Re: Security Hole in Axent ESM

From: Larry Bassett (lbassettat_private)
Date: Thu Aug 27 1998 - 04:41:12 PDT

    Your point about checksums is well taken.  We were externally audited and
    the auditors used Axent ESM.  The Axent ESM is not what I would call a
    great security assessment tool.  It is brain dead in a few places.
    
    It will complain about files and directories that have more secure
    permissions since it only checks to see if files have the permissions it is
    expecting.  It also complains about the files it installs.
    
    It complained about uninstalled patches.  In our case this was completely
    ridiculous because we already had newer revisions of the patches than the
    ones they suggested we install.
    
    It complained about an HP printer device being world writable.  This
    complaint was pointless since these device files are functionally
    equivalent to /dev/null.
    
    It complained that a umask of 022 was unsafe.  They suggested 027.
    
    There were other questionable findings but it will find misconfigurations
    and stupid mistakes.  However, there are better tools available.
    
    >My boss bought Axent ESM and wants me to install it.  Before installing
    >it, I noticed it relies on CRC checksums as the mechanism to validate the
    >integrity of the files.  This appears to be a major security NO-NO, and
    >even old freeware security packages like Tripwire use stronger algorithms.
    ...snip...
    
    I talked with our Axent contact and he claimed that their file integrity
    validation could not be compromised by a hacker because Axent has security
    experts that designed ESM.
    
    Trust nobody!
    
    ...snip...
    
    ___________________________________________________________________________
    
    Larry W. Bassett                                Direct: 724-742-RISK (7475)
    Data Security Administrator                     Main:   724-742-4444
    FORE Systems Inc.                               Fax:    724-742-7421
    3000 FORE Drive                                 URL:    http://www.fore.com
    Warrendale, PA  15086-7594                      Email:  lbassettat_private
    
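Added example, not part of the original post and not a description of how ESM works: a baseline permission audit that reports only modes more permissive than expected, so the tighter-than-baseline files described in the message are not flagged, plus a comparison of what umask 022 grants that 027 does not. The paths, baseline modes and the choice to treat a missing sticky bit as a loosening are assumptions made for illustration.

```python
"""Baseline permission audit that flags only modes looser than expected."""
import stat

PERM_MASK = 0o7777

def _grants(mode: int) -> int:
    # The sticky bit restricts deletion in shared directories, so invert it:
    # a missing sticky bit then counts as an extra grant, not a tightening.
    return (mode & PERM_MASK) ^ stat.S_ISVTX

def extra_grants(actual: int, expected: int) -> int:
    """Bits by which `actual` is more permissive than `expected`."""
    return _grants(actual) & ~_grants(expected) & PERM_MASK

def classify(actual: int, expected: int) -> str:
    if (actual & PERM_MASK) == (expected & PERM_MASK):
        return "match"
    return "looser" if extra_grants(actual, expected) else "stricter"

def audit(baseline: dict, observed: dict) -> list:
    """Return (path, verdict, extra bits in octal) for reportable findings only."""
    findings = []
    for path, expected in sorted(baseline.items()):
        if path not in observed:
            findings.append((path, "missing", ""))
        elif classify(observed[path], expected) == "looser":
            extra = extra_grants(observed[path], expected)
            findings.append((path, "looser", f"{extra:04o}"))
    return findings

def umask_extra(umask_a: int, umask_b: int, base: int = 0o666) -> int:
    """Bits new files get under umask_a that they would not get under umask_b."""
    return (base & ~umask_a) & ~(base & ~umask_b)

# Constructed sample data (hypothetical paths and modes, not from the post).
BASELINE = {"/etc/inetd.conf": 0o644, "/etc/shadow": 0o600, "/tmp": 0o1777,
            "/usr/bin/su": 0o4755, "/etc/hosts.equiv": 0o600}
OBSERVED = {"/etc/inetd.conf": 0o600,  # tighter than baseline: not reported
            "/etc/shadow": 0o644,      # group/other read added
            "/tmp": 0o777,             # sticky bit lost
            "/usr/bin/su": 0o4755}     # /etc/hosts.equiv is absent

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(finding)
    print(f"umask 022 vs 027, new files: {umask_extra(0o022, 0o027):04o}")
```

On a live system the observed modes would come from `os.lstat(path).st_mode` rather than a literal dictionary.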
    


