From: markzero
To: freebsd-security@freebsd.org
Date: Thu, 22 Sep 2005 12:59:23 +0100
Subject: Re: Mounting filesystems with "noexec"
Message-ID: <20050922115923.GB73668@logik.internal.network>

[ oops, omitted the CC line to freebsd-security@ ]

May I throw in my two euros?
  security.noexec.log_bin: /sbin/trusted_logging_prog
  security.noexec.log_maxrate: N
  security.noexec.log_enabled: 0

security.noexec.log_enabled refuses to enable itself unless security.noexec.log_bin exists and has the correct permissions, etc.

security.noexec.log_maxrate is the maximum allowed number of logs per second. If this rate is exceeded, wait for a preset grace period and then if logs are still pouring in, stop accepting logs and periodically write a loud WARNING line to the log (this would be watched by something like logcheck to alert the administrator).

This would prevent the flood of logging taking out the machine and the grace period should allow enough logging to make sure we know who the culprit was.

Of course, this is all theoretical. There's most likely a glaring error or omission...

M

PS: could this be implemented with the MAC framework somehow? Isn't this sort of thing exactly what it was meant for?

-- 
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
     0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43

----- End forwarded message -----
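
The rate-limit behaviour proposed in the message above (log_maxrate, grace period, then muting with a periodic WARNING), sketched as a user-space C state machine. This is an added example, not code from the post or from FreeBSD; every name, the `grace` and `warn_every` tunables, and the rule for resuming logging are assumptions.

```c
#include <stdio.h>
/* Names are hypothetical; grace and warn_every are assumed tunables. */
enum verdict { LOG_ACCEPT, LOG_DROP, LOG_WARN };
enum state { ST_NORMAL, ST_GRACE, ST_MUTED };
struct limiter {
    unsigned maxrate, grace, warn_every; /* logs/s, seconds, seconds */
    enum state st;
    long cur_sec, grace_start, last_warn;
    unsigned count, prev;                /* requests this / previous second */
};

/* Verdict for one log request arriving at time `now` (whole seconds). */
enum verdict limiter_admit(struct limiter *l, long now)
{
    if (now != l->cur_sec) {             /* a new one-second window starts */
        l->prev = (now - l->cur_sec == 1) ? l->count : 0;
        l->count = 0;
        l->cur_sec = now;
        if (l->prev <= l->maxrate)       /* assumed recovery rule: one full */
            l->st = ST_NORMAL;           /* second at or under the limit */
    }
    l->count++;
    if (l->st == ST_NORMAL && l->count > l->maxrate) {
        l->st = ST_GRACE;                /* limit exceeded: grace period starts */
        l->grace_start = now;
    }
    if (l->st == ST_NORMAL ||
        (l->st == ST_GRACE && now - l->grace_start < (long)l->grace))
        return LOG_ACCEPT;               /* grace still logs, to name the culprit */
    if (l->st == ST_MUTED && now - l->last_warn < (long)l->warn_every)
        return LOG_DROP;                 /* stop accepting logs */
    l->st = ST_MUTED;                    /* grace over and still flooding */
    l->last_warn = now;
    return LOG_WARN;                     /* the periodic loud WARNING line */
}

/* Feed n requests in second `sec`; count those that got verdict `want`. */
unsigned feed(struct limiter *l, long sec, unsigned n, enum verdict want)
{
    unsigned hits = 0;
    while (n--) hits += (limiter_admit(l, sec) == want);
    return hits;
}

int main(void)
{
    struct limiter l = { .maxrate = 2, .grace = 2, .warn_every = 5 };
    for (long t = 100; t < 110; t++)     /* constructed flood: 3 requests/s */
        printf("t=%ld dropped=%u\n", t, feed(&l, t, 3, LOG_DROP));
    return 0;
}
```

Because everything is accepted during the grace period and logging resumes after a single quiet second, the worst-case log volume is bounded only by how those two assumed values are chosen; a longer cool-down before resuming tightens that bound.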