**************************************************************************
Security Bulletin 9432                  DISA Defense Communications System
December 7, 1994                        Published by: DDN Security
                                        Coordination Center
                                        (SCC@NIC.DDN.MIL) 1-(800) 365-3642

                          DEFENSE DATA NETWORK
                           SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and
"nn" is a bulletin number, e.g. scc/ddn-security-9428).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Automated         !
!  Systems Security Incident Support Team (ASSIST) and is being         !
!  relayed unedited via the Defense Information Systems Agency's        !
!  Security Coordination Center distribution system as a means          !
!  of providing DDN subscribers with useful security information.       !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
          Automated Systems Security Incident Support Team
               [ASSIST banner: "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 94-38        Release date: 6 December 1994, 10:05 AM EST (GMT -4)

SUBJECT: Security Profile Inspector (SPI) for Unix Version 3.2 Release.

SUMMARY: The Computer Security Technology Center at Lawrence Livermore
National Lab announces the SPI 3.2 Upgrade Release.
SPI is an automated security tool designed to assess the security of
various UNIX computer systems. ASSIST provides funding for continuing
development of the SPI product, and is the distribution agent for DoD.

BACKGROUND:

SPI is available free of charge to DOE, DoD, and other sponsoring agencies
and their integrated contractors. Other U.S. Government agencies may obtain
SPI through the Energy Science & Technology Software Center (ESTSC) in
accordance with ESTSC distribution policies. Distribution details may be
obtained by anonymous FTP from ciac.llnl.gov in the pub/spi directory, or
by email to spi@ciac.llnl.gov. SPI is maintained under the auspices of the
U.S. Department of Energy by Lawrence Livermore National Laboratory under
Contract W-7405-Eng-48.

SPI is available as a tar'd, compressed, DES encrypted file from the ASSIST
BBS and FTP systems (see the ASSIST Information Resources paragraph below).
ASSIST will provide the DES decryption key in a call back to a DSN phone
number provided by the requestor (DES software is also available on the
ASSIST BBS and FTP systems). ASSIST will make other arrangements for
delivering SPI to DoD personnel who do not have a Milnet/Internet
connection or dial-up capability.

If you want to be included in the ASSIST SPI Users e-mail list, send an
e-mail to spi-users@assist.mil.

To download SPI related files via anonymous FTP from ASSIST.MIL
(199.211.123.11) use the following procedure:

   Log in as "anonymous". Give your email address when prompted for a
   password.
   cd to the pub/tools/spi directory.
   Use "ls -l" (or "dir") to see what's there.
   Type "get INDEX" to get a file containing descriptions of all files in
   the directory.
   Type "binary" to transfer files in binary mode.
   Type "get spi3.2.tar.Z.des".
   Type "get SPI.INFO" for lots of important product information.
   Type "get spi3.2.ug.ps.Z" to get a Postscript version of the User Guide.
   Type "get spi3.2.rm.ps.Z" to get a Postscript version of the Reference
   Manual.
   NOTE: Check the directory pub/tools/spi/BASIS/TABLES to see if there
   are BASIS authentication tables available for your operating system.
   SPI 3.2 is shipped with a table for SunOS 4.1.3_U1 (sun4c), and work is
   underway to develop a broader set of tables.
   Log out of FTP.

Move the files where you want them. (Make a special directory for the SPI
distribution, place the files in it, then cd to that directory. The SPI
directory you create and the files within it should be owned by root and
not writable by any other user: SPI is executed as root, so anything that
can be dropped into that tree runs with root's privileges.)

Decrypt the tar file.

Type "uncompress spi3.2.tar.Z" (this should produce "spi3.2.tar").

Type "tar xvof spi3.2.tar" (this should produce lots of files and
subdirectories). NOTE: The "o" option in "tar xvof" assigns the extractor's
UID to all the extracted files and directories instead of trying to match
the UID stored in the tar file against a UID that may be in the /etc/passwd
file. If you are running an older version of tar and get an error message
"filename/: cannot create", do not use the "o" option with tar.

Consult the file "A_README" for directions on how to continue with the
installation. Note that you will have the option of selecting the final
location of the SPI executables, the SPI database files, who is to receive
the mail notifications, etc.

When printing the User Guide, you may need to use
"lpr -s -P{your postscript printer} spi3.2.ug.ps", where -s makes lpr link
the file into the spool area instead of copying it, which avoids spooling
problems with large files.

SPI 3.2 INFORMATION AND RELEASE NOTES, 10 OCT 94:

CONTENTS

   1) RELEASE NOTES FOR THE SPI 3.2 UPGRADE
   2) MAJOR FEATURES OF THE SPI 3.X SERIES
   3) SPI INSTALLATION GUIDELINES AND NOTES

SPI development is sponsored by the Department of Energy for the DOE
community, and by the Defense Information Systems Agency (DISA) (ASSIST)
on behalf of the DoD community.
==================================================================
NOTICE: SPI 3.2 Patch for Solaris 2.x (SunOS 5.x)    Issued 17 Nov 94
==================================================================

The patch is freely available via anonymous FTP from:

   ASSIST BBS:     "Security Tools" file area
   assist.mil:     pub/tools/spi/PATCHES/lib_unix/mnt_query.c.sunos5
   ciac.llnl.gov:  pub/spi/PATCHES/lib_unix/mnt_query.c.sunos5

Instructions are in pub/spi/PATCHES/lib_unix/README.lib_unix.01

This patch may also work for some other SVR4 unix platforms.

Solaris users are also reminded that to build SPI, one must use "Build -v"
and provide "-lsocket -lnsl" when prompted for "additional ld flags." This
is detailed in the SPI.INFO file.

NOTE: The SPI 3.2.1 Maintenance Release will not require the above patch.
ASSIST will issue a bulletin when SPI 3.2.1 is made available.

============================================
RELEASE NOTES FOR THE SPI 3.2 UPGRADE 941020
============================================

New Features in SPI 3.2

a) The Binary Authentication Tool (BAT) has now replaced the Binary
   Inspection Tool (BIT). BAT provides the ability to determine both system
   object authenticity and patch currency. The supplied tables are
   preliminary and based upon the proposed Binary Authentication Signatures
   Integrity Standard (BASIS) format for authentication information.
   Details on the current table coverage are included in the first few
   lines of each table. Ultimately, we envision OS vendors supplying these
   tables in conjunction with their software releases. Preliminary BAT
   tables for currently supported platforms may be found by anonymous ftp
   at ciac.llnl.gov, pub/spi/BASIS/TABLES. See the README.tables file for a
   description of system coverage. SPI 3.2 is shipped with a BASIS table
   for SunOS 4.1.3_U1.

b) Reports may now be printed from the user interface.

c) The QSP scan disk check now avoids tracing into NFS mounted file
   systems.
d) Users who have been dormant for a specified period of time are now
   reported.

e) A wider range of configuration files in the home directories are
   checked for correct permissions.

f) File permissions and ownerships related to uucp are checked for
   correctness.

g) Directories used for anonymous ftp (bin, etc, pub) are checked to
   ensure they are not links.

SPI 3.2 disk usage (during installation and operation)

   Activity                                         Total Disk Usage
   ----------------------------------------------   ----------------
   Obtain SPI3.2.tar.Z (compressed) ..............      1.2 MB
   Uncompress SPI3.2.tar.Z file
     (compressed file is removed) ................      3.6 MB
   Untar SPI3.2.tar (tar file remains) ...........      7.2 MB
   Remove tar file ...............................      3.6 MB
   Run SPI Installation (Build script)
     Creates executables (1.5 MB) ................      5.1 MB
     Creates database files (1.0 MB*) ............      6.1 MB*
   Remove source code (3.6 MB) ...................      2.5 MB
   Allow growth of database files during routine
     SPI operation (0.5 MB*) .....................      3.0 MB

   (* Figures for database files assume a typical small multi-user
   workstation, with outdated reports and database snapshots purged on a
   periodic basis.)

Synopsis: SPI needs just over 7 MB of disk space during the installation
phase, and will use about 3 MB during routine operation.

CAUTIONARY NOTICE: SPI output reports should be reviewed for classification
issues appropriate to the systems being evaluated.

=========================================
MAJOR FEATURES OF THE SPI/UNIX 3.X SERIES
=========================================

CPM and CTTY tests are included with Quick System Profile. A modified
version of the Carnegie Mellon University CPM utility, CPM will report if
any of your system's network interfaces are in "Promiscuous Mode". CTTY
will determine if any non-console terminals are marked as secure, and
therefore allow direct login to the root account. Any such terminals
should be located in an appropriately secured area.
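The two Quick System Profile tests just described, written out as an added example; this is not SPI's CPM or CTTY source. It assumes a SunOS/BSD-style /etc/ttytab layout for the CTTY check (the sample table below is constructed, not copied from any host) and, for a live CPM reading, a Linux host where /sys/class/net/<if>/flags exposes the interface flags word; the IFF_PROMISC value is the Linux one.

```python
"""Added example: CTTY (terminals marked secure) and CPM (promiscuous
interfaces) as small Python functions.  Not SPI code; the ttytab sample is
constructed and the sysfs/IFF_PROMISC details are Linux assumptions."""
import shlex
from pathlib import Path

IFF_PROMISC = 0x100     # Linux <linux/if.h> bit (assumption: Linux flag layout)

# Constructed sample in SunOS 4 /etc/ttytab layout, not a real host's file
SAMPLE_TTYTAB = """\
# name   getty                        type    status
console  "/usr/etc/getty std.9600"   sun     on  secure
ttya     "/usr/etc/getty std.9600"   unknown off secure
ttyb     "/usr/etc/getty std.9600"   unknown off
ttyp0    none                        network off secure
ttyp1    none                        network off
"""


def secure_noncomsole_ttys(ttytab_text):
    """CTTY: non-console lines carrying the 'secure' flag, i.e. lines on which
    root may log in directly.  'off' only means no getty is spawned; a
    pseudo-tty marked 'off secure' still admits root over rlogin/telnet."""
    flagged = []
    for raw in ttytab_text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blanks
        if not line:
            continue
        try:
            fields = shlex.split(line)               # getty command is one quoted field
        except ValueError:
            flagged.append(f"{raw.split()[0]} (unparseable line)")
            continue
        if len(fields) < 3:
            continue
        name, status = fields[0], fields[3:]         # name getty type status...
        if name != "console" and "secure" in status:
            flagged.append(name)
    return flagged


def promiscuous_interfaces(flags_by_ifname):
    """CPM: interfaces whose flags word has IFF_PROMISC set."""
    return sorted(n for n, flags in flags_by_ifname.items() if flags & IFF_PROMISC)


def read_linux_if_flags(sysfs_net="/sys/class/net"):
    """Live input for promiscuous_interfaces(): sysfs holds each interface's
    flags as a hex string.  Returns {} where that tree does not exist."""
    flags = {}
    base = Path(sysfs_net)
    if not base.is_dir():
        return flags
    for entry in base.iterdir():
        try:
            flags[entry.name] = int((entry / "flags").read_text().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags


if __name__ == "__main__":
    print("CTTY: non-console secure ttys:", secure_noncomsole_ttys(SAMPLE_TTYTAB))
    print("CPM: promiscuous interfaces:", promiscuous_interfaces(read_linux_if_flags()))
```

On the sample, the CTTY check flags ttya and ttyp0: the serial line is merely switched off, and the network pseudo-tty has no getty at all, yet both still carry "secure". On a Linux host the equivalent list is /etc/securetty, consulted by pam_securetty. Two caveats on the CPM side: the flags word only reflects promiscuity requested through the interface flags (ifconfig/ip link "promisc on"); a sniffer that turns it on through a packet socket shows up in the per-device promiscuity counter ("ip -d link") and in the kernel log rather than here, so treat the flag check as a first pass, not a verdict.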
SPI 3.x represents a major revision in the SPI system architecture, in
addition to several new or enhanced features.

Central to the product structure are several "OS-extraction" libraries,
which map operating system data into elements of a SPI unified security
model. UNIX and VMS libraries have been written, and libraries for other
operating systems are anticipated. These libraries will allow the SPI
security inspection codes to operate uniformly in varied operating system
environments.

A major new security inspector is the Configuration Query Language (CQL).
Scripts written in CQL have a 4GL quality, and allow for flexible,
conditional queries to be made over the objects of computer system
security. CQL serves a dual role in SPI: as an inspector in its own right,
and as an intelligent server of system information to the other inspection
functions. Quick System Profile (formerly COPS shell scripts) is now
implemented purely in CQL. The other SPI security inspectors make use of
CQL to extract the raw data needed for their analyses. See appendix F of
the SPI 3.0 user's guide for details on the custom use of CQL and writing
CQL scripts.

The Change Detection Tool (CDT) replaces both the File Inode and the File
Data change detectors (formerly FCD and DCD). CDT consolidates file, user
and group change detection, reporting additions, deletions, as well as
modifications to selected attributes. CDT allows the aggregation of
selected files, user or group accounts according to attributes designated
significant for change detection reporting. This improves security
targeting by supporting rapid modifications and the reduction of false
positives. For more details, see CDT under sections 3.3 and 4.4 of the SPI
3.0 user's guide.

All of the SPI security inspectors and major SPI subsystems communicate by
reporting their results in a Common Output Report Format (CORF).
This standardized ASCII format allows significant data sharing between SPI
subsystems, and is also designed to be treated easily by such UNIX
utilities as grep, cut, sort (and sed, awk, and PERL, for that matter).
Appendix H contains details on the SPI CORF format.

The SPI Report Generator (RG) serves to produce final output reports that
are pleasing to the eye. RG takes data in CORF format (or anything
sufficiently similar) along with an RG format-specification file, to
produce variably organized output reports. See Appendix G for details on
custom use of the SPI Report Generator.

NOTE: As always, reasonable defaults have been provided for the above new
capabilities. Thus, you need not concern yourself with CQL scripts, CORF
output, or Report Generator formatting, but the potential is there if you
wish to further employ these tools to customize or extend your security
inspection and reporting capabilities.

Each SPI security function can be run independently of the user interface
if desired. See man pages for more details.

=====================================
SPI INSTALLATION GUIDELINES AND NOTES
=====================================

A detailed configuration procedure allows this program to be ported to
many different Unix systems. See special notes below for details.

NOTE: SPI MUST BE RUN UNDER ONE USER_ID ONLY. Otherwise, there may be
collisions among saved parameter and database files. (For security
reasons, SPI is not made a Set-UID program.) It is recommended that SPI be
built and run as "root".

To configure this package, type "Build"

If Build should fail on your system, try using "Build -v". This is a
"verbose" mode where Build will tell you more of what it is doing, will ask
you more questions, and give you more opportunities to override its
decisions.
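Before the remaining Build details, a worked illustration of what the Change Detection Tool and the Binary Authentication Tool described under MAJOR FEATURES actually compare, as an added example. This is not SPI's CDT or BAT code: the snapshot record layout and the vendor-table layout are this example's own (not SPI's database files and not the BASIS format), SHA-256 is used where SPI's md5.c uses MD5, and the sample tree and vendor table are constructed inside demo().

```python
"""Added example: CDT-style snapshot/compare and BAT-style authenticity and
patch-currency verdicts.  Not SPI code; record and table layouts are this
example's own, SHA-256 stands in for MD5, and demo()'s tree is constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# attributes designated significant for change reporting (CDT-style selection)
TRACKED = ("mode", "uid", "gid", "size", "digest")


def digest_bytes(data):
    return hashlib.sha256(data).hexdigest()


def file_record(path):
    """One snapshot entry.  lstat: symlinks are recorded, not followed.  Only
    regular files get size and digest, so directory growth is not noise."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": None, "digest": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["size"], rec["digest"] = st.st_size, h.hexdigest()
    return rec


def snapshot(root):
    """relative path -> record for everything under root.  Like SPI's scan,
    keep a walk like this off NFS mounts (os.walk does not stop at mount points)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                snap[os.path.relpath(p, root)] = file_record(p)
            except OSError:
                continue            # vanished or unreadable between listing and stat
    return snap


def compare(baseline, current, attrs=TRACKED):
    """CDT-style report: additions, deletions, and which tracked attributes changed."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [a for a in attrs if baseline[path][a] != current[path][a]]
        if changed:
            modified[path] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def authenticate(table, current):
    """BAT-style verdicts.  table: path -> [(digest, label), ...] oldest to newest,
    the last entry being the current patch level.  Answers both questions BAT
    asks: is this a vendor-supplied object, and is it at the current patch level?"""
    verdicts = {}
    for path, known in table.items():
        rec = current.get(path)
        if rec is None:
            verdicts[path] = "missing"
            continue
        label = dict(known).get(rec["digest"])
        if label is None:
            verdicts[path] = "unknown digest: not a vendor-supplied object"
        elif label == known[-1][1]:
            verdicts[path] = f"authentic, current ({label})"
        else:
            verdicts[path] = f"authentic but superseded: {label}, current is {known[-1][1]}"
    return verdicts


def demo():
    """Constructed tree: take a baseline, tamper, report.  Returns (report, verdicts)."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir, etc_dir = Path(root, "bin"), Path(root, "etc")
        bin_dir.mkdir()
        etc_dir.mkdir()
        (bin_dir / "login").write_bytes(b"login v1\n")
        (bin_dir / "su").write_bytes(b"su v2\n")
        (etc_dir / "passwd").write_text("root:x:0:0::/:/bin/sh\n")
        os.chmod(etc_dir / "passwd", 0o644)
        baseline = snapshot(root)
        # constructed vendor table: login was patched once (v1 -> v2), su is at
        # v2, and the table lists a passwd binary this host never had
        table = {"bin/login": [(digest_bytes(b"login v1\n"), "v1"),
                               (digest_bytes(b"login v2\n"), "v2")],
                 "bin/su": [(digest_bytes(b"su v2\n"), "v2")],
                 "bin/passwd": [(digest_bytes(b"passwd v1\n"), "v1")]}
        (bin_dir / "su").write_bytes(b"su v2 plus backdoor\n")   # trojaned binary
        (bin_dir / ".sh").write_bytes(b"dropped shell\n")        # new hidden file
        os.chmod(etc_dir / "passwd", 0o666)                      # loosened perms
        current = snapshot(root)
        return compare(baseline, current), authenticate(table, current)
```

Running demo() gives the two reports a CDT/BAT pass would distil: compare() lists the dropped shell as an addition, the trojaned su as modified in size and digest, and the permission change on passwd; authenticate() separates the three BAT outcomes, an object whose digest matches nothing the vendor ever shipped (the trojan), one that is genuine but behind the current patch (login), and one listed but absent. Neither check is better than its reference: a baseline snapshot taken after a compromise, or a vendor table fetched without checking where it came from, only confirms the state it was taken from.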
Build will examine the system and attempt to make intelligent guesses as to
the location and type of system utilities (compiler, header files, run-time
libraries, etc) that are present, and needed by SPI to install or perform
its functions. It will create a file "config.h" which will be included in
many of the executables at compile time.

Build will ask you where you would like to place the executables, the
database files and CQL scripts. It will present default locations
(subdirectories of the SPI installation directory), and you may accept
these defaults by pressing Return. If the tail directory does not exist, it
will ask for confirmation to create the given directory.

Build -q will launch the compile phase automatically (Build and Build -v
will ask for confirmation.) During the compile phase, all actions of the
"make" utility are sent to a file called "make.log". If SPI should fail
during the compile phase, please send a copy of both the files "config.h"
and "make.log" to spi@ciac.llnl.gov or call 510-422-3881 for further
assistance.

Once SPI has been installed, run "spi" in the executables directory to
bring up the main menu.

SPECIAL NOTES and BUG WARNINGS:

If the Build script hangs during the "compile" phase (i.e. takes more than
20 minutes) then examine the last few lines of the file "make.log". If the
last attempted compile was for "md5.c", then it is suggested that you run
"Build -v". When the script asks "Any additional cc flags?" type in "-O0"
(dash, capital O, zero.) This turns off the RISC C ugen optimizer, which
hangs when trying to optimize the module md5.c (the RSA Data Security MD5
message-digest routine; MD5 is a hash function, not an encryption
algorithm).
Major platforms and OS-versions supported by SPI 3.2

   sun4, sun4c, sun4e, sun4m
      -- SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.3_u1
      -- Solaris 1.1, 1.2, 1.3, 2.1, 2.2, 2.3
   AT&T 3B2
      -- SysV r3.2.3
      -- SVR4
   Convex/ConvexOS 9.1
   Cray/UNICOS 6.1
   DEC/ULTRIX 4.1, 4.2, 4.3, 4.4
   HP/HPUX (where yacc is present)
   IBM RS6000/AIX
   Silicon Graphics SGI/IRIX 4.0.5c, 5.2

Platforms which may present problems:

   UNIX System V, r3.2 (Interactive, AIX, etc)
      -- Build problems fixed, but still reporting a run-time problem with
         the user interface.

   HP/HPUX, ...
      -- yacc is required during installation to compile the CQL utility.
         On some HPUX systems, yacc is an option and may not be present.

   SGI/IRIX
      -- You will want to run "Build -v" here!
      -- If Build can't find the C libraries, tell it /usr/lib/libC.a
      -- When it asks which mailer to use, tell it /usr/sbin/Mail
      -- When asked about the "-M" option, respond "cc".
      -- Also, CDT may fail to produce a system snapshot for its database;
         the problem may lie in having yp "+" entries in the user or group
         file when not running NFS/NIS. You have two options:
         (1) Edit (spi)/cqlsrc/Makefile to set "LFLAGS= -lsun" and run
             "make install", followed by running "Snapshot", or
         (2) Edit the file (spi)/D/parameters/cdt/specs/metaspec.cdt to
             (#)comment out the last two lines. Then run a snapshot. This
             will disable change detection for users and groups, so added
             or altered accounts will no longer be reported.

   Sun/Solaris, ...
      -- On Solaris 2.x you should use Build -v, and when it asks you for
         any additional ld (linker) flags, you should respond with
         "-lsocket -lnsl". This is needed in order for the new "cpm" test
         to compile properly in some "not-default BSD" environments.

If return from a help window or error message leaves your screen in a
sorry state, type "control r" or "control l" to redraw the screen. Some
versions of curses screen libraries are deficient.

Since the SPI Runtime Scheduling feature will modify your crontab file, a
copy of the original contents will be saved in a file with a ".orig"
extension.
A brief description of the subdirectories follows:

Directories required for proper operation (these are created automatically
during the Build procedure):

(EXECUTABLES)
   This directory contains the SPI executable programs, as well as the
   subdirectories "screen" and "man" that are described below. If you use
   "Build -q" during installation, this directory will be installed as
   (pwd)/E, where (pwd) is the current directory. If you use just "Build"
   or "Build -v", you may select another location for the executables.

   D/screen: This directory contains form descriptions for the user
      interface and text for the online help windows.
   man: This directory contains the UNIX-style online manual pages for
      command-line operation of the SPI security functions.

(DATABASES)
   This directory contains the subdirectories for SPI data files, described
   below as "database, parameters, corf, and results". If you use
   "Build -q" during installation, this directory will be installed as
   (pwd)/D, where (pwd) is the current directory. If you use just "Build"
   or "Build -v", you may select another location for the databases.

   D/parameters: This directory is where the parameter files for the SPI
      security functions are kept.
   D/database: This directory is where the database files for the SPI
      security functions reside.
   D/corf: This directory contains the raw CORF output produced by the SPI
      security inspection functions.
   D/results: This directory is where the final output reports created by
      the SPI Report Generator are placed.

(SCRIPTS)
   This directory contains the CQL scripts used for the CQL implementation
   of Quick System Profile, as well as other inspections. If you use
   "Build -q" during installation, this directory will be installed as
   (pwd)/S, where (pwd) is the current directory. If you use just "Build"
   or "Build -v", you may select another location for the CQL scripts.
Directories not required after installation:

   actsrc:   source for the Access Control Test utility (act)
   bitsrc:   source for the Binary Inspector Tool (bit)
   cdtsrc:   source for the Change Detector Tool (cdt)
   cron:     source for the scheduling setup files
   dbmsrc:   source for the SPI Database Manager
   include:  source for the common code header files
   lib:      compile-time repository for the SPI support libraries
   mexec:    source for process control codes (mx, flist, lview)
   psisrc:   source for the Password Security Inspector (psi)
   pwd:      contains a database of dubious passwords
   qspsrc:   source for the Quick System Profile Inspector (qsp)
   rgsrc:    source for the SPI Report Generator (RG)
   ui:       source for the SPI user interface
   man:      source of the UNIX-style manual pages

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service to
the entire DoD community. Constituents of the DoD with questions about
ASSIST or computer security issues can contact ASSIST using one of the
methods listed below. Non-DoD organizations/institutions, contact the Forum
of Incident Response and Security Teams (FIRST) representative. To obtain a
list of FIRST member organizations and their constituencies send an email
to docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources:

To be included in the distribution list for the ASSIST bulletins, send your
Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues
of ASSIST bulletins, and other security related information, are available
from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and through
anonymous FTP from assist.mil (IP address 199.211.123.11). Note:
assist.mil will only accept anonymous FTP connections from Milnet addresses
that are registered with the NIC or DNS.
ASSIST Contact Information:

PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to
22:30 EDT (GMT -4) Monday through Friday. During off duty hours, weekends
and holidays, ASSIST can be reached via pager at 800-791-4857. The page
will be answered within 30 minutes; however, if a quicker response is
required, prefix the phone number with "999".

ELECTRONIC MAIL: Send to assist@assist.mil.

ASSIST BBS: Leave a message for the "sysop".

Reference herein to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favoring by ASSIST. The views and
opinions of authors expressed herein shall not be used for advertising or
product endorsement purposes.

****************************************************************************
*                                                                          *
*   The point of contact for MILNET security-related incidents is the      *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DDN Security bulletins. If you are not part of the DOD community,
please contact your agency's incident response team to report incidents.
Your agency's team will coordinate with DOD. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained by sending
email to docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as a service to the DOD community.
Neither the United States Government nor any of its employees makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any specific
commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily state or
reflect those of the United States Government, and shall not be used for
advertising or product endorsement purposes.