argus-2.0.5.beta.6.tar.gz available

Carter Bullard carter at qosient.com
Tue Mar 19 21:44:29 EST 2002


Hey Yotam,
Nonetheless, I think it is a good discussion.

I've uploaded ftp://qosient.com/dev/argus-2.0/argus-2.0.5.beta.6.tar.gz
which implements your pid file suggestions, to allow argus
to specify a specific pid file.  In support of this feature,
we now have new argus.conf variables, ARGUS_PID_FILENAME and
ARGUS_MAX_INSTANCES, and we've now got "-I <number>",
"-c" and "-n pidfile" options to play with.  The
support/Config/argus.conf and the various man pages
have been updated, so I hope your suggestion has been
fully implemented.
 
They all seem to work, as much as I have had time to
test.

Please do give this new version of argus a spin.  There
are some fixes for Cisco V5 netflow record parsing, and
a few rare seg faulting conditions fixed, so please do
test.

Thanks for all the support,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Yotam Rubin
> Sent: Tuesday, March 19, 2002 8:52 PM
> To: 'Argus'
> Subject: Re: pid file issues
> 
> 
> On Tue, Mar 19, 2002 at 12:48:52PM -0500, Carter Bullard wrote:
> [...]
> > 
> >    If we allow argus to specify the pid file directory,
> > we can prevent bad pid filename choices, if we support
> > pid filenames, then we can't prevent anything, which is
> > ok at one level, and somewhat irresponsible on the other?
> 
> The situation still remains, if a malicious user has sufficient access[1]
> to create an arbitrary PID file, why would he need argus to create the pid
> file for him? I mean, why can't he simply "echo somepid > /var/run/identd.run"?
> argus should run under the assumption that it trusts its users. This sort
> of attack can only be carried out by a user with relevant access.
> I will not reiterate my claims further, because I believe I've made myself
> pretty clear.
> 
> 	Regards, Yotam Rubin
> 
> 
> [1] Of course, argus can be setuid root, but then the admin has an entirely
>     different set of problems.
> 
> > 
> >    Suggestions?
> > 
> > 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York  10022
> > 
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax   +1 212 588-9134
> > http://qosient.com
> > 
> 
> 
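
Added example, not part of the original thread and not argus source code: one way a daemon that accepts a caller-chosen pid file name can still refuse symlinks, non-regular files and a pid file owned by a live process. The helper name write_pidfile and the default path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not argus code. Returns 0 on success, -1 if the
 * path is unsafe or a live process already owns the pid file. */
int write_pidfile(const char *path, pid_t self)
{
    char buf[32];
    struct stat st;
    long old = 0;
    ssize_t r;
    /* Never follow a symlink; O_NONBLOCK avoids hanging on a FIFO. */
    int n, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd >= 0) {
        if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
        r = read(fd, buf, sizeof(buf) - 1);
        close(fd);
        if (r > 0) { buf[r] = '\0'; old = strtol(buf, NULL, 10); }
        /* kill(pid, 0) only probes; EPERM still means the process exists. */
        if (old > 0 && (kill((pid_t)old, 0) == 0 || errno == EPERM))
            return -1;
        if (unlink(path) != 0)       /* stale or unparsable: replace it */
            return -1;
    } else if (errno != ENOENT) {
        return -1;                   /* symlink, permission problem, ... */
    }

    /* O_EXCL: fail if anything appeared at the path since the check above. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    n = snprintf(buf, sizeof(buf), "%ld\n", (long)self);
    if (write(fd, buf, (size_t)n) != n) { close(fd); unlink(path); return -1; }
    return close(fd);
}

int main(int argc, char **argv)
{
    /* "./example.pid" is a constructed default path for the demo. */
    const char *path = argc > 1 ? argv[1] : "./example.pid";
    return write_pidfile(path, getpid()) == 0 ? 0 : 1;
}
```

The unlink-then-create step still assumes the containing directory is writable only by trusted users, which is the directory-restriction side of the discussion above.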


