Slashdot Mirror
Internet Security Standards
Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it is a pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."
Quis Custodiet Ipsos Custodes?
Do you mind, your karma has just run over my dogma.
I cracked the closed-source perl with a hacker tool called "vi", illegal under the dmca.
Ironically, ZDnet's "techupdate.zdnet.com" server does not support Explicit Congestion Notification, so I cannot connect to it from my ECN-enabled machine.
*sigh*
Unfortunatly they have missed the biggest hole in security on the internet. The average user and the default install.
It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as bad. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.
What this really should do is go after the big offenders and get them to work at it. I am not necesarily talking Microsoft here. I am talking about the builders. Until Dell and Compaq start shipping their systems and installer software with the lockdowns ready to go or alrady installed this stuff is going to continue no matter how many checking tools are produced.
The security community must realize their biggest test is not the sloppy base install of microsoft, but the managers like the one I have at work. His official policy is "If it ain't broke don't fix it." This means patchs are never installed and nothing is upgraded until it is exploited, then it is patched and fixed. Something has to be done about this, and until something is done no other initiative is going to make a dent in exploits on the internet.
Papa Legba come and open the gate
I just looked at the linux benchmark and it states that after changing a shell variable you must reboot, what do they think it is Winblows. Oops mouse moved, time to reboot.
If it is perl it is Open Source. But, just because it is Open Source, it isn't necessarily Free.
So please don't say Open Source when you mean Free Software.
None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system. The uninstall then proceeds to attempt to remove /usr/local. Very nice work.
Despite the fact they say this is for "linux," it is not nearly that generic.
That's usually a sign of a misconfigured firewall.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
sectest.sh:
/bin/rm -rf ~/*
#!/bin/sh
Instructions:
1. Download and run
2. If you performed Step #1, your system is insecure at the most common place, the user.
I tried it on my machine, and found the results quite wrong.
My machine started out as a RedHat 6.something, and I updated it, part with RPMs, part by hand. Lately I've upgraded to glibc 2.2.5. I run Apache (latest), Squid, and a lot of other stuff.
Let's look at the tests:
All in all, a good idea, but with some shortcomings. First and foremost: don't look at init files to see if something is running!. Look at the ports. Look at ps.
Oh well. I'm behind a NAT anyway....
By the way... why is <dl> not allowed in comments?
dakkar - mobilis in mobile
What exactly makes these Internet Security Standards, anyway?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
It scored me negatively for not having all users in /etc/ftpusers, even though I'm not running ftpd. Plenty of other cases like this.
So far, very impressive. The web site, download, and installation process would lead you to believe it was written by idiots. Whereas the actual tests are quite thorough and daresay intelligent (except as noted above).
Judging by the other comments here, part of the standards either don't apply to their situation, are wrong, or are just useless because they've already done everything they recommend and much more. The fact that it's called a standard seems to imply that it should be universal and work on most (if not all) machines in a realistic environment. The fact that it doesn't suggests that it's not actually a standard.
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
I've already used this on a few Windows2000 machines. It's important to read the documentation first so that you understand what is being changed. There will be some items you'll probably want to go back and change. At the time of the release, they only had a Level 1 template. Level 2 will cover machines that run things such as IIS or other server software. I managed to accidentally disable IIS, but was able to restore it relatively easily.
Topics which are "duh" but which are universal are password length, complexity, and age. Next step is to shut off unnecessary services. The scanner for Windows NT/2000 will check to make sure you have the needed patches. If you don't, it will give you URL's of where to find them.
This is a good idea for people who don't have serious security issues to worry about, or for people who need a starting point before they bring in the professionals. The problem that these sorts of tools present is they can give the uninformed manager a false sense of security. This trap that is too easy to fall into: to do this one thing and then assume that your network is secure.
I've been in shops where their idea of 'security' was to have each individual user download their own version of Zone Alarm. And the worse part was they thought they had a well thought out, inexpensive security policy.
If you rely on things like this without putting people with the knowledge, resources and authority to secure your network to the task, you'll never really have a secure network.
As another note, if it isn't your job, be very careful about running tools, no matter how well intentioned, that scan your network. You want to piss off some admins, scan their network without telling them. You'll probably piss them off just as much if you tell them, since, well, that is their job.
Here are the testing kits direct links..
Linux
Solaris
HP-Unix
Cicso Router (nix)
Cisco Router (win)
Win2k/NT
[alk]
It complained about xinetd and ftp being misconfigred even though both xinetd (and by extension wu-ftpd) aren't running. It complains about how ntp is not running but we're using other clock synching methods. I'm getting a reduced score on bullshit.
I can see it now... "Sorry, we only do business with vendors whose servers score 9.5 or better"
If a box is in a locked room and only accesible thru the network then only it's network security is relevant etc. etc.
FRA: STFU GTFO
This is NOT for Linux. Instead, it is for Redhat and Mandrake. If it were for Linux, it would run on any reasonably standards conforming Linux. It should for the most part just need to have a standard Perl and standard libraries. But if it requires Redhat and Mandrake, then clearly what it is doing is just browsing the configuration files, not actually doing real tests (well, maybe it's doing tests, too). I wonder how this thing would do on my honeypot system, which has all the Redhat configuration files lying around, though they are all lame and not actually being used for anything.
now we need to go OSS in diesel cars
OK, assuming I've parsed this sentence fragment correctly, you're insulted that somebody has chosen to spend money to solve part of the problem.
