Date: Sun, 19 Sep 1999 13:33:48 -0600
From: Nate Williams <nate@mt.sri.com>
To: Brett Glass <brett@lariat.org>
Cc: Wes Peters <wes@softweyr.com>, "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, Warner Losh <imp@village.org>, security@FreeBSD.ORG
Subject: Re: Real-time alarms
Message-ID: <199909191933.NAA25843@mt.sri.com>
In-Reply-To: <4.2.0.58.19990918201409.047f9f00@localhost>
References: <199909180612.AAA00597@harmony.village.org> <4.2.0.58.19990918093306.047917c0@localhost> <37E4449B.ADDD68EE@softweyr.com> <4.2.0.58.19990918201409.047f9f00@localhost>
> >This is what we're talking about with the auditing facility. There are
> >a lot of architectural issues to be solved, starting with "what is an
> >alarm" and ending with "how do I securely transmit the alarms to those
> >who need to know about them"?
> >
> >Fun stuff, eh?
>

Loads. My company is doing a lot of research work in this area, and I'm
involved on the periphery on a number of them. Suffice it to say that
there are some huge hurdles to cross that no-one has any good ideas on
how to solve the problems.

> Indeed. Fortunately, many of the tools are already available. E-mail comes
> to mind as the simplest solution to the above, though certainly not the
> only one.

And a very poor one. Email is trivial to forge and/or snarf, and is not
secure by any stretch of the imagination.

One of the rules that you must think about is that

1) They have root, you just don't know it.

No system is 100% secure (except one that is smashed into billions of
tiny pieces), and there is no way to completely protect a system from
being broken into. If you believe that it is possible, then the
conversation can stop.

2) You want to be informed that they *have* broken into the system ASAP.

The bottom line is that you want to make your system difficult to get
into, as well as make it *very* hard for them to do anything bad on the
system before you have a chance to respond.

Case in point. Tripwire is *NOT* a break-in-avoidance system, it's a
break-in-detection system. Break-in detection systems are at best poor
and at worst useless, and so far no-one has found a way to make them any
better. :(

Nate
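As an added illustration of the two points made above (Tripwire-style checking only detects a change after it has happened, and an alarm channel needs to resist forgery), here is a small baseline/verify routine with an HMAC tag on each alarm; this is example code written for this archive page, not Tripwire's code or anything from the thread, and the watched file, its contents and the key are constructed.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List

def digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the known-good digest of each watched file."""
    return {p: digest(p) for p in paths}

def verify(baseline: Dict[str, str]) -> List[str]:
    """Compare current state with the baseline; one alarm string per finding.
    This only reports changes after the fact; it prevents nothing, and the
    baseline itself must live somewhere an intruder with root cannot edit."""
    alarms = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alarms.append(f"MISSING {path}")
        elif not hmac.compare_digest(digest(path), expected):
            alarms.append(f"MODIFIED {path}")
    return alarms

def tag_alarm(key: bytes, alarm: str) -> str:
    """HMAC tag so the recipient can reject forged or altered alarm messages
    (plain e-mail carries no such protection)."""
    return hmac.new(key, alarm.encode(), hashlib.sha256).hexdigest()

def alarm_is_genuine(key: bytes, alarm: str, tag: str) -> bool:
    return hmac.compare_digest(tag_alarm(key, alarm), tag)

def demo() -> List[str]:
    """Constructed scenario: baseline a file, alter it, verify again."""
    watched = os.path.join(tempfile.mkdtemp(), "config")  # constructed file
    with open(watched, "w") as f:
        f.write("setting=original\n")
    baseline = build_baseline([watched])
    clean = verify(baseline)                 # [] before any change
    with open(watched, "a") as f:
        f.write("setting=changed\n")         # simulated unauthorised edit
    return clean + verify(baseline)          # ['MODIFIED <path>']
```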
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909191933.NAA25843>