BB Unix Network Monitor - Message
Re: {bb} No messages required... and security
This may not work on your particular unix implementation but you may have the
ability to specify a second file and location in your syslog.conf. (Usually
located in /etc). So the system messages get written to your locked down
messages file (satisfying your audit package). The second file you can place in
area that "bigbro" owns/can read etc. You will need to restart your syslog
daemon to make sure the configuration change is picked up. Tighten up the access
to the second file to whatever degree satisfies your security policy. Of course,
if your audit package is really good, it will notice the second file in your
configuration file and then complain about that one having permissive access
settings.......
You can null out the MSGFILE in your $BBHOME/etc/bbsys.$OSTYPE and
$BBHOME/etc/bbsys.local if you want to skip out on the testing for that
particular platform. May need to examine your particular logic in bb-local.sh to
make sure it handles MSGFILE being set to null. If it has problems just slam in
simple logic check on whether MSGFILE variable has nonzero length before
proceeding with the bad-message-content-check operation.
Don't run BB as root. No reason to unless you are running some really kinky ext
scripts that require some serious system access. If you follow the threads you
will know that sometimes BB gets into mischief (especially with new releases).
So you don't want to give the BB procedures more authority than is necessary.
As for communications, BB clients talk out onto port 1984. They do not listen.
Communications is one way. For the BBDISPLAY and BBPAGER box(es) they listen for
traffic on port 1984. If they are also clients that are being monitored, then
they will also talk out onto port 1984 - even the BBDISPLAY system. The BBNET
system will be probing out on whatever service "port" you are polling for (i.e.
http, tcp/ip services...). The box will also be talking out on port 1984 to the
BBDISPLAY system. Oh yes, if you are running some ext tests on your BB clients,
then they will be using whatever service is involved with the test (maybe you
are running special ping to particular router, checking a database listener
process, whatever).
Basically your clients will be talking out on port 1984. Your
BBDISPLAY/BBNET/BBPAGER will be talking and listening on port 1984.
Also, for security concerns, the 1984 port listeners are checking for a
particular message string (i.e. status, page....) before they try and do
something with the message. The sender's IP address is also checked against a BB
maintained security file before allowing any processing of the message. Someone
could spoof your accepted IP-address sender and send bogus messages into the BB
listener with the correct initial message string. There is also a limit on
message size processed by the bbd.c module to cut down on the size of sender's
message as processed into the system. There was a thread awhile back discussing
the merits of improving the security of the status message traffic - maybe using
PGP or something. Don't know where this is on the developer's to-do list.
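The "nonzero length" guard the reply suggests for bb-local.sh, written out as an added shell example (this is not Big Brother's own bb-local.sh code; the function name msgfile_status, the status words it prints and the sample patterns are assumptions for illustration). It skips the check cleanly when MSGFILE has been nulled out, reports an unreadable file without needing root, and only greps the file when it can actually be read:

```shell
#!/bin/sh
# Added example, not Big Brother's own bb-local.sh logic.
# Prints one status word on stdout so the caller can decide what to send
# to the BBDISPLAY:
#   skipped    - MSGFILE is null, the messages test is disabled on this host
#   unreadable - the file exists but this (non-root) user cannot read it
#   red        - a configured bad-message pattern matched
#   green      - the file was read and nothing matched
msgfile_status() {
    msgfile="$1"
    # Assumed sample patterns; a real bb-local.sh carries its own list.
    patterns="${2:-panic|NOTICE|WARNING}"

    # The guard from the reply: do nothing when MSGFILE has zero length.
    if [ -z "$msgfile" ]; then
        echo skipped
        return 0
    fi

    # Check readability first, so a root-only file is reported rather
    # than tripping over a failed grep later on.
    if [ ! -r "$msgfile" ]; then
        echo unreadable
        return 0
    fi

    if grep -E -q "$patterns" "$msgfile"; then
        echo red
    else
        echo green
    fi
}

# Stand-alone demonstration on a constructed messages file (not real log data).
demo_file=$(mktemp)
printf 'Feb  1 12:34:21 host kernel: panic: constructed sample line\n' > "$demo_file"
echo "MSGFILE unset:      $(msgfile_status "")"
echo "constructed file:   $(msgfile_status "$demo_file")"
echo "missing file:       $(msgfile_status /nonexistent/messages)"
rm -f "$demo_file"
```

With MSGFILE set to the second, bigbro-readable syslog file described in the reply, the function returns green or red as usual; with MSGFILE nulled out in bbsys.$OSTYPE it returns skipped, which is the case the original bb-local.sh logic may need the extra check for.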
____________________Reply Separator____________________
Subject: {bb} No messages required... and security
Author: <bb@bb4.com>
Date: 2/1/2000 12:34 PM
Due to 2nd party security audit requirements, all our boxes' messages
files must now only be readable by root.
Currently, a user "bigbro" is the user that "runs" bigbrother daemons
and scripts on all our boxes, and this means of course that it reports
the messages file as unreadable and I get a nice red blob!
The options would seem to be to either run bigbrother as root, or to
tweak bigbrother's code and scripts (including maybe the html
processor?) to "drop" the messages checking.
Firstly then, what's the security implications of running bigbro as
root?
Secondly, what would I have to do to disable message checking?
Or is there another, simpler solution? (ie force permanent green
status? ignore ?)
Separately from the above, I'll soon be having discussions with LAN/WAN
about firewall access to "other" boxes on "the other side". How does BB
actually check for smtp and ftp etc... does the C code just open a tcp
port on the required port number? And what are the security
implications (if any) of such a thing, and also of using port 1984
coming back the other way? In essence you'll realise I'm looking for
justifications for these as otherwise all that is allowed through
firewalls here are ftp, telnet and http (port 80).
Cheers
Ian
Message-Id: <3896D2CD.BF192532@vf.vodafone.co.uk>
Date: Tue, 01 Feb 2000 12:34:21 +0000
From: Ian Diddams <ian.diddams@vf.vodafone.co.uk>
To: bb@bb4.com
Subject: {bb} No messages required... and security