Tech Support Cracks the Case: Finding Answers Fast In the Middle of an Audit
Systems analysis reveals critical security flaw
In January 2008, a large company was undergoing an audit by a major public accounting firm when its auditor found a few world-writable files—or files anyone could alter—in the company's UNIX file system. This amounted to a potentially serious security flaw. To protect sensitive financial data, the company uses Symantec Enterprise Security Manager to identify just this type of issue, and immediately catch any vulnerabilities or deviations in the security policies of its applications and servers. Enterprise Security Manager should have been flagging the same files for security violations, but it wasn't.
The company called Symantec for support, and was told they would receive a quick response due to the critical nature of the audit situation. The task of diagnosing the problem was assigned to Nick, an experienced engineer.
"The customer needed to know if the product was configured incorrectly or if there was a bug in our software," Nick says. "Either way, the company needed a response within 24 hours or it could potentially fail the audit, which could open it to legal liability."
Nick began to delve into the wildcarding syntax that controls how Enterprise Security Manager looks for files, telling it to stop at a particular directory level, continue down the directory tree, or look for specific file names. He suspected that the company might be trying to apply wildcard settings in the wrong place, since these settings can be specified in more than one area and module of Enterprise Security Manager.
Resolution within 24 hours
Nick ran a series of tests in a mockup environment to try to reproduce the problem. Because of the customer's high security requirements, he was not given access to its systems, which made diagnosis more challenging. Nick was able to reproduce the errors, and determined that the company had been entering the same wildcard settings in two different areas of Enterprise Security Manager. The first place the company was entering this wildcarding was cancelling out the second, causing certain files to be ignored. When the customer specified the correct wildcard nomenclature only once—and in the correct area—Enterprise Security Manager began flagging the files as expected.
There were several files, however, that the auditor's script was still flagging but Enterprise Security Manager was not. After examining the directories these files were under, Nick noticed a commonality—they were all secured with a UNIX "sticky bit." This means that no matter what the individual file permissions, nothing in the directory can be touched by anyone other than the directory owner or system superuser. Although the files were actually secure, the auditor's script was not designed to detect the sticky bit. Fortunately, the customer was able to convince the auditor that the script needed to be modified, and then subsequently passed the audit.
Effective front-line support
"Normally this kind of an issue would go to our back-line support because the product was not performing as the customer had been led to believe," says Nick. "The fact that we were able to resolve this issue on our front line is a great example of the dependable, fast support for which we strive."