Date:      Sun, 25 Jun 2000 22:35:49 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        security@FreeBSD.ORG
Subject:   Re: jail(8) Honeypots
Message-ID:  <20000625223549.I9883@speedy.gsinet>
In-Reply-To: <13330.961956810@critter.freebsd.dk>; from phk@critter.freebsd.dk on Sun, Jun 25, 2000 at 08:13:30PM +0200
References:  <4.3.2.20000625122615.00afbf00@207.227.119.2> <13330.961956810@critter.freebsd.dk>

On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
> 
> Jails(8) are probably the currently safest way to do it, but
> not the most "authentic" looking way.  Finding out that you're
> in a jail is trivial and I presume that it will become common
> knowledge for script-kiddies RSN.

Besides the /proc/$PID/status field and the 'J' in ps' status
field - which I feel to be cosmetic or for plain information and
not really the final word - what other criteria would there be to
check?  I can't think of any -- at least not a reliable one.  The
lack of /dev/ directory entries or the little volume :) of the
/kernel image is something one can take action against.

Would it hurt to have a knob turning off the first two flags
mentioned above?  Is any piece of software "aware" of its being
jailed?  Does any piece of software _have_ to know about its
running in such an environment?  Failing syscalls (routing,
ifconfig, etc) could fail as well because of set securelevels.
So this is nothing new or distinguishing.

Strictly speaking there could be a criterion:  the ps output
length (or its equivalent in a kernel's table).  And this could
be faked just as well as root kits bring their own ps and ls with
them to hide some processes or files -- why not "invent" some
processes in the very same way (init, swapper, gettys, etc)?

This leads to the question:  Was the intent behind the jail(2)
mechanism to isolate a process group or was it to fake a machine?
I guess it was the former, but could be turned into the latter.
And I'm sure you will tell me if I'm wrong. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000625223549.I9883>