BB Unix Network Monitor - Message
Re: {bb} No messages required... and security
> Due to 2nd party security audit requirements, all our boxes' messages
> files must now only be readable by root.
>
> Currently, a user "bigbro" is the user that "runs" bigbrother daemons
> and scripts on all our boxes, and this means of course that it reports
> the messages file as unreadable and I get a nice red blob!
>
> The options would seem to be to either run bigbrother as root, or to
> tweak bigbrother's code and scripts (including maybe the html
> processor?) to "drop" the messages checking.
>
> Firstly then, what's the security implications of running bigbro as
> root?
If you're going to run big brother as root, then I'd reinstall the
whole thing *as root*. Let me explain... BB is mostly happy
little shell scripts, and if you've installed them as a non-root
user, then that userID might still be able to write into the scripts
which are now being run as root. Get the drift?
If you've gone to the efforts of tightening up access to the messages
file, it would be kind of silly to increase risk by running BB as
root.
Remember, that BB is your friend. It's good to have something watching
the messages file...
A plausible solution would be to create a bigbrother group, and allow
the BB group read access to the messages file (or put BB in whatever
group the messages file is in). (That's what groups are for).
> Secondly, what would I have to do to disable message checking?
Comment out the test in bb-local.sh. Not a good solution.
Keeping an eye on the messages file is important (otherwise I wouldn't
have put the test in there). Weird, bad, things show up there first.
You need to know about them, fast. BB is a constant pest about
messages; a pain in the ass; 'cause otherwise I'd forget to do it.
> Or is there another, simpler solution? (ie force permanent green
> status? ignore ?)
The second-party demand of "root access only to messages" is a
suggestion. Have a chat with whomever is running the tool or doing
the audit and show them BB. Ask them about the risks of having BB
able to read the messages file versus the risks of the file being
"secure", but never read. Ask them for a solution.
(Hint - the answer is the group thing).
> Separately from the above, I'll soon be having discussions with LAN/WAN
> about firewall access to "other" boxes on "the other side". How does BB
> actually check for smtp and ftp etc... does the C code just open a tcp
> port on the required port number?
Yup. That's what bbnet does.
> And what are the security implications (if any) of such a thing,
Um, depends on your policy, really. Nothing prevents you from
checking the other boxes on the other side from the other side
with their own instance of BB, for example...
> and also of using port 1984 coming back the other way?
1984 doesn't come back the other way in those cases. The BBNET machine
does all those tests (from the inside) and sends the results to
BBDISPLAY and BBPAGER machines who are listening on port 1984 (wherever
they are) for these messages.
> In essence you'll realise I'm looking for
> justifications for these as otherwise all that is allowed through
> firewalls here are ftp, telnet and http (port 80).
Depends where BBDISPLAY and BBPAGER are; that may be all you need.
--
Sean MacGuire, Reality Engineering the BB Ministry of Truth
sean@bb4.com http://www.bb4.com
+1 514 996 INET
"Looking down the barrel of another day"
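The two practical points of the reply, the "group thing" for the messages file and the warning that a non-root install must not be writable if BB is later run as root, can both be checked with a short script. The following is an added example written for this page; it is not part of the Big Brother distribution or of either poster's message. It assumes (none of this is stated in the thread) that the BB account is "bigbro", the file is /var/log/messages, the new group is called "bbgroup", and GNU stat(1) is available for the live check.

```shell
#!/bin/sh
# Added example, not part of the Big Brother distribution or the original
# post. Two checks for the situation in the thread:
#   1. can the (non-root) account that runs BB read the syslog messages
#      file once it is locked down, and if not, what is the group fix;
#   2. if BB is going to run as root anyway, which files under the BB
#      install could be altered by a non-root account first.
# Assumptions (not from the post): BB account "bigbro", file
# /var/log/messages, new group "bbgroup", GNU stat(1) for the live check.

# can_read MODE OWNER GROUP USER USERGROUPS
# Evaluate the classic Unix mode bits: MODE is a three-digit octal string
# such as 640, USERGROUPS is a space-separated list of USER's groups.
# Prints yes/no and returns 0/1 so it works both in $( ) and in if.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    o=${mode%??}            # owner digit
    g=${mode#?}; g=${g%?}   # group digit
    w=${mode#??}            # other digit
    if [ "$user" = root ]; then
        digit=7             # root bypasses the mode bits
    elif [ "$user" = "$owner" ]; then
        digit=$o            # owner bits apply even if group bits are wider
    else
        digit=$w
        for grp in $ugroups; do
            if [ "$grp" = "$group" ]; then digit=$g; break; fi
        done
    fi
    if [ $(( digit & 4 )) -ne 0 ]; then echo yes; return 0; fi
    echo no
    return 1
}

# file_readable_by FILE USER: the same test against a real file and a real
# account. Returns 0 (readable), 1 (not readable), 2 (no such file/user).
file_readable_by() {
    file=$1 user=$2
    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) || return 2
    id "$user" >/dev/null 2>&1 || return 2
    set -- $info
    mode=$1 owner=$2 group=$3
    mode=${mode#${mode%???}}   # drop a leading setuid/setgid/sticky digit
    can_read "$mode" "$owner" "$group" "$user" "$(id -Gn "$user")"
}

# fix_commands FILE GROUP USER: what root runs so that only root and the
# members of GROUP can read FILE (the group solution from the reply).
fix_commands() {
    printf 'groupadd %s\n' "$2"
    printf 'usermod -a -G %s %s\n' "$2" "$3"
    printf 'chgrp %s %s\n' "$2" "$1"
    printf 'chmod 640 %s\n' "$1"
}

# root_run_risks DIR: files under a BB install that a non-root account
# could change; each one would be executed as root if BB ran as root.
root_run_risks() {
    find "$1" -type f \( -perm -002 -o ! -user root \) -print
}

# main FILE USER: report the way bb-local.sh would (green/red) and print
# the fix when the BB account cannot read the file.
main() {
    if file_readable_by "$1" "$2" >/dev/null; then
        echo "green: $2 can read $1"
    else
        if [ "$?" -eq 2 ]; then
            echo "unknown: cannot stat $1 or no such user $2"; return 2
        fi
        echo "red: $2 cannot read $1; as root, run:"
        fix_commands "$1" bbgroup "$2"
        return 1
    fi
}
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as `sh bb-messages-check.sh /var/log/messages bigbro` before restarting BB; a red result prints the commands to hand to whoever owns the audit. `root_run_risks "$BBHOME"` is the check to run before switching BB to root, since any file it lists is one the non-root account could rewrite and have executed with root privileges.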