Bugtraq mailing list archives
Re: Cyberguard FW Silliness
From: "Green, Art (MED)" <Art.Green () MED GE COM>
Date: Sun, 5 Nov 2000 14:36:31 -0600
Did you check to see if the files were accessible by an unprivileged process? You have to check the MAC levels of each of the files/directories in addition to the UNIX file security bits. Now, I'm not a MAC expert, but all but one of these seem quite obvious. I tried accessing all of these using an unprivileged user and except for the last item, could not read or write the files.

Here is a follow-up to each one of your concerns:

/etc/security/firewall/cm - Can't change into a 666 directory unless at SYS_PRIVATE
/etc/security/firewall/cm-defaults - Can't change into a 666 directory unless at SYS_PRIVATE
/etc/.device.tab.lock - Held at SYS_PRIVATE
/etc/conf/pack.d/ktrc - Held at SYS_PRIVATE at conf and pack.d, ktrc is 776
/etc/iaf/cr1/.kmpipe - Files without a security level can only be seen at SYS_PRIVATE
/etc/scsi/dtab.out - scsi is held at SYS_PRIVATE
/etc/wsinit.err - At SYS_PUBLIC, not writeable at NETWORK level
/usr/X/lib/fs/fs-errors - Files without a security level can only be seen at SYS_PRIVATE (I think)
/usr/X/desktop/Help_Desk - Files without a security level can only be seen at SYS_PRIVATE (I think)
/var/adm/log/routes - routes held at SYS_PRIVATE
/var/adm/log/qhap.log - qhap.log held at SYS_PRIVATE
/var/adm/sa/ - everything held as SYS_PRIVATE
/var/adm/spellhist - Not sure, held at USER_LOGON (I did get a permission denied trying to read it at NETWORK level)
/var/adm/unixtsa.log - Files without a security level can only be seen at SYS_PRIVATE (I think)
/var/sadm/dist - dist at SYS_PRIVATE
/var/content/* - At SYS_PUBLIC, not accessible at NETWORK level - Files without a security level can only be seen at SYS_PRIVATE (I think)
/var/audit/1018_list - All audit trail *_list files are at SYS_PRIVATE or SYS_AUDIT
/dev/X/xfont.7000 - Files without a security level can only be seen at SYS_PRIVATE (I think)
/tmp/.scopty - Held at SYS_PRIVATE
/opt/QUALha/dev/ifs/* - This is the only group I'm not sure about.

--
Art Green
Security Engineer
GE Medical Systems
235 N. Executive Drive
Suite 100
Brookfield, WI 53005
--

-----Original Message-----
From: phzy () ANTIPLUR COM [mailto:phzy () ANTIPLUR COM]
Sent: Friday, November 03, 2000 5:24 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Cyberguard FW Silliness

Hey guys,

Not an extremely huge issue, however one I think worth noting. Cyberguard claims that their FW software runs atop 'hardened' versions of SCO/Unixware (comes bundled w/ the FW package). However, on a default installation of the latest version of the Cyberguard FW on SCO, there are a number of silly permissions on various critical files/directories:

drw-rw-rw- /etc/security/firewall/cm
drw-rw-rw- /etc/security/firewall/cm-defaults
-rw-rw-rw- /etc/.device.tab.lock
drwxrwxrw- /etc/conf/pack.d/ktrc
-rw-rw-rw- /etc/iaf/cr1/.kmpipe
-rw-rw-rw- /etc/scsi/dtab.out
-rw-rw-rw- /etc/wsinit.err
-rw-rw-rw- /usr/X/lib/fs/fs-errors
-rwxrwxrwx /usr/X/desktop/Help_Desk
-rw-rw-rw- /var/adm/log/routes
-rw-rw-rw- /var/adm/log/qhap.log
-rw-rw-rw- /var/adm/sa/*
-rw-rw-rw- /var/adm/spellhist
-rw-rw-rw- /var/adm/unixtsa.log
drwxrwxrwx /var/sadm/dist
drwxrwxrwx /var/content/*
-rw-rw-rw- /var/audit/1018_list
-rw-rw-rw- /dev/X/xfont.7000
-rw-rw-rw- /tmp/.scopty
-rw-rw-rw- /opt/QUALha/dev/ifs/*

Of course, the obvious symlink/race conditions apply w/ the temp files listed above.

When Cyberguard was notified that their 'hardened' OS is not quite as 'hardened' as originally thought, they stated that we would be performing the configuration changes at our own risk and will discontinue our support due to our 'custom', 'uncertified' FW installation. However, they would gladly send out a consultant at a cost of $15,000 to audit and certify our 'custom' configuration. HEH!

- phzy

--
Sent with Antiplur webmail: http://webmail.antiplur.com
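
Added example, not part of either post and not Cyberguard tooling: it decodes the UNIX mode strings from the listing above to octal and reports what the "other" bits alone permit, which is the DAC half of the check described in the reply. The MAC levels (SYS_PRIVATE, SYS_PUBLIC, NETWORK) are not modelled, and the entries are a subset copied from the listing.

```python
# Entries copied from the listing in the original post (a subset).
LISTING = """\
drw-rw-rw- /etc/security/firewall/cm
drwxrwxrw- /etc/conf/pack.d/ktrc
drwxrwxrwx /var/sadm/dist
-rwxrwxrwx /usr/X/desktop/Help_Desk
-rw-rw-rw- /etc/wsinit.err
-rw-rw-rw- /tmp/.scopty
"""

def parse_mode(mode):
    """Return (type_char, permission_bits) for a plain ls mode string.

    Only r, w, x and - are handled; setuid/setgid/sticky letters are rejected.
    """
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    bits = 0
    for i, ch in enumerate(mode[1:]):
        if ch == "rwx"[i % 3]:
            bits |= 1 << (8 - i)      # position 0 is owner-read (0o400)
        elif ch != "-":
            raise ValueError(f"unsupported character {ch!r} in {mode!r}")
    return mode[0], bits

def audit(listing):
    """Classify each entry by what the 'other' DAC bits alone permit."""
    report = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, path = line.split(None, 1)
        ftype, bits = parse_mode(mode)
        notes = []
        if bits & 0o002:
            notes.append("world-writable")
        if ftype == "d" and not bits & 0o001:
            # Without the search bit, 'other' cannot enter the directory.
            notes.append("no search bit for other")
        elif ftype == "d" and bits & 0o002:
            notes.append("other can create/delete entries")
        report.append((path, f"{bits:03o}", notes))
    return report

if __name__ == "__main__":
    for path, octal, notes in audit(LISTING):
        print(f"{octal} {path}: {', '.join(notes) or 'ok'}")
```

A result here covers the permission bits only; whether an unprivileged process can actually reach a file on this platform also depends on the MAC level of the file and of each parent directory.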