Date: Fri, 22 Dec 2000 13:38:58 +1300
From: "Michael A. Williams" <mike@netxsecure.net>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, Mikhail Kruk <meshko@cs.brandeis.edu>, security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <3A42A2A2.92EE47A0@netxsecure.net>
References: <20001221064842.B27118@citusc.usc.edu> <Pine.LNX.4.30.0012211139260.27904-100000@daedalus.cs.brandeis.edu> <20001221084452.A28157@citusc.usc.edu> <xzp4rzxeh58.fsf@flood.ping.uio.no>

Dag-Erling Smorgrav wrote:
>
> Kris Kennaway <kris@FreeBSD.ORG> writes:
> > On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > Kris Kennaway <kris@FreeBSD.ORG> writes:
> > > > Correct, but if they're not noschg then you can trivially trojan a
> > > > kernel module which you know is loaded at boot time. [...]
> > > wait, but can't you make kernel modules and startup scripts noschg too?
> > Go back and read the first paragraph above. It's theoretically
> > possible, but the list of things you would have to noschg is huge,
> > constantly changing from version to version, and not completely known.
>
> Umm, people, please, "schg" not "noschg". If you find this confusing,
> use "simmutable" instead.

Lots of good ideas have been put forward as to what should be set immutable
with secure level 2 or higher. Has anyone worked out a recommended list as
such?

Obviously needs will vary widely; however, a document relevant to a certain
OS release and securelevels could be worthwhile. I am prepared to put some
time into this, as I would like to run with the results.

Mike.

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net
www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914