From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 01:56:56 2003
Message-Id: <5.2.1.1.0.20030916104158.00a70550@device.dyndns.org>
Date: Tue, 16 Sep 2003 10:51:02 +0200
To: freebsd-security@freebsd.org
From: "Guy P."
In-Reply-To: <20030916105523.K69601-100000@gandalf.raditex.se>
References: <20030916101414.54b145ca.db@traceroute.dk>
Subject: Re: boot -s - can i detect intruder
List-Id: Security issues [members-only posting]

At 12:57 16/09/2003, you wrote:
>On Tue, 16 Sep 2003, Socketd wrote:
>
>> The BSD box is shut down and run again many times a day.
>
>Why is the box shut down??? Are you doing kernel development or
>advanced device driver development? Why are you many persons
>on such a system in that case? And if you are doing kernel
>development all must have root access anyway?
>
>There is *no* reason to shut down the system in ordinary
>maintenance!
>
>GH

As far as I understood him, he meant that *someone who should not* is rebooting his machine, perhaps trying to use "boot -s" to get more access.

To answer the question, I think there is no definitive way to stop a motivated "hacker" with physical access to a machine from doing whatever he wants - he could even plug in another dd to boot from, etc... If that box needs protection, try to find a way to forbid physical access.

I'm not sure about that, but I seem to remember that the default behaviour when using "boot -s" is to mount only the root partition, and read-only, thus the "nothing logged".

If you want to catch that bugger, you could use a hardware keystroke logger - but then, it's perhaps an oversized solution (costwise) depending on how important it is for you to get him/her.

Unserious BOFH suggestion: plug in a "specially crafted" keyboard with the CTRL-ALT-DEL key sequence triggering funny events of your choice (alarm ring, AC power delivery to the culprit's fingers, ...)

--
Guy