From owner-freebsd-security Sun Jun 25 19:18:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 61F6E37B7AE for ; Sun, 25 Jun 2000 19:18:42 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 5293 invoked by uid 0); 26 Jun 2000 02:18:39 -0000
Received: from p3e9e7936.dip.t-dialin.net (HELO speedy.gsinet) (62.158.121.54) by mail.gmx.net with SMTP; 26 Jun 2000 02:18:39 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA24991 for security@FreeBSD.ORG; Sun, 25 Jun 2000 22:35:49 +0200
Date: Sun, 25 Jun 2000 22:35:49 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000625223549.I9883@speedy.gsinet>
Mail-Followup-To: security@FreeBSD.ORG
References: <4.3.2.20000625122615.00afbf00@207.227.119.2> <13330.961956810@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <13330.961956810@critter.freebsd.dk>; from phk@critter.freebsd.dk on Sun, Jun 25, 2000 at 08:13:30PM +0200
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
>
> Jails(8) are probably the currently safest way to do it, but
> not the most "authentic" looking way. Finding out that you're
> in a jail is trivial and I presume that it will become common
> knowledge for script-kiddies RSN.

Besides the /proc/$PID/status field and the 'J' in ps' status field - which I feel to be cosmetic or for plain information and not really the final word - what other criteria would there be to check? I can't think of any -- at least not a reliable one. The lack of /dev/ directory entries or the little volume :) of the /kernel image is something one can take action against. Would it hurt to have a knob turning off the first two flags mentioned above?

Is any piece of software "aware" of its being jailed? Does any piece of software _have_ to know about its running in such an environment? Failing syscalls (routing, ifconfig, etc.) could fail as well because of securelevels that have been set. So this is nothing new or distinguishing.

Strictly speaking there could be a criterion: the ps output length (or its equivalent in a kernel's table). And this could be faked just as well as root kits bring their own ps and ls with them to hide some processes or files -- why not "invent" some processes in the very same way (init, swapper, gettys, etc.)?

This leads to the question: Was the intent behind the jail(2) mechanism to isolate a process group or was it to fake a machine? I guess it was the former, but it could be turned into the latter. And I'm sure you will tell me if I'm wrong. :)

virtually yours
   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
   Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
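The heuristics Gerhard runs through above (the 'J' in the ps status column, the /proc/$PID/status field, the ps output length with its missing swapper/init/gettys, the sparse /dev) written out as a small shell script. This is an added example for this archive page, not code from the thread, from Gerhard, or from FreeBSD. Two things in it are assumptions rather than facts taken from the message: that ps(1) marks a jailed process with a trailing J in its STAT column, and that the last whitespace-separated field of /proc/<pid>/status is the jail marker with "-" meaning "not jailed". The sample ps and procfs text is constructed so the functions can be exercised offline; `--live` runs them against the host you are on.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post: a few of the
# jail-detection heuristics discussed in the thread, as shell functions that
# read ps(1) / procfs text from stdin so they can be exercised offline.
# Assumptions (not verified against any specific FreeBSD release):
#   - ps(1) marks jailed processes with a trailing 'J' in the STAT column;
#   - the last whitespace-separated field of /proc/<pid>/status is the jail
#     marker, "-" when the process is not jailed.

# Constructed sample "ps -ax" output for a whole host: swapper, init and a
# getty are visible and nothing carries the J flag.
SAMPLE_HOST_PS="$(cat <<'EOF'
  PID TT  STAT    TIME COMMAND
    0  -  DLs  0:00.02 (swapper)
    1  -  ILs  0:00.01 /sbin/init --
  123  -  Ss   0:00.03 /usr/sbin/syslogd -s
  321 v0  Is+  0:00.01 /usr/libexec/getty Pc ttyv0
EOF
)"

# Constructed sample "ps -ax" output as seen from inside a jail: only the
# jail's own daemons, every one of them flagged J, no swapper/init/getty.
SAMPLE_JAIL_PS="$(cat <<'EOF'
  PID TT  STAT    TIME COMMAND
 4567  -  SsJ  0:00.02 /usr/sbin/syslogd -s
 4589  -  IsJ  0:00.01 /usr/sbin/sshd
 4601  -  IsJ  0:00.01 /usr/sbin/cron
EOF
)"

# Constructed /proc/<pid>/status lines in the assumed layout described above.
SAMPLE_HOST_STATUS='init 1 0 1 1 -1,-1 noflags 961956810,0 0,0 0,0 select 0 0 0 -'
SAMPLE_JAIL_STATUS='syslogd 4567 1 4567 4567 -1,-1 noflags 961956810,0 0,0 0,0 select 0 0 0 honeypot'

# Succeed (exit 0) when any STAT field of the ps output on stdin contains J.
ps_has_jailed_flag() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "STAT") col = i; next }
         col && $col ~ /J/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Print the number of processes listed (header line excluded): the
# "ps output length" criterion.
ps_process_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Succeed when the listing lacks the kernel/init processes a whole host shows.
ps_missing_host_processes() {
    ! grep -Eq '\(swapper\)|/sbin/init'
}

# Succeed when the status line on stdin ends in a jail marker other than "-".
procfs_status_jailed() {
    awk '{ last = $NF } END { exit((last != "" && last != "-") ? 0 : 1) }'
}

# Print the number of entries in a directory (a jail's /dev is usually sparse).
dev_entry_count() {
    ls -1 "${1:-/dev}" 2>/dev/null | wc -l | tr -d ' '
}

# Run the heuristics against the live system (FreeBSD with procfs mounted).
jail_report() {
    ps -ax 2>/dev/null | ps_has_jailed_flag && echo "ps: J flag present"
    echo "ps: $(ps -ax 2>/dev/null | ps_process_count) processes visible"
    ps -ax 2>/dev/null | ps_missing_host_processes && echo "ps: no swapper/init"
    [ -r "/proc/$$/status" ] && procfs_status_jailed < "/proc/$$/status" \
        && echo "procfs: jail marker in /proc/$$/status"
    echo "/dev: $(dev_entry_count /dev) entries"
}

# Offline self-check against the constructed samples; --live probes this host.
case "${1:-}" in
    --live) jail_report ;;
    *)
        printf '%s\n' "$SAMPLE_JAIL_PS" | ps_has_jailed_flag && echo "sample jail: J flag"
        printf '%s\n' "$SAMPLE_HOST_PS" | ps_has_jailed_flag || echo "sample host: no J flag"
        ;;
esac
```

Each check is a signal that the message itself calls unreliable: the J flag and the procfs field are what a "knob" could switch off, and the process-count and missing-init checks are exactly what a rootkit-style fake ps defeats. The script reports them separately rather than combining them into a verdict for that reason.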