From owner-freebsd-security Thu Dec 21 16:25:15 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 16:25:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xgate4.sd.co.nz (ns.netxsecure.com [210.55.57.156])
    by hub.freebsd.org (Postfix) with ESMTP id 5ECD537B400;
    Thu, 21 Dec 2000 16:25:11 -0800 (PST)
Received: from netxsecure.net (xmgate-172-2.sd.co.nz [172.16.30.2])
    by xgate4.sd.co.nz (8.11.0/8.11.0) with ESMTP id eBM0Z8E11122;
    Fri, 22 Dec 2000 13:35:09 +1300 (NZDT)
Sender: mike@netxsecure.net
Message-ID: <3A42A2A2.92EE47A0@netxsecure.net>
Date: Fri, 22 Dec 2000 13:38:58 +1300
From: "Michael A. Williams"
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.5-22 i586)
X-Accept-Language: en
MIME-Version: 1.0
To: Dag-Erling Smorgrav
Cc: Kris Kennaway, Mikhail Kruk, security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
References: <20001221064842.B27118@citusc.usc.edu> <20001221084452.A28157@citusc.usc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Archived: msg.Cbm13986@xgate4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dag-Erling Smorgrav wrote:
>
> Kris Kennaway writes:
> > On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > Kris Kennaway writes:
> > > > Correct, but if they're not noschg then you can trivially trojan a
> > > > kernel module which you know is loaded at boot time. [...]
> > > wait, but can't you make kernel modules and startup scripts noschg too?
> > Go back and read the first paragraph above. It's theoretically
> > possible, but the list of things you would have to noschg is huge,
> > constantly changing from version to version, and not completely known.
>
> Umm, people, please, "schg" not "noschg". If you find this confusing,
> use "simmutable" instead.

Lots of good ideas put forward as to what should be set immutable with
secure level 2 or higher. Has anyone worked out a recommended list as such?

Obviously needs will vary widely; however, a document relevant to a certain
OS release and securelevels could be worthwhile. I am prepared to put some
time into this, as I would like to run with the results.

Mike.

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net
www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914
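
One way to start building the list asked for above, as an added example (not code from this thread or from the FreeBSD project): a Python audit that walks the paths you give it and reports every file and directory that does not carry the system-immutable flag (`schg`). Which paths to audit is the operator's choice; the function name `missing_schg` and the command-line usage are assumptions of this example.

```python
import os
import stat
import sys


def missing_schg(roots, lstat=os.lstat):
    """Return the sorted paths under `roots` that lack the schg flag.

    Directories are reported as well as files: a directory without schg
    still accepts new entries, so a new module or startup script can be
    dropped in next to flagged ones.
    `lstat` is injectable so the logic can be exercised on systems whose
    stat results carry no st_flags field.
    """
    missing = set()

    def check(path):
        st = lstat(path)  # lstat: inspect a symlink itself, not its target
        flags = getattr(st, "st_flags", None)
        if flags is None:
            raise RuntimeError("file flags (st_flags) not available here")
        if not flags & stat.SF_IMMUTABLE:  # SF_IMMUTABLE is the schg bit
            missing.add(path)

    for root in roots:
        check(root)
        if os.path.islink(root) or not os.path.isdir(root):
            continue
        # os.walk does not follow symlinked directories by default
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                check(os.path.join(dirpath, name))
    return sorted(missing)


if __name__ == "__main__":
    # Usage (paths are the operator's choice): python audit_schg.py PATH...
    for path in missing_schg(sys.argv[1:]):
        print(path)
```

Run it against the kernel, module and startup-script paths of the release in question; an empty result means everything under those paths is flagged, not that the set of paths is complete.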