Forwarded from: Aj Effin Reznor <ajat_private>

[Last post on this message, this topic is dead. - WK]

This horse is beyond beat, but a few points I haven't seen made, or may have missed.

C2 is a joke. It's great, for non-networked machines. Russ Cooper, of NTBugTraq, even had an article on the subject. Carried on zdnet.

Sidebar: Does *anyone* on zdnet review even their own archives? (hint: it's at: http://www.zdnet.com/windows/stories/main/0,4728,2214860,00.html )

Mr. Cooper writes, early in the article (in the second paragraph):

"The assumption is that if you buy a C2 network product, which has been evaluated against one of these criteria, you can take it out of the box, install it, and rest assured that its security features are going to protect you. It's a mistaken belief."

He follows this immediately by saying:

"C2 certification is based on evaluation of products in a very controlled way. This means precise hardware and software configurations."

As an example of how touchy C2 is, he writes:

"Alter the drivers for your video, and your system's no longer C2-secure. Add a network adapter, and it's no longer C2-secure. Buy the latest Intel Processor, and it's no longer C2-secure. Get the picture?"

C2 is for *non* networked machines. Sure, it's great for logging and auditing, but really, what good is a machine that's unattached? Can't get data in or out of it (floppies and NICs are no-no's under C2, ya know). By and large, a non-connected machine is going to be slightly (tho barely) more secure than a networked machine.

Now, we can go ahead and say that SNARE isn't meant to be C2. Thank gawd for the little things. Sure, they say the lack of auditing is what's really holding linux back from mainstream acceptance in the corporate arena.
From http://www.intersectalliance.com/projects/Snare/index.html:

"As long time users of the Linux operating system, we believe that one of the key missing features that is holding Linux back from deployment in large organisations, particularly those with significant security requirements, is the availability of host based intrusion detection systems - ie: system auditing or event logging facilities."

(How "long" can they have been using Linux, anyways?)

I really disagree with this statement. NT logs everything, sure. Each entry says little more than "an unknown event occurred", yet its widespread acceptance is indisputable. Can it be the logging? Eh, no.

The same page goes on to say:

"...InterSect Alliance are proud to release a dynamically loadable kernel module that will form the basis for a host intrusion detection facility and C2-style auditing/event logging capability for Linux - without the need for a kernel recompile."

Hi, I'm interested in Linux security. And lemme tell ya, there are TWO things that I want to avoid.

The first is a kernel that utilizes loadable modules. If anyone has noticed, most serious linux intrusions rely on LKMs. This should be a red flag to anyone who is practiced within the security community. Actually, it is. And, I wonder why "long time users" haven't learned this yet. LKM for the ability to install without rebooting? Yee haa. If secure logging were nearly as important as it's made out to be in this press release, then a simple reroll of the kernel and reboot would not make anyone hesitate.

What's the second thing I avoid like the plague?

"Due to the nature of Linux modules, the binary versions of the snare-core package are kernel version specific. Binary packages are provided for Redhat 7.1 (kernel version 2.4.2). Users with different kernel versions will need to recompile snare-core from either the source RPM, or the supplied tar.gz file."

Redhat, of course.
The Crimson Derby has more holes than, well, pretty much any other linux distro. If you're going to run Redhat, then I guess you'd *need* something like SNARE. Of course, the dominant holes in RH, the remote root exploits and whatnot, aren't of issue on a machine without a NIC...

One last kicker....

"However, we recognise that Linux is many things to many people, and building audit/event logging capabilities directly into the kernel will only contribute to kernel bloat. The facility may never be used in some Linux installations."

Maybe I'm just fantasizing again, but I'd expect long term linux users (at least, ones who have rolled a few kernels in their long term using time) to be aware that there are a LOT of kernel options which are not enabled by default. Packing new features into the kernel, ones I don't use, has never caused me kernel bloat, as I always tune my kernels to the job the box will be performing; new fluff is never introduced into my kernels. I imagine others employing linux in the corporate arena do the same thing, also.

So, keeping with form, I need to ask: Who's smoking all the crack? Can we offer up more buzzwords? Can journos research topics, even from their own pub, before going to press malinformed?

> As promised in my initial e-mail, I have looked into this matter
> and spoken with experts who actually have day-to-day experience
> and working knowledge of Linux and in particular, Linux security.
> They

Are these self-professed experts? Was one named "Kimble" ?

> have advised me to rework my article slightly to include reference
> to C2-compliance--which is the most distinguishing factor of the
> new tool. I have run a proof by them and they are happy with the
> amendments, which I will be posting on our site now.

See above. Have they outlined the *specific* hardware for running a SNAREd machine? Also, will this be Redbook C2 or Orangebook C2?
http://www.radium.ncsc.mil/tpep/library/rainbow/

> Although I strongly disagree with your personal attacks against
> me, that is another matter and one which will be addressed
> --especially due to the fact that you have yet to remove or
> apologise for your slanderous comments.

Can I at least ask (again) why you didn't put much effort into researching these topics (to the point of comprehension) beyond talking to unnamed "experts" ?

> As for the infosec news list readers you have approached, please
> pass on to them my sincere thanks for their feedback and the
> notice of my amendment. It is interesting to note that in a
> community such as Linux, which is fighting daily against
> oppression from proprietary systems, members of this community
> would personally and professionally attack any journalist that
> gives weight to their fight, and attempts to expose brilliance in
> the ranks, rather than mistakes and vulnerabilities.

Any journalist that "gives weight" through misinformation and misrepresentation is as much a threat as any monolith that would happen to reside in, say, Redmond. Or do you think that false praise is as good as real praise? Consider these "attacks" as opportunities to improve your own technical knowledgebase so you can better understand topics, and therefore report on them more accurately. Or, consider them an indicator of shortcomings. Your choice.

> It is surprising that such a community is not applauding its
> members who are attempting to make a difference rather than
> shooting down the messengers.

Flap. C2 is all flap. By and large useless in a production environment. Designing it around the most flawed and feeble linux distro... not a smart move, either. Want applause? I'll applaud the NSA for attempting to build it (linux) secure from the ground up, rather than trying to log inevitable intrusions in a known security-deficient distro.
I'll applaud anyone that "attacks" products (and the manufacturers) and points out shortcomings in said products. If you (anyone) feel I should explain the reasoning behind this... hell.... nevermind.

> Nicole

I've since lost the url for the original PR piece, but does anyone remember that Argus had their Pitbull system for Solaris, similar to this?

-aj.

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
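The post's practical point, that a box should either be built without loadable module support or otherwise not accept new modules, is something an administrator can check rather than argue about. The script below is an added example written for this archive page; it is not from the post, from InterSect Alliance, or from SNARE. Each function takes a file path, so it can be pointed at a real kernel .config (or a gunzipped /proc/config.gz), the live /proc/modules and /proc/sys/kernel/modules_disabled, or at the constructed sample files it writes itself. The modules_disabled sysctl is an assumption about the target kernel (it arrived in 2.6.31, well after the 2.4 kernels the post discusses); on a kernel without it the function simply reports "not locked".

```shell
#!/bin/sh
# Added example (not from the post or from SNARE): report whether a box has
# loadable-module support compiled in, which modules are loaded, and whether
# further module loading has been locked out via kernel.modules_disabled.
# Every function takes a file path so it runs against /proc files on a live
# host or against the constructed samples at the bottom.

# Print y, n or unset depending on the CONFIG_MODULES line in a kernel .config.
module_support_from_config() {
    if grep -q '^CONFIG_MODULES=y' "$1"; then
        echo y
    elif grep -q '^# CONFIG_MODULES is not set' "$1"; then
        echo n
    else
        echo unset
    fi
}

# Print loaded module names, one per line, from a /proc/modules-format file
# (fields: name size refcount dependents state address).
loaded_modules() {
    awk '{ print $1 }' "$1"
}

# Print how many modules are loaded (0 for an empty /proc/modules).
loaded_module_count() {
    loaded_modules "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if the sysctl file exists and reads 1, i.e. the kernel
# refuses any further module loads until reboot. Assumes a 2.6.31+ kernel.
module_loading_locked() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# One-word verdict: monolithic (no module support built in), locked (support
# built in but loading disabled), or open (modules can still be loaded).
module_posture() {
    config="$1"; modules="$2"; sysctl="$3"
    if [ "$(module_support_from_config "$config")" = n ]; then
        echo monolithic
    elif module_loading_locked "$sysctl"; then
        echo locked
    else
        echo open
    fi
}

# --- constructed sample files (not captured from any real host) ---
WORKDIR=$(mktemp -d)
printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_MODULE_UNLOAD=y' > "$WORKDIR/config-modular"
printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_NET=y' > "$WORKDIR/config-mono"
printf '%s\n' 'e1000 123456 0 - Live 0xffffffffa0000000' \
              'ext3 98765 1 - Live 0xffffffffa0100000' \
              'jbd 45678 1 ext3, Live 0xffffffffa0200000' > "$WORKDIR/modules"
: > "$WORKDIR/modules-empty"
echo 1 > "$WORKDIR/modules_disabled-on"
echo 0 > "$WORKDIR/modules_disabled-off"

# Stand-alone run: show the three postures side by side.
for c in modular mono; do
    echo "config-$c: CONFIG_MODULES=$(module_support_from_config "$WORKDIR/config-$c")"
done
echo "loaded modules: $(loaded_modules "$WORKDIR/modules" | tr '\n' ' ')"
echo "A (modular, not locked): $(module_posture "$WORKDIR/config-modular" "$WORKDIR/modules" "$WORKDIR/modules_disabled-off")"
echo "B (modular, locked):     $(module_posture "$WORKDIR/config-modular" "$WORKDIR/modules" "$WORKDIR/modules_disabled-on")"
echo "C (monolithic):          $(module_posture "$WORKDIR/config-mono" "$WORKDIR/modules-empty" "$WORKDIR/modules_disabled-off")"
```

On a live host the same functions would be called with /proc/modules, the gunzipped /proc/config.gz (or the distribution's /boot/config-* file) and /proc/sys/kernel/modules_disabled; "open" is the posture the post objects to, "monolithic" is the reroll-and-reboot posture it recommends, and "locked" is the middle ground for kernels that must keep module support but can refuse loads after boot.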
This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 01:07:34 PST