Cfengine is not specifically a tool for implementing high security
solutions for system administration, but it has many features which can
be used to monitor the state of your systems and warn about potential
breaches in security. Here are some suggestions as to how you can be more
security conscious with cfengine's help.
- CERT advisories
The CERT coordination centre (Computer Emergency Response Team) publishes
warnings about known bugs and security risks in computer systems
which can lead to compromised security. Their recommendations often
involve disabling certain programs, changing permissions to remove
setuid root flags and editing configuration files. These are things
which you can deal with using cfengine.
- disabling binaries
When you elect to disable a file, cfengine renames it, moves it to the
file repository (if you have defined one) and changes the mode of the
file to read-only for its owner. This is sufficient to disable binary
programs and plain files.
- The setuid log
Cfengine is always on the lookout for files which are setuid or setgid root.
It doesn't go actively looking for them, but whenever you get cfengine
to check a file or directory with the `files' feature, it will make
a note of setuid programs it finds there. A setuid program that sits in a
directory no `files' rule covers is therefore never noticed. The ones it
does find are recorded in the file `cfengine.host.log', which is stored
under `/etc/cfengine' or `/var/log/cfengine'.
When new setuid programs are discovered, a warning is printed, but only
if you are root. If you ever want a complete list, delete the log
file and cfengine will think that all of the setuid programs it finds
are new. The log file is not readable by normal users.
- Suspicious filenames
Whenever cfengine opens a directory and scans through files (`files',
`tidy', `copy'), it is on the lookout for suspicious filenames, i.e. files
like `.. .' whose names consist only of spaces and/or dots. Such files are
never created by sensible people, but are often used by hackers to hide
dangerous programs, since a name like that is easily overlooked in a
directory listing. Cfengine prints warnings about such files.
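The two checks above (recording setuid/setgid root files found during a scan and flagging names made only of spaces and dots) can be illustrated with a single directory walk. The following is an added example written for this page; it is not cfengine's own code. It assumes a log format of one path per line (the manual does not show the real format), takes the owner uid as a parameter so it can be exercised without root, and uses `/tmp/cfengine.host.log' only as a scratch location for the stand-alone demonstration.

```python
import os
import stat


def is_suspicious_name(name):
    """Assumed rule, from the manual's description: a name made only of
    spaces and/or dots (other than the entries "." and "..") is suspicious,
    e.g. '.. .' or ' '."""
    return name not in (".", "..") and len(name) > 0 and \
        all(ch in " ." for ch in name)


def audit_tree(root, owner_uid=0):
    """Walk `root` once, as cfengine's `files' pass would, and return
    (setuid_paths, suspicious_paths), both sorted.

    A file counts as setuid if it is a regular file owned by `owner_uid`
    (0 = root, which is what cfengine records) and carries the setuid or
    setgid bit.  owner_uid is a parameter only so the example runs unprivileged.
    """
    setuid_paths, suspicious = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_suspicious_name(name):
                suspicious.append(path)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks here
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                setuid_paths.append(path)
    return sorted(setuid_paths), sorted(suspicious)


def report_new_setuid(root, logfile, owner_uid=0):
    """Compare this scan with the log of setuid files already seen, append
    the newcomers to the log and return them.  Log format (assumed): one
    path per line.  Deleting the log makes every setuid file "new" again,
    which is the manual's trick for getting a complete list."""
    try:
        with open(logfile) as fh:
            known = set(line.rstrip("\n") for line in fh)
    except FileNotFoundError:
        known = set()
    found, _ = audit_tree(root, owner_uid)
    new = [p for p in found if p not in known]
    if new:
        # Created with mode 0600 so ordinary users cannot read the list.
        fd = os.open(logfile, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(p + "\n" for p in new))
    return new


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for p in report_new_setuid(scan_root, "/tmp/cfengine.host.log"):
        print("new setuid/setgid root program:", p)
    for p in audit_tree(scan_root)[1]:
        print("suspicious filename:", p)
```

Run it twice over the same tree and the second run reports nothing new, exactly as the manual describes; remove the log and everything is reported again.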
- Spoofing
Spoofing refers to attempts to masquerade as another host when sending
network transmissions. The `cfd' program attempts to unmask such
attempts by performing double reverse lookups in the name service: the
address of the connecting socket is looked up to obtain a host name, and
that name is then looked up again to check that it really maps back to
the same address. This verifies, via the name server you trust, that the
socket address and the host name are really who they claim to be; the
check is of course no stronger than the name service itself. If you have
the TCP wrappers package on your system (libwrap), then cfd will attempt
to use it to detect other spoofs too, see section TCP wrappers. If you
don't have TCP wrappers, then the only line of defense is the double
reverse lookup.
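The double reverse lookup, as an added example that is not cfd's source (cfd is written in C; this is a Python illustration of the same logic). The resolver functions are parameters so the check can be run offline against a constructed name-service table; with the defaults it queries the real name service through the `socket' module. The addresses and host name in the table are made up for the demonstration.

```python
import socket


def double_reverse_lookup(peer_addr,
                          gethostbyaddr=socket.gethostbyaddr,
                          gethostbyname_ex=socket.gethostbyname_ex):
    """Return (ok, hostname) for the address a connection arrived from.

    1. reverse lookup:  address -> host name   (PTR record)
    2. forward lookup:  that name -> its addresses (A records)
    3. accept only if the original address is among them.
    Any resolver failure counts as a failed check, never as a pass.
    """
    try:
        name, _aliases, _addrs = gethostbyaddr(peer_addr)
    except OSError:                      # socket.herror is an OSError
        return False, None
    try:
        _canon, _aliases, forward_addrs = gethostbyname_ex(name)
    except OSError:                      # socket.gaierror is an OSError
        return False, name
    return peer_addr in forward_addrs, name


# Constructed name-service table.  Whoever controls the reverse zone for
# 10.0.0.9 claims to be trusted.example.com, but the forward zone for that
# name (which they do not control) only lists 10.0.0.5.
_PTR = {"10.0.0.5": "trusted.example.com",
        "10.0.0.9": "trusted.example.com"}
_A = {"trusted.example.com": ["10.0.0.5"]}


def fake_gethostbyaddr(addr):
    if addr not in _PTR:
        raise socket.herror(1, "Unknown host")
    return _PTR[addr], [], [addr]


def fake_gethostbyname_ex(name):
    if name not in _A:
        raise socket.gaierror(-2, "Name or service not known")
    return name, [], list(_A[name])


def check_peer(addr):
    """Run the check against the constructed table instead of real DNS."""
    return double_reverse_lookup(addr, fake_gethostbyaddr,
                                 fake_gethostbyname_ex)


if __name__ == "__main__":
    for addr in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(addr, check_peer(addr))
```

Only 10.0.0.5 passes: the forged reverse record for 10.0.0.9 is caught by the forward lookup, and an address with no reverse record at all is refused rather than waved through.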
- Race conditions in file copying
When copying files from a source, it is possible that something
might go wrong during the operation and leave a corrupt or truncated
file in place. For example, the disk might become full while copying
a file, or the network connection might drop. Cfengine deals with this
by always copying to a new file on the destination filesystem
(prefix `.cfnew') and then renaming it into place, and only
if the transfer was successful. This ensures that there is
space on the filesystem and that nothing went wrong with
the network connection or the disk during copying, so the old file is
replaced in a single step or not at all.
- size= in copy
As a further check on copying, cfengine allows you to define acceptable
limits on the size of files. After all, sometimes errors might occur
quite independently of anything you are doing with cfengine. Perhaps the
master password file got emptied somehow, or got replaced by a binary,
through some silly mistake. By making an estimate of the
expected size of the file and adding it to the copy command, you can
avoid installing a corrupt file and turning a localized problem into a
global one.
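The two copy safeguards above (copy to a `.cfnew' file and rename only on success; reject sources whose size is outside the expected range) combined in one routine, as an added example. This is not cfengine's copy code: it assumes `.cfnew' is appended to the destination name (the manual only names the marker), treats the size bounds as inclusive, and uses `min_size'/`max_size' parameters as stand-ins for the `size=' option.

```python
import os
import shutil


class CopyRejected(Exception):
    """Raised when the source fails a sanity check; dest is left untouched."""


def safe_copy(src, dest, min_size=None, max_size=None):
    """Install `src` at `dest` without ever leaving a half-written file.

    Steps: (1) reject the source if its size is outside [min_size, max_size]
    (None = no bound), the analogue of cfengine's size= option;
    (2) write to a temporary file beside dest named with a `.cfnew' suffix
    (assumed naming); (3) fsync it; (4) rename it over dest in one atomic
    step.  Returns the number of bytes installed.
    """
    size = os.stat(src).st_size
    if min_size is not None and size < min_size:
        raise CopyRejected("%s is %d bytes, below the minimum of %d"
                           % (src, size, min_size))
    if max_size is not None and size > max_size:
        raise CopyRejected("%s is %d bytes, above the maximum of %d"
                           % (src, size, max_size))

    tmp = dest + ".cfnew"
    try:
        with open(src, "rb") as fin, open(tmp, "wb") as fout:
            shutil.copyfileobj(fin, fout)
            fout.flush()
            os.fsync(fout.fileno())       # data is on disk before the rename
        if os.stat(tmp).st_size != size:  # e.g. the disk filled up mid-copy
            raise CopyRejected("short write while copying %s" % src)
        shutil.copymode(src, tmp)         # carry the permission bits over
        os.replace(tmp, dest)             # atomic on POSIX: old or new, never half
    except BaseException:
        try:
            os.unlink(tmp)                # never leave .cfnew litter behind
        except FileNotFoundError:
            pass
        raise
    return size


if __name__ == "__main__":
    import sys
    print(safe_copy(sys.argv[1], sys.argv[2], min_size=1), "bytes installed")
```

A write error, a full disk or a rejected size all leave the previous destination file exactly as it was, which is the property the manual is describing.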
- useshell= in shellcommands
There are dangers in starting scripts from programs which run with root
privileges. Normally, shell commands are started by executing them with
the help of a `/bin/sh -c' command. The trouble with this is that
it leaves one open to a variety of attacks. One example is fooling the
shell into starting foreign programs by manipulating the `IFS'
variable to treat `/' as a separator. You can ask cfengine to start
programs directly, without involving an intermediary shell, by setting
the `useshell' variable to false. The disadvantage is that you will
not be able to use shell directives such as `|' and `>' in
your commands.
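The difference between the two start-up methods, as an added example that is not cfengine's code. The `IFS' trick named above depended on old Bourne shells; the illustration here uses the more general form of the same problem, namely that `/bin/sh -c' re-parses the whole command string, so any metacharacter in a value you did not write yourself becomes part of the command. The hostile "file name" is constructed for the demonstration, and `printf' is used only because it prints its argument verbatim.

```python
import subprocess


def run_via_shell(filename):
    """useshell=true style: the whole command line goes to /bin/sh -c, so
    the shell re-parses it and honours every metacharacter it contains."""
    cmd = "printf '%s\\n' " + filename          # value spliced into a string
    return subprocess.run(cmd, shell=True,
                          capture_output=True, text=True).stdout


def run_directly(filename):
    """useshell=false style: execve() the program with an explicit argv.
    No shell is involved, so `;', `|' and `>' are plain characters in the
    argument (and, as the manual notes, cannot be used as operators)."""
    return subprocess.run(["printf", "%s\n", filename],
                          capture_output=True, text=True).stdout


# Constructed hostile value: a "file name" that carries a second command.
HOSTILE_NAME = "report.txt; echo INJECTED"

if __name__ == "__main__":
    print("via shell:", repr(run_via_shell(HOSTILE_NAME)))
    print("direct   :", repr(run_directly(HOSTILE_NAME)))
```

Through the shell the second command runs (with whatever privileges the caller has); started directly, the same string is just an odd file name. The price is the one the manual states: `run_directly("a | sort")' passes the pipe to `printf' as text instead of building a pipeline.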