From owner-freebsd-security  Thu Dec 21  0:11: 9 2000
From owner-freebsd-security@FreeBSD.ORG  Thu Dec 21 00:11:07 2000
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from xgate4.sd.co.nz (ns.netxsecure.com [210.55.57.156])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5923437B402; Thu, 21 Dec 2000 00:11:06 -0800 (PST)
Received: from netxsecure.net (xmgate-172-2.sd.co.nz [172.16.30.2])
	by xgate4.sd.co.nz (8.11.0/8.11.0) with ESMTP id eBL8KvE10137;
	Thu, 21 Dec 2000 21:20:58 +1300 (NZDT)
Sender: mike@netxsecure.net
Message-ID: <3A41BE58.76ECD6A9@netxsecure.net>
Date: Thu, 21 Dec 2000 21:24:56 +1300
From: "Michael A. Williams" <mike@netxsecure.net>
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.5-22 i586)
X-Accept-Language: en
MIME-Version: 1.0
To: security@FreeBSD.ORG
Cc: Kris Kennaway <kris@FreeBSD.ORG>
Subject: Re: Read-Only Filesystems
References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> <20001220182936.H22288@citusc.usc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Archived: msg.Wvp13986@xgate4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
> On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The only way I could think of to do his securely in the current
> > implementation is to chflags most of the etc dir (with the exception
> > of files that did need to be cahnged like passwd master.passwd
> > aliases, etc.).. mainly the rc files.. but this makes administering
> > remotely a pain in the ass.. Of course, security in many cases comes
> > with a hassle factor.
> 
> Don't forget chflags'ing every binary involved in the startup process,
> too. And all of your kernel modules. And the boot loader and its
> config files. And all of the appropriate directories. And /etc/fstab
> so null or union mounts can't be used to shadow a protected file...you
> get the picture :-)

Securelevel 2 should not allow loading of kernel modules.

Mike.
-- 
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message