Date: Tue, 16 Sep 2003 10:51:02 +0200
From: "Guy P." <guy@device.dyndns.org>
To: freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder
Message-ID: <5.2.1.1.0.20030916104158.00a70550@device.dyndns.org>
In-Reply-To: <20030916105523.K69601-100000@gandalf.raditex.se>
References: <20030916101414.54b145ca.db@traceroute.dk>

At 12:57 16/09/2003, you wrote:
>On Tue, 16 Sep 2003, Socketd wrote:
>
> > > The BSD box is shutdown and run again many times a day.
>
>Why is the box shutdown??? Are you doing kernel development or
>advanced device driver development? Why are you many persons
>on such a system in that case? And if you are doing kernel
>development all must have root access anyway?
>
>There is *no* reason to shut down the system in ordinary
>maintenance!
>
>GH

As far as I understood him, he meant that *someone who should not* is rebooting his machine, perhaps trying to use "boot -s" to get more access.

To answer the question, I think there is no definitive way to prevent a motivated "hacker" with physical access to a machine from doing whatever he wants - he could even plug another dd to boot from, etc... If that box needs protection, try to find a way to forbid physical access.

I'm not sure about that, but I seem to remember that default behaviour when using "boot -s" is to mount only root partition, and read-only, thus the "nothing logged".

If you want to catch that bugger, you could use a hardware keystroke logger - but then, it's perhaps an oversized solution (costwise) depending how important it is for you to get him/her.

unserious BOFH suggestion : plug a "specially crafted" keyboard with CTRL-ALT-DEL key sequence triggering funny events of your choice (alarm ring, AC power delivery to the culprit fingers, ...)

--
Guy