Author: Benjamin D. Thomas
Gaim, MIT, Netatalk, socat, mpg123, rssh, xpdf, gpdf, cups, kdegraphics, squid,
and libtiff. The distributors include Conectiva, Fedora, Gentoo, Mandrake, Red
Hat, Slackware, and SuSE.
Developing A Security Policy
Create a simple, generic policy for your system that your users can
readily understand and follow. It should protect the data you’re
safeguarding, as well as the privacy of the users. Some things to
consider adding are who has access to the system (Can my friend use
my account?), who’s allowed to install software on the system, who
owns what data, disaster recovery, and appropriate use of the system.
A generally accepted security policy starts with the phrase: “That which
is not expressly permitted is prohibited”
This means that unless you grant access to a service for a user,
that user shouldn’t be using that service until you do grant access.
Make sure the policies work on your regular user account. Saying,
“Ah, I can’t figure this permissions problem out, I’ll just do it
as root” can lead to security holes that are very obvious, and even
ones that haven’t been exploited yet.
Additionally, there are several questions you will need to answer
to successfully develop a security policy:
- What level of security do your users expect?
- How much is there to protect, and what is it worth?
- Can you afford the down-time of an intrusion?
- Should there be different levels of security for different groups?
- Do you trust your internal users?
- Have you found the balance between acceptable risk and secure?
You should develop a plan on who to contact when there is a
security problem that needs attention.
There are quite a few documents available on developing a Site
Security Policy. You can start with the SANS Security Policy
Project.
Excerpt from the LinuxSecurity Administrator’s Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)
LinuxSecurity.com
Feature Extras:

Mass deploying Osiris – Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
AIDE and CHKROOTKIT – Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
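The two articles above both rest on the same mechanism: record a trusted baseline of every file's hash and metadata, rescan later, and report what differs. The following is an added example written for this newsletter, not code from Osiris, AIDE or chkrootkit, that implements that loop in plain Python. The directory tree it scans and the "intrusion" it simulates (a binary swapped for one of identical size, a dropped-in module, a deleted file) are constructed fixtures in a scratch directory; the JSON baseline format and the attribute set (SHA-256, size, mode, mtime) are this example's own choices.

```python
# Added example (not code from Osiris, AIDE or LinuxSecurity.com): a minimal
# file-integrity checker. Baseline a tree, rescan later, report what was
# added, removed or changed and which attributes changed.
import hashlib
import json
import os
import stat
import tempfile


def _sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size, permission bits and mtime of every regular file under root.
    Paths are stored relative to root so the database can live on a central server
    (as Osiris does) and be compared against scans sent back by the client."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps the saved JSON diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks while scanning
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            db[os.path.relpath(full, root)] = {
                "sha256": _sha256_of(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return db


def compare(baseline, current):
    """Diff two baselines. 'changed' maps a path to the attributes that differ, so a
    report can say 'content changed but size and mode did not', which is the
    signature of a binary replaced by one padded to its original length."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(db, path):
    """Persist the baseline; in a real deployment keep this off the monitored host."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny fake system tree, simulate an intrusion
    (same-size trojan, new module dropped in, file deleted), return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls")  # 11 bytes
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        db_file = os.path.join(store, "baseline.json")  # kept outside the scanned tree
        save_baseline(build_baseline(root), db_file)

        # Tamper: same-length replacement, a new file, a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")  # also 11 bytes, so size alone would miss it
        with open(os.path.join(root, "rootkit.ko"), "wb") as f:
            f.write(b"constructed sample module")
        os.remove(os.path.join(root, "passwd"))

        return compare(load_baseline(db_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the per-attribute diff is in the demo: the replaced binary shows up under `changed` with only `sha256` (and possibly `mtime`) listed, while `size` and `mode` are unchanged, which is exactly the case a size-and-timestamp-only check would miss. What the client/server model in the Osiris article adds on top of this is keeping the baseline where an intruder on the scanned host cannot rewrite it, and moving scan results over an authenticated, encrypted channel.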
An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code – Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Distribution: Conectiva

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/22/2004 | mozilla | upstream fix | This announcement updates mozilla packages for Conectiva Linux 9 and 10 to mozilla version 1.7.3. This update fixes lots of vulnerabilities. |
| 10/25/2004 | zlib | denial of service vulnerabilities fix | Due to a Debian bug report[3], a denial of service vulnerability[4] was discovered in the zlib compression library versions 1.2.x, in the inflate() and inflateBack() functions. |
| 10/26/2004 | kernel | vulnerabilities fix | This announcement fixes a vulnerability in the Linux kernel which could allow a local attacker to obtain sensitive information due to an issue when handling 64-bit file offset pointers. |
| 10/27/2004 | foomatic-filters vulnerability | vulnerabilities fix | The foomatic-rip filter in foomatic-filters contains a vulnerability[2][3] caused by insufficient checking of command-line parameters and environment variables which may allow arbitrary remote command execution on the print server with the permissions of the spooler user (“lp”). |
Distribution: Fedora

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/26/2004 | cups-1.1.20-11.6 update | vulnerabilities fix | A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. |
| 10/27/2004 | glib2 and gtk2 | md5sums update | The md5sums of the glib2-2.4.7-1.1 and gtk2-2.4.13-2.1 updates don’t match the ones in the announcements I sent out. |
Distribution: Gentoo

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/24/2004 | MySQL | Multiple vulnerabilities | Several vulnerabilities including privilege abuse, Denial of Service, and potentially remote arbitrary code execution have been discovered in MySQL. |
| 10/24/2004 | Gaim | Multiple vulnerabilities | Multiple vulnerabilities have been found in Gaim which could allow a remote attacker to crash the application, or possibly execute arbitrary code. |
| 10/25/2004 | MIT krb5 | Insecure temporary file use in send-pr.sh | The send-pr.sh script, included in the mit-krb5 package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility. |
| 10/25/2004 | Netatalk | Insecure tempfile handling in etc2ps.sh | The etc2ps.sh script, included in the Netatalk package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility. |
| 10/25/2004 | socat | Format string vulnerability | socat contains a format string vulnerability that can potentially lead to remote or local execution of arbitrary code with the privileges of the socat process. |
| 10/27/2004 | mpg123 | Buffer overflow vulnerabilities | Buffer overflow vulnerabilities have been found in mpg123 which could lead to execution of arbitrary code. |
| 10/27/2004 | rssh | Format string vulnerability | rssh is vulnerable to a format string vulnerability that allows arbitrary execution of code with the rights of the connected user, thereby bypassing rssh restrictions. |
Distribution: Mandrake

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/22/2004 | xpdf | vulnerabilities fix | Chris Evans discovered numerous vulnerabilities in the xpdf package which can result in DoS or possibly arbitrary code execution. |
| 10/22/2004 | gpdf | DoS vulnerability fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as gpdf. |
| 10/22/2004 | cups | DoS vulnerabilities fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code. |
| 10/22/2004 | kdegraphics | DoS vulnerability fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as kpdf. |
| 10/22/2004 | squid | SNMP processing vulnerability fix | iDEFENSE discovered a Denial of Service vulnerability in squid version 2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, leading to the server assuming there is heap corruption or some other exceptional condition, and closing all current connections then restarting. |
| 10/22/2004 | gpdf | DoS vulnerability fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code. |
| 10/22/2004 | kdegraphics | DoS vulnerability fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code. |
| 10/22/2004 | CUPS | DoS vulnerabilities fix | Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code. |
| 10/22/2004 | xpdf | vulnerabilities fix | Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0, and also programs like cups which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker-controlled location, which probably could lead to arbitrary code execution. |
Distribution: Red Hat

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/22/2004 | CUPS | security issues fix | Updated cups packages that fix denial of service issues, a security information leak, as well as other various bugs are now available. |
| 10/22/2004 | libtiff | update | Updated libtiff packages that fix various buffer and integer overflows are now available. |
| 10/27/2004 | mysql-server update | update | An updated mysql-server package that fixes various security issues is now available in the Red Hat Enterprise Linux 3 Extras channel of Red Hat Network. |
| 10/27/2004 | xchat | SOCKSv5 proxy security issue fix | An updated xchat package that fixes a stack buffer overflow in the SOCKSv5 proxy code. |
| 10/27/2004 | xpdf | security flaws fix | An updated xpdf package that fixes a number of integer overflow security flaws is now available. |
Distribution: Slackware

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/22/2004 | Gaim | buffer overflow | A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and may allow the execution of arbitrary code. |
| 10/26/2004 | apache, mod_ssl, php security issues fix | buffer overflow | New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. |
Distribution: SuSE

| Date | Package | Summary | Description |
|---|---|---|---|
| 10/22/2004 | libtiff | security vulnerability fix | Chris Evans found several security related problems during an audit of the image handling library libtiff, some related to buffer overflows, some related to integer overflows and similar. |
| 10/26/2004 | xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups security vulnerability fix | security vulnerability fix | Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3. |
| 10/26/2004 | xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups remote system compromise | security vulnerability fix | Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3. |
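Two of the Gentoo entries above (mit-krb5's send-pr.sh and Netatalk's etc2ps.sh) are the same bug class: a helper script writes to a temporary file with a predictable name and no exclusive-create check, so a pre-existing symlink at that name is silently followed. The following added example, written for this newsletter and not taken from either package, shows that pattern beside the two hardened forms. It runs entirely inside a private scratch directory; the "victim" file, the planted link and the `send-pr.tmp` file name are constructed fixtures for the demonstration.

```python
# Added example (not code from mit-krb5, Netatalk or LinuxSecurity.com): the
# temporary-file mistake behind the send-pr.sh and etc2ps.sh advisories, with
# the hardened forms beside it. All paths are inside a scratch directory.
import os
import tempfile


def unsafe_write(tmp_path, data):
    """Fixed, predictable name opened for writing with no O_EXCL. If something
    already sits at tmp_path, including a symlink planted earlier by another
    local user, open() follows it and the write lands on the link's target."""
    with open(tmp_path, "w") as f:
        f.write(data)


def safe_write_fixed_name(tmp_path, data):
    """Same fixed name, but O_CREAT|O_EXCL makes the open fail if anything already
    exists at the path (a symlink counts), so a planted link is never followed.
    O_NOFOLLOW is defence in depth on platforms that define it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp_path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_write_mkstemp(tmp_dir, data):
    """Preferred form: mkstemp picks an unpredictable name, creates it with
    O_CREAT|O_EXCL and mode 0600, and returns the already-open descriptor, so
    there is no window between choosing the name and opening it."""
    fd, path = tempfile.mkstemp(prefix="send-pr.", dir=tmp_dir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: a config file we care about, and a symlink at the
    predictable temp name pointing at it. Returns what each variant did."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")
        planted = os.path.join(scratch, "send-pr.tmp")  # hypothetical fixed name
        with open(victim, "w") as f:
            f.write("keep me\n")
        os.symlink(victim, planted)  # fixture standing in for a planted link

        unsafe_write(planted, "clobbered\n")
        with open(victim) as f:
            after_unsafe = f.read()  # the victim, not the temp file, was written

        with open(victim, "w") as f:  # restore, then try the hardened fixed name
            f.write("keep me\n")
        try:
            safe_write_fixed_name(planted, "clobbered\n")
            refused = False
        except FileExistsError:  # EEXIST from O_EXCL: the link was not followed
            refused = True
        with open(victim) as f:
            after_safe = f.read()

        made = safe_write_mkstemp(scratch, "private data\n")
        with open(made) as f:
            mkstemp_content = f.read()
        return {
            "after_unsafe": after_unsafe,
            "fixed_name_refused": refused,
            "after_safe": after_safe,
            "mkstemp_name_differs": os.path.basename(made) != "send-pr.tmp",
            "mkstemp_content": mkstemp_content,
            "mkstemp_mode": oct(os.stat(made).st_mode & 0o777),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The naive variant overwrites the victim without any error, which is why these bugs go unnoticed until an advisory. The fixed-name variant fails loudly, which is the correct outcome: the program should abort rather than write through whatever it found. For shell scripts like the two named in the advisories the equivalent of `mkstemp` is `mktemp(1)`, and the same rule applies: never write to a `/tmp` path you did not create exclusively in the same call that opened it.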