Sysadmin:Security
From UGCS
Revision as of 01:10, 26 October 2007 by Jdhutchin@ugcs.caltech.edu (Talk | contribs)
Known Problems
- Users could DoS our Kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity.
- A symlink attack is possible to gain access to the Apache Kerberos service keytab for Poseidon.
- If too much spam comes in, it can overload slapd on zeus, causing mail to soft-bounce (temporary 4xx failures) and the load on zeus to go way up. The workaround is to temporarily set the LDAP database to read-only.
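What the read-only switch looks like in slapd.conf, as an added illustration rather than zeus's real configuration (the suffix and directory are placeholders):

```conf
# slapd.conf on the LDAP server (example; suffix/directory are placeholders)
database        bdb
suffix          "dc=ugcs,dc=caltech,dc=edu"
directory       /var/lib/ldap

# Normal operation: writes allowed (this is the default).
#readonly       off

# Emergency setting while the spam storm lasts: slapd answers every
# add/modify/delete with "unwilling to perform" but keeps serving reads,
# so mail routing and authentication lookups continue to work.
readonly        on
```

slapd.conf is read only at startup, so restart slapd after the change and again when turning writes back on; with cn=config (OpenLDAP 2.3 and later) the same switch is `olcReadOnly: TRUE` on the database entry, which ldapmodify can flip without a restart. While it is on, everything that writes to the directory fails, including newacct-creator and password changes, so note the time and undo it once the storm passes.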
Probable Problems
- All the Python we wrote needs to be double-checked.
- Machines need to be kept up to date at least once a week (every 3 days is preferable if time allows).
Possible Problems
- Cfengine could be used to break into machines: cfagent runs as root on every client, so whoever controls the policy master (or can alter policy in transit) controls every managed host.
Fixed problems
- Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper. The wrapper must chdir after dropping privileges, not before: a chdir done while still root follows whatever symlinks the user has planted between the ownership checks and the chdir, whereas a chdir done as the target user is enforced by the kernel against that user's own permissions.
- Kerberos security holes that need to be patched urgently
- krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
- linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. Working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
- Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when). - Joshua
- CVE-2007-4995 OpenSSL vulnerability - need to upgrade all core servers.
- Note: Debian's automated install does NOT restart affected services, so after the upgrade run lsof and look for '(path inode=...)' entries, which mark processes still mapping the replaced library; each of those must be restarted before it is actually running the fixed code.
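The post-upgrade check described above, written out as an added example (it is not a script from the UGCS page). It reads /proc/PID/maps, where the kernel appends "(deleted)" to any mapping whose file has been unlinked, which is exactly what dpkg's replace-in-place does to the old libssl. The maps text in the block is constructed for the demonstration; on a real host run it with --scan.

```shell
#!/bin/sh
# Added example: find processes still mapping a shared library that has
# been replaced on disk since they started (e.g. libssl after the
# CVE-2007-4995 upgrade).  The old inode is unlinked, so /proc/PID/maps
# shows "<path> (deleted)"; lsof reports the same as "(path inode=NNN)".

# Print the unique shared-object paths marked "(deleted)" in maps text
# read from stdin.  Unlinked non-library mappings (temp files, session
# files) are deliberately ignored.
stale_libs_from_maps() {
    awk '$NF == "(deleted)" && $6 ~ /\.so/ { print $6 }' | sort -u
}

# Walk every process and print "PID<TAB>library" for each stale mapping.
# Run as root; maps files of other users' processes are skipped when
# they cannot be read.
scan_live_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_libs_from_maps 2>/dev/null < "$maps" | while read -r lib; do
            printf '%s\t%s\n' "$pid" "$lib"
        done
    done
}

# Constructed sample of /proc/PID/maps output (not captured from a real
# host): two mappings of a replaced libssl, one of libcrypto, an intact
# libc, and an unlinked PHP session file that must not be reported.
SAMPLE_MAPS=$(cat <<'EOF'
b7e2b000-b7f5f000 r-xp 00000000 08:01 131072     /usr/lib/libssl.so.0.9.8 (deleted)
b7f5f000-b7f63000 rw-p 00134000 08:01 131072     /usr/lib/libssl.so.0.9.8 (deleted)
b7f63000-b7fa1000 r-xp 00000000 08:01 131073     /usr/lib/libcrypto.so.0.9.8 (deleted)
b7fa1000-b7fa5000 r-xp 00000000 08:01 65536      /lib/libc-2.3.6.so
b7fa5000-b7fa6000 rw-s 00000000 08:01 98304      /tmp/sess_0123abcd (deleted)
EOF
)

case "${1:-}" in
    --scan) scan_live_processes ;;                               # real host
    --demo) printf '%s\n' "$SAMPLE_MAPS" | stale_libs_from_maps ;;  # sample
esac
```

`lsof -n | grep 'path inode'` (or `lsof +L1`, which lists open files whose link count is zero) is the equivalent check with lsof, and Debian's checkrestart from the debian-goodies package automates the whole procedure, including mapping the PIDs back to init scripts.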
Policies
Password Resets
- If they have access to an email account listed in their mailAlternateAddress, send them a randomized password there (md5sum'ing random stuff; the "stuff" must itself be unpredictable, so take it from /dev/urandom rather than the date or a pid).
- If they have a phone number in LDAP and we can reach them on it, use it.
- If an SSH public key is on file, encrypt the new password to it.
- If all of these fail and their full name is listed on the UGCS account, confirm the records with the Alumni Association.
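The two technical steps above (generating the random password and encrypting it to the user's SSH key), as an added example that is not part of the UGCS page or its tooling. The paths and the key file are assumptions; the encryption step only works for RSA keys.

```shell
#!/bin/sh
# Added example: helpers for the password-reset procedure.  Not UGCS code.

# Draw an alphanumeric password straight from the kernel CSPRNG.  tr -dc
# discards bytes outside the character set instead of mapping them onto
# it, so every output character is uniform over the 62 symbols; 20 of
# them is about 119 bits.  An md5sum of "random stuff" is only as strong
# as the stuff: 32 hex digits of md5sum of the date is trivially guessable.
gen_password() {
    len=${1:-20}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Encrypt a password to an OpenSSH public key (authorized_keys format).
# RSA only: ssh-keygen -e -m PKCS8 converts the key to PEM, openssl
# pkeyutl encrypts to it with OAEP padding, and the result is base64 for
# mailing.  The user decrypts with
#   openssl base64 -d -in pw.b64 | openssl pkeyutl -decrypt -inkey ~/.ssh/id_rsa
encrypt_to_ssh_key() {
    pubkey=$1; password=$2
    pem=$(mktemp) || return 1
    if ! ssh-keygen -e -m PKCS8 -f "$pubkey" > "$pem"; then
        rm -f "$pem"; return 1
    fi
    printf '%s' "$password" | openssl pkeyutl -encrypt -pubin -inkey "$pem" \
        -pkeyopt rsa_padding_mode:oaep -out "$pem.enc" \
        && openssl base64 -in "$pem.enc"
    rc=$?
    rm -f "$pem" "$pem.enc"
    return $rc
}

# Usage: reset.sh gen [length]   |   reset.sh enc /path/to/user.pub 'password'
case "${1:-}" in
    gen) gen_password "${2:-20}" ;;
    enc) encrypt_to_ssh_key "$2" "$3" ;;
esac
```

Ed25519 and ECDSA keys cannot encrypt, so when the key on file is one of those fall back to the next step in the list; a one-time password mailed in the clear to a verified alternate address is still better than a reused one.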