Re: [ISN] Linux snares security tool

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 23:11:23 PST

  • Next message: InfoSec News: "RE: [ISN] Agencies flunk security review"

    Forwarded from: Aj Effin Reznor <ajat_private>
    [Last post on this message, this topic is dead. - WK]
    This horse is beyond beat, but a few points I haven't seen made, or
    may have missed.
    C2 is a joke.  It's great, for non-networked machines.
    Russ Cooper, of NTBugTraq, even had an article on the subject.
    Carried on zdnet.
    Sidebar:  Does *anyone* on zdnet review even their own archives?
    (hint:  it's at:,4728,2214860,00.html )
    Mr. Cooper writes, early in the article (in the second paragraph):
    "The assumption is that if you buy a C2 network product, which has
    been evaluated against one of these criteria, you can take it out of
    the box, install it, and rest assured that its security features are
    going to protect you. It's a mistaken belief."
    He follows this immediately by saying: "C2 certification is based on
    evaluation of products in a very controlled way. This means precise
    hardware and software configurations."
    As an example of how touchy C2 is, he writes: "Alter the drivers for
    your video, and you're system's no longer C2-secure.  Add a network
    adapter, and it's no longer C2-secure. Buy the latest Intel Processor,
    and it's no longer C2-secure. Get the picture?"
    C2 is for *non* networked machines.  Sure, it's great for logging and
    auditing, but really, what good is a machine that's unattached?  
    Can't get data in or out of it (floppys and NICs are no-no's under C2,
    ya know). By and large, a non-connected machine is going to be
    slightly (tho barely) more secure than a networked machine.
    Now, we can go ahead and say that SNARE isn't meant to be C2.  Thank
    gawd for the little things.
    Sure, they say the lack of auditing is what's really holding linux
    back from mainstream acceptance in the corporate arena.
    "As long time users of the Linux operating system, we believe that one
    of the key missing features that is holding Linux back from deployment
    in large organisations, particularly those with significant security
    requirements, is the availability of host based intrusion detection
    systems - ie: system auditing or event logging facilities."
    (How "long" can they have been using Linux, anyways?)
    I really disagree with this statement.  NT logs everything, sure. Each
    entry says little more than "an unknown event occured", yet it's
    widespread acceptance is undisputable.  Can it be the logging?
    Eh, no.
    The same page goes on to say:
    "...InterSect Alliance are proud to release a dynamically loadable
    kernel module that will form the basis for a host intrusion detection
    facility and C2-style auditing/event logging capability for Linux -
    without the need for a kernel recompile."
    Hi, I'm interested in Linux security.  And lemme tell ya, there are
    TWO things that I want to avoid.  The first is a kernel that utilizes
    loadable modules.  If anyone has noticed, most serious linux
    intrusions rely on LKMs.  This should be a red flag to anyone who is
    practiced within the security community.  Actually, it is.
    And, I wonder why "long time users" haven't learned this yet.
    LKM for the ability to install without rebooting?  Yee haa.  If secure
    logging were nearly as important as it's made out to be in this press
    release, then a simple reroll of the kernel and reboot would not make
    anyone hesititate.
    What's the second thing I avoid like ther plague?
    "Due to the nature of Linux modules, the binary versions of the
    snare-core package are kernel version specific. Binary packages are
    provided for Redhat 7.1 (kernel version 2.4.2). Users with different
    kernel versions will need to recompile snare-core from either the
    source RPM, or the supplied tar.gz file."
    Redhat, of course.  The Crimson Derby has more holes than, well,
    pretty much any other linux distro.  If you're going to run Redhat,
    then I guess you'd *need* something like SNARE.  Of course, the
    dominant holes in RH, the remote root exploits and whatnot, aren't of
    issue on a machine without a NIC...
    One last kicker....
    "However, we recognise that Linux is many things to many people, and
    building audit/event logging capabilities directly into the kernel
    will only contribute to kernel bloat. The facility may never be used
    in some Linux installations."
    Maybe I'm just fantasizing again, but I'd expect long term linux users
    (at least, ones who have rolled a few kernels in their long term using
    time) to be aware that there are a LOT of kernel options which are not
    enable by default.  Packing new features into the kernel, ones I don't
    use, has never caused me kernel bloat, as I always tune my kernels to
    the job the box will be performing; new fluff is never introduced into
    my kernels.  I imagine others employing linux in the corporate arena
    do the same thing, also.
    So, keeping with form, I need to ask:
    Who's smoking all the crack?
    Can we offer up more buzzwords?
    Can journos research topics, even from their own pub, before going to
    press malinformed?
    > As promised in my initial e-mail, I have looked into this matter
    > and spoken with experts who actually have day-to-day experience
    > and working knowledge of Linux and in particular, Linux security.
    > They
    Are these self-professed experts?  Was one named "Kimble" ?
    > have advised me to rework my article slightly to include reference
    > to C2-compliance--which is the most distinguishing factor of the
    > new tool. I have run a proof by them and they are happy with the
    > amendments, which I will be posting on our site now.
    See above.  Have they outlined the *specific* hardware for running a
    SNAREd machine?
    Also, will this be Redbook C2 or Orangebook C2?
    > Although I strongly disagree with your personal attacks against
    > me, that is another matter and one which will be addressed
    > --especially due to the fact that you have yet to remove or
    > apologise for your slanderous comments.
    Can I at least ask (again) why you didn't put much effort into
    researching these topics (to the point of comprehension) beyond
    talking to unnamed "experts" ?
    > As for the infosec news list readers you have approached, please
    > pass on to them my sincere thanks for their feedback and the
    > notice of my amendment. It is interesting to note that in a
    > community such as Linux, which is fighting daily against
    > oppression from proprietary systems, members of this community
    > would personally and professionally attack any journalist that
    > gives weight to their fight, and attempts to expose brilliance in
    > the ranks, rather than mistakes and vulnerabilities.
    Any journalist that "gives weight" through misinformation and
    misreresentation is a much a threat as any monolith that would happen
    to reside in, say, Redmond.
    Or do you think that false praise is as good as real praise?
    Consider these "attacks" as opportunities to improve your own
    technical knowledgebase so you can better understand topics, and
    therefore report on them more accurately.  Or, consider than an
    indicator of shortcomings.
    Your choice.
    > It is surprising that such a community is not applauding its
    > members who are attempting to make a difference rather than
    > shooting down the messengers.
    Flap.  C2 is all flap.  By and large useless in a production
    Designing it around the most flawed and feeble linux distro... not a
    smart move, either.
    Want applause?  I'll applaud the NSA for attempting to build it
    (linux) secure from the ground up, rather than trying to log
    inevitable intrusions in a known security-deficient distro.
    I'll applaud anyone that "attacks" products (and the manufacturers)
    and points out shortcomings in said products.  If you (anyone) feel I
    should explain the reasoning behind this... hell.... nevermind.
    > Nicole
    I've since lost the url for the original PR piece, but has anyone
    remember that Argus had their Pitbull system for Solaris, similar to
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 01:07:34 PST