tiger-devel

Re: [Tiger-devel] Request reclassification of fsys004i?


From: Ryan Bradetich
Subject: Re: [Tiger-devel] Request reclassification of fsys004i?
Date: Tue, 06 Apr 2004 02:02:21 -0600

On Mon, 2004-04-05 at 03:43, Javier Fernandez-Sanguino wrote:
> Ryan Bradetich wrote:
> 
> > Hello all,
> > 
> > I believe a reclassification of the following Tiger error should be
> > reclassified:
> > 
> 
> [setuid stuff snipped]
> 
> > Thoughts or any reason why this should be "INFO" instead of "ALERT"?
> 
> Although I basically agree with you here, one of the reasons I would be 
> careful when changing that to ALERT instead of INFO is that the setuid 
> mappings for most systems are not up-to-date and, thus, accurate. This 
> means that they cannot be trusted until tested and many of the checks 
> (including the setuid check) might start to spit up errors because of 
> out-of-date information.

That makes sense.  Right now these notices are being ignored by default,
so they will probably never get updated :(  I still think that on a
philosophical level an untracked suid / sgid file is an ALERT instead of
an INFO (especially for root suid files).

> We could make it configurable whether to generate ALERT or INFO 
> messages in this case (so that people who trust their system 
> information can fine-tune this) but I would be hesitant to make a 
> generic change since this would mean a lot of false positives for most 
> systems.

The other way this could be handled would be to make it an ALERT and add
default rules in tiger.ignore to ignore these.  It will give us the same
net effect we have now and people interested in tracking suid / sgid
files can remove these entries.  Hmm... actually would the tiger.ignore
even affect these errors? .... something I need to test .... 

I hate to start down the slippery slope of making the alerts
configurable.  (Actually, I do not have a problem with this ... but I
would like to see it done globally and not on a case-by-case basis).

> Notice this affects also check_perms, check_signatures and some other 
> of the checks executed by find_files (that make use of 'signatures', 
> 'suid_list' and 'file_access_list').

Hmm ... Will need to look into these checks better to understand the
interdependencies ... Thanks for the pointers :)

Thanks!

- Ryan

> Regards
> 
> Javier
> 




