help-cfengine

Security issues


From: Jacob Lee
Subject: Security issues
Date: 02 Jul 2002 11:17:18 -0400

I'm beginning a rollout of cfengine in a small (13 machines so far) but
burgeoning Linux installation inside of a larger Windows network. I
recently noticed a security issue where I'm worried that cfengine will
decrease the security of the installed base.

Here are the facts:
All the machines have the same (weak) root password so that the users
can perform basic tasks that do require root privileges.
The machine that the computers download configurations from will have a
special root password that only the admins know.
The machines allow remote root logins via ssh so that I can perform
maintenance remotely - note that some of the machines are actually in
different cities, and as such must require remote logins.
All the machines are behind a firewall.

I am worried about the following situation occurring:
1. An attacker breaks into the network from outside (I only control the
Linux administration, not the main servers which run Windows.)
2. S/he discovers the root password either via social engineering or via
any number of insecurities (this would not be difficult).
3. S/he investigates the local copy of cfagent.conf to find all the
other Linux boxen.
4. S/he copies a modified update.conf onto all the computers, changing
policyhost from the secure server to an 0wned machine.
5. The attacker can now, at any time, modify one file to destroy (or
subtly change) all the Linux computers.

Under the current system (setup scripts + ssh), the attacker still gains
access to all the systems via one password, but it is more difficult to
discover the other machines and attack all of them the same way. I would
know -- one of the reasons I'm evaluating cfengine is to avoid having to
make the same change 13 times (having to remember which machines I've
not updated, which ones were off at the time of the change, etc.)!

Is there any way to suitably protect the cfengine input files? The
public-key architecture does not solve the problem, since this attack
bypasses it. Not giving the users the root password is not an option.
Securing the root password is not practical, either; I can think of (off
the top of my head) at least 3 different ways to gain the root
passwords. And that doesn't count social engineering, which would be
even easier than a technical assault, given that our users are of the
type where demanding secure passwords fails because any difficult
password can be found on a sticky-note on the user's computer. So I'm at
a loss as to how to prevent the above scenario from occurring. Any ideas?




