Firewall Script Required for bootscripts

Dagmar d'Surreal dagmar.wants at nospam.com
Wed Mar 24 09:09:04 PST 2004


On Wed, 2004-03-24 at 04:39, Archaic wrote:
> On Tue, Mar 23, 2004 at 07:49:14PM -0600, Dagmar d'Surreal wrote:
> > 
> > nessusd (which flat out needs to be made
> > sgid if a mostly-closed firewall ruleset is in place)
> 
> nessus is an administrator tool. As such, use by non-administrators
> should be denied. That allows us to drop the sgid.

Actually, it doesn't allow us to drop the sgid.  First off, nessus is
the user utility.  Secondly, if you'll look carefully at the scripts,
it is needed by the daemon process to be exempted from outgoing
firewalling policy in order to prevent crippling the scanning
functions.  (YAY OWNER MATCH MODULE!  WHOOHOO!!@#@!#)  We don't seem to
have a runas utility like Solaris so the next best thing we can do and
still keep it simple is to add a role group for it and sgid the binary. 
Technically there probably shouldn't be any world modes on the nessusd
binary, but since nessusd tells non-root users to take a hike, the point
is moot.

We don't want to just go and exempt all root-owned processes from the
rules, since one of the nice side effects of having a mandatory (special
term!) firewall policy is that the old trick of exploiting a service to
spawn an xterm (or similar) to the attacker's host won't work if the
outbound connection is denied by the firewall.  I kid you not, this
actually breaks more canned exploits than many would like to admit. 
Particularly on a multi-user shell host, outgoing connections shouldn't
be allowed to just everywhere willy-nilly.  Using the group-owner match
module to allow outbound connections owned by processes with the users
group (which root privs don't explicitly provide, root normally has to
at least `sg users` to get that) flag is also another way to discourage
sloppy admins from doing things in the root role account that aren't
necessary.

There's just a million and one useful applications for that match
module.  Another useful one is for logging where users are making their
outbound connections to, and/or allowing/denying access to certain parts
of the network. 
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org