[geeks] Security People haven't heard of OpenBSD!
Scott Howard
geeks at sunhelp.org
Sat Nov 3 04:27:38 CST 2001
On Fri, Nov 02, 2001 at 05:05:56PM -0600, Bill Bradford wrote:
> We (not me, someone way over my head) paid some "auditing company" to do a
> "Security audit" of our network. What they handed us was a Nessus report
> printout. (www.nessus.org). The UNIX admins groaned and said "we could
> have saved you whatever you paid them.." but they were a BIG NAME COMPANY..
>
> It was full of stuff like "this system is running NFS". We were like
> "no shit."
We get one of these done each year (as dictated by our "Operational Risk"
people)...
This year they looked over one of our Internet facing, massively cutdown
(for security of course) machines. The report contained things like :
* Patch 105181-26 is not applied. This patch resolves some security issues.
(Patch 105181-28, the current at the time, was already applied!)
* Patch 105xxx-xx is not applied. This patch resolves security issues with
xterm (or something in X, forgot exactly what).
(Nothing to do with X is installed on the machine, for obvious reasons - and
you can't patch whats not there)
* /usr/sbin/ufsdump has incorrect permissions (SUID/SGID bits removed). This
may imply security has been breached. (duh!) A number of files were listed
with the same comments
* /usr/sbin/su is suid. Permissions of this file should be checked to see if
this can be changed. (duh!)
* Portmap is running on this machine. (It wasnt)
* SunRPC is running on this machine. (You mean this isnt the same as portmap?)
Plus a few other things I can't remember at the moment.
They also decided that one or two of our web load balancers were running
Portmap, NFSD, and Imap (they don't even support those, let alone having them
enabled) as well as suggesting that we disable port 80 on them (did I mention
they were _web_ load balancers?)
Scott.
More information about the geeks
mailing list