From: Tim Clewlow <tim1timau@yahoo.com>
To: Dan Lukes, freebsd security <freebsd-security@freebsd.org>
Date: Mon, 14 Jan 2008 16:15:49 -0800 (PST)
Subject: Re: Anti-Rootkit app
In-Reply-To: <478BB3DA.5070302@obluda.cz>
Message-ID: <965729.35921.qm@web50310.mail.re2.yahoo.com>
List-Id: "Security issues [members-only posting]"

--- Dan Lukes wrote:

> > I need to install an anti-rootkit
>
> If I understand correctly, an intruder needs to be superuser to be able
> to install a rootkit.
>
> If our intruders have superuser privileges, they can tamper with any
> anti-rootkit.
>
> Is the main reason to install an anti-rootkit that we count on the intruders
> being so dumb as to look for one of the ports' anti-rootkit packages before
> they do their dirty work?
>
> Or am I missing something important?
>
> Dan

One solution would be to have /var/log/auth.log tailed out via a serial port
to another computer that is not accessible via a network, or have it sent to a
printer for a permanent hard copy. It all depends on how much you really want
to do in regard to security.

Cheers, Tim.
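The one-way serial copy Tim describes, as an added example that is not part of the original post: the sender pushes the auth log out a serial line with tail(1), and the receiving host compares its copy against the local file to spot lines a root-level intruder later removed. The device name /dev/cuau0, the speed and the sample log lines are assumptions I constructed here.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Device /dev/cuau0 and 9600 baud are assumptions; adjust for your hardware.

# Sender side: every new line of the auth log goes out the serial port.
# Nothing is ever read back from the line, so the receiver stays out of
# reach of a compromised network-facing host.
forward_auth_log() {
    log=${1:-/var/log/auth.log}
    dev=${2:-/dev/cuau0}
    stty -f "$dev" 9600 cs8 -parenb -cstopb clocal   # FreeBSD stty takes -f <device>
    tail -F "$log" > "$dev"
}

# Receiver side: print lines present in the serial copy but absent from the
# local log. Any output means the local file was truncated or edited after
# the line had already left the machine.
lines_missing_locally() {
    local_log=$1
    serial_copy=$2
    a=$(mktemp); b=$(mktemp)
    sort -u "$local_log" > "$a"
    sort -u "$serial_copy" > "$b"
    comm -13 "$a" "$b"          # -13: keep only lines unique to the serial copy
    rm -f "$a" "$b"
}

# Constructed sample: the serial copy still holds a root login that the
# local auth.log no longer contains.
demo_check() {
    loc=$(mktemp); ser=$(mktemp)
    printf '%s\n' \
        'Jan 14 16:10:01 host sshd[1234]: Accepted publickey for tim from 203.0.113.5 port 40022' > "$loc"
    printf '%s\n' \
        'Jan 14 16:10:01 host sshd[1234]: Accepted publickey for tim from 203.0.113.5 port 40022' \
        'Jan 14 16:12:44 host sshd[1300]: Accepted password for root from 198.51.100.7 port 51010' > "$ser"
    lines_missing_locally "$loc" "$ser"
    rm -f "$loc" "$ser"
}
```

Run demo_check to see the deleted root-login line reported; on a real deployment the receiver appends the serial input to its own file (for example cat < /dev/cuau0 >> auth.serial) and runs lines_missing_locally against a copy fetched by hand.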