From owner-freebsd-security Thu May 11 9:24:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id CC3B537B582 for ; Thu, 11 May 2000 09:24:30 -0700 (PDT) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id QAA10342; Thu, 11 May 2000 16:23:29 GMT
Message-ID: <391ADE81.77F6FF3A@algroup.co.uk>
Date: Thu, 11 May 2000 17:23:29 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman
Cc: Paul Hart , freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
References: <391A8A3C.795C15F7@algroup.co.uk> <200005111611.MAA17380@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
>
> < said:
>
> > If I can root your box, what's to stop me from falsifying the
> > reference data in /var used by /etc/security to detect system
> > changes?
>
> Stupidity and inexperience. Also, not all break-ins result in root
> compromise.

Indeed. If your box has been rooted, you're very likely stuffed. However, it will also trap things like one luser giving their mates access, or breaching company policy by adding their homegrown key etc. etc. Currently, unless you went looking, you would not even know that they had ssh access, and, as far as I'm concerned, daily/weekly/monthly etc. are just tools that regularly go looking for oddities for me, so the more they tell me the happier I am.

For serious security checking, you obviously cannot rely on such scripts.

Incidentally, I'm basing my patch on the openbsd scripts which do a much more thorough job already...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
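The kind of check the message is talking about (a daily-run script that notices when a user quietly gains ssh access), as an added illustration that is not Adam's patch and not the FreeBSD or OpenBSD security script. It keeps a reference copy of each user's ~/.ssh/authorized_keys under a backup directory and diffs the live file against it on every run, which is the same approach /etc/security takes with /var/backups. The function names, the home-root and backup-dir parameters, and the sample home tree built by demo() are all assumptions made for the example. Garrett's caveat applies unchanged: the reference copies sit on the same box, so anyone with root can rewrite them along with the keys; the check is for catching lusers and policy breaches, not for proving a rooted host is clean.

```shell
#!/bin/sh
# Added example, not the thread's patch: report changes to every user's
# ~/.ssh/authorized_keys by diffing against reference copies in a backup
# directory, the way /etc/security diffs files against /var/backups.
# HOMEROOT and BACKUPDIR are parameters so the check can run on a
# constructed tree for demonstration (on a real host: /home and /var/backups).

# check_authorized_keys HOMEROOT BACKUPDIR
#   Prints new, removed or changed authorized_keys files, refreshes the
#   reference copies, and returns 1 if anything changed, 0 otherwise.
check_authorized_keys() {
    homeroot=$1
    backupdir=$2
    changed=0
    mkdir -p "$backupdir"
    for home in "$homeroot"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        cur="$home/.ssh/authorized_keys"
        ref="$backupdir/$user.authorized_keys"
        if [ -f "$cur" ] && [ ! -f "$ref" ]; then
            # No reference copy yet: the user has just gained ssh access.
            echo "$user: authorized_keys appeared (new ssh access):"
            sed 's/^/    + /' "$cur"
            changed=1
        elif [ ! -f "$cur" ] && [ -f "$ref" ]; then
            # File went away: drop the stale reference copy.
            echo "$user: authorized_keys removed"
            rm -f "$ref"
            changed=1
            continue
        elif [ -f "$cur" ] && ! cmp -s "$cur" "$ref"; then
            # Contents differ: show added (+) and removed (-) key lines.
            echo "$user: authorized_keys changed:"
            diff "$ref" "$cur" | grep '^[<>]' | sed 's/^< /    - /; s/^> /    + /'
            changed=1
        else
            # Unchanged, or no file on either side.
            continue
        fi
        # Refresh the reference copy so the next run reports only new changes.
        cp -p "$cur" "$ref"
    done
    return $changed
}

# Demonstration on a constructed home tree (sample data, not a real system).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob"
    echo "ssh-ed25519 AAAAC3-sample-alice alice@laptop" > "$tmp/home/alice/.ssh/authorized_keys"
    # First run seeds the reference copies and reports alice's file as new.
    if check_authorized_keys "$tmp/home" "$tmp/backups"; then echo "no changes"; fi
    # Second run: nothing changed, nothing reported.
    if check_authorized_keys "$tmp/home" "$tmp/backups"; then echo "no changes"; fi
    # Bob gives a mate access by dropping in a key; the next run catches it.
    mkdir -p "$tmp/home/bob/.ssh"
    echo "ssh-ed25519 AAAAC3-sample-mate mate@elsewhere" > "$tmp/home/bob/.ssh/authorized_keys"
    if check_authorized_keys "$tmp/home" "$tmp/backups"; then echo "no changes"; fi
    rm -rf "$tmp"
}

demo
```

On a real host this would be called from the periodic daily script with the output going into the daily mail; the reference directory should be root-owned and mode 0700 so that ordinary users cannot pre-seed a copy of the key they are about to add.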