[7773] in bugtraq
Re: Security Hole in Axent ESM
daemon@ATHENA.MIT.EDU (Steve McBride)
Thu Aug 27 13:13:54 1998
Date: Thu, 27 Aug 1998 09:30:55 -0700
Reply-To: Steve McBride <steve@ZONEOFTRUST.COM>
From: Steve McBride <steve@ZONEOFTRUST.COM>
X-To: Larry Bassett <lbassett@FORE.COM>
To: BUGTRAQ@NETSPACE.ORG

Remember that ESM is a security policy enforcement tool, not a security
hole "finder" (for lack of a better word)... While these two subjects are
for the most part one and the same, all you have to do is tell ESM that,
for instance, your policy gives a umask of 022 as the suggested value, and
it won't tell you to change them.

Look through the product a little more, and take some time to develop a
custom policy, rather than using the generic Phase 1, Phase 2, Phase 3
thing, and I bet you'll find it a much more useful product.

Regards,
Steve McBride

At 07:41 AM 8/27/98 -0400, Larry Bassett wrote:
>Your point about checksums is well taken. We were externally audited and
>the auditors used Axent ESM. The Axent ESM is not what I would call a
>great security assessment tool. It is brain dead in a few places.
>
>It will complain about files and directories that have more secure
>permissions since it only checks to see if files have the permissions it is
>expecting. It also complains about the files it installs.
>
>It complained about uninstalled patches. In our case this was completely
>ridiculous because we already had newer revisions of the patches than the
>ones they suggested we install.
>
>It complained about an HP printer device being world writable. This
>complaint was pointless since these device files are functionally
>equivalent to /dev/null.
>
>It complained that a umask of 022 was unsafe. They suggested 027.
>
>There were other questionable findings but it will find misconfigurations
>and stupid mistakes. However, there are better tools available.