Intercepting commands at the exec level will catch every program that users run. Tampering with user-configurable variables such as LD_LIBRARY_PATH or IFS cannot bypass logging. So, to include exec logging, change the flags and naflags lines of the audit_control file to read:

    flags:ex
    naflags:lo,ex

Now turn on BSM by running /etc/security/bsmconv as root. This will add a line to /etc/system to load the c2audit module, and it will turn off volume management. Once bsmconv is run, reboot the machine by issuing init 6. If you make changes to the /etc/security/audit_control file after the initial configuration, instruct the audit daemon to read the new audit_control file by executing:

    /usr/sbin/audit -s

When the machine comes back up, there should be an audit file in /var/audit. The name of the current audit file is in /etc/security/audit_data. This file has two fields that are ":" separated -- the first is the PID of auditd, the second is the full path name of the active audit file. For example:

    305:/var/audit/20040527201025.not_terminated.host.my.domain

To convert the binary audit data into human-readable form, use praudit. praudit has a few basic options that determine single- or multi-line display and delimiters, but it provides no mechanism for choosing which events get displayed. Filter the events by using auditreduce, which reads all of the files in the audit directory and searches for matching criteria. For example, to get a listing of every event for the user "usera", execute the following:

    /usr/sbin/auditreduce -u usera | /usr/sbin/praudit

A matching record for an ls -al would look like the following:

    header,134,2,execve(2),,host.my.domain,2004-05-27 17:39:09.493 -04:00
    path,/usr/xpg4/bin/ls
    attribute,100555,root,bin,32,15209,0
    subject,usera,usera,groupa,usera,groupa,291,283,0 0 host.my.domain
    return,success,0

Note that it did not log the arguments to the ls command. To add those fields, execute the command:

    /usr/sbin/auditconfig -setpolicy +argv

To see whether it's taken effect, execute:

    /usr/sbin/auditconfig -getpolicy

The output should be:

    audit policies = argv,cnt

After making this modification, the records appear as:

    header,151,2,execve(2),,host.my.domain,2004-05-27 17:54:22.068 -04:00
    path,/usr/xpg4/bin/ls
    attribute,100555,root,bin,32,15209,0
    exec_args,3,ls,-al,/tmp
    subject,usera,usera,groupa,usera,groupa,323,283,0 0 host.my.domain
    return,success,0

To make this change permanent, edit /etc/security/audit_startup and add the line:

    /usr/sbin/auditconfig -setpolicy +argv

All possible policy settings can be viewed by executing:
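Reading praudit output by eye does not scale, so here is an added example (not from the column or from Solaris itself) that parses the one-token-per-line praudit records shown above and answers two defender questions: which commands a given audit user ran, and which execve(2) records were logged without exec_args, i.e. before the +argv policy took effect. The sample records are constructed from the two quoted in the text.

```python
from __future__ import annotations

# Constructed sample in praudit's default one-token-per-line layout, modelled on the
# two records quoted above: the first logged before +argv, the second after it.
SAMPLE = """\
header,134,2,execve(2),,host.my.domain,2004-05-27 17:39:09.493 -04:00
path,/usr/xpg4/bin/ls
attribute,100555,root,bin,32,15209,0
subject,usera,usera,groupa,usera,groupa,291,283,0 0 host.my.domain
return,success,0
header,151,2,execve(2),,host.my.domain,2004-05-27 17:54:22.068 -04:00
path,/usr/xpg4/bin/ls
attribute,100555,root,bin,32,15209,0
exec_args,3,ls,-al,/tmp
subject,usera,usera,groupa,usera,groupa,323,283,0 0 host.my.domain
return,success,0
"""

def parse_records(text: str) -> list[dict]:
    """Group praudit lines into records; every header token starts a new record."""
    records: list[dict] = []
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        fields = rest.split(",")  # assumes no commas inside paths or arguments
        if token == "header":     # header,length,version,event,modifier,host,time
            records.append({"event": fields[2], "host": fields[4],
                            "time": fields[5], "path": None, "args": None})
        elif not records:
            continue              # stray token before the first header: skip it
        elif token == "path":
            records[-1]["path"] = rest
        elif token == "exec_args":  # exec_args,count,arg0,arg1,...
            count = int(fields[0])
            records[-1]["args"] = [a.strip() for a in fields[1:1 + count]]
        elif token == "subject":  # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
            records[-1]["audit_user"] = fields[0]
            records[-1]["pid"] = int(fields[5])
        elif token == "return":   # return,status,value
            records[-1]["status"] = fields[0]
    return records

def commands_run_by(records: list[dict], user: str) -> list[tuple]:
    """What auditreduce -u USER | praudit shows, reduced to (path, argv) pairs."""
    return [(r["path"], r["args"]) for r in records
            if r["event"] == "execve(2)" and r.get("audit_user") == user]

def execs_missing_argv(records: list[dict]) -> list[int]:
    """PIDs of execve(2) records with no exec_args token: +argv was not in effect."""
    return [r["pid"] for r in records if r["event"] == "execve(2)" and r["args"] is None]
```

Feed it the output of auditreduce | praudit; a non-empty result from execs_missing_argv is the quickest way to spot a host where the audit_startup change was never made.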
Q Our company needs a way to transfer large files electronically to and from various outside vendors. Currently, we try to send attachments to email. Transfers using this method fail more than half the time when the files exceed 4 to 5 MB. I believe we need our own FTP site, but I'm concerned about security. Our IT division has resisted setting this up, so we're probably stuck doing it ourselves. I'm sure they're also concerned about security, but I think it's primarily because they don't want another maintenance headache.

A Depending on your environment, implementing the features you've detailed may not be a trivial task. There are a number of things to consider when you want to set up a secure data depot. The server itself needs to be protected, which means that you want secured authentication. Standard FTP does not encrypt the authentication phase, so there's the potential for third parties to sniff passwords and gain unauthorized access. You may want to look at a TLS/SSL-enabled FTP server like Pure-FTPd, which encrypts the authentication phase, but not the data phase. Another issue with the FTP protocol is that it's difficult to pass through a tight firewall because of the way it handles port allocation. Does the data itself need to be protected? If you're passing proprietary data between clients, do you want other people to be able to intercept and read that data? If not, then you also want something that does encryption of the data as well as encryption of the authentication phase. This is usually accomplished by using SSL, whether as compiled with something like scp/sftp/ssh or as compiled into something like Apache. Can both ends pull data, or does one end need to push data? In other words, can you download files from clients, or will they have to be able to upload them to you? The former case is reasonably easy to handle with a Web server like SSL-enabled Apache.
This option doesn't work as well if people need to upload files to you, though it can be made to work via custom CGI scripts. If people need to upload files to you, can they have shell access on the machine? If so, you can easily use scp or sftp. If not, then you need to restrict their capabilities to upload only. Standard FTP does this, but is not secure. Tools like scp and sftp can be augmented to do this, but they were not designed to do so out of the box. Depending on your platform, you may be able to use an FTP daemon with TLS/SSL support for both authentication and data connections built in. Take a look at:
    http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

for a comparison of ftps servers and clients.

Q I've been looking at implementing DNSBLs on our mail servers, but I'm not sure which lists to use. Are there some generally accepted ones? Ones to avoid? Actually, is there even a canonical list of all DNSBL services anywhere?

A Which DNSBLs you want to use depends on your site policy. Do you need to be conservative in what you reject, or can you be extremely aggressive? How much collateral damage are you willing to accept? For a fairly comprehensive list, take a look at:

    http://spamlinks.openrbl.org/filter-dnsbl-lists.htm#spamsource

They break the list down into various types of DNSBLs, including those that are mainstream or aggressive, how addresses get on the list, whitelists vs. blacklists, etc. Openrbl.org also has links to testing DNSBLs, information on DNSBL return codes, and comparison statistics for various DNSBLs. If you can't find a combination of DNSBLs that meets your needs, you may consider running your own.

Q I've been trying to learn shell scripting, primarily Bourne because it's the most portable. One of the things that I've come across is a weird function or variable substitution that looks like the following:
    if [ "Xsomething" != "X${somevar}" ]; then

What do the capital X characters do in this statement? As far as I can tell, these serve no purpose, and things work just fine if you remove them.

A This is a common defensive coding practice. The capital X characters are in the statement to prevent the code from evaluating strange non-alphanumeric characters after the variable expansion. The X prefix basically means that the comparison will always be treated as a string instead of doing something odd with the contents of ${somevar}. You can replace the X with any other alphabetic character or series of characters that you want and it will have the same effect. Imagine that the ${somevar} variable had the contents of "-foo". If you left off the X, the expansion would be:

    if [ something != -foo ]; then

That's invalid syntax and the test will give you an error. With the addition of the X prefix, you instead get:

    if [ Xsomething != X-foo ]; then

which is valid shell syntax.

Q We have a large number of AIT tapes that we no longer need, so we were going to degauss them and sell them on eBay. I'm concerned that degaussing the tapes will ruin them, though, since I've heard that the process can destroy certain types of media. I know that AIT tapes have a MIC chip on them, and I'm wondering if that will be irrecoverably damaged in the degaussing process.

A The tape products that can be damaged by degaussing are those that have factory pre-recorded magnetic servo tracks. Luckily, all versions of AIT tapes are safe and you can degauss them at will. For a list of media that is safe/not safe to degauss, take a look at:
    http://www.fujifilmmediasource.com/specs/degauss.htm

Q We have various Linux boxes at work that run Oracle for test, development, and production. We also have a number of FreeBSD boxes on which I'd like to install Oracle as well, but I haven't been able to find a FreeBSD version of Oracle out there. I know one must exist, because I've heard of other people running Oracle on FreeBSD. Is there a special FreeBSD-only Web site from which I need to download Oracle?

A The people running Oracle on FreeBSD are doing so under Linux emulation mode. For detailed instructions on how to get Oracle9i running from scratch on a FreeBSD box, take a look at Brian Ledbetter's article in Daemon News:

    http://ezine.daemonnews.org/200402/oracle.html

It includes information on the prerequisites you need, where to get the Oracle distribution for Linux, how to set up the Linux compat packages and users, and how to run the Oracle9i installer. There are even snapshots of the GUI installer running so you know exactly what things should look like. Brian also reports that installing Oracle10g on FreeBSD appears to be much easier than the preceding versions. If you're interested in Oracle8i instead of 9i for some reason, take a look at:

    http://www.scc.nl/~marcel/howto-oracle.html

or Chapter 22 of the FreeBSD handbook:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/linuxemu-oracle.html

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.
© 2005 CMP Media LLC. All Rights Reserved.