Date:      Fri, 8 Sep 2006 10:50:45 -0700 (PDT)
From:      "R. B. Riddick" <arne_woerner@yahoo.com>
To:        Bigby Findrake <bigby@ephemeron.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: comments on handbook chapter
Message-ID:  <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com>
In-Reply-To: <20060908101441.V90396@home.ephemeron.org>

--- Bigby Findrake <bigby@ephemeron.org> wrote:
> On Wed, 6 Sep 2006, Travis H. wrote:
> > Wouldn't it be better to detect /and/ prevent an attempt to change the
> > system binaries?
> 
> That's how I interpret that passage from the handbook - that you should 
> detect *and* prevent.  I'm not clear on how anyone is interpreting that 
> passage to suggest that unequal weight should be given to one side or the 
> other (detection vs. prevention).  The above passage all but says, "don't 
> do X because that will interfere with Y."  I just don't see that advice as 
> advocating imbalance.
> 
Hmm...

I think this "schg flag" thing should be done to all files, but invisible to a
potential attacker... <-- PROTECTION

When some attacker tries to get write access to that file or to move that file
around or so, it should result in a log message (like "BAD SU on ...")... <--
DETECTION (I think one of the first messages in this thread suggested that
already...)

And removing that flag shouldn't be so easy either. Maybe just from the
physically safe console...

-Arne
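An added example, not from the thread: a small audit that lists which files in a FreeBSD `ls -lo` listing lack the schg flag, and a check of whether the running kern.securelevel would still let anyone clear it. The sample listing and the paths in it are constructed for the offline check; the live part only runs on FreeBSD.

```shell
#!/bin/sh
# Audit schg coverage and securelevel (added example, not the list's own code).
# Assumes FreeBSD `ls -lo` layout: perms links owner group flags size date path,
# where a lone "-" in the flags column means no flags are set.

# Constructed sample of `ls -lo` output for the offline check.
SAMPLE_LS_LO='-r-xr-xr-x  1 root  wheel  schg       12104 Aug 10 12:00 /bin/ls
-r-xr-xr-x  1 root  wheel  -           8776 Aug 10 12:00 /bin/cat
-r-xr-xr-x  1 root  wheel  schg,uarch  9968 Aug 10 12:00 /bin/cp
-rw-r--r--  1 root  wheel  -           1024 Aug 10 12:00 /etc/rc.conf'

# Read `ls -lo` output on stdin; print the path of every entry whose flags
# column does not contain schg. Skips "total" lines; paths with spaces are
# not handled (the last field is taken as the path).
missing_schg() {
    awk 'NF >= 10 && $5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# Succeed if the given kern.securelevel still allows `chflags noschg`.
# Only securelevel 0 (or -1) does; at 1 or above the kernel refuses to clear
# system immutable flags, and the level cannot be lowered without a reboot.
schg_clearable_at() {
    [ "$1" -le 0 ]
}

# Live check, meaningful only on FreeBSD; skipped elsewhere.
if [ "$(uname -s)" = "FreeBSD" ]; then
    level=$(sysctl -n kern.securelevel)
    echo "kern.securelevel=$level"
    if schg_clearable_at "$level"; then
        echo "warning: schg can still be cleared at this securelevel"
    fi
    echo "files without schg:"
    ls -lo /bin/* /sbin/* | missing_schg
fi
```

On a live system the output shows what a "detect and prevent" policy is actually missing: binaries that an attacker with root could still rewrite, and whether the flag itself is locked.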




