Re: Command history log for audit trail

2006-06-15 Thread Daniel Givens

On 6/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


I need to set up an audit trail for all commands run on machines.  I
know that the auth.log records who logs in and when, and that each
user's .bash_history has a history of their commands.  But is there some
other way to create a log for all commands run on a system?


You can intentionally log your session using script (man script). I'm
not aware of a way to do it for everyone, unless you were to add script
to your bashrc or something. That could be a little underhanded unless
everyone using the system knew it was logging.

Regards,
Daniel
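One way to do what Daniel describes, as an added example that is not from the thread: a profile drop-in that wraps every interactive login in script(1), tells the user the session is being recorded, and does not start a second transcript from the child shell that script spawns. It assumes a root-owned /var/log/sessions directory that users can write to but not list, and an /etc/profile.d location for the snippet.

```shell
#!/bin/sh
# Added example, not from the thread: start a script(1) transcript for every
# interactive login (the bashrc approach Daniel mentions) from
# /etc/profile.d/session-log.sh. Assumes /var/log/sessions exists and is
# writable but not listable by ordinary users (e.g. root-owned, mode 1733),
# and that users have been told sessions are recorded (the banner below).

SESSION_LOG_DIR=${SESSION_LOG_DIR:-/var/log/sessions}

# Transcript name from user, tty and timestamp, so two concurrent sessions of
# one user never write to the same file.
session_log_path() {
    _user=$1 _tty=$2 _stamp=$3
    _tty=$(printf '%s' "$_tty" | tr '/' '_')
    printf '%s/%s.%s.%s.log' "$SESSION_LOG_DIR" "$_user" "$_tty" "$_stamp"
}

# Start a transcript only for interactive shells ("i" in $-), only once
# (script spawns a child shell that re-reads this profile) and only when the
# log directory is usable; otherwise fall through to a normal login.
should_start_session_log() {
    _flags=$1 _already=$2 _dir=$3
    case $_flags in *i*) ;; *) return 1 ;; esac
    [ -z "$_already" ] || return 1
    [ -d "$_dir" ] && [ -w "$_dir" ]
}

if should_start_session_log "$-" "${SESSION_LOGGED:-}" "$SESSION_LOG_DIR"; then
    SESSION_LOGGED=1; export SESSION_LOGGED
    _tty=$(tty 2>/dev/null) || _tty=notty
    _log=$(session_log_path "$(id -un)" "$_tty" "$(date +%Y%m%d-%H%M%S)")
    echo "NOTICE: this session is being recorded to $_log" >&2
    # -q suppresses script's own start/stop messages; -f flushes after every
    # write so the transcript survives a dropped connection. exec replaces the
    # login shell, so leaving the recorded shell ends the session.
    exec script -q -f "$_log"
fi
```

The transcript only captures what the terminal shows, so a user who runs a command with output redirected elsewhere still leaves a record of the command line itself.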


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: securing /var/www or web content

2006-02-26 Thread Daniel Givens
There is the option of POSIX access control lists. Deny remote login
for the users you want to have access to the webroot and add them to
the access control list. For remote users, deny access. Now, if you
want to have users log in remotely and not be able to access those
files, then the only solution I can see is to give each user two
logins, one for remote login with lesser permissions and local only
accounts with more permissions.

For more on access control lists, SUSE has a good overview here:

http://www.suse.de/~agruen/acl/linux-acls/online/

To see if your filesystem supports ACLs, you can grep ACL
/boot/config-kernel-version. On my system here running SID and
2.6.15-1-k7, these modules are enabled.

CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

To enable ACLs, you just need to add the acl option in your fstab for
that partition.

Hope that helps!

Daniel
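Putting Daniel's ACL advice into a script, as an added example that is not from the thread: it checks the kernel option and the fstab acl mount option he describes, then closes the webroot to "other" and grants one named local user access with setfacl. It assumes Debian's www-data ownership of /var/www, the acl package (setfacl/getfacl) installed, and "alice" as a placeholder user.

```shell
#!/bin/sh
# Added example, not from the thread: verify POSIX ACL support for the
# filesystem holding the webroot (kernel option and fstab "acl" mount option,
# the two checks Daniel describes), then grant a named local user access with
# setfacl. Assumes Debian's www-data ownership of /var/www and the acl package
# (setfacl/getfacl) installed; "alice" is a placeholder user.

# Kernel config check, e.g. CONFIG_EXT3_FS_POSIX_ACL=y. Some filesystems spell
# it without "_FS" (CONFIG_XFS_POSIX_ACL, CONFIG_JFS_POSIX_ACL), so allow both.
kernel_acl_enabled() {
    _config=$1
    _up=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    grep -Eq "^CONFIG_${_up}(_FS)?_POSIX_ACL=[ym]$" "$_config"
}

# fstab check: field 2 is the mount point, field 4 the comma-separated options.
fstab_has_acl() {
    awk -v mnt="$2" '
        $1 !~ /^#/ && $2 == mnt {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "acl") ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Close the webroot to "other" (remote-only accounts get nothing), then give one
# local user an ACL entry: rwX on existing files (x only on directories or where
# x is already set) and a default entry on directories so files www-data creates
# later inherit it. Requires root.
grant_webroot_user() {
    _root=$1 _user=$2
    chmod -R o-rwx "$_root"
    setfacl -R -m "u:${_user}:rwX" "$_root"
    find "$_root" -type d -exec setfacl -d -m "u:${_user}:rwx" {} +
    getfacl --omit-header "$_root"
}

# Usage, run as root on the web server:
#   kernel_acl_enabled "/boot/config-$(uname -r)" ext3 \
#     && fstab_has_acl /etc/fstab /var \
#     && grant_webroot_user /var/www alice
```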


On 2/26/06, Sels, Roger [EMAIL PROTECTED] wrote:
 Olivier,

 How is that going to solve the problem?
 His user doesn't have /var/www as a home ; the issue is /var/www is
 world-readable/writeable/executable.

 The files in your /var/www should strictly speaking only be accessible to
 your webserver ; for apache usually www-data or apache or httpd accounts
 should have rwx permissions.
 Grep for these in /etc/passwd if unsure which one to use.

 You could then set the permissions to xy0 for /var/www with chmod.
 Test, if your site doesn't function adequately anymore, set the permissions
 for other to r(4) only.
 So for instance: chmod -R 770 www-data:www-data (www-data is the account
 under which the apache daemon runs on Debian).

 Check out: man chmod
 man chrgrp

 Have fun

 Roger

 On Mon, February 27, 2006 1:44 am, Olivier Papauré said:
  You can try to create a user with useradd and the -d option.

  From man useradd :

    The options which apply to the useradd command are:

    -d home_dir
        The new user will be created using home_dir as the value for the
        user's login directory.  The default is to append the login name
        to default_home and use that as the login directory name.
 
 
 
 
  --
  Debian Addict site : http://www.debianaddict.org
 
 
  2006/2/25, Arnel Pastrana [EMAIL PROTECTED]:
 
  Hi,
 
  May I know what are the possibilities to secure the content of my www
  folder?
 
  I want my local user to access because right now when login as an
  ordinary user using ssh i can delete the content of my www folder.
 
  What will I do? any idea?
 
  Thank you,
 
  Arnel Pastrana
  [EMAIL PROTECTED]
   The key is not to prioritize your shedule but to prioritize your
  priorities.  --- Stephen R Covey
 
 
 
 
 
 


 --
 Life is 10 percent what you make it and 90 percent how you take it. -
 Irving Berlin







Re: avahi-daemon

2006-02-22 Thread Daniel Givens
The package maintainer has a point that an mDNS daemon would be pretty
pointless if it only bound to lo. I think it is more the
responsibility of the administrator to know what is going on his
system. If you are so worried about security, then why not check out
those NINE new Avahi packages when apt says they are going to be
installed? If you miss it there, it is very prominently displayed on
startup that the Avahi daemon is starting. Oh noes! I'd better stop
that and figure out exactly what it is. If you are interested in a
security report on Avahi, Ubuntu has one here.

https://wiki.ubuntu.com/MainInclusionReportAvahi

This is a service aimed at desktop use. If you're worried about it
getting installed on a server, then you shouldn't be installing a
music player on it either. You're contradicting yourself on your
levels of paranoia.



On 2/22/06, aliban [EMAIL PROTECTED] wrote:
 Hi,

 as the package maintainer seems to ignore my complaint I forward the 
 discussion to debian-user mailing list.

 On debian testing the rhythmbox suggested to install the avahi-daemon that 
 listens on all interfaces by default.

 I think this kind of install behaviour is insecure even if the package 
 maintainer does not agree.

 In short I think: even if the user should know what he is doing when he 
 updates his system it is not a secure design for packages to start listening 
 on all interfaces by default without prompting AND warning the user. It is 
 not sufficient to mention this behaviour somewhere in the package description 
 as many packages come as a dependency or as a suggested package; users won't 
 read every package description of every package they install, especially if 
 they come as a suggested package or dependency.

 best regards.


 Sjoerd Simons wrote:

  On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:

   Package: avahi-daemon
   Version: 0.6.6-1
   Severity: normal

   I don't know why this pkg was installed in my testing. For sure I did not
   install it directly, maybe it was some strange dependency from something?

  No strange dependencies. You probably got it because rhythmbox recommends it.

 Yes, I think that was the reason.

   Anyway, this thing listens on all interfaces by default. I think this design
   is insecure. It should bind to localhost only (ok, this might not make sense
   for such a service) OR it should ask the user for the interfaces it binds to.

  Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
  If you had looked a little bit further you might have seen that the daemon
  runs as an unprivileged user, version 0.6.6-2 of the package even runs in a
  minimal chroot environment, so it's actually quite secure by design.

 I don't doubt that it has a quite secure design. Anyway, as soon as
 something starts listening on the network this is a potential security
 hole. In contrast to applications that are only contacting the internet
 on the user's demand (for example a web browser, email client or instant
 messenger) this thing is always on and not depending on additional user
 interaction, therefore it is a different level of 'taking care'.

   Please change the installer's behaviour.

  If you don't want it, purge it from your system. Afaik everything that doesn't
  directly need it only recommends it. Closing this bug

    Sjoerd

 I did not have problems removing it from the system, I just wonder why
 something gets installed and opens a port and starts listening to all
 interfaces without asking me, especially if I did not directly ask for
 this program. Do you really expect all users to read every line of every
 program description? When you install Adobe or Java from sun, did you
 read every single word in the license? Would you like it if Adobe just
 opens some 'obscure' service listening on all interfaces?

 Of course it does not make sense to install this daemon and listen only
 on localhost. Maybe the recommending should be removed but
 this is another thing...

 Anyway, all I think is that users should be prompted (for example as
 portmap does it).

 I suggest you add something like xyz is a service that does blah blah,
 ... For most users this service should bind only to a local area network
 and not to the internet. (If you need this service at all) Do you want
 to bind to all interfaces? - with no as default!

 I would be very happy if you can add such a thing.

 What do you think?

 Edrin











Re: Security scanner

2006-01-23 Thread Daniel Givens
On 1/23/06, Jaroslaw Tabor [EMAIL PROTECTED] wrote:
 Hi all!

 Does anyone know a network scanner I can run on Debian to search the LAN for
 unprotected windows shares ?

Look into Nessus. (http://www.nessus.org/)

 Or maybe something looking for simple passwords ?

Look into John the Ripper (http://www.openwall.com/john/)


 I'd like to automate discovering stupid users, leaving full access to their C:\.

...I still wouldn't let them have full access to the root drive.
It leaves too many openings for malware (ad/spyware, viruses, worms)
to go crazy on your systems. Stupid users are assumed, stupid admins
are another thing altogether.

~Daniel