error.log entry - Firewalls



Thread: error.log entry

  1. Re: error.log entry

    Sebastian Gottschalk skrev:
    > Anders wrote:
    >
    >> Sebastian Gottschalk skrev:
    >>> Anders wrote:
    >>>
    >>>> Sebastian Gottschalk skrev:
    >>>>> Moe Trin wrote:
    >>>>>
    >>>>>> The file integrity checker should (if possible) be stored on removable
    >>>>>> media along with the checkfiles. This removable media should normally
    >>>>>> be stored in a secure place, and installed ONLY during the checks.
    >>>>> Installed? Booting a Linux floppy doesn't require any installation.
    >>>> No, but you need to mount it.
    >>>> "/dev/fd0 /floppy/ext2 ext2 ro,root,noauto 0 0"
    >>> The floppy will of course mount itself.

    >> Not necessary, if you use a line like the one above in fstab it will
    >> never mount by itself, and you have to be root to do it too.

    >
    > Now I'm pretty sure that you didn't get the point:


    The point I get is to use a floppy containing the checking program,
    and that I would be able to use even when the server is up and running.

    > We want to boot a floppy with Linux which contains both our indexing
    > utility (md5sum, sha1sum, ...) and the list of checksum (CSV with
    > filename;SHA1;filesize).


    For that purpose I use 'Insert' instead.
    http://www.inside-security.de/insert_en.html

    > And we should never boot into a potentially compromised system.


    Even if I suspect that it has been compromised I will surely boot into it,
    after I disconnect it from the net.

    /Anders

  2. Re: error.log entry

    Anders wrote:

    > The point I get is to use a floppy containing the checking program,
    > and that I would be able to use even when the server is up and running.


    OK, back to context: We were talking about the situation when you can
    reasonably assume the system was compromised.

    If the system is not in such a desolate state, you can run the file
    integrity check from about any point, including the to-be-checked system
    itself.

    >> We want to boot a floppy with Linux which contains both our indexing
    >> utility (md5sum, sha1sum, ...) and the list of checksum (CSV with
    >> filename;SHA1;filesize).

    >
    > For that purpose I use 'Insert' instead.
    > http://www.inside-security.de/insert_en.html


    KISS

    >> And we should never boot into a potentially compromised system.

    >
    > Even if I suspect that it has been compromised I will surely boot into it,
    > after I disconnect it from the net.


    Well, then you've already failed. The compromised system can lie to you as
    much as it wants, including an in-memory modification of the checker
    program to always report success / the expected checksums / checksums of
    an uncompromised system.

  3. Re: error.log entry

    On Sun, 04 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    , Anders wrote:

    >Would it be possible to create a MD5 on the entire /, like:
    > md5sum / > /.md5
    >and then check it with:
    > md5sum -c /.md5
    >to see if there is any differences on the disk?


    md5sum works on a "per file" basis. What you _could_ do is to make an
    md5sum of the partition (remember, "everything is a file"), although
    there could be rather interesting complications if the entire partition
    is not mounted read-only.

    >> but don't forget to keep the system up to date.

    >
    >The magic of 'apt' ;-)


    We're a bit more paranoid, and anyway we're mainly rpm based. We have
    two individuals tasked with monitoring the security groups and downloading
    all errata as source packages. They then do an audit of the source before
    locally building the binaries and putting those onto a local updates
    server. For ordinary stuff, there is a nightly cron-job run on all systems
    that looks in the errata server, and installs anything found there. It
    also sends a mail with an "installed package list" to an inventory server
    so we can keep track of things.

    >For 'Vi' it is "only" a little bit more than 500 pages to read, I am
    >using it on Ip-Cop but not as much as I should have to do, to really
    >learn it well enough to get use of it on a daily basis.


    A neighbor teaches UNIX at a local junior college, and the "Introduction
    to UNIX" class teaches basic concepts and some applications (vi, mail,
    man, cat, wc, more, less, sort, tr, sed, grep, cut, awk, find, regular
    expressions, pipes and redirections). The first two or three weeks of
    class (3 hour class twice a week), the students are flailing away - way
    over their head. By the ninth week, they are doing "one-liners" like

    [compton ~]$ history | sed 's/^......//' | tr '|' '\n' | sed 's/^ *//' |
    cut -d' ' -f1 | sort -u | wc -l
    84
    [compton ~]$

    He has a hand-out for 'vi' that is five pages long. The textbook used
    covers vi in one chapter of 48 pages. It also has 60 pages in a chapter
    on 'ed' and 'ex', but he just skims over that. Looking at the O'Reilly
    catalog (http://www.ora.com/), the "Learning the vi Editor, 6th Edition"
    (ISBN 1-56592-426-6) is 344 pages, while the chapter covering vi in the
    'Linux in a Nutshell' and 'UNIX in a Nutshell' is less than 15 pages.

    You don't need to know everything about vi to use it effectively.
    Depending on what packages your distribution supplied, you might have the
    'vim' clone, and that comes with

    [compton ~]$ whatis vim vimtutor
    vim (1) - Vi IMproved, a programmers text editor
    vim [ex] (1) - Vi IMproved, a programmers text editor
    vim [gvim] (1) - Vi IMproved, a programmers text editor
    vim [rvi] (1) - Vi IMproved, a programmers text editor
    vim [rview] (1) - Vi IMproved, a programmers text editor
    vim [vi] (1) - Vi IMproved, a programmers text editor
    vim [view] (1) - Vi IMproved, a programmers text editor
    vimtutor (1) - the Vim tutor
    [compton ~]$ rpm -qd `rpm -qa | grep ^vim` | wc -l
    311
    [compton ~]$

    The latter command is rpm specific, but queries the installed packages
    that begin with the string 'vim' to count the number of files identified
    as "documentation" (man pages, help pages, HOWTOs, FAQs, and general
    information) that is installed from those packages.

    Old guy


  4. Re: error.log entry

    On Sun, 04 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    , Anders wrote:
    >Sebastian Gottschalk skrev:
    >> Anders wrote:
    >>
    >>> Sebastian Gottschalk skrev:
    >>>> Anders wrote:
    >>>>> "/dev/fd0 /floppy/ext2 ext2 ro,root,noauto 0 0"
    >>>> The floppy will of course mount itself.


    Gottschalk - READ THE GOD DAMN POST!!! Or stop posting because you don't
    have a clue! Look at the freakin' man page and learn what "noauto" means.

    >> Now I'm pretty sue that you didn't get the point:


    Nope you are the one who doesn't know what you are talking about.

    >The point I get is to use a floppy containing the checking program,
    >and that I would be able to use even when the server is up and running.


    Yes - just ignore this idiot, as his help is useless.

    Old guy


  5. Re: error.log entry

    Moe Trin wrote:

    > On Sun, 04 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    > , Anders wrote:
    >>Sebastian Gottschalk skrev:
    >>> Anders wrote:
    >>>
    >>>> Sebastian Gottschalk skrev:
    >>>>> Anders wrote:
    >>>>>> "/dev/fd0 /floppy/ext2 ext2 ro,root,noauto 0 0"
    >>>>> The floppy will of course mount itself.

    >
    > Gottschalk - READ THE GOD DAMN POST!!! Or stop posting because you don't
    > have a clue! Look at the freakin' man page and learn what "noauto" means.


    I know what "noauto" means. That's exactly why I wrote a statement
    _against_ it.

  6. Re: error.log entry

    Moe Trin skrev:
    > On Sun, 04 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    > , Anders wrote:
    >
    >> Would it be possible to create a MD5 on the entire /, like:
    >> md5sum / > /.md5
    >> and then check it with:
    >> md5sum -c /.md5
    >> to see if there is any differences on the disk?

    >
    > md5sum works on a "per file" basis. What you _could_ do is to make an
    > md5sum of the partition (remember, "everything is a file"), although
    > there could be rather interesting complications if the entire partition
    > is not mounted read-only.


    Maybe it is better to first use 'debsums -s', and go from that point to see if
    and there to create any md5's on separate files.

    >>> but don't forget to keep the system up to date.

    >> The magic of 'apt' ;-)

    >
    > We're a bit more paranoid, and anyway we're mainly rpm based. We have
    > two individuals tasked with monitoring the security groups and downloading
    > all errata as source packages. They then do an audit of the source before
    > locally building the binaries and putting those onto a local updates
    > server. For ordinary stuff, there is a nightly cron-job run on all systems
    > that looks in the errata server, and installs anything found there. It
    > also sends a mail with an "installed package list" to an inventory server
    > so we can keep track of things.


    I don't think I have to be that paranoid, it is not a critical environment,
    just the GPG keys and a restrictive sources.list would be good enough
    for me.

    >> For 'Vi' it is "only" a little bit more than 500 pages to read, I am
    >> using it on Ip-Cop but not as much as I should have to do, to really
    >> learn it well enough to get use of it on a daily basis.

    >
    > A neighbor teaches UNIX at a local junior college, and the "Introduction
    > to UNIX" class teaches basic concepts and some applications (vi, mail,
    > man, cat, wc, more, less, sort, tr, sed, grep, cut, awk, find, regular
    > expressions, pipes and redirections). The first two or three weeks of
    > class (3 hour class twice a week), the students are flailing away - way
    > over their head. By the ninth week, they are doing "one-liners" like
    >
    > [compton ~]$ history | sed 's/^......//' | tr '|' '\n' | sed 's/^ *//' |
    > cut -d' ' -f1 | sort -u | wc -l
    > 84
    > [compton ~]$
    >
    > He has a hand-out for 'vi' that is five pages long. The textbook used
    > covers vi in one chapter of 48 pages. It also has 60 pages in a chapter
    > on 'ed' and 'ex', but he just skims over that. Looking at the O'Reilly
    > catalog (http://www.ora.com/), the "Learning the vi Editor, 6th Edition"
    > (ISBN 1-56592-426-6) is 344 pages, while the chapter covering vi in the
    > 'Linux in a Nutshell' and 'UNIX in a Nutshell' is less than 15 pages.
    >
    > You don't need to know everything about vi to use it effectively.
    > Depending on what packages your distribution supplied, you might have the
    > 'vim' clone, and that comes with
    >
    > [compton ~]$ whatis vim vimtutor
    > vim (1) - Vi IMproved, a programmers text editor
    > vim [ex] (1) - Vi IMproved, a programmers text editor
    > vim [gvim] (1) - Vi IMproved, a programmers text editor
    > vim [rvi] (1) - Vi IMproved, a programmers text editor
    > vim [rview] (1) - Vi IMproved, a programmers text editor
    > vim [vi] (1) - Vi IMproved, a programmers text editor
    > vim [view] (1) - Vi IMproved, a programmers text editor
    > vimtutor (1) - the Vim tutor
    > [compton ~]$ rpm -qd `rpm -qa | grep ^vim` | wc -l
    > 311
    > [compton ~]$
    >
    > The latter command is rpm specific, but queries the installed packages
    > that begin with the string 'vim' to count the number of files identified
    > as "documentation" (man pages, help pages, HOWTOs, FAQs, and general
    > information) that is installed from those packages.


    I have Vim installed as I erratically call 'Vi'.

    It was this little bible I had in mind.
    http://truth.sk/vim/vimbook-OPL.pdf
    'VI Improved (VIM)' by 'Steve Oualline' made in 2002, and it is actually
    572 pages or (using 'wc -w') 142505 words.

    VIM manuals and more on the sourceforge.
    http://vimdoc.sourceforge.net/

    /Anders

  7. Re: error.log entry

    On Mon, 05 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    , Anders wrote:

    >Moe Trin skrev:


    >> md5sum works on a "per file" basis. What you _could_ do is to make an
    >> md5sum of the partition (remember, "everything is a file"), although
    >> there could be rather interesting complications if the entire partition
    >> is not mounted read-only.

    >
    >Maybe it is better to first use 'debsums -s', and go from that point to
    >see if and there to create any md5's on separate files.


    The disadvantage of 'debsums' is that it only monitors the files
    that belong to packages. Your home directory, data for your server and
    so on is not checked - as the Debian package maintainers can't know what
    those files/directories are going to look like. There is a 'debsums_gen'
    tool, but that's probably not going to help either. A disadvantage of
    these package tools is shown in the header of the man pages:

    [van-allen ~]$ whatis debsums debsums_gen
    debsums (1) - check the MD5 sums of installed Debian packages
    debsums_gen (8) - Generate /var/lib/dpkg/info/*.md5sums for packages
    lacking it
    [van-allen ~]$

    They only do MD5 sums. (rpm is similar, but also notes size, permissions
    and ownerships). Compare that to a designated Integrity checker. In
    fact, look at the bottom of the debsums(1) man page:

    debsums is intended primarily as a way of determining what installed
    files have been locally modified by the administrator or damaged by media
    errors and is of limited use as a security tool.

    If you are looking for an integrity checker that can run from safe media,
    do integrity checks on checksum databases and can be easily configured to
    run periodically to warn the admin of changes see other tools such as:
    aide, integrit, samhain, or tripwire.

    I'm aware of an application called 'fcheck(1)' which can be found on some
    Debian installations. It was a Perl script. Two other possibilities are
    'fam' and 'gamin' - although 'fam' has gotten a reputation as a resource
    pig.

    Old guy
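    As an added example (not code from the thread or from aide, debsums or rpm), here is a minimal baseline/compare checker in Python that records the 'filename;SHA1;filesize' fields discussed earlier in the thread plus the mode and owner that rpm notes and debsums does not, and reports files that were added, removed or changed in any of those attributes:

```python
# Added example (not code from the thread, aide, debsums or rpm): a minimal
# baseline/compare integrity check. Each record carries the thread's
# 'filename;SHA1;filesize' fields plus the mode and owner that rpm records
# and debsums does not check; keep the real database on read-only media.
import csv, hashlib, os, stat

def sha1_of(path):
    """Hash in chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Walk root without following symlinks; return {relpath: record}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not hashed here
            baseline[os.path.relpath(full, root)] = {
                "sha1": sha1_of(full), "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid, "gid": st.st_gid}
    return baseline

def save_baseline(baseline, csv_path):
    """Write the database as ';'-separated rows (csv quotes odd names)."""
    with open(csv_path, "w", newline="") as f:
        w = csv.writer(f, delimiter=";")
        for rel, r in sorted(baseline.items()):
            w.writerow([rel, r["sha1"], r["size"], r["mode"], r["uid"], r["gid"]])

def load_baseline(csv_path):
    with open(csv_path, newline="") as f:
        return {row[0]: {"sha1": row[1], "size": int(row[2]), "mode": row[3],
                         "uid": int(row[4]), "gid": int(row[5])}
                for row in csv.reader(f, delimiter=";")}

def compare(old, new):
    """Return (added, removed, {path: [attributes that differ]})."""
    changed = {rel: [k for k in old[rel] if old[rel][k] != new[rel][k]]
               for rel in old.keys() & new.keys()}
    return (sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()),
            {rel: d for rel, d in changed.items() if d})
```

    Because the hash is recorded alongside the size, a same-length edit to a file shows up as a 'sha1' change even though 'size' is unchanged, and a chmod alone shows up as a 'mode' change with an intact hash.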

  8. Re: error.log entry

    Moe Trin skrev:
    > On Mon, 05 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    > , Anders wrote:
    >
    >> Moe Trin skrev:


    I just have to thank you for your time taken.
    And tell you that I am going to use Aide, I have been struggling with the
    aide.conf a couple of hours, and now I believe that I have a functional .conf
    for my desktop (haven't had time to make it for the server), but there is no
    way I'm gonna be able to use a floppy-disk, the size is almost 2MB, so I have
    to keep it on an USB-stick instead.
    The advantage is that I'll be able to have several installations on that
    USB-stick (128MB), the disadvantage is that I want to use the stick for
    other purposes too.

    /Anders

  9. Re: error.log entry

    On Wed, 07 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
    <8Xoyh.31436$E02.12790@newsb.telia.net>, Anders wrote:

    >I just have to thank you for your time taken.


    Glad to help

    >And tell you that I am going to use Aide, I have been struggling with
    >the aide.conf a couple of hours, and now I believe that I have a
    >functional .conf for my desktop (haven't had time to make it for the
    >server), but there is no way I'm gonna be able to use a floppy-disk, the
    >size is almost 2MB, so I have to keep it on an USB-stick instead.


    Well, there were 2.88 MB floppies long ago, and there were Zip drives
    in various sizes, but a USB stick is a _LOT_ more convenient.

    >The advantage is that I'll be able to have several installations on that
    >USB-stick (128MB), the disadvantage is that I want to use the stick for
    >other purposes too.


    You'll just have to get another ;-)

    Old guy
