uname output ?

Derek D. Martin ddm+gnhlug at pizzashack.org
Mon Aug 19 14:08:41 EDT 2002


At some point hitherto, Mark Komarinski hath spake thusly:
> On Mon, Aug 19, 2002 at 12:26:12PM -0400, Derek D. Martin wrote:
> > At some point hitherto, Mark Komarinski hath spake thusly:
> > > > Which most security-conscious admins still remove or zero as a matter
> > > > of course.  Why tell the net-at-large what holes to look for?
> > > 
> > > Uhm...how can you tell the contents of /etc/issue from the net?
> > 
> > Telnet to the machine would be one way (assuming you can).  But you
> > seem to be assuming that your attacker will not be on your network.
> > 70% or more of reported computer crime is done from the inside,
> > according to the FBI.  I concur with Ben and Mike.  Said so in a post
> > that I managed to munge my from: address...  
> 
> If the attacker is local, then they probably already know what
> the distro and revision are, or can quickly find out without
> resorting to looking at /etc/issue. 

Not if they don't have an account on the machine...

> The CDs labeled "Debian" and "RedHat 7.3" on my desk are pretty good
> indicators.  Maybe I should store them in a safe?  That Solaris 8
> box should probably go too.

I've never worked in a place where the machines were homogeneous.  And
yes, you should keep your media locked up.  For other reasons than
this...

> This is a really strange discussion.  You (collectively) want to know
> what kind of distro you're running, but the tools you've been given
> are security holes because they give the exact information you're
> looking for!

No.  We have no tools that will reliably tell only authenticated users
(who we must assume, for the purposes of this discussion, have
legitimate authorized access to the system), what the distribution
is.  Running a command to identify a system on a system you have
access to is not a security hole; even if you're an attacker.  Because
if you can do this, you've already gained access to the system.  At
such a point, it is always possible to determine what operating system
the machine is running, though the means by which this is accomplished
are not necessarily simple and/or convenient.

> > Note that at least on newer Linux systems, there's also an
> > /etc/issue.net, which is what you see if you telnet to a machine.
> > Some older Unix systems, IIRC, use /etc/issue for both purposes.
> 
> I remember writing about issue.net on Linux almost 5 years ago.
> Solaris doesn't use issue.

K.  Hard to keep those kinds of details straight.  Easiest to look at
a running system, of which I have none that are not recent Linux
systems, save one recent HP-UX system...

-- 
Derek Martin               ddm at pizzashack.org    
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
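
Added example, not part of the original post or thread: a small shell check an admin could run to see whether the pre-login banners discussed above (/etc/issue and /etc/issue.net) identify the system to users who have not authenticated. The function name `banner_findings`, the keyword list, and the assumption that banners use getty-style `\s \r \v \m` or telnetd-style `%s %r %v %m` escapes are illustrative choices, not taken from the thread.

```shell
#!/bin/sh
# Added example: flag pre-login banner content that identifies the OS.
# Assumed: getty expands \s \r \v \m and telnetd expands %s %r %v %m to
# uname data (system, release, version, machine). Keyword list is a sample.
ESC_RE='[\\%][srvm]'
OS_RE='red ?hat|debian|solaris|hp-ux|linux|kernel|release [0-9]'

# Print findings for FILE as file:line:text.
# Returns 0 if the banner discloses nothing, 1 if it identifies the system.
banner_findings() {
    file=$1
    found=0
    # Missing or zeroed banner (the practice mentioned in the thread):
    # nothing is shown before login, so nothing is disclosed.
    [ -s "$file" ] || return 0
    if grep -qE "$ESC_RE" "$file"; then
        echo "$file: escape sequence expands to uname data:"
        grep -nE "$ESC_RE" "$file" /dev/null   # /dev/null forces file: prefix
        found=1
    fi
    if grep -qiE "$OS_RE" "$file"; then
        echo "$file: literal OS name or version:"
        grep -niE "$OS_RE" "$file" /dev/null
        found=1
    fi
    return "$found"
}

# Audit the two banner files named in the thread on the local machine.
for f in /etc/issue /etc/issue.net; do
    banner_findings "$f" || echo "-> $f identifies the system before login"
done
```

A banner that passes this check can still be paired with a command available only after login for telling authorized users which distribution they are on, which is the distinction the message draws.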


