From owner-freebsd-security Fri Feb 16 09:27:06 2001
Date: Fri, 16 Feb 2001 09:27:02 -0800
From: Kris Kennaway
To: Ragnar Beer
Cc: freebsd-security@freebsd.org
Subject: Re: File flags
Message-ID: <20010216092702.A93835@mollari.cthul.hu>

On Fri, Feb 16, 2001 at 02:15:31PM +0100, Ragnar Beer wrote:
> Howdy!
>
> I'm wondering which files I should protect with file flags. So far I only
> protected a couple of flags in /var/log but last week I read that someone
> suggested making files in the /bin /sbin /etc directories immutable. How much
> sense does that make?

This only makes a real difference to security if:

a) You raise the system securelevel, so that flags cannot be removed, and:

b) You make just about everything in /boot, /modules, /etc, /bin, /sbin,
/usr/bin, /usr/sbin immutable - any file touched during the boot process
before securelevel is raised should be protected, so that attackers who break
root don't have the ability to reset the securelevel by modifying a
non-protected file (e.g. /sbin/ifconfig, to pick one at random) to do their
dirty work (e.g. removing flags from everything) when the system reboots.
A full list of files is not known, and it is probably enough to make
upgrading the system a total PITA. In other words, there are some pretty
fatal flaws with the concept. It does however confuse the heck out of
script kiddies :-D

Kris
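An added example, not part of the thread, of the audit that point b) above implies: a shell filter that reads FreeBSD `ls -lo` output and reports the regular files that are not yet marked `schg`, so the gaps in a "make everything immutable" policy can be found before relying on securelevel. The directory listing in the block is constructed, not captured from any real system.

```shell
#!/bin/sh
# Added example (not from the thread): find regular files in a FreeBSD
# directory listing that are NOT marked schg (system immutable).
#
# Real use on FreeBSD:   ls -lo /sbin | missing_schg
# (`ls -lo` prints the file flags as the 5th column, "-" when none are set.)
# The result only matters once kern.securelevel is >= 1, which is what stops
# root from clearing the flags again:   sysctl -n kern.securelevel

# Constructed sample of `ls -lo` output (not real output from any system).
SAMPLE_LS='total 7
-r-xr-xr-x  1 root  wheel  schg        12345 Feb 16  2001 ifconfig
-r-xr-xr-x  1 root  wheel  -           23456 Feb 16  2001 init
-r-xr-xr-x  1 root  wheel  schg,sunlnk 34567 Feb 16  2001 mount
drwxr-xr-x  2 root  wheel  -             512 Feb 16  2001 subdir
lrwxr-xr-x  1 root  wheel  -              10 Feb 16  2001 link -> ../bin/link'

# Read `ls -lo` lines on stdin and print the names of regular files
# (type character "-") whose flags field does not contain "schg".
# Directories and symlinks are skipped, since schg is applied to the
# binaries and config files themselves. Assumes file names without spaces.
missing_schg() {
    awk '$1 ~ /^-/ {
        n = split($5, flags, ",")
        has = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") has = 1
        if (!has) print $NF
    }'
}

# Convenience wrapper: run the filter over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_LS" | missing_schg
}
```

On the sample, `audit_sample` reports only `init`, the one regular file with no `schg` flag.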