-
- **************************************************************************
- Security Bulletin 9432 DISA Defense Communications System
- December 7, 1994 Published by: DDN Security Coordination Center
- (SCC@NIC.DDN.MIL) 1-(800) 365-3642
-
- DEFENSE DATA NETWORK
- SECURITY BULLETIN
-
- The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
- Coordination Center) under DISA contract as a means of communicating
- information on network and host security exposures, fixes, and concerns
- to security and management personnel at DDN facilities. Back issues may
- be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
- using login="anonymous" and password="guest". The bulletin pathname is
- scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
- and "nn" is a bulletin number, e.g. scc/ddn-security-9428).
- **************************************************************************
-
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
- ! !
- ! The following important advisory was issued by the Automated !
- ! Systems Security Incident Support Team (ASSIST) and is being !
- ! relayed unedited via the Defense Information Systems Agency's !
- ! Security Coordination Center distribution system as a means !
- ! of providing DDN subscribers with useful security information. !
- ! !
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
-
- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-
- Automated Systems Security Incident Support Team
- _____
- ___ ___ _____ ___ _____ | /
- /\ / \ / \ | / \ | | / Integritas
- / \ \___ \___ | \___ | | < et
- /____\ \ \ | \ | | \ Celeritas
- / \ \___/ \___/ __|__ \___/ | |_____\
- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-
- Bulletin 94-38
-
- Release date: 6 December 1994, 10:05 AM EST (GMT -4)
-
- SUBJECT: Security Profile Inspector (SPI) for Unix Version 3.2
- Release.
-
- SUMMARY: The Computer Security Technology Center at Lawrence
- Livermore National Lab announces the SPI 3.2 Upgrade Release. SPI
- is an automated security tool designed to assess the security of
- various UNIX computer systems. ASSIST provides funding for
- continuing development of the SPI product, and is the distribution
- agent for DoD.
-
- BACKGROUND: SPI is available free of charge to DOE, DoD, and other
- sponsoring agencies and their integrated contractors. Other U.S.
- Government agencies may obtain SPI through the Energy Science &
- Technology Software Center (ESTSC) in accordance with ESTSC
- distribution policies. Distribution details may be obtained by
- anonymous FTP from ciac.llnl.gov in the pub/spi directory, or
- email to spi@ciac.llnl.gov. SPI is maintained under the auspices
- of the U.S. Department of Energy by Lawrence Livermore National
- Laboratory under Contract W-7405-Eng-48.
-
- SPI is available in a tar'd, compressed, DES encrypted file from
- the ASSIST BBS and FTP systems (see ASSIST Information Resources
- paragraph below). ASSIST will provide the DES decryption key in
- a call back to a DSN phone number provided by the requestor (DES
- software is also available on the ASSIST BBS and FTP systems).
- ASSIST will make other arrangements for delivering SPI to DoD
- personnel who do not have a Milnet/Internet connection or dial-up
- capability.
-
- If you want to be included in the ASSIST SPI Users e-mail list,
- send an e-mail to spi-users@assist.mil.
-
- To download SPI related files via anonymous FTP from ASSIST.MIL
- (199.211.123.11) use the following procedure.
- Log in as "anonymous".
- Give your email address when prompted for a password.
- cd to the pub/tools/spi directory.
- Use "ls -l" (or "dir") to see what's there.
- Type "get INDEX" to get a file containing descriptions of all
- files in the directory.
- Type "binary" to transfer files in binary mode.
- Type "get spi3.2.tar.Z.des".
- Type "get SPI.INFO" for lots of important product information.
- Type "get spi3.2.ug.ps.Z" to get a Postscript version of the User
- Guide.
- Type "get spi3.2.rm.ps.Z" to get a Postscript version of the
- Reference Manual.
-
- NOTE: Check the directory pub/tools/spi/BASIS/TABLES to see if there
- are BASIS authentication tables available for your operating system.
- SPI 3.2 is shipped with a table for SunOS 4.1.3_U1 (sun4c), and
- work is underway to develop a broader set of tables.
-
- Log out of FTP.
- Move the files where you want them. (Make a special directory
- for the SPI distribution, and place the files in it, then cd to
- that directory. The SPI directory you create and files within
- should be owned by root, and SPI should be executed as root.)
- Decrypt the tar file.
- Type "uncompress spi3.2.tar.Z" (this should produce "spi3.2.tar").
- Type "tar xvof spi3.2.tar" (This should produce lots of files and
- subdirectories. NOTE: The "o" option in "tar xvof" will assign
- the extractor's UID to all the extracted files and directories
- instead of trying to match the UID stored with the tar file
- with a UID that may be in the /etc/passwd file. If you are
- running an older version of tar and get an error message
- "filename/: cannot create", do not use the "o" option with
- tar.)
- Consult the file "A_README" for directions on how to continue with
- the installation. Note that you will have the option of selecting
- the final location of the SPI executables, SPI database files, who
- is to receive the mail notifications, etc.
-
- When printing the User Guide, you may need to use
- "lpr -s -P{your postscript printer} spi3.2.ug.ps",
- where the -s mitigates the spooling of large files.
-
- SPI 3.2 INFORMATION AND RELEASE NOTES, 10 OCT 94:
-
- CONTENTS
-
- 1) RELEASE NOTES FOR THE SPI 3.2 UPGRADE
- 2) MAJOR FEATURES OF THE SPI 3.X SERIES
- 3) SPI INSTALLATION GUIDELINES AND NOTES
-
- SPI development is sponsored by the Department of Energy for the DOE
- community, and by the Defense Information Systems Agency (DISA)
- (ASSIST) on behalf of the DoD community.
-
- ==================================================================
- NOTICE: SPI 3.2 Patch for Solaris 2.x (SunOS 5.x) Issued 17 Nov 94
- ==================================================================
-
- The patch is freely available via anonymous FTP from:
-
- ASSIST BBS: "Security Tools" file area
- assist.mil: pub/tools/spi/PATCHES/lib_unix/mnt_query.c.sunos5
- ciac.llnl.gov: pub/spi/PATCHES/lib_unix/mnt_query.c.sunos5
-
- Instructions are in pub/spi/PATCHES/lib_unix/README.lib_unix.01
- This patch may also work for some other SVR4 unix platforms.
-
- Solaris users are also reminded that to build SPI, one must use
- "Build -v" and provide "-lsocket -lnsl" when prompted for
- "additional ld flags." This is detailed in the SPI.INFO file.
-
- NOTE: A SPI 3.2.1 Maintenance Release will not require the
- above patch. ASSIST will issue a bulletin when SPI 3.2.1 is
- made available.
-
-
- ============================================
- RELEASE NOTES FOR THE SPI 3.2 UPGRADE 941020
- ============================================
-
- New Features in SPI 3.2
-
- a) The Binary Authentication Tool (BAT) has now replaced the
- Binary Inspection Tool (BIT). BAT provides the ability to
- determine both system object authenticity and patch currency.
- The supplied tables are preliminary and based upon the proposed
- Binary Authentication Signatures Integrity Standard (BASIS)
- format for authentication information. Details on the current
- table coverage are included in the first few lines of each table.
- Ultimately, we envision OS vendors supplying these tables in
- conjunction with their software releases.
-
- Preliminary BAT tables for currently supported platforms may be
- found by anonymous ftp at ciac.llnl.gov, pub/spi/BASIS/TABLES.
- See the README.tables file for a description of system coverage.
-
- SPI 3.2 is shipped with a BASIS table for SunOS 4.1.3_U1
-
- b) Reports may now be printed from the user interface.
-
- c) The QSP scan disk check now avoids tracing into NFS mounted
- file systems.
-
- d) Users who have been dormant for a specified period of time are
- now reported.
-
- e) A wider range of configuration files in the home directories
- are checked for correct permissions.
-
- f) File permissions and ownerships related to uucp are checked
- for correctness.
-
- g) Directories used for anonymous ftp (bin, etc, pub) are checked
- to ensure they are not links.
-
-
- SPI 3.2 disk usage (during installation and operation)
-
- Activity Total Disk Usage
- ------------------------------------- ----------------
- Obtain SPI3.2.tar.Z (compressed) ............ 1.2 MB
-
- Uncompress SPI3.2.tar.Z file
- (compressed file is removed) .............. 3.6 MB
-
- Untar SPI3.2.tar
- (tar file remains) ........................ 7.2 MB
-
- Remove tar file ............................. 3.6 MB
-
- Run SPI Installation (Build script)
- Creates executables (1.5 MB) .............. 5.1 MB
- Creates database files (1.0 MB*) .......... 6.1 MB*
-
- Remove source code (3.6 MB) ................. 2.5 MB
-
- Allow growth of database files during routine
- SPI operation (0.5 MB*) ..................... 3.0 MB
-
- (* Figures for database files assume a typical small multi-user
- workstation, with outdated reports and database snapshots purged
- on a periodic basis.)
-
- Synopsis: SPI needs just over 7 MB of disk space during the
- installation phase, and will use about 3 MB during routine
- operation.
-
- CAUTIONARY NOTICE:
-
- SPI output reports should be reviewed for classification issues
- appropriate to the systems being evaluated.
-
-
- =========================================
- MAJOR FEATURES OF THE SPI/UNIX 3.X SERIES
- =========================================
-
- CPM and CTTY tests are included with Quick System Profile. CPM, a
- modified version of the Carnegie Mellon University CPM utility, will
- report if any of your system's network interfaces are in "Promiscuous
- Mode". CTTY will determine if any non-console terminals are assumed
- secure, and therefore allow direct login to the root account. Any such
- terminals should be located in an appropriately secured area.
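As an illustration of the CTTY check, here is an added Python example (not SPI code) that parses a constructed SunOS-style /etc/ttytab and flags non-console terminals carrying the "secure" status word. The table layout assumed (name, quoted getty command, terminal type, then status words such as on/off, local, secure) and the sample entries are assumptions, not taken from the bulletin.

```python
import shlex

# Constructed sample in the assumed SunOS 4 /etc/ttytab layout.
# A '#' starts a comment; the getty command is a quoted field.
SAMPLE_TTYTAB = """\
# name   getty                        type     status
console  "/usr/etc/getty std.9600"    sun      on local secure
ttya     "/usr/etc/getty std.9600"    unknown  off local secure
ttyb     "/usr/etc/getty std.9600"    unknown  off local
ttyp0    none                         network  off secure
ttyp1    none                         network  off
"""

def parse_ttytab(text):
    """Yield (name, terminal type, set of status words) for each active entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)                # honours the quoted getty field
        if len(fields) < 3:
            continue                              # malformed entry: skip
        yield fields[0], fields[2], set(fields[3:])

def secure_noncons_ttys(text):
    """Return (name, on/off) for every non-console terminal marked 'secure'.

    Such a terminal lets root log in directly; a 'secure' network pseudo-tty
    extends that to remote sessions, so each hit deserves a physical/policy review.
    """
    return [(name, "on" if "on" in status else "off")
            for name, _ttype, status in parse_ttytab(text)
            if name != "console" and "secure" in status]

if __name__ == "__main__":
    for name, state in secure_noncons_ttys(SAMPLE_TTYTAB):
        print(f"WARNING: non-console terminal {name} ({state}) is marked secure")
```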
-
- SPI 3.x represents a major revision in the SPI system architecture,
- in addition to several new or enhanced features.
-
- Central to the product structure are several "OS-extraction"
- libraries, which map operating system data into elements of a SPI
- unified security model. UNIX and VMS libraries have been written,
- and libraries for other operating systems are anticipated. These
- libraries will allow the SPI security inspection codes to operate
- uniformly in varied operating system environments.
-
- A major new security inspector is the Configuration Query Language
- (CQL). Scripts written in CQL have a 4GL quality, and allow for
- flexible, conditional queries to be made over the objects of computer
- system security. CQL serves a dual role in SPI; as an inspector in
- its own right, and as an intelligent server of system information to
- the other inspection functions. Quick System Profile (formerly COPS
- shell scripts) is now implemented purely in CQL. The other SPI
- security inspectors make use of CQL to extract the raw data needed
- for their analyses. See appendix F of the SPI 3.0 user's guide for
- details on the custom use of CQL and writing CQL scripts.
-
- The Change Detection Tool (CDT) replaces both the File Inode and the
- File Data change detectors (formerly FCD and DCD.) CDT consolidates
- file, user and group change detection, reporting additions, deletions,
- as well as modifications to selected attributes. CDT allows the
- aggregation of selected files, user or group accounts according to
- attributes designated significant for change detection reporting.
- This improves security targeting by supporting rapid modifications
- and the reduction of false positives. For more details, see CDT
- under sections 3.3 and 4.4 of the SPI 3.0 user's guide.
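The selective change detection CDT describes (additions, deletions, and modifications to attributes designated significant) can be illustrated with the following Python, an added example that is not SPI's code. The file tree, the "log/" policy, and the simulated changes are all constructed for the demonstration.

```python
# Added example, not SPI's own code: a minimal change detector in the spirit
# of CDT. It snapshots file attributes, compares two snapshots, and reports
# additions, deletions and modifications, but only for the attributes that a
# per-file policy designates as significant, which is how false positives
# from routinely changing files (logs, spool files) are kept down.
import hashlib
import os
import stat
import tempfile
from pathlib import Path

ALL_ATTRS = ("mode", "uid", "gid", "size", "mtime", "md5")

def file_record(path):
    """Collect the attributes the detector compares for one file."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime), "md5": None}
    if stat.S_ISREG(st.st_mode):          # do not follow or hash symlinks
        rec["md5"] = hashlib.md5(path.read_bytes()).hexdigest()
    return rec

def snapshot(root):
    """Map each file (path relative to root) to its attribute record."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() or p.is_symlink()}

def compare(old, new, significant):
    """significant(relpath) -> attribute names that matter for that file."""
    report = {"added": sorted(set(new) - set(old)),
              "deleted": sorted(set(old) - set(new)), "modified": {}}
    for rel in sorted(set(old) & set(new)):
        diffs = {a: (old[rel][a], new[rel][a])
                 for a in significant(rel) if old[rel][a] != new[rel][a]}
        if diffs:
            report["modified"][rel] = diffs
    return report

def default_policy(rel):
    # Constructed policy: logs are expected to grow, so only ownership and
    # permission changes are significant for them; everything else is fully tracked.
    return ("mode", "uid", "gid") if rel.startswith("log/") else ALL_ATTRS

def run_demo():
    """Build a constructed tree, snapshot it, change it, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "log").mkdir()
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0::/:/bin/sh\n")
        os.chmod(passwd, 0o644)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "log" / "messages").write_text("boot\n")
        before = snapshot(root)
        # Simulated changes between the two snapshots (all constructed):
        passwd.write_text("root:x:0:0::/:/bin/sh\nguest:x:1001:100::/home/guest:/bin/sh\n")
        os.chmod(passwd, 0o600)                                   # content + mode changed
        (root / "log" / "messages").write_text("boot\nlogin\n")   # log grew: not significant
        (root / "etc" / "hosts").unlink()                         # deleted
        (root / "etc" / "shadow").write_text("root:*:0:0:::\n")   # added
        return compare(before, snapshot(root), default_policy)

if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```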
-
- All of the SPI security inspectors and major SPI subsystems communicate
- by reporting their results in a Common Output Report Format (CORF.)
- This standardized ASCII format allows significant data sharing between
- SPI subsystems, and is also designed to be treated easily by such UNIX
- utilities as grep, cut, sort (and sed, awk, and PERL, for that matter.)
- Appendix H contains details on the SPI CORF format.
-
- The SPI Report Generator (RG) serves to produce final output reports
- that are pleasing to the eye. RG takes data in CORF format (or anything
- sufficiently similar) along with an RG format-specification file, to
- produce variably organized output reports. See Appendix G for details
- on custom use of the SPI Report Generator.
-
- NOTE: As always, reasonable defaults have been provided for the above
- new capabilities. Thus, you need not concern yourself with CQL scripts,
- CORF output, or Report Generator formatting, but the potential is there
- if you wish to further employ these tools to customize or extend your
- security inspection and reporting capabilities.
-
- Each SPI security function can be run independently of the user
- interface if desired. See man pages for more details.
-
- =====================================
- SPI INSTALLATION GUIDELINES AND NOTES
- =====================================
-
- A detailed configuration procedure allows this program to be ported
- to many different Unix systems. See special notes below for details.
-
- NOTE: SPI MUST BE RUN UNDER ONE USER_ID ONLY. Otherwise, there
- may be collisions among saved parameter and database files.
- (For security reasons, SPI is not made a Set-UID program.)
- It is recommended that SPI be built and run as "root".
-
- To configure this package, type "Build"
-
- If Build should fail on your system, try using "Build -v". This is a
- "verbose" mode where Build will tell you more of what it is doing, will
- ask you more questions, and give you more opportunities to override its
- decisions.
-
- Build will examine the system and attempt to make intelligent guesses
- as to the location and type of system utilities (compiler, header files,
- run-time libraries, etc) that are present, and needed by SPI to install
- or perform its functions. It will create a file "config.h" which will
- be included in many of the executables at compile time.
-
- Build will ask you where you would like to place the executables, the
- database files and CQL scripts. It will present default locations,
- (subdirectories of the SPI installation directory) and you may accept
- these defaults by pressing <return>. If the tail directory does not
- exist, it will ask for confirmation to create the given directory.
-
- Build -q will launch the compile phase automatically (Build and Build -v
- will ask for confirmation.) During the compile phase, all actions of the
- "make" utility are sent to a file called "make.log".
-
- If SPI should fail during the compile phase, please send a copy of
- both the files "config.h" and "make.log" to spi@ciac.llnl.gov
- or call 510-422-3881 for further assistance.
-
- Once SPI has been installed, run "spi" in the executables directory
- to bring up the main menu.
-
- SPECIAL NOTES and BUG WARNINGS:
-
- If the Build script hangs during the "compile" phase (i.e. takes
- more than 20 minutes) then examine the last few lines of the file
- "make.log". If the last attempted compile was for "md5.c", then
- it is suggested that you run "Build -v". When the script asks
- "Any additional cc flags?" type in "-O0" (dash, capital O, zero.)
- This turns off the RISC C ugen optimizer, which hangs when trying
- to optimize the module md5.c (RSA encryption module.)
-
- Major platforms and OS-versions supported by SPI 3.2
-
- sun4, sun4c, sun4e, sun4m
- -- SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.3_u1
- -- Solaris 1.1, 1.2, 1.3, 2.1, 2.2, 2.3
-
- AT&T 3B2
- -- SysV r3.2.3
- -- SVR4
- Convex/ConvexOS 9.1
- Cray/UNICOS 6.1
- DEC/ULTRIX 4.1, 4.2, 4.3, 4.4
- HP/HPUX (where yacc is present)
- IBM RS6000/AIX
- Silicon Graphics SGI/IRIX 4.0.5c, 5.2
-
- Platforms which may present problems:
-
- UNIX System V, r3.2 (Interactive, AIX, etc)
- -- Build problems fixed, but still reporting run-time
- problem with user interface.
- HP/HPUX, ...
- -- yacc is required during installation to compile the CQL utility.
- On some HPUX systems, yacc is an option and may not be present.
- SGI/IRIX,
- -- You will want to run "Build -v" here!
- -- If Build can't find the c-libraries, tell it /usr/lib/libC.a
- -- When it asks which mailer to use, tell it /usr/sbin/Mail
- -- When asked about the "-M" option, respond "cc".
- -- Also, CDT may fail to produce a system snapshot for its database,
- the problem may lie in having yp "+" entries in the user or
- group file, when not running NFS/NIS. You have two options:
- (1) Edit (spi)/cqlsrc/Makefile to set "LFLAGS= -lsun" and run
- "make install", followed by running "Snapshot", or (2) Edit the
- file (spi)/D/parameters/cdt/specs/metaspec.cdt to (#)comment out
- the last two lines. Then run a snapshot. This will disable
- change detection for users and groups.
- Sun/Solaris, ...
- -- On Solaris 2.x you should use Build -v, and when it asks you
- for any additional ld (linker) flags, you should respond with
- "-lsocket -lnsl". This is needed in order for the new "cpm"
- test to compile properly in some "not-default BSD" environments.
-
- If return from a help window or error message leaves your screen
- in a sorry state, type "control r" or "control l" to redraw the
- screen. Some versions of curses screen libraries are deficient.
-
- Since the SPI Runtime Scheduling feature will modify your crontab
- file, a copy of the original contents will be saved in a file with
- a ".orig" extension.
-
-
- A brief description of the subdirectories follows:
-
- Directories required for proper operation:
- (these are created automatically during the Build procedure.)
-
- (EXECUTABLES) This directory contains the SPI executable programs,
- as well as the subdirectories "screen" and "man" that
- are described below. If you use "Build -q" during
- installation, this directory will be installed as
- (pwd)/E, where (pwd) is the current directory. If you
- use just "Build" or "Build -v", you may select another
- location for the executables.
- D/screen: This directory contains form descriptions for the user
- interface and text for the online help windows.
- man: This directory contains the UNIX-style online manual
- pages for command-line operation of the SPI security
- functions.
- (DATABASES) This directory contains the subdirectories for SPI
- data files, described below as "database, parameters,
- corf, and results". If you use "Build -q" during
- installation, this directory will be installed as
- (pwd)/D, where (pwd) is the current directory. If you
- use just "Build" or "Build -v", you may select another
- location for the databases.
- D/parameters: This directory is where the parameter files for the SPI
- security functions are kept.
- D/database: This directory is where the database files for the SPI
- security functions reside.
- D/corf: This directory contains the raw CORF output produced by
- the SPI security inspection functions.
- D/results: This directory is where the final output reports created
- by the SPI Report Generator are placed.
- (SCRIPTS) This directory contains the CQL scripts used for the
- CQL implementation of Quick System Profile, as well as
- other inspections. If you use "Build -q" during
- installation, this directory will be installed as
- (pwd)/S, where (pwd) is the current directory. If you
- use just "Build" or "Build -v", you may select another
- location for the CQL scripts.
-
-
- Directories not required after installation:
-
- actsrc: source for the Access Control Test utility (act)
- bitsrc: source for the Binary Inspector Tool (bit)
- cdtsrc: source for the Change Detector Tool (cdt)
- cron: source for the scheduling setup files
- dbmsrc: source for the SPI Database Manager
- include: source for the common code header files
- lib: compile-time repository for the SPI support libraries
- mexec: source for process control codes (mx, flist, lview)
- psisrc: source for the Password Security Inspector (psi)
- pwd: contains a database of dubious passwords
- qspsrc: source for the Quick System Profile Inspector (qsp)
- rgsrc: source for the SPI Report Generator (RG)
- ui: source for the SPI user interface
- man: source of the UNIX-style manual pages
-
- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-
- ASSIST is an element of the Defense Information Systems Agency
- (DISA), Center for Information Systems Security (CISS), that
- provides service to the entire DoD community. Constituents
- of the DoD with questions about ASSIST or computer security
- issues can contact ASSIST using one of the methods
- listed below. Non-DoD organizations/institutions, contact
- your Forum of Incident Response and Security Teams (FIRST)
- representative. To obtain a list of FIRST member
- organizations and their constituencies send an email to
- docserver@first.org with an empty "subject" line and a message body
- containing the line "send first-contacts".
-
- ASSIST Information Resources: To be included in the distribution
- list for the ASSIST bulletins, send your Milnet (Internet) e-mail
- address to assist-request@assist.mil. Back issues of ASSIST
- bulletins, and other security related information, are available
- from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154,
- and through anonymous FTP from assist.mil (IP address
- 199.211.123.11). Note: assist.mil will only accept anonymous FTP
- connections from Milnet addresses that are registered with the
- NIC or DNS.
-
- ASSIST Contact Information:
- PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00
- to 22:30 EDT (GMT -4) Monday through Friday. During off duty hours,
- weekends and holidays, ASSIST can be reached via pager at 800-791-4857.
- The page will be answered within 30 minutes, however if a
- quicker response is required, prefix the phone number with "999".
- ELECTRONIC MAIL: Send to assist@assist.mil.
- ASSIST BBS: Leave a message for the "sysop".
-
-
- Reference herein to any specific commercial product, process, or
- service by trade name, trademark manufacturer, or otherwise, does
- not constitute or imply its endorsement, recommendation, or
- favoring by ASSIST. The views and opinions of authors expressed
- herein shall not be used for advertising or product endorsement
- purposes.
-
-
- ****************************************************************************
- * *
- * The point of contact for MILNET security-related incidents is the *
- * Security Coordination Center (SCC). *
- * *
- * E-mail address: SCC@NIC.DDN.MIL *
- * *
- * Telephone: 1-(800)-365-3642 *
- * *
- * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, *
- * Monday through Friday except on federal holidays. *
- * *
- ****************************************************************************
-
- PLEASE NOTE: Some users outside of the DOD computing communities may receive
- DDN Security bulletins. If you are not part of the DOD community, please
- contact your agency's incident response team to report incidents. Your
- agency's team will coordinate with DOD. The Forum of Incident Response and
- Security Teams (FIRST) is a world-wide organization. A list of FIRST member
- organizations and their constituencies can be obtained by sending email to
- docserver@first.org with an empty subject line and a message body containing
- the line: send first-contacts.
-
- This document was prepared as a service to the DOD community. Neither the
- United States Government nor any of its employees makes any warranty,
- expressed or implied, or assumes any legal liability or responsibility for
- the accuracy, completeness, or usefulness of any information, product, or
- process disclosed, or represents that its use would not infringe privately
- owned rights. Reference herein to any specific commercial products, process,
- or service by trade name, trademark manufacturer, or otherwise, does not
- necessarily constitute or imply its endorsement, recommendation, or favoring
- by the United States Government. The opinions of the authors expressed herein
- do not necessarily state or reflect those of the United States Government,
- and shall not be used for advertising or product endorsement purposes.
-
-