From owner-freebsd-security Mon Feb 11 18:45:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67])
	by hub.freebsd.org (Postfix) with ESMTP id A8ED037B64A
	for ; Mon, 11 Feb 2002 18:19:04 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
	by newman2.bestweb.net (Postfix) with ESMTP id 1A5E4232D5
	for ; Mon, 11 Feb 2002 21:17:59 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
	id BBBBC9F3B5; Mon, 11 Feb 2002 21:12:40 -0500 (EST)
Date: Sun, 10 Feb 2002 18:16:00 -0500
From: Bill Vermillion
To: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Reply-To: bv@wjv.com
Message-Id: <20020212021240.BBBBC9F3B5@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Sat, 9 Feb 2002 01:31:08 -0800 (PST)
> From: "f.johan.beisser"
> Subject: Re: Is the technique described in this article do-able with
>
> On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote:
> > | actually, if you're going that route, it's easier to strip
> > | the kernel down, lock everything nicely with a securelevel
> > | (read up in init(8) about this), and remount all of the drives
> > | read only. there's nothing preventing anyone from doing that.
> > | there's also nothing to prevent you from booting from a drive,
> > | and loading all the tools you need in to a ramdisk, and just
> > | using that..
> > | of course, this is going a bit more hardcore than most people
> > | want or would.
> > But saner than trying to get the box to partially halt d8)
> perhaps. i think it's a sane way to handle a firewall. if you're
> going to log it, you should be logging either to another machine
> or to a printer for hardcopy. better to do both, since the
> hardcopy is not really alterable. but this is not something for
> the home user..

Hardcopy is fairly hard to search with a text editor though :-)

If you worry about the logs being alterable - and you did suggest
logging to a second machine - then you have a real problem with
security I'd guess.

You could always run chflags on the logging machine to make the
logs append only. Wouldn't that take care of the problem of being
alterable without having to use hardcopy?

-- 
Bill Vermillion - bv @ wjv . com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
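
Added example, not part of the original message: a small audit that ties the chflags suggestion to the securelevel mentioned earlier in the thread, since the system append-only flag (sappnd) only resists root once kern.securelevel is above 0. The function names and the default log paths are assumptions made for illustration.

```python
import os
import stat
import subprocess
import sys

def assess(st_flags, securelevel):
    """Rate how well BSD file flags protect a log from rewriting."""
    if st_flags & stat.SF_APPEND:
        # sappnd: only root may clear it, and not even root once
        # kern.securelevel is above 0 (see init(8)).
        if securelevel > 0:
            return "append-only, locked by securelevel"
        return "append-only, but root can clear the flag"
    if st_flags & stat.UF_APPEND:
        # uappnd: the file's owner can clear it at any securelevel.
        return "append-only, but owner can clear the flag"
    return "alterable"

def audit(paths, securelevel):
    """Return {path: rating}; platforms without st_flags count as 0."""
    report = {}
    for path in paths:
        flags = getattr(os.lstat(path), "st_flags", 0)
        report[path] = assess(flags, securelevel)
    return report

def current_securelevel():
    """Read kern.securelevel; fall back to -1 where sysctl lacks it."""
    try:
        out = subprocess.run(["sysctl", "-n", "kern.securelevel"],
                             capture_output=True, text=True, check=True)
        return int(out.stdout.strip())
    except (OSError, subprocess.CalledProcessError, ValueError):
        return -1

if __name__ == "__main__":
    # Default paths are assumptions; pass the real log files as arguments.
    logs = sys.argv[1:] or ["/var/log/messages", "/var/log/security"]
    level = current_securelevel()
    present = [p for p in logs if os.path.exists(p)]
    for path, rating in audit(present, level).items():
        print(f"{path}: {rating} (securelevel {level})")
```

Log rotation has to be planned around the flag, because a file marked append-only cannot be renamed or truncated while the flag is set.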