Date: Mon, 8 Feb 2010 08:56:15 +1100
From: Peter Jeremy
To: Pascal Stumpf
Cc: freebsd-stable@freebsd.org
Subject: Re: Inmutable bit in some binaries
Message-ID: <20100207215615.GB4536@server.vk2pj.dyndns.org>
In-Reply-To: <201002061211.09140.Pascal.Stumpf@cubes.de>

On 2010-Feb-06 12:11:08 +0100, Pascal Stumpf wrote:
>just another idea: You may want to take a look at integrity checking systems
>as an alternative, i.e. tripwire.

Note that mtree(8) supports the integrity checking functionality of
tripwire and is in the base system. (It doesn't have all the bells
and whistles of tripwire and so isn't suitable for all cases).

If you do go for an integrity checking system, remember to ensure that
everything that your integrity checking system relies on (i.e. executable,
database, shared libraries) is immutable - as well as the shell/cron
that runs it and however the results are reported.

-- 
Peter Jeremy
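Added example, not part of the original message: one way to audit the point made above, that everything the integrity check relies on carries the system immutable flag (schg). The `ldd` output is a constructed sample, and the spec-file path and the list of extra files are assumptions for illustration.

```python
import os
import stat

# Constructed sample of `ldd /usr/sbin/mtree` output (not captured from a real host).
SAMPLE_LDD = """\
/usr/sbin/mtree:
\tlibmd.so.4 => /lib/libmd.so.4 (0x28088000)
\tlibc.so.7 => /lib/libc.so.7 (0x28098000)
"""

def parse_ldd(output):
    """Return the binary named on the header line plus every resolved library path."""
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(":"):                 # "/usr/sbin/mtree:"
            paths.append(line[:-1])
        elif "=>" in line:                     # "libc.so.7 => /lib/libc.so.7 (0x...)"
            target = line.split("=>", 1)[1].split("(", 1)[0].strip()
            if target.startswith("/"):
                paths.append(target)
    return paths

def is_immutable(path, stat_fn=os.stat):
    """True if schg is set. uchg is not counted: the file's owner can clear it.
    st_flags only exists on BSD-like systems, so other platforms report False."""
    flags = getattr(stat_fn(path), "st_flags", 0)
    return bool(flags & stat.SF_IMMUTABLE)

def audit(paths, stat_fn=os.stat):
    """Map each path to 'schg', 'mutable' or 'missing'."""
    report = {}
    for path in paths:
        try:
            report[path] = "schg" if is_immutable(path, stat_fn) else "mutable"
        except FileNotFoundError:
            report[path] = "missing"
    return report

if __name__ == "__main__":
    # Assumed trust chain: checker and its libraries, a hypothetical spec
    # database, and the shell/cron pieces that run the check.
    chain = parse_ldd(SAMPLE_LDD) + [
        "/var/db/integrity.spec",              # hypothetical spec file location
        "/bin/sh", "/usr/sbin/cron", "/etc/crontab",
    ]
    for path, state in audit(chain).items():
        print(f"{state:8} {path}")
```

Anything reported as `mutable` or `missing` is a file an intruder could replace to blind the check; the programs used to report the results belong in the list as well.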