Date: Thu, 11 May 2000 17:23:29 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: Paul Hart <hart@iserver.com>, freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
Message-ID: <391ADE81.77F6FF3A@algroup.co.uk>
References: <391A8A3C.795C15F7@algroup.co.uk> <Pine.BSF.4.21.0005110953510.8386-100000@anchovy.orem.iserver.com> <200005111611.MAA17380@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:
>
> <<On Thu, 11 May 2000 10:03:38 -0600 (MDT), Paul Hart <hart@iserver.com> said:
>
> > If I can root your box, what's to stop me from falsifying the
> > reference data in /var used by /etc/security to detect system
> > changes?
>
> Stupidity and inexperience.  Also, not all break-ins result in root
> compromise.

Indeed. If your box has been rooted, you're very likely stuffed.
However, it will also trap things like one luser giving their mates
access, or breaching company policy by adding their homegrown key etc.
etc. Currently, unless you went looking, you would not even know that
they had ssh access, and, as far as I'm concerned,
daily/weekly/monthly etc. are just tools that regularly go looking for
oddities for me, so the more they tell me the happier I am. For serious
security checking, you obviously cannot rely on such scripts.

Incidentally, I'm basing my patch on the openbsd scripts which do a much
more thorough job already...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?391ADE81.77F6FF3A>
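
The kind of periodic check discussed in the message above, as an added example; it is not Adam Laurie's patch and not the FreeBSD or OpenBSD scripts. The function names, the state-file names and the two directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report SSH authorized_keys entries that appeared or vanished
# since the previous run. Function names and state-file names are hypothetical.
# Caveat from the thread: the baseline lives on the same box, so anyone with
# root can falsify it. This catches the unprivileged cases only.

# snapshot_keys HOME_ROOT: print "file<TAB>entry" for every key entry found.
snapshot_keys() {
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
        2>/dev/null | sort | while IFS= read -r f; do
        # Skip blank lines and comments; tag each entry with its file.
        F="$f" awk '!/^[ \t]*(#|$)/ { print ENVIRON["F"] "\t" $0 }' "$f"
    done
}

# check_keys HOME_ROOT STATE_DIR: 0 = unchanged or first run, 1 = changed.
check_keys() {
    home_root=$1
    state_dir=$2
    cur="$state_dir/authorized_keys.today"
    prev="$state_dir/authorized_keys.yesterday"
    delta="$state_dir/authorized_keys.diff"
    mkdir -p "$state_dir" || return 2
    snapshot_keys "$home_root" > "$cur"
    if [ ! -f "$prev" ]; then
        # First run: nothing to compare against, so record the baseline.
        mv "$cur" "$prev"
        echo "baseline recorded"
        return 0
    fi
    if diff "$prev" "$cur" > "$delta"; then
        rm -f "$cur" "$delta"
        return 0
    fi
    echo "ssh authorized_keys diffs:"
    sed -n -e 's/^< /removed: /p' -e 's/^> /added:   /p' "$delta"
    rm -f "$delta"
    mv "$cur" "$prev"   # roll the baseline so each change is reported once
    return 1
}

# Run as: sh check_keys.sh /home /var/tmp/keycheck  (both paths are examples)
if [ "$#" -ge 2 ]; then
    check_keys "$1" "$2"
fi
```

Keeping the state directory writable only by root, or copying the baseline off the host, narrows the falsification problem raised in the quoted question but does not remove it.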