Re: [Fed-Talk] Security Issue: ssh and bsm
- Subject: Re: [Fed-Talk] Security Issue: ssh and bsm
- From: Michael L Walker <email@hidden>
- Date: Mon, 8 Oct 2007 13:11:33 -0700
Update: Rollback to previous version of sshd is required for the CC
bsm auditing to work properly.
In reviewing the source code for Apple OpenSSL (from the Darwin
Site), it looks like changes were made to the bsm interface in the
sshd in the last few OSX 10.4 updates.
(OpenSSH-57.3 and OpenSSH-74, which ship with 10.4.8 and 10.4.9
respectively, have the audit-bsm completely changed/rewritten from the
original Sun code used in OpenSSH-56 that shipped with 10.4.0 through
10.4.7.)
Thus, on the 10.4.10 Server machine we rolled back to an earlier
version of sshd (from the 10.4.3 disk that came with the server). In
all the testing today, audit is working. No errors are reported to
/var/log/secure.log. And all unix commands are being caught before
and after a new ssh login session.
I would suggest that all users of 10.4.8 through 10.4.10 who use the
audit logging functions test sshd logins or disable them. If sshd is
required, rolling back to the sshd that shipped with an earlier 10.4.x
version worked for us.
sshd from OSX 10.4.10 that breaks audit: MD5 (/usr/sbin/sshd.bad) =
25cdff7cbdc71afc2fc316b73fa7bef1
sshd from OSX 10.4.3 that works with the rest of 10.4.10 server
install: MD5 (/usr/sbin/sshd) = f674a858ef83de25d1ff23b7cddbdba3
There might have been security update (denial of service, etc.)
changes to ssh between 10.4.8 and 10.4.10, but I would risk that
before I would accept the entire auditing being shut down (it
still runs, but doesn't log any security relevant data) when a
successful ssh session is started.
Mike
On Oct 8, 2007, at 7:22 AM, Shawn A. Geddis wrote:
On Oct 7, 2007, at 8:50 PM, Michael L Walker wrote:
Setup:
Dual 2.3 GHz PowerPC G5/ 3GB SDRAM XServe
OSX 10.4.10 Server
Also tested with:
450GHz PowerPC G4
OSX 10.4.10 Client
Problem: bsm audit and ssh
This is a follow-up to the previous email I posted where certain
events are not being logged.
It appears that bsm functionality quits working when a user logs
in using ssh.
With /etc/security/audit_control set to "all" a logged in user
will report all unix commands (like trying to cd into a directory
with no privs., etc.). However, as soon as a user logs into the
machine using ssh, audit just stops logging. The auditd is still
running, but most (if not all) unix commands are no longer logged
from all users (not just the ssh session). Under most instances
the auditd must be restarted to resume required logging.
This causes another issue, in that I was under the assumption from
the configuration that you could halt the system if an error
occurs in the bsm system, which of course does not happen during
this failure.
The only indication at this point that auditd has quit working
(besides gaps in the logs) is in /var/log/secure.log with the
error message:
"sshd[1309]: error: BSM audit: bsm_audit_session_setup:
setaudit_addr failed: Function not implemented"
Anybody seen this before? Anybody know of any work around?
Also, is there an Apple Security contact to report this potential
security hole?
Thanks,
Mike
Mike,
Also, is there an Apple Security contact to report this potential
security hole?
That would be me -or- if you wanted to submit the issue directly
yourself (and be able to track it as well) then go to:
http://bugreport.apple.com
- Ensure that you have adequately tested and are able to
reproduce this.
It would be appreciated if you would note your submission ID and
then send me an email message notifying me.
Thanks!
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
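The setaudit_addr error quoted in the original report is the only indication in /var/log/secure.log that sshd has knocked out audit logging while auditd keeps running. As an added example (not code from the thread or from Apple), here is a small Python check that scans secure.log-style lines for that message and reports the affected sshd sessions; the syslog prefix format and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Matches the sshd BSM audit failure reported in the thread. The leading
# syslog timestamp and hostname fields are assumed to be in the usual
# BSD "Mon DD HH:MM:SS host" layout.
BSM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: error: BSM audit: (?P<func>\w+): "
    r"(?P<call>\w+) failed: (?P<reason>.+)$"
)


def find_bsm_audit_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per sshd BSM audit failure found in secure.log lines."""
    hits = []
    for line in lines:
        m = BSM_FAIL_RE.match(line.rstrip("\n"))
        if m:
            hits.append(m.groupdict())
    return hits


def failing_sessions(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct sshd PIDs whose session setup failed, in log order."""
    seen: List[str] = []
    for h in hits:
        if h["pid"] not in seen:
            seen.append(h["pid"])
    return seen


def audit_silently_broken(hits: List[Dict[str, str]]) -> bool:
    """True for the ENOSYS case from the thread: setaudit_addr is unimplemented,
    so auditd stays up but stops recording after the ssh login."""
    return any(h["call"] == "setaudit_addr"
               and h["reason"] == "Function not implemented" for h in hits)


# Constructed excerpt of /var/log/secure.log (sample data, not a real host).
SAMPLE_LOG = [
    "Oct  7 20:48:02 xserve sshd[1301]: Accepted keyboard-interactive/pam for admin from 192.0.2.10 port 50122 ssh2",
    "Oct  7 20:48:02 xserve sshd[1301]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented",
    "Oct  7 20:50:11 xserve sshd[1309]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented",
    "Oct  7 20:51:30 xserve sudo: admin : TTY=ttyp1 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/sbin/auditd",
]

if __name__ == "__main__":
    found = find_bsm_audit_failures(SAMPLE_LOG)
    print("failing sshd sessions:", failing_sessions(found))
    print("audit silently broken:", audit_silently_broken(found))
```

Run it against the real file with `find_bsm_audit_failures(open("/var/log/secure.log"))`; a non-empty result is the cue to restart auditd and verify that commands are being recorded again.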
Fed-talk mailing list (email@hidden)