From owner-freebsd-security Sun Jun 14 14:45:55 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 22:45:17 +0100
In-Reply-To: Eivind Eklund "Re: bsd securelevel patch question" (Jun 14, 11:21pm)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Eivind Eklund, Niall Smart, dima@best.net, Darren Reed
Subject: Re: bsd securelevel patch question
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jun 14, 11:21pm, Eivind Eklund wrote:
} Subject: Re: bsd securelevel patch question
> On Sun, Jun 14, 1998 at 11:23:53AM +0100, Niall Smart wrote:
> >
> > What use are securelevels without propagating the immutable flag?
>
> They can assure that a correct system comes up again after a boot,
> with logs of at least the point of attack. This can be a dramatic
> improvement.
Yes, that is an improvement, but not much of one if no logs of the attack were generated (which is a very likely scenario; I have never seen logs of an attack, only attempted attacks), or if the attacker controls the program you are using to view the logs, or if the attacker controls the syslogd, ensuring no suspicious log entries subsequent to the intrusion ever reach the log files.

Propagating the immutable flag leads to a dramatic improvement; not propagating it leads to a meagre improvement. In fact it could be construed as taking a step backwards due to overconfidence in the security of the system just because the secure levels wand has been waved.

I still haven't heard one convincing argument for not propagating the immutable flag, and have given plenty for.

Niall
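An added audit script (not part of Niall's message or of the FreeBSD tree) for the mitigation the thread is arguing about: at kern.securelevel >= 1 the system-immutable (schg) and system-append-only (sappnd) flags cannot be cleared even by root, so syslogd, the program used to read the logs, and the log files themselves can be pinned down before securelevel is raised. It parses constructed `ls -lo` output rather than a live system; the file paths and the assignment of schg to binaries and sappnd to everything under /var/log are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. On FreeBSD `ls -lo`
# prints the file flags as the fifth column ("-" when none are set).

# has_flag LINE FLAG: return 0 if the ls -lo line carries FLAG, else 1.
has_flag() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *",$2,"*) return 0 ;;        # flags are comma separated, e.g. uchg,schg
        *)        return 1 ;;
    esac
}

# audit_flags: read ls -lo lines on stdin; binaries must carry schg,
# anything under /var/log must carry sappnd. Returns 1 if any file is bare.
audit_flags() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=$(printf '%s\n' "$line" | awk '{print $NF}')
        case "$path" in
            /var/log/*) want=sappnd ;;   # logs: append-only, never rewritten
            *)          want=schg   ;;   # syslogd and the log viewer: immutable
        esac
        if has_flag "$line" "$want"; then
            echo "ok      $path ($want)"
        else
            echo "MISSING $path needs $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ls -lo` output (assumed paths); the viewer has
# no flags set, so a root-level intruder could replace it and hide entries.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg    54208 Jun 14  1998 /usr/sbin/syslogd
-rw-r-----  1 root  wheel  sappnd   8123 Jun 14  1998 /var/log/messages
-r-xr-xr-x  1 root  wheel  -      101440 Jun 14  1998 /usr/bin/less'

printf '%s\n' "$SAMPLE" | audit_flags || echo "some files lack the required flag"
```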