Security
OSSEC for host-based intrusion detection
A free software entrant into the host-based intrusion detection system (HIDS) arena, OSSEC, released version 2.4 earlier this month, with a number of upgrades and bug fixes. OSSEC may not be as well-known as other free software HIDS, like Samhain, AIDE, Osiris, or Open Source Tripwire, but they are all trying to do a similar job: detect changes to a running system that may have been caused by malicious activity. The techniques used by HIDS vary considerably, from simply hashing file contents and comparing them periodically to more sophisticated log file and behavioral analysis.
Conceptually, a HIDS should monitor everything about the system's state, such that it can detect changes in behavior that stem from some kind of host intrusion. Unlike network intrusion detection systems (NIDS), which look at network traffic to try to detect intrusion attempts, a HIDS will only see problems after the fact. It is, in some sense, a second line of defense that is generally deployed behind a NIDS, at least in those installations with high security needs.
Most HIDS implementations only bite off some portion of the job. The simplest look for changes to system files and binaries by using hashes of their contents. Taking that a step further and storing the hashes of "important" files on a separate system or read-only media provides defense against an intrusion that targets the files which store the hashes. OSSEC takes that idea even further by moving most of the monitoring and analysis to separate, presumably strongly hardened, systems.
The basic architecture is intended to be client-server, with a "manager" running on a central server and "agents" running on each of the systems to be monitored. The agent is a small program that runs with low privileges and forwards information to the manager. There is also a "logcollector" process that runs as root on a client, and does just what its name would imply. Configuration information is mostly stored by the manager with some being locally cached. For obvious reasons, that configuration cache is monitored and changes to it will cause an alert.
OSSEC can be run in standalone mode, where the analysis and gathering are on the same host. The manager can also gather information from various devices, such as routers, firewalls, and other IDS systems without using an agent. There are agentless solutions for some devices, while others can use remote syslog to send their log information to the manager system. OSSEC is cross-platform, running on most major Unix systems as well as various flavors of Windows.
There are four main features to OSSEC, starting with file integrity monitoring. The second is log monitoring, where the rules are fairly extensive, covering a wide range of free and proprietary applications like apache, asterisk, Cisco IOS, McAfee anti-virus, MySQL, PostgreSQL, and so on. Much of what OSSEC does with log files is similar to what logwatch or syslog-ng can do, but the analysis can be done site-wide, and actions can be performed based on what OSSEC finds. New rules can be added for additional services or site-specific logging using an XML rule syntax.
As would be expected, system administrators can be alerted by email if some class of problem is detected. In addition, OSSEC has the ability to perform "active responses" based on certain kinds of attacks. OSSEC comes with a handful of pre-defined responses for things like adding an IP address to /etc/hosts.deny or to various firewalls' deny lists. Adding additional active responses is done by creating an XML chunk that specifies what to run and another to describe when to run it.
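As an added example, not taken from the article or from the OSSEC project's own documentation, here are the XML pieces the paragraphs above describe: a syscheck block for file integrity monitoring, a site-specific rule in rules/local_rules.xml that fires on repeated failed SSH logins, and the two ossec.conf chunks that say what to run (the stock host-deny.sh script) and when to run it. The rule id 100100, the reference to the stock sshd "authentication failed" rule as sid 5716, and the directory list are assumptions about a stock OSSEC 2.4 install.

```xml
<!-- rules/local_rules.xml: site-specific rule (assumed id 100100).
     Fires when the same source IP triggers the stock sshd
     "authentication failed" rule (assumed sid 5716) five times in 60 s. -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH authentication failures from one source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- ossec.conf on the manager -->
<ossec_config>
  <!-- File integrity monitoring: hash these trees every two hours
       and report new files as well as changed ones (directory list assumed). -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <!-- What to run: host-deny.sh, shipped in active-response/bin,
       adds the alert's source IP to /etc/hosts.deny. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- When to run it: on the agent that raised the alert, only for
       rule 100100, and undo the block after 600 seconds. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The timeout matters: a response driven by log content can be triggered by a false positive or a forged log line, so a time-limited block keeps that from turning into a self-inflicted outage.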
The fourth main feature of OSSEC is rootkit detection that runs periodically on client systems. For Windows clients, there is an additional feature that checks the registry for changes, and alerts the administrator of any it finds.
OSSEC was originally written by Daniel Cid and released as free software in 2004. Since that time, the code has been acquired twice, most recently by Trend Micro, which offers commercial support for OSSEC. It is licensed under the GPLv3, and is available as a tarball (along with SHA1/MD5 hashes for verification) from the installation page.
As with any HIDS solution, it will require some tweaking for specific environments to reduce false positives to a manageable level. OSSEC has a number of useful features and looks to be a solution that is growing in popularity. It would seem to be a good candidate for one or more distributions to pick up and configure for their specific needs, which would make it easier for their users to start monitoring with OSSEC. For anyone considering HIDS for security at their site, OSSEC is worth a look.
New vulnerabilities
apache-mod_auth_shadow: restriction bypass
Package(s): apache-mod_auth_shadow
CVE #(s): CVE-2010-1151
Created: April 19, 2010
Updated: May 28, 2010
Description: From the Mandriva advisory:
A race condition was found in the way mod_auth_shadow used an external helper binary to validate user credentials (username / password pairs). A remote attacker could use this flaw to bypass intended access restrictions, resulting in the ability to view and potentially alter resources, which should be otherwise protected by authentication.
clamav: denial of service
Package(s): clamav
CVE #(s): CVE-2010-1311
Created: April 19, 2010
Updated: September 8, 2010
Description: From the Mandriva advisory:
The qtm_decompress function in libclamav/mspack.c in ClamAV before 0.96 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted CAB archive that uses the Quantum (aka .Q) compression format. NOTE: some of these details are obtained from third party information.
gource: predictable temporary filename
Package(s): gource
CVE #(s): (none listed)
Created: April 20, 2010
Updated: April 21, 2010
Description: From the Red Hat bugzilla:
A Debian bug report notes that Gource creates its log file with a predictable name (/tmp/gource-$(UID).tmp), which a malicious user could use to overwrite arbitrary files via a symlink attack, with the privileges of the user running Gource.
irssi: multiple vulnerabilities
Package(s): irssi
CVE #(s): CVE-2010-1155, CVE-2010-1156
Created: April 16, 2010
Updated: June 21, 2010
Description: From the Ubuntu advisory:
It was discovered that irssi did not perform certificate host validation when using SSL connections. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. (CVE-2010-1155) Aurelien Delaitre discovered that irssi could be made to dereference a NULL pointer when a user left the channel. A remote attacker could cause a denial of service via application crash. (CVE-2010-1156)
java: information disclosure
Package(s): java-1.6.0-sun
CVE #(s): CVE-2010-0886, CVE-2010-0887
Created: April 20, 2010
Updated: July 21, 2010
Description: From the Oracle advisory:
This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers only; these vulnerabilities are not present in Java running on servers or standalone Java desktop applications and do not impact any Oracle server based software. The desktop vulnerabilities are in the Java Deployment Toolkit and the new Java Plug-in that are included in various Oracle Java SE and Java for Business releases. They only affect Java when running in a 32-bit web browser. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
libnids: denial of service
Package(s): libnids
CVE #(s): CVE-2010-0751
Created: April 20, 2010
Updated: April 21, 2010
Description: From the Pardus advisory:
The ip_evictor function in ip_fragment.c in libnids, as used in dsniff and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via crafted fragmented packets.
memcached: denial of service
Package(s): memcached
CVE #(s): CVE-2010-1152
Created: April 20, 2010
Updated: June 14, 2010
Description: From the Pardus advisory:
memcached.c in memcached allows remote attackers to cause a denial of service (daemon hang or crash) via a long line that triggers excessive memory allocation.
scsi-target-utils: format string vulnerability
Package(s): scsi-target-utils
CVE #(s): CVE-2010-0743
Created: April 20, 2010
Updated: January 23, 2012
Description: From the Red Hat advisory:
A format string flaw was found in scsi-target-utils' tgtd daemon. A remote attacker could trigger this flaw by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash.
sudo: arbitrary command execution
Package(s): sudo
CVE #(s): CVE-2010-1163
Created: April 19, 2010
Updated: January 25, 2011
Description: From the Mandriva advisory:
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ., which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.
Page editor: Jake Edge