From owner-freebsd-hackers Mon Mar 11 12:49:44 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from artemis.drwilco.net (diana.drwilco.net [66.48.127.79]) by hub.freebsd.org (Postfix) with ESMTP id 0492F37B402 for ; Mon, 11 Mar 2002 12:49:42 -0800 (PST)
Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g2BKneV54414 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO) for ; Mon, 11 Mar 2002 15:49:42 -0500 (EST) (envelope-from drwilco@drwilco.net)
Message-Id: <5.1.0.14.0.20020311220030.01c3ace0@mail.drwilco.net>
X-Sender: lists@mail.drwilco.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 11 Mar 2002 22:00:41 +0100
To: freebsd-hackers@FreeBSD.ORG
From: "Rogier R. Mulhuijzen"
Subject: RE: logging securelevel violations
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>I think this would be useful, but I would be concerned about the rate at
>which these messages could come when someone is actively attacking a system.
>Perhaps such messages could go through a rate limiter mechanism similar to
>that now used by the network interfaces.

syslogd already has a "last message repeated N times".

Also, most things you do that are negated by securelevel you can only do as root, so I don't see how someone without elevated privileges could fill up your logs with these messages anyway.

These audit messages could be a nice way of finding out that someone has root when they shouldn't. And if root is compromised you have bigger things to worry about than overflowing log files.

I personally think this would be very useful. Maybe supply a sysctl for turning it on and off. And for the newbies in the house, turn it on by default. That way the "Why can't I get this to work?" caused by securelevel settings would be answered a lot quicker.

I'm still a junior kernel hacker myself, but I'd say this would be a perfect junior kernel hacker project.

Doc

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
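The two points raised in the message above, that syslogd's "last message repeated N times" already collapses repeats, and that securelevel denials are a useful signal that someone is running as root when they should not be, can be seen on sample log lines. The block below is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from syslogd. The syslog lines are constructed, and the "securelevel N: pid ... denied" wording is a placeholder: the kernel message being proposed did not exist at the time and its real format is not given on the page. The repeat collapser models syslogd's documented behaviour (consecutive identical messages only), and the test shows the caveat behind the rate-limiting concern: two distinct messages that interleave are never collapsed.

```python
"""Added example: model syslogd repeat suppression and extract
securelevel denials from a syslog stream. Log format is constructed."""
import re

# Constructed sample. The "securelevel" message wording is hypothetical;
# the page does not specify what the proposed kernel message would say.
SAMPLE_LOG = """\
Mar 11 21:58:01 host kernel: securelevel 2: pid 812 (chflags) uid 0: clearing schg denied
Mar 11 21:58:01 host kernel: securelevel 2: pid 812 (chflags) uid 0: clearing schg denied
Mar 11 21:58:01 host kernel: securelevel 2: pid 812 (chflags) uid 0: clearing schg denied
Mar 11 21:58:02 host sshd[640]: Accepted publickey for doc from 213.84.68.230
Mar 11 21:58:03 host kernel: securelevel 2: pid 813 (kldload) uid 0: module load denied
Mar 11 21:58:03 host kernel: securelevel 2: pid 812 (chflags) uid 0: clearing schg denied
Mar 11 21:58:03 host kernel: securelevel 2: pid 813 (kldload) uid 0: module load denied
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Hypothetical denial message layout used by the constructed sample.
SECURELEVEL_RE = re.compile(
    r"^securelevel (?P<level>\d+): pid (?P<pid>\d+) \((?P<comm>[^)]+)\) "
    r"uid (?P<uid>\d+): (?P<what>.*) denied$"
)


def parse(line):
    """Split a syslog line into timestamp, host, tag and message, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def collapse_repeats(lines):
    """Model of syslogd's repeat suppression.

    A run of consecutive identical messages (same host, tag and text; the
    timestamp is ignored) is emitted once, followed by
    "last message repeated N times" where N is the number of extra copies.
    Repeats that are separated by any other message are not collapsed, so
    two different denial messages arriving alternately defeat this entirely.
    """
    out = []
    prev_key = None
    repeats = 0
    for line in lines:
        rec = parse(line)
        key = (rec["host"], rec["tag"], rec["msg"]) if rec else line
        if key == prev_key:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(line)
        prev_key = key
        repeats = 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


def securelevel_denials(lines):
    """Count securelevel denial messages per (uid, command, action).

    Only the kernel emits these, and only a root process can trip most
    securelevel checks, so an unexpected (uid, command) here is the
    "someone has root when they shouldn't" signal from the thread.
    """
    counts = {}
    for line in lines:
        rec = parse(line)
        if not rec or rec["tag"] != "kernel":
            continue
        m = SECURELEVEL_RE.match(rec["msg"])
        if not m:
            continue
        key = (int(m["uid"]), m["comm"], m["what"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for entry in collapse_repeats(lines):
        print(entry)
    for (uid, comm, what), n in sorted(securelevel_denials(lines).items()):
        print(f"uid {uid} {comm}: {what} denied x{n}")
```

On the sample, three identical chflags lines collapse to one line plus "last message repeated 2 times", but the later chflags and kldload denials alternate and are all written out, which is the case the quoted reply is worried about. The denial counter ignores the collapsing and reports 4 chflags and 2 kldload denials for uid 0, which is the audit view the message argues for.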