scsi/dtab.out
-rw-rw-rw- /etc/wsinit.err
-rw-rw-rw- /usr/X/lib/fs/fs-errors
-rwxrwxrwx /usr/X/desktop/Help_Desk
-rw-rw-rw- /var/adm/log/routes
-rw-rw-rw- /var/adm/log/qhap.log
-rw-rw-rw- /var/adm/sa/*
-rw-rw-rw- /var/adm/spellhist
-rw-rw-rw- /var/adm/unixtsa.log
drwxrwxrwx /var/sadm/dist
drwxrwxrwx /var/content/*
-rw-rw-rw- /var/audit/1018_list
-rw-rw-rw- /dev/X/xfont.7000
-rw-rw-rw- /tmp/.scopty
-rw-rw-rw- /opt/QUALha/dev/ifs/*

Of course, the obvious symlink/race conditions apply w/ the temp files
listed above.

When Cyberguard was notified that their 'hardened' OS is not quite
as 'hardened' as originally thought, they stated that we would be
performing the configuration changes at our own risk and would
discontinue our support due to our 'custom', 'uncertified'
FW installation. However, they would gladly
send out a consultant at a cost of $15,000 to audit and certify our
'custom' configuration. HEH!

- phzy



--
Sent with Antiplur webmail: http://webmail.antiplur.com
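The check Art Green describes above (do not trust the mode bits alone; test what an unprivileged process can actually do with the path) as an added shell example. This is not code from either poster or from Cyberguard. It reads "MODE PATH" lines in the format of the listing in the original report, flags the entries whose other-write bit is set, and then asks the kernel, via test -r / test -w (access(2)), whether the invoking user can really read or write the path. On a system with mandatory access control the kernel's answer includes the MAC level check, so a 666 file can still come back as not writable. The sample listing at the bottom is constructed from a few of the reported paths plus /etc/passwd as a control; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original posts. Compare what an ls(1) mode
# string promises with what the kernel actually grants the current user.

# world_writable_mode MODE
#   MODE is a 10-character ls mode string such as "-rw-rw-rw-" (an ACL
#   marker such as "+" in column 11 is tolerated). Returns 0 when the
#   "other" write bit (column 9) is set, 1 otherwise.
world_writable_mode() {
    case "$1" in
        ????????w?|????????w?+) return 0 ;;
        *) return 1 ;;
    esac
}

# effective_access PATH
#   Prints "missing" if PATH does not exist, otherwise two characters:
#   r or - for readable, w or - for writable, as decided by the kernel for
#   the invoking user (test -r / test -w call access(2)). On a MAC-labelled
#   system this is where a SYS_PRIVATE level shows up as a denial even
#   though the DAC bits say 666.
effective_access() {
    [ -e "$1" ] || { echo missing; return 0; }
    r=-
    w=-
    [ -r "$1" ] && r=r
    [ -w "$1" ] && w=w
    echo "$r$w"
}

# audit_listing
#   Reads "MODE PATH" lines on stdin and prints, per path, the mode string,
#   whether the other-write bit is set, and the effective access observed.
#   A line with other-write=yes and effective=r- or -- is exactly the
#   "666 but denied" case described in the reply above.
audit_listing() {
    while read -r mode path; do
        [ -n "$path" ] || continue
        if world_writable_mode "$mode"; then ww=yes; else ww=no; fi
        printf '%s mode=%s other-write=%s effective=%s\n' \
            "$path" "$mode" "$ww" "$(effective_access "$path")"
    done
}

# Constructed sample input: a few of the reported paths plus a control.
SAMPLE_LISTING='-rw-rw-rw- /etc/wsinit.err
drwxrwxrwx /var/sadm/dist
-rw-rw-rw- /tmp/.scopty
-rw-r--r-- /etc/passwd'

# The whole point is the unprivileged view; root's DAC override (and, on
# some MAC systems, root's own level) would make the results meaningless.
if [ "$(id -u)" -eq 0 ]; then
    echo "warning: running as root; re-run as an unprivileged user" >&2
fi
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Run it as the least privileged account the box offers (on the Cyberguard host, a session at NETWORK level rather than SYS_PRIVATE), and feed it the real listing with `find / -perm -o+w -exec ls -ld {} + | awk '{print $1, $NF}' | audit_listing`. Paths that print other-write=yes together with effective=rw are the ones that actually matter for the symlink and race-condition concerns raised in the original report; the rest are being protected by something other than the mode bits, which is worth knowing but is not a finding on its own.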

