Re: [Fed-Talk] Security Issue: ssh and bsm
- Subject: Re: [Fed-Talk] Security Issue: ssh and bsm
- From: Michael L Walker <email@hidden>
- Date: Sun, 14 Oct 2007 16:31:04 -0700
To continue the problems found (MacOSX 10.4.10)...
I was logged into the terminal, opened up a Terminal session, did an
'su hacker', entered the password...attempted to change to
directories with no access and change the date (date -u 01010101) as
the non-priv user 'hacker'...
Again another service (su or was it the underlying shell code?) that
does not log to audit under 10.4.10!
Thus, the list continues to grow of Unix services that are not
logging to the Common Criteria BSM audit subsystem.
ssh (without rolling back to previous version),
su (or the underlying shell code..) (haven't tried rolling back or
reviewing the source code yet)
ftp (reported by Todd Heberlein)
finger (also reported by Todd)
Mike
On Oct 8, 2007, at 7:22 AM, Shawn A. Geddis wrote:
On Oct 7, 2007, at 8:50 PM, Michael L Walker wrote:
Setup:
Dual 2.3 GHz PowerPC G5/ 3GB SDRAM XServe
OSX 10.4.10 Server
Also tested with:
450GHz PowerPC G4
OSX 10.4.10 Client
Problem: bsm audit and ssh
This is a follow-up to the previous email I posted where certain
events are not being logged.
It appears that bsm functionality quits working when a user logs
in using ssh.
With /etc/security/audit_control set to "all" a logged in user
will report all unix commands (like trying to cd into a directory
with no privs., etc.). However, as soon as a user logs into the
machine using ssh, audit just stops logging. The auditd is still
running, but most (if not all) unix commands are no longer logged
from all users (not just the ssh session). Under most instances
the auditd must be restarted to resume required logging.
This causes another issue, in that I was under the assumption in
the configuration that you could halt the system if an error
occurs in the bsm system, which of course does not happen during
this failure.
The only indication at this point that auditd has quit working
(besides gaps in the logs) is in /var/log/secure.log with the
error message:
"sshd[1309]: error: BSM audit: bsm_audit_session_setup:
setaudit_addr failed: Function not implemented"
Anybody seen this before? Anybody know of any work around?
Also, is there an Apple Security contact to report this potential
security hole?
Thanks,
Mike
Mike,
Also, is there an Apple Security contact to report this potential
security hole?
That would be me -or- if you wanted to submit the issue directly
yourself (and be able to track it as well) then go to:
http://bugreport.apple.com
- Ensure that you have adequately tested and are able to
reproduce this.
It would be appreciated if you would note your submission ID and
then send me an email message notifying me.
Thanks!
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
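As an added example (not code from either post), the following shell check looks for the sshd error Mike quotes from /var/log/secure.log, so an operator can spot the silent loss of BSM logging and restart auditd as the thread describes. The log path and the sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: detect the sshd/BSM
# failure ("setaudit_addr failed") that left auditd running but silent.
# SECURE_LOG is an assumed default path; override it in the environment.
SECURE_LOG="${SECURE_LOG:-/var/log/secure.log}"

# Constructed sample lines modelled on the message quoted in the thread
# (hostname, pids and the 192.0.2.x address are made up).
SAMPLE_LOG='Oct 14 16:02:11 xserve sshd[1290]: Accepted password for hacker from 192.0.2.5 port 51022 ssh2
Oct 14 16:02:11 xserve sshd[1309]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Oct 14 16:05:42 xserve sshd[1322]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Oct 14 16:07:00 xserve su: hacker to root on /dev/ttyp1'

# Print the pid of every sshd line reporting the BSM session setup failure.
# $1: log text as a single string.
bsm_failure_pids() {
    printf '%s\n' "$1" | sed -n \
        's/.*sshd\[\([0-9][0-9]*\)]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed.*/\1/p'
}

# Number of such failures in the given log text (prints 0 when none).
bsm_failure_count() {
    bsm_failure_pids "$1" | wc -l | tr -d ' '
}

# Scan a secure.log file. Returns 1 when failures are found, so a cron job
# or monitoring hook can alert and restart auditd, then confirm the audit
# trail resumes; returns 0 when the log is clean.
check_secure_log() {
    log_text=$(cat "$1")
    n=$(bsm_failure_count "$log_text")
    if [ "$n" -gt 0 ]; then
        echo "BSM session setup failed for $n sshd session(s); auditd may have stopped logging:"
        bsm_failure_pids "$log_text" | sed 's/^/  sshd pid /'
        return 1
    fi
    echo "no BSM session setup failures in $1"
}

# Stand-alone run: check the real log if present, otherwise the sample.
if [ -r "$SECURE_LOG" ]; then
    check_secure_log "$SECURE_LOG"
else
    printf '%s\n' "$SAMPLE_LOG" > /tmp/bsm_sample.log && check_secure_log /tmp/bsm_sample.log
fi
```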