From owner-freebsd-hackers  Mon Feb 24 17:25:40 1997
Return-Path: <owner-hackers>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id RAA07746
          for hackers-outgoing; Mon, 24 Feb 1997 17:25:40 -0800 (PST)
Received: from sasami.jurai.net (root@sasami.jurai.net [207.172.25.144])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA07194;
          Mon, 24 Feb 1997 17:15:00 -0800 (PST)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.5/8.8.3) with SMTP id UAA20229; Mon, 24 Feb 1997 20:14:15 -0500 (EST)
Date: Mon, 24 Feb 1997 20:14:15 -0500 (EST)
From: "Matthew N. Dodd" <winter@jurai.net>
To: Nate Johnson <nate@ncsu.edu>
cc: Julian Elischer <julian@whistle.com>, adrian@obiwan.aceonline.com.au,
        jehamby@lightside.com, hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
In-Reply-To: <9702242229.AA03727@biohazard.csc.ncsu.edu>
Message-ID: <Pine.BSI.3.95.970224201136.12054F-100000@sasami.jurai.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Feb 1997, Nate Johnson wrote:
> %well the security audit should pick up any new suid files each night,
> Except the case where the hacker truly knows what they're doing, in which
> case, the security audit will be worthless.  root can modify any files he
> wants, including the database used to compare suid files against. =(

Tripwire suggests storing the file signature database on a hardware
protected read only device.  Say a SCSI drive with WP on.

I'm not that paranoid so running in secure level 1 with the database set
schg is good enough for me.

Have a good one.

/* 
   Matthew N. Dodd		| A memory retaining a love you had for life	
   winter@jurai.net		| As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53	
*/