Date: Mon, 11 Sep 2006 18:17:39 +0200 (CEST) From: Oliver Fromme <olli@lurza.secnetix.de> To: freebsd-security@FreeBSD.ORG, arne_woerner@yahoo.com Subject: Re: comments on handbook chapter Message-ID: <200609111617.k8BGHdE9072686@lurza.secnetix.de> In-Reply-To: <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
R. B. Riddick <arne_woerner@yahoo.com> wrote: > Bigby Findrake <bigby@ephemeron.org> wrote: > > Travis H. wrote: > > > Wouldn't it be better to detect /and/ prevent an attempt to change the > > > system binaries? > > > > That's how I interpret that passage from the handbook - that you should > > detect *and* prevent. I'm not clear on how anyone is interpreting that > > passage to suggest that unequal weight should be given to one side or the > > other (detection vs. prevention). The above passage all but says, "don't > > do X because that will interfere with Y." I just don't see that advice as > > advocating imbalance. > > > Hmm... > > I think, this "schg flag"-thing should be done to all files, but invisible to a > potential attacker... <-- PROTECTION There's no need to make it "invisible". First, it wouldn't add anything to the protection. And second, it could be called a case of "security by obscurity". > When some attacker tries to get write access to that file or to move that file > around or so, it should result in a log message (like "BAD SU on ...")... <-- > DETECTION (I think one of the first messages in this thread suggested that > already...) That can be done with the AUDIT framework that has recently been MFCed to 6-stable. > And removing that flag shouldn't be possible so easy, too. What do you mean, "so easy"? It's not easy. The flag can only be removed if security level < 1. Once the system is running at >= 1, lowering the security level requires a reboot. Please see the init(8) manual page for details. Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. "I invented Ctrl-Alt-Delete, but Bill Gates made it famous." -- David Bradley, original IBM PC design team
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609111617.k8BGHdE9072686>