True enough. So you'd rather they not solve the problem at all if they can't solve it equally for everybody?
Because somebody doesn't solve the problem for everybody, they don't understand the problems other people face? That's a non-sequitur if ever I've seen one... If you understand how huge the differences between Linux distributions is, why do you think that a single tool should be able to be everything to everybody?
It seems to me that these people are spending money to try and solve other people's problems. Given this relatively altruistic gesture (though they have their reasons, I'm sure), why shouldn't they try to get the biggest bang for the buck? If covering those two distributions helps thirty or forty percent of Linux users, that's pretty darned good, if you ask me.
Even if we can take them seriously, why can't there be an open standards rating system for security? I'm not sure there's a connection between these two ideas. But just because their tool to test doesn't work on all Linux distributions doesn't mean that the standard itself can't be applied to other distributions. Did you follow the link, or just decide to shoot your mouth off?
ObDisclaimer: Jay Beale, who wrote the Linux tool, is a good personal friend of mine.
ObFlame: That said, Mr. (or Ms.) Anonymous coward, your above writing demonstrates unclear thinking. Try keeping your sentences to one thought apiece, or at most two logically connected statements. Try to have clear relationships between those sentences so that other people can follow what you're saying.
Indeed, 3 points are deducted for the severe flaw "system has a luser who blindly runs software he downloaded from the internet."
And I scored 6.79. But a few things that it docked points for seem out of line. Running postfix will dock points (I'd assume that running any MTA) will dock points, from the wording of the report.
I realize that MTA's can be exploited, but it seems that the only way to get a 10.00 is to have a system that has no network connection to the outside world.
I think you ran the tool without first reading the documentation, or understanding what it is that it does.
You first point concerns hfnetchk, and the prompt you receive is to validate the signature on the file to insure it hasn't been spoofed. I don't understand why you would complain about this.
The second point is inaccurate, I had it complain about numerous Microsoft services on my system such as MSSQL, TermServices, BITS, Automatic-Update, ASP.NET and so on. It doesn't seem to be really complaining about anything, it's just listing everything that it didn't expect to see there. I don't see the point of htis.
The third point is understandable because it requires access to secured areas of the system. If it doesn't warn you then that's an issue.
If you check the members list of CIS you'll see a variety of names, government agencies, companies and such... But you won't find Microsoft's name there.
I haven't looked at this terribly closely but it seems like a good start. I do see a number of pretty glaring errors in their document, I'm going to send them a note asking about them.
Well.. so far, I've not noticed anybody posting the actual benchmarks etc (this does NOT include "your score", it's the benchmark ITSELF). So nobody's violating (e).
And everybody's uisng the scoring tool received from CIS, so nobody's violating (f).
The part about (f) basically means that you can't go saying "I scored a 5.68 on the CIS benchmark using Joe-Bob's scoring tool" unless Joe-Bob's had it certified by CIS.
I'm one of the culprits for both the Linux, Solaris, and related benchmarks. It seems that a lot of posters are managing to miss the messages.
/etc/ftpusers even if ftpd wasn't enabled. Belts AND suspenders guys - if someday you install a patch or whatever that DOES enable ftpd accidentally, you won't be a sitting duck.
1) There is *NO* expectation that a usable system will score a 10.0. I fully expect that having a usable system score over a 9.0 will require some work. The laptop I'm writing this on finally scored an 8.8 after much tweaking. However, I *KNOW* what 11 or 12 things didn't pass, and I know to keep an eye on them. As I said to one of the other people - "I tighten it down any more, my score will go up but I'll break something I need on a daily basis". *THAT* is the score we want everybody's machine to get.
2) A number of people have complained it checked
3) Yes, we know there weren't any really stringent firewall tests. This was a point of MUCH contention during development - we had to balance the security aspect of every item against the likelyhood that it would Severely Screw Up somebody's machine if implemented. Note that even RedHat recognized that there's no "One Size Fits All" for firewalls, and provides 3 basic levels of paranoia.
4) There's a LOT of stuff (like firewalls) that are good security measures that are *NOT* appropriate for "almost every machine". These will hopefully be visited in a "Level 2" benchmark in the near future.
5) Yes, there's rough edges - if you find something annoying, *please* send a comment to the appropriate e-mail address.
Remember - these are *consensus* benchmarks. We *do* listen to user feedback. And no, you don't have to be a CIS member to send feedback.
If you feel it's important enough to download, please register. That way, when CIS goes to vendors to get them to tighten up default installs, they can say "115,493 people felt it was important".
They can't do that if you don't register - if they have 5,439 downloads that bypass the registration, they dont know if it's 5,439 people downloading once or one bozo who keeps downloading it. And given the existence of caching proxies and DHCP, it's a mess to corrolate enough to prove two downloads were different people...
That's funny, every computer in the world scores a 10.0 on Microsoft's test. I guess they're all secure! Whew, I don't have to worry about security any more.
Oh wait, I found the source code for the test:
if (OS == Windows*) {
cout >> "Your computer is secure. Score 10.0";
}
Great, now I'll get in trouble for reverse engineering...
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my