From owner-freebsd-security Fri Feb 16 12: 3:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168])
    by hub.freebsd.org (Postfix) with SMTP id A041637B491
    for ; Fri, 16 Feb 2001 12:03:34 -0800 (PST)
Received: (qmail 46793 invoked by alias); 16 Feb 2001 20:04:07 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30)
    by d156h168.resnet.uconn.edu with SMTP; 16 Feb 2001 20:04:07 -0000
Message-ID: <000701c09853$af44c0c0$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Rasputin" ,
References: <20010216133331.A48008@dogma.freebsd-uk.eu.org>
Subject: Re: File flags
Date: Fri, 16 Feb 2001 15:04:34 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Your metaphor/analogy is flawed. It should read "if my cupboards are locked,
how can I tell if my house has been bugged?" since in most cases backdoored
binaries are installed and logs are modified, and aren't deleted.

----- Original Message -----
From: "Rasputin"
To:
Sent: Friday, February 16, 2001 8:33 AM
Subject: Re: File flags

> * Ragnar Beer [010216 13:17]:
> > Howdy!
> >
> > I'm wondering which files I should protect with file flags. So far I only
> > protected a couple of flags in /var/log but last week I read that someone
>
> Is that a good idea? What happens if they need to be rotated?
>
> > suggested making files in the /bin /sbin /etc directories immutable. How much
> > sense does that make?
>
> Depends what securelevel you're in.
>
> Also there is a case for saying that this makes intrusions harder
> to detect, although that sounds to me like saying:
> "If the cupboards in your house are locked up, how are you
> supposed to tell when you've been burgled?"
>
> --
> Rasputin
> Jack of All Trades :: Master of Nuns
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message