Date: Fri, 16 Feb 2001 09:27:02 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Ragnar Beer <rbeer@uni-goettingen.de>
Cc: freebsd-security@freebsd.org
Subject: Re: File flags
Message-ID: <20010216092702.A93835@mollari.cthul.hu>
In-Reply-To: <p04330100b6b2d6708b25@[134.76.136.114]>; from rbeer@uni-goettingen.de on Fri, Feb 16, 2001 at 02:15:31PM +0100
References: <p04330100b6b2d6708b25@[134.76.136.114]>
On Fri, Feb 16, 2001 at 02:15:31PM +0100, Ragnar Beer wrote:
> Howdy!
>
> I'm wondering which files I should protect with file flags. So far I only
> protected a couple of flags in /var/log but last week I read that someone
> suggested making files in the /bin /sbin /etc directories immutable. How much
> sense does that make?

This only makes a real difference to security if:

a) You raise the system securelevel, so that flags cannot be removed, and:

b) You make just about everything in /boot, /modules, /etc, /bin, /sbin,
/usr/bin, /usr/sbin immutable - any file touched during the boot process
before securelevel is raised should be protected so that attackers who break
root don't have the ability to reset the securelevel by modifying a
non-protected file (e.g. /sbin/ifconfig, to pick one at random) to do their
dirty work (e.g. removing flags from everything) when the system reboots. A
full list of files is not known, and it is probably enough to make upgrading
the system a total PITA.

In other words, there are some pretty fatal flaws with the concept. It does
however confuse the heck out of script kiddies :-D

Kris