**************************************************************************
Security Bulletin 9533                      DISA Defense Communications System
August 3, 1995                              Published by: DISN Security
                                            Coordination Center
                                            (SCC@NIC.DDN.MIL) 1-(800) 365-3642

            DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns to
security and management personnel at DISN facilities. Back issues may be
obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/disn-security-yynn (where "yy" is the year the bulletin is issued and
"nn" is a bulletin number, e.g. scc/disn-security-95313131).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!   The following important advisory was issued by the Automated        !
!   Systems Security Incident Support Team (ASSIST) and is being        !
!   relayed unedited via the Defense Information Systems Agency's       !
!   Security Coordination Center distribution system as a means         !
!   of providing DISN subscribers with useful security information.     !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

-----BEGIN PGP SIGNED MESSAGE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
           Automated Systems Security Incident Support Team
                 [ASSIST logo: Integritas et Celeritas]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 95-30
Release date: 31 July, 1995, 4:05 PM EDT (GMT -4)

SUBJECT: Security Profile Inspector (SPI) for Unix Version 3.2.2 Release.
SUMMARY:

The Computer Security Technology Center at Lawrence Livermore National Lab
announces the SPI 3.2.2 Upgrade Release. SPI is an automated security tool
designed to assess the security of various UNIX computer systems. ASSIST
provides funding for continuing development of the SPI product, and is the
distribution agent for DoD. SPI development work is performed under the
auspices of the U.S. Department of Energy by Lawrence Livermore National
Laboratory under Contract W-7405-Eng-48.

BACKGROUND:

SPI is available free of charge to DOE, DoD, and other sponsoring agencies
and their integrated contractors. Other U.S. Government agencies can acquire
(and may be required to purchase) SPI through the Energy Science & Technology
Software Center (ESTSC) and must abide by the ESTSC redistribution policy.
Contact information for ESTSC:

     INTERNET: ESTSC@ADONIS.OSTI.GOV
     Mail:     Energy Science and Technology Software Center
               PO Box 1020
               Oak Ridge, TN 37831-1020
     Phone:    615-576-2606
     Fax:      615-576-2865 (verification 615-576-2606)

SPI is available to the DoD in a tar'd, compressed, DES encrypted file from
the ASSIST BBS and FTP systems (see the ASSIST Information Resources
paragraph below). ASSIST will provide the DES decryption key in a call back
to a DSN phone number provided by the requestor (DES software is also
available on the ASSIST BBS and FTP systems). The DSN call back is required
by distribution restrictions to ensure the recipient is DoD affiliated.
ASSIST will make other arrangements for delivering SPI to DoD personnel who
do not have a Milnet/Internet connection or dial-up capability.

IMPORTANT NOTE: Any DoD sites that wish to further distribute SPI
electronically must implement the same measures to restrict distribution to
DoD only, or get approval for other restrictions from ASSIST.

To download SPI related files via anonymous FTP from ASSIST.MIL
(199.211.123.11) use the following procedure:

     Log in as "anonymous".
     Enter your email address when prompted for a password.
     cd to the pub/tools/unix/spi directory.
     Use "ls -l" (or "dir") to see what's there.
     Type "bin" to transfer files in binary mode.
     Type "get INDEX" to get a file containing descriptions of all files in
       the directory.
     Type "get spi3.2.tar.Z.des".
     Type "get SPI.INFO" for lots of important product information.
     Type "get spi3.2.ug.ps.Z" to get a Postscript version of the User Guide.
     Type "get spi3.2.rm.ps.Z" to get a Postscript version of the Reference
       Manual.

To download SPI related files from the ASSIST BBS use the following
procedure. You must have an account that has been upgraded to allow access
to DoD-only restricted files. To get your account upgraded (you can set up
your own account during the initial login to the BBS), provide ASSIST with a
DSN number where you can be reached.

     After login to the BBS, from the "Main Menu" go to the "Files Menu".
     The SPI files are in the "Security Profile Inspector" file area 24.
     Type "L", then "24" for a listing of the files and descriptions.
     Note the information in the file descriptions for re-naming files once
       they are moved to a Unix system.

NOTE: Check the directory pub/tools/unix/spi/BASIS/TABLES to see if there
are BASIS authentication tables available for your operating system. The
pub/tools/unix/spi/BASIS/TABLES/README.tables file has specifics on the
files in the directory.

     Quit the FTP session.
     Move the files into a directory reserved for SPI only files. (Make a
       special root owned directory for the SPI files, place the files in
       it, then cd to that directory. The SPI directory you create and the
       files within should be owned by root, and SPI should be executed as
       root.)
     Decrypt the tar file.
     Type "uncompress spi-3.2.2.tar.Z".
     Type "tar xvof spi-3.2.2.tar" (this should produce lots of files and
       subdirectories).

NOTE: The "o" option in "tar xvof" will assign the extractor's UID to all
the extracted files and directories instead of trying to match the UID
stored with the tar file with a UID that may be in the /etc/passwd file.
If you are running an older version of tar and get an error message
"filename/: cannot create", do not use the "o" option with tar.

     Consult the file "A_README" for directions on how to continue with the
       installation. Note that you will have the option of selecting the
       final location of the SPI executables, SPI database files, who is to
       receive the mail notifications, etc.

When printing the User Guide, you may need to use
"lpr -s -P{your postscript printer} spi3.2.ug.ps", where the -s mitigates
the spooling of large files.

SPI 3.2.2 Release Highlights
- ----------------------------

This SPI release highlights stronger default password testing, and improved
installation allowing NFS-sharing of SPI executables. For additional
information see the SPI-Product-Info file on the ASSIST BBS/FTP systems.

Portability:

1. A "rename" function was created for systems lacking one.
2. A "strstr" function was created for systems lacking one.
3. Configure looks for SYSV paths ahead of BSD paths, to accommodate hybrids
   (Solaris) which like to have both.
4. We have conducted successful regression tests on ULTRIX 4.4, IRIX 5.3,
   SunOS 4.1.X and Solaris 2.X.

Installation:

1. All tools now place their "work" files in the user's active data (D)
   directory, rather than the executables (E) or the working directory.
   Hence, it is now possible to put the SPI executables on an NFS server and
   allow multiple remote users to run inspections, without collisions
   between named workfiles. The data (D) directories must be separate and
   reside local to each system, with an identical path description. See
   "SHARED USE" under SPI INSTALLATION GUIDELINES AND NOTES, below.
2. Configure automatically adds "ldflags = -lnsl -lsocket" for Solaris.
3. Configure automatically adds "ldflags = -lsun" for IRIX.
4. Configure automatically adds "ccflags = -O0" for ULTRIX.
5. Configure tests which of "arflags = crvs" or "arflags = crv" is allowable
   (some systems require the 's', others refuse it).

Enhancements:

1. The Password Security Inspection (PSI) now includes over 300 special-case
   password tests on each user account, independent of dictionary selection.
2. More special-case files (/var/tmp, /dev/null, etc.) have been excepted
   from certain CQL tests to reduce false positives.
3. Files "/dev/tty*" have been excepted to avoid owner and permission Change
   Detection Tests in CDT.
4. Underscores may now be "toggled off" in the SPI Report Generator, to
   accommodate improved report viewing tools like "Merlin".

Remediation:

1. Fixed BUG in Access Control Test (ACT) which failed to properly link users
   to groups for the purpose of testing chained dependencies.
2. Fixed BUG in Change Detection Tool (CDT) which caused unpredictable
   failures on some systems due to CDT memory mis-allocation.
3. Removed unused directory "dbmsrc".
4. "temp" files cleaned up more thoroughly.

Major platforms and OS-versions supported by SPI 3.2.2:

     AT&T 3B2 SVR4
     Cray/UNICOS 6.1
     DEC/ULTRIX 4.1, 4.2, 4.3, 4.4
     HP/HPUX 9.03, 9.05
     IBM RS6000/AIX 3.2.5
     SGI/IRIX 4.0.5c, 5.2, 5.3
     SunOS 4.x, 5.x (Solaris 2.x)

NOTE: The mnt_query_02.tar.Z file available from the ASSIST FTP and BBS SPI
file areas contains a patch for SPI 3.2.2/1 on Solaris 2.3 systems that
fixes a flaw in the QSP (Quick System Profile via CQL) when run with the
option "scandisk=Y". The flawed version will fail to properly avoid
NFS-mounted directories, resulting in *very* long runtimes on systems with
extensive NFS mounts. See the patch README file for details.

Special Install Instructions:

SPI has problems with NIS(YP) entries. This area is being worked as time
permits. At present, this may cause certain SPI tests to fail, or to hang.
The short-term solution is to disable certain SPI tests that make use of
these entries.

First, you may need to edit the file
(spi)/D/parameters/cdt/specs/metaspec.cdt to #comment out one or both of the
last two lines. Then run a CDT snapshot. This will disable change detection
for users and groups.
Second, you may need to edit the CQL script "qscript" and isolate (again by
#commenting out) some of the tests that refer to USER or GROUP entries. The
bulk of the QSP (Quick System Profile) tests should then proceed normally.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service to the
entire DoD community. Constituents of the DoD with questions about ASSIST or
computer security issues can contact ASSIST using one of the methods listed
below. Non-DoD organizations/institutions should contact their Forum of
Incident Response and Security Teams (FIRST) representative. To obtain a
list of FIRST member organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources:

To be included in the distribution list for the ASSIST bulletins, send your
Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues
of ASSIST bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP
from assist.mil (IP address 199.211.123.11). Note: assist.mil will only
accept anonymous FTP connections from Milnet addresses that are registered
with the NIC or DNS. If your system is not registered, you must provide your
MILNET IP address to ASSIST before access can be provided.

ASSIST Contact Information:

PHONE:  800-357-4231 (or 703-607-4700 DSN 327), duty hours are 06:00 to
        22:30 EDT (GMT -4) Monday through Friday. During off duty hours,
        weekends and holidays, ASSIST can be reached via pager at
        800-791-4857. The page will be answered within 30 minutes; however,
        if a quicker response is required, prefix the phone number with
        "999".

ELECTRONIC MAIL: Send to assist@assist.mil.

ASSIST BBS: Leave a message for the "sysop".
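The bulletin's local unpacking steps (a directory reserved for SPI, "uncompress", and "tar xvof" with the fallback to plain "tar xvf" on older tar versions) and its NIS workaround above (commenting out the last two lines of metaspec.cdt and the USER/GROUP tests in qscript) as one added POSIX shell helper. This is an added example, not code from the bulletin or from the SPI distribution: the archive layout, the contents of the two stand-in spec files and every path are constructed assumptions, and the script does not attempt the DES decryption or the FTP transfer, which the bulletin covers separately.

```shell
#!/bin/sh
# Added example, not part of the ASSIST bulletin or the SPI distribution.
# Covers two local steps from the bulletin: unpacking the decrypted archive
# ("uncompress", then "tar xvof" with a fallback to "tar xvf" for older tar
# versions), and the NIS workaround of commenting out lines with "#".
# Assumptions: the .des file is already decrypted; the spec files are plain
# text where "#" starts a comment; every path and sample below is constructed.

# Unpack ARCHIVE (name.tar or name.tar.Z) into DESTDIR. Returns 1 on failure.
spi_unpack() {
    archive=$1; destdir=$2
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    # Absolute paths, because the extraction runs after a "cd".
    archive=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive")
    destdir=$(cd "$destdir" && pwd)
    case $archive in
        *.Z) plain=$destdir/$(basename "$archive" .Z)
             uncompress -c "$archive" > "$plain" || return 1
             archive=$plain ;;
    esac
    # "o" gives the extracted files the extractor's UID rather than the UID
    # recorded in the archive; old tar versions reject it, so retry without.
    if ! ( cd "$destdir" && tar xvof "$archive" >/dev/null 2>&1 ); then
        ( cd "$destdir" && tar xvf "$archive" >/dev/null ) || return 1
    fi
}

# Keep one pristine copy of FILE as FILE.orig before editing it in place.
spi_backup() { [ -f "$1.orig" ] || cp "$1" "$1.orig"; }

# Comment out the last N lines of FILE (default 2), as the bulletin suggests
# for metaspec.cdt. Lines that are already comments are left alone.
spi_comment_last() {
    file=$1; n=${2:-2}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    spi_backup "$file"
    total=$(awk 'END { print NR }' "$file")
    awk -v from="$((total - n + 1))" '
        NR >= from && $0 !~ /^#/ { print "#" $0; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Comment out every line of FILE matching the extended regex PATTERN, as the
# bulletin suggests for the USER/GROUP tests in qscript.
spi_comment_matching() {
    file=$1; pattern=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    spi_backup "$file"
    awk -v pat="$pattern" '
        $0 ~ pat && $0 !~ /^#/ { print "#" $0; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count the lines of FILE that are neither blank nor commented out.
spi_active_lines() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Constructed walk-through: a tiny tarball shaped like the SPI distribution
# (top-level directory with an A_README) plus stand-ins for the two spec
# files. Prints the unpacked top-level directory.
spi_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/spi-3.2.2/D/parameters/cdt/specs"
    echo "Consult this file to continue the installation." \
        > "$work/src/spi-3.2.2/A_README"
    cat > "$work/src/spi-3.2.2/D/parameters/cdt/specs/metaspec.cdt" <<'EOF'
# constructed sample, not SPI's real metaspec.cdt
/etc/passwd
/etc/group
USER
GROUP
EOF
    cat > "$work/src/spi-3.2.2/qscript" <<'EOF'
# constructed sample, not SPI's real qscript
test filemodes /etc
test USER shells
test GROUP membership
test setuid /usr/bin
EOF
    ( cd "$work/src" && tar cf "$work/spi-3.2.2.tar" spi-3.2.2 ) || return 1
    spi_unpack "$work/spi-3.2.2.tar" "$work/spi" || return 1
    spec=$work/spi/spi-3.2.2/D/parameters/cdt/specs/metaspec.cdt
    spi_comment_last "$spec" 2 || return 1
    spi_comment_matching "$work/spi/spi-3.2.2/qscript" 'USER|GROUP' || return 1
    echo "$work/spi/spi-3.2.2"
}
```

Run as root in the SPI-only directory, as the bulletin directs, spi_unpack leaves every extracted entry owned by root regardless of the UIDs stored in the archive; a quick `find <dir> ! -user root` afterwards confirms that the "o" option (or the fallback) did what was expected. The .orig copies let the NIS workaround be reversed once the NIS handling is fixed.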
ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature
mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic
Toolkit under license from RSA Data Security, Inc. A copy of that license is
available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file
/pub/PGP/rsalicen.txt, and through the world wide web from
http://net-dist.mit.edu/pgp.html. In accordance with the terms of that
license, PGP 2.6.2 may be used for non-commercial purposes only.
Instructions for downloading the PGP 2.6.2 software can also be obtained
from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may
be subject to the export control laws of the United States of America as
implemented by the United States Department of State Office of Defense Trade
Controls. The PGP signature information will be attached to the end of
ASSIST bulletins.

Reference herein to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favoring by ASSIST. The views and
opinions of authors expressed herein shall not be used for advertising or
product endorsement purposes.
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW
3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q
ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A
a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT
VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9
0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9
O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr
uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg==
=d5rP
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMB01zNH6sbnW3Io9AQENSwQApbBpASZcmoYGIX4jBxEPj9FFdGgk9iAG
hYnhA0FqZjXvRcHnDVjXq583zLsTPDlrteYdClqHuLVNH4orGAaftcWpoVrG/E3p
OYsXaABI7rxfC6r9wFrZpkBq7lqlMrkQtfL3+Q3UTbI8IvilSJD56/HK6JIXR/CI
ZMb9TwruP8E=
=W5/Q
-----END PGP SIGNATURE-----

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD. The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject line
and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed
herein do not necessarily state or reflect those of the United States
Government, and shall not be used for advertising or product endorsement
purposes.