From: "Guy Helmer"
To: "Jeff Jirsa"
Subject: RE: logging securelevel violations
Date: Mon, 11 Mar 2002 14:02:21 -0600
Sender: owner-freebsd-hackers@FreeBSD.ORG

Jeff Jirsa wrote:
> I've noticed that currently, violations of securelevel are aborted, but not
> typically logged. It seems like in addition to aborting whichever calls are
> in progress, logging an error might be beneficial. I recognize that this
> goes along the same lines as logging file permission errors, but if a file
> is marked immutable, the implicit value of the file should suggest that one
> might want to be able to audit attempted changes to that file.

I think this would be useful, but I would be concerned about the rate at which these messages could come when someone is actively attacking a system. Perhaps such messages could go through a rate limiter mechanism similar to that now used by the network interfaces.

I am not certain whether this addition would affect the TrustedBSD work, either.

Guy Helmer
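
One way to implement the rate limiter suggested above, as an added example that is not part of the original message and not FreeBSD kernel code: a one-second window that logs at most `max_per_sec` securelevel denials and reports how many were dropped. The struct, the function names, and the sample uid, path and timestamps are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical limiter state (not a FreeBSD kernel structure). */
struct log_limiter {
    time_t window;      /* second in which the current window opened */
    int    emitted;     /* messages logged in this window */
    int    suppressed;  /* messages dropped in this window */
    int    max_per_sec; /* logging budget per one-second window */
};

/* Returns 1 if an event at `now` may be logged, 0 if it must be dropped.
 * On a window change, *carried receives the previous window's drop count. */
int limiter_allow(struct log_limiter *l, time_t now, int *carried)
{
    *carried = 0;
    if (now != l->window) {
        *carried = l->suppressed;
        l->window = now;
        l->emitted = 0;
        l->suppressed = 0;
    }
    if (l->emitted < l->max_per_sec) {
        l->emitted++;
        return 1;
    }
    l->suppressed++;
    return 0;
}

/* Log one denial through the limiter; returns 1 if a line was written. */
int log_violation(struct log_limiter *l, time_t now, int uid, const char *path)
{
    int carried, ok = limiter_allow(l, now, &carried);
    if (carried > 0)
        fprintf(stderr, "securelevel: %d similar messages suppressed\n", carried);
    if (ok)
        fprintf(stderr, "securelevel: uid %d denied write to %s\n", uid, path);
    return ok;
}

int main(void)
{
    struct log_limiter l = { 0, 0, 0, 3 };   /* budget: 3 lines per second */
    for (int i = 0; i < 10; i++)             /* constructed burst in one second */
        log_violation(&l, 1000, 1001, "/etc/master.passwd");
    log_violation(&l, 1001, 1001, "/etc/master.passwd"); /* next second */
    return 0;
}
```

The suppressed count is only reported when a later event opens a new window, so an audit trail built this way would also need a periodic flush to record drops from a burst that is never followed by another event.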