Re: Followup: Syslog
Quoting Micah Anderson [EMAIL PROTECTED]:

> One additional tweak which falls into line with the security setups, that I think is a good idea is to make the log files in /var/log chattr +a (append only) so logfiles cannot be modified or removed altogether to cover up tracks. This isn't the biggest security trick because all it does is make it so that if you don't know about chattr then you can't install a trojan. If you've got root then removing the immutability flags is trivial, but only if you know how to, or even know they exist. But it has kept the lower-level admins at a site I work at from modifying the logfiles, which is against policy.

Not every filesystem that Linux works with supports the append-only flag. If append-only is attempted, it must be able to cope with this absence.

(I'm sure I'm not the only one that has /var/log symlinked to /mnt/floppy ;)

--
Andrew Stribblehill [EMAIL PROTECTED]
Systems programmer, IT Service, University of Durham, England
Re: Followup: Syslog
from the secret journal of Micah Anderson ([EMAIL PROTECTED]):

> One additional tweak which falls into line with the security setups, that I think is a good idea is to make the log files in /var/log chattr +a (append only) so logfiles cannot be modified or removed altogether to cover up tracks. This isn't the biggest security trick because all it does is make it so that if you don't know about chattr then you can't install a trojan. If you've got root then removing the immutability flags is trivial, but only if you know how to, or even know they exist. But it has kept the lower-level admins at a site I work at from modifying the logfiles, which is against policy.

That's exactly right, append-only mode is useless. This is only meant for situations where non-root users must be able to write to a file, but not modify it. If syslog is running as root, there is zero point to this exercise. And as someone else pointed out, not every Linux filesystem (or possibly even the Hurd's implementation of ext2) supports this. Just because a feature exists, doesn't mean that it should be used.

--
Jacob Kuntz [EMAIL PROTECTED] http://underworld.net/~jake
Re: Followup: Syslog
On Wed, Apr 18, 2001 at 01:57:33PM +0100, Andrew Stribblehill wrote:
> Not every filesystem that Linux works with supports the append-only flag. If append-only is attempted, it must be able to cope with this absence.
>
> (I'm sure I'm not the only one that has /var/log symlinked to /mnt/floppy ;)

Other arguments about the utility of append-only aside, why not use ext2 floppies? There's not too much space overhead.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: Followup: Syslog
Peter Cordes writes:
> On Wed, Apr 18, 2001 at 01:57:33PM +0100, Andrew Stribblehill wrote:
>> Not every filesystem that Linux works with supports the append-only flag. If append-only is attempted, it must be able to cope with this absence.
>>
>> (I'm sure I'm not the only one that has /var/log symlinked to /mnt/floppy ;)
>
> Other arguments about the utility of append-only aside, why not use ext2 floppies? There's not too much space overhead.

If you are going to go to that much trouble, use a CD writer for logging.

Ken Seefried, CISSP
Re: Logging practices (and why does it suck in Debian?)
Speaking of problems with console-log, has anyone else had trouble with it when syslog restarts (e.g. when logs are rotated)? I found that after a syslog restart, no new messages would appear in the less concerned. Adding the following line to /etc/init.d/sysklogd just before the exit 0 at the end seems to have fixed it:

/etc/init.d/console-log $1 > /dev/null 2>&1

--
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
Re: MD5 sums of individual files?
On Wed, 18 Apr 2001, Michael Boman wrote:
> Is there a repository of MD5 sums for single files in a package?

Look under /var/lib/dpkg/info/*.md5sums

I don't know if there is an automated method of verifying that the sums match currently installed files though.

-B

--
Brandon High [EMAIL PROTECTED]
If at first you don't succeed, destroy all evidence that you tried.
Re: MD5 sums of individual files?
On Wed, Apr 18, 2001 at 02:46:53PM -0700, Brandon High wrote:
> On Wed, 18 Apr 2001, Michael Boman wrote:
>> Is there a repository of MD5 sums for single files in a package?
>
> Look under /var/lib/dpkg/info/*.md5sums
>
> I don't know if there is an automated method of verifying that the sums match currently installed files though.

debsums. Or if you boot from a floppy:

mount /dev/root-fs /rootfs
cd /rootfs
md5sum -c var/lib/dpkg/info/*.md5sums

Of course, this is mostly useless because the md5sums are on the same disk, and they could have been replaced just as easily. The main utility of debsums is if you crash your system and fsck reports damage. You can use debsums to find out which packages to apt-get install --reinstall.

If you weren't going to upgrade for a while, you could put your .md5sums onto a read-only floppy, along with an md5sum binary and a kernel. (You'd have to gzip them, but they would fit if you did.)

You can also use debsums to generate md5sums for packages that are missing them. This would be a good idea before making a floppy.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: [SECURITY] [DSA-048-1] remote cfingerd exploit
At Thu, 19 Apr 2001 03:02:24 +0200, Wichert Akkerman wrote:
> - Debian Security Advisory DSA-048-1 [EMAIL PROTECTED]
> Package: cfingerd

Isn't this DSA-049-1? DSA-048-1 is already reported:

[SECURITY] [DSA-048-1] samba symlink attacks

--
Kenshi Muto [EMAIL PROTECTED]
Re: IPChains vs Cisco IOS Packet Filters
Did you mean access control list (acl) in CISCO? iirc CISCO IOS (up to v11) is stateless, as is ipchains. Just implement your own ipchains firewall. Your ISP has a lot of concern to change the acl for you, probably due to understaffing in CISCO experts.

Alan.

> Hi,
>
> Can anyone tell me whether the Packet Filter on the Cisco IOS does stateful packet inspection? And whether I'll be losing by replacing it with IPChains on Kernel 2.2.17? Biggest reason being I know nothing about the Cisco IOS and it's also a leased router to which I don't have telnet or console access (only the ISP's net is allowed access to) and I keep on needing to alter rules and it's a bugger having to wait for the ISP to respond to requests :-(
>
> PS. What resources are available on the net on configuring and running a Linux IPChains firewall? (other than the HOWTO of course :-) )
>
> Thanks,
> Eugene van Zyl
MD5 sums of individual files?
Is there a repository of MD5 sums for single files in a package? If not, could it be created?

Best regards
Michael Boman

--
eLINUX --- Enabling the Net Economy on Linux
Michael Boman, eLinux Pte Ltd, LPIC-1, http://www.elinux.com.sg
Technical Consultant  Tel: (65) 227 6180  [EMAIL PROTECTED]  Fax: (65) 227 5808
Re: Logging practices (and why does it suck in Debian?)
On Tue, Apr 17, 2001 at 10:58:22AM -0600, Nate Duehr wrote:
> I had problems early on with console-log keeping machines from properly rebooting during remote reboots over ssh. Did that get cleared up? I could never track down why so I didn't submit a bug report on it, because I wasn't sure if it was a local problem to that machine only or not.

Just remove the symlink to console-log from /etc/rc0.d and /etc/rc6.d, maybe /etc/rc1.d too. The stop script is broken it seems; if you remove the symlinks, it will get killed anyway.

--
Name: Alson van der Meulen
Personal: [EMAIL PROTECTED]
School: [EMAIL PROTECTED]
Say, What does Superblock Error mean, anyhow?
Re: MD5 sums of individual files?
Brandon High [EMAIL PROTECTED] writes:
> On Wed, 18 Apr 2001, Michael Boman wrote:
>> Is there a repository of MD5 sums for single files in a package?
>
> Look under /var/lib/dpkg/info/*.md5sums
>
> I don't know if there is an automated method of verifying that the sums match currently installed files though.

Try debsums -s and read man debsums. Note that not all packages come with an *.md5sums file :-(

[EMAIL PROTECTED]:~$ dpkg -l | grep ^.i | wc -l
536
[EMAIL PROTECTED]:~$ ls /var/lib/dpkg/info/*.list | wc -l    # faster
536
[EMAIL PROTECTED]:~$ ls /var/lib/dpkg/info/*.md5sums | wc -l
429

--
Olaf Meeuwissen, Epson Kowa Corporation, Research and Development
Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it -- Richard Feynman
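Peter's boot-from-floppy check and Olaf's count of packages that ship no *.md5sums file, put together as an added example that is not part of this thread or of debsums: a POSIX sh script that checks a mounted root against a trusted copy of dpkg's *.md5sums lists and reports files that changed, files that are missing, and packages that have a .list but no .md5sums. The mount point, the info directory and the two fake packages (demo, nosums) are constructed for the demo.

```shell
#!/bin/sh
# Check installed files against the per-package .md5sums lists that dpkg keeps,
# using a copy of /var/lib/dpkg/info that lives on trusted (read-only) media.
# verify_tree ROOT INFODIR: ROOT is the mount point of the filesystem under
# test, INFODIR the trusted directory of *.md5sums and *.list files.
# Prints one line per finding; exit status is 0 only if nothing was reported.
verify_tree() {
    root=$1; info=$2; bad=0
    for sums in "$info"/*.md5sums; do
        [ -e "$sums" ] || continue
        pkg=$(basename "$sums" .md5sums)
        # each line is "<md5>  <path relative to />"
        while read -r want rel; do
            [ -n "$rel" ] || continue
            if [ ! -f "$root/$rel" ]; then
                echo "MISSING $pkg: /$rel"; bad=$((bad + 1)); continue
            fi
            have=$(md5sum < "$root/$rel" | cut -d' ' -f1)
            [ "$have" = "$want" ] || { echo "CHANGED $pkg: /$rel"; bad=$((bad + 1)); }
        done < "$sums"
    done
    # a package with a .list but no .md5sums cannot be verified at all
    for list in "$info"/*.list; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .list)
        [ -e "$info/$pkg.md5sums" ] || { echo "NOSUMS  $pkg"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo: a fake root with two packages, then one file is altered.
# Prints the temporary directory so callers can run verify_tree on it.
make_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/usr/bin" "$t/root/etc" "$t/info"
    printf 'hello\n' > "$t/root/usr/bin/hello"
    printf 'conf\n' > "$t/root/etc/demo.conf"
    {
        echo "$(md5sum < "$t/root/usr/bin/hello" | cut -d' ' -f1)  usr/bin/hello"
        echo "$(md5sum < "$t/root/etc/demo.conf" | cut -d' ' -f1)  etc/demo.conf"
        echo "00000000000000000000000000000000  usr/bin/gone"   # listed, never installed
    } > "$t/info/demo.md5sums"
    : > "$t/info/demo.list"
    : > "$t/info/nosums.list"                        # package shipped without md5sums
    printf 'tampered\n' > "$t/root/etc/demo.conf"   # simulate a modified file
    echo "$t"
}

D=$(make_demo)
verify_tree "$D/root" "$D/info" || echo "verification found problems"
```

As with debsums, a clean run only means the files match the lists you trust; the value of the check comes from keeping those lists somewhere the machine under test cannot rewrite.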