Date: Thu, 21 Dec 2000 21:24:56 +1300
From: "Michael A. Williams" <mike@netxsecure.net>
To: security@FreeBSD.ORG
Cc: Kris Kennaway <kris@FreeBSD.ORG>
Subject: Re: Read-Only Filesystems
Message-ID: <3A41BE58.76ECD6A9@netxsecure.net>
References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> <20001220182936.H22288@citusc.usc.edu>

Kris Kennaway wrote:
> On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The only way I could think of to do this securely in the current
> > implementation is to chflags most of the etc dir (with the exception
> > of files that did need to be changed like passwd master.passwd
> > aliases, etc.).. mainly the rc files.. but this makes administering
> > remotely a pain in the ass.. Of course, security in many cases comes
> > with a hassle factor.
>
> Don't forget chflags'ing every binary involved in the startup process,
> too. And all of your kernel modules. And the boot loader and its
> config files. And all of the appropriate directories. And /etc/fstab
> so null or union mounts can't be used to shadow a protected file...you
> get the picture :-)

Securelevel 2 should not allow loading of kernel modules.

Mike.

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net
www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message