Author: Benjamin D. Thomas
released for libneon, mailman, kde, xpcd, kdepim, httpd, SquirrelMail, cvs,
neon, subversion, cadaver, metamail, firebird, opera, mysql, mc, apache, heimdal,
kernel, utempter, and LHA. The distributors include Conectiva, Debian, Fedora,
FreeBSD, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, and TurboLinux.
Internal and External Audit
One of the most important but overlooked
aspects of information security is auditing. All servers have been hardened,
all patches installed, access is regularly monitored, but can one be sure all
of those countermeasures are effective? Auditing is an independent review to
form an opinion. It can provide assurance that the security controls in place
are doing their job. It is important to conduct both internal and external,
each having their own advantages. Auditing is increasingly becoming top-management
priority because of the increased reliance on IT, increased system complexity,
and increased concern for security. Also, many laws are requiring it as a necessary
business function to achieve compliance.
Internal audit is a tool that can
be used to give assurance to managers and other personnel. It provides the ability
to compare the security policies, procedures, and practices being used with
those in a standard or best practices. It gives management the ability to make
comparisons between different departments and divisions. From an IT security
point of view, it identifies areas that need attention and can provide information
on how to improve overall security. It is always better to identify and fix
problems found internally, rather than in external audits.
External audits are conducted by
third parties and can be used to give assurance to other parties such as share-holders,
the board of directors, or partner companies. External audits can provide the
information necessary to make comparisons between other companies (if the data
is available) or industry standards. The process of auditing produces reports
that are issued to management and are written in a way that they can understand
and address. It involves translating technical risks into business language.
Generally, audit reports summarize the current situation, compare that with
what the standards say, and provide direction on how to achieve compliance.
Auditing can provide the information required for implementing new security
controls, conducting a risk analysis, and special internal investigations.
Pentesting and vulnerability assessments
are another essential aspect of auditing. It is necessary to check system security
from an intruder’s perspective. Auditors should ask who, what, when, where,
and how. Timelines should be compiled, system logs should be reviewed, and personnel
should be interviewed. Rather than only hoping a system is secure, auditing
can provide a level of assurance that will help you sleep better at night.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
Guardian
Digital Security Solutions Win Out At Real World Linux
– Enterprise Email and Small Business Solutions Impres at Linux Exposition.
Internet and network security was a consistent theme and Guardian Digital
was on hand with innovative solutions to the most common security issues.
Attending to the growing concern for cost-effective security, Guardian Digital’s
enterprise and small business applications were stand-out successes.Interview
with Siem Korteweg: System Configuration Collector
– In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.Security:
MySQL and PHP
– This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]
| Distribution: | Conectiva | ||
| 5/25/2004 | libneon | ||
| Heap overflow vulnerability libneon library which could be abused by remote WebDAV servers to execute |
|||
| 5/27/2004 | mailman | ||
| Multiple vulnerabilities Fixes cross site scripting and remote password retrieval vulnerabilities, |
|||
| 5/27/2004 | kde | ||
| Insufficient input sanitation The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for |
|||
| Distribution: | Debian | ||
| 5/25/2004 | xpcd | ||
| Buffer overflow vulnerability Bug allows copy of user-supplied data of arbitrary length into a fixed-size |
|||
| Distribution: | Fedora | ||
| 5/25/2004 | kdepim | ||
| Buffer overflow vulnerability An attacker could construct a VCF file so that when it was opened by a victim |
|||
| 5/25/2004 | httpd | ||
| Multiple vulnerabilities Fixes an exploitable memory leak and escapable error-log output. |
|||
| Distribution: | FreeBSD | ||
| 5/27/2004 | sys Buffer cache invalidation vulnerability |
||
| Multiple vulnerabilities In some situations, a user with read access to a file may be able to prevent |
|||
| Distribution: | Gentoo | ||
| 5/25/2004 | SquirrelMail | ||
| Cross-site scripting vulnerabilities SquirrelMail is subject to several XSS and one SQL injection vulnerability. |
|||
| 5/25/2004 | cvs | ||
| Heap overflow vulnerability CVS is subject to a heap overflow vulnerability allowing source repository |
|||
| 5/25/2004 | neon | ||
| Heap overflow vulnerability A vulnerability potentially allowing remote execution of arbitrary code |
|||
| 5/25/2004 | Subversion | ||
| Format string vulnerability There is a vulnerability in the Subversion date parsing code which may lead |
|||
| 5/25/2004 | cadaver | ||
| Heap overflow vulnerability There is a heap-based buffer overflow, possibly leading to execution of |
|||
| 5/25/2004 | metamail | ||
| Multiple vulnerabilities Several format string bugs and buffer overflows were discovered in metamail, |
|||
| 5/25/2004 | Firebird | ||
| Buffer overflow vulnerability A buffer overflow may allow a local user to manipulate or destroy local |
|||
| 5/25/2004 | Opera | ||
| Insufficient input sanitation A vulnerability exists in Opera’s telnet URI handler that may allow a remote |
|||
| 5/27/2004 | MySQL | ||
| Symlink vulnerability Two MySQL utilities create temporary files with hardcoded paths, allowing |
|||
| 5/27/2004 | mc | ||
| Multiple vulnerabilities Multiple security issues have been discovered in Midnight Commander including |
|||
| 5/27/2004 | Apache | ||
| 1.3 Multiple vulnerabilities Several security vulnerabilites have been fixed in the latest release of |
|||
| 5/27/2004 | Heimdal | ||
| Buffer overflow vulnerability A possible buffer overflow in the Kerberos 4 component of Heimdal has been |
|||
| Distribution: | Mandrake | ||
| 5/25/2004 | apache-mod_perl Multiple vulnerabilities |
||
| Buffer overflow vulnerability Four security vulnerabilities were fixed with the 1.3.31 release of Apache. |
|||
| 5/25/2004 | kernel | ||
| 2.6 Multiple vulnerabilities Several kernel 2.6 vulnerabilities have been fixed in this update. |
|||
| 5/27/2004 | mailman | ||
| Password leak vulnerability Mailman versions >= 2.1 have an issue where 3rd parties can retrieve member |
|||
| 5/27/2004 | kolab-server Plain text passwords |
||
| Password leak vulnerability The affected versions store OpenLDAP passwords in plain text. |
|||
| Distribution: | OpenBSD | ||
| 5/25/2004 | cvs | ||
| Heap overflow vulnerability Malignant clients can run arbitrary code on CVS servers. |
|||
| Distribution: | Red Hat |
||
| 5/27/2004 | utempter | ||
| Symlink vulnerability An updated utempter package that fixes a potential symlink vulnerability |
|||
| 5/27/2004 | LHA | ||
| Multiple vulnerabilities Ulf Harnhammar discovered two stack buffer overflows and two directory traversal |
|||
| 5/27/2004 | tcpdump,libpcap,arpwatch Denial of service vulnerability |
||
| Multiple vulnerabilities Upon receiving specially crafted ISAKMP packets, TCPDUMP would crash. |
|||
| Distribution: | Slackware | ||
| 5/25/2004 | cvs | ||
| Heap overflow vulnerability Carefully crafted server requests to run arbitrary programs on the CVS server |
|||
| Distribution: | Suse | ||
| 5/27/2004 | kdelibs/kdelibs3 Insufficient input sanitation |
||
| Heap overflow vulnerability The URI handler of the kdelibs3 and kdelibs class library contains a flaw |
|||
| Distribution: | Turbolinux | ||
| 5/25/2004 | kernel | ||
| Multiple vulnerabilities The vulnerabilities may allow an attacker to cause a denial of service to |
|||
