From owner-freebsd-security  Mon Feb 19  0:53:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
	by hub.freebsd.org (Postfix) with SMTP id 885E137B401
	for <freebsd-security@FreeBSD.ORG>; Mon, 19 Feb 2001 00:53:23 -0800 (PST)
Received: (qmail 5945 invoked by uid 1000); 19 Feb 2001 08:51:30 -0000
Date: Mon, 19 Feb 2001 10:51:30 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Nevermind <never@nevermind.kiev.ua>
Cc: Carroll Kong <damascus@home.com>,
	Brian Reichert <reichert@numachi.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <20010219105130.A2946@ringworld.oblivion.bg>
Mail-Followup-To: Nevermind <never@nevermind.kiev.ua>,
	Carroll Kong <damascus@home.com>,
	Brian Reichert <reichert@numachi.com>, freebsd-security@FreeBSD.ORG
References: <p04330104b6b573740812@[192.168.0.98]> <p04330104b6b573740812@[192.168.0.98]> <20010218132255.L91352@numachi.com> <4.2.2.20010218133626.00c04f00@netmail.home.com> <20010218212442.A68304@nevermind.kiev.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010218212442.A68304@nevermind.kiev.ua>; from never@nevermind.kiev.ua on Sun, Feb 18, 2001 at 09:24:42PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Feb 18, 2001 at 09:24:42PM +0200, Nevermind wrote:
> Hello, Carroll Kong!
> 
> On Sun, Feb 18, 2001 at 01:40:21PM -0500, you wrote:
> 
> > That is a good idea, however, what is to stop the enemy from killing 
> > syslogd as his first option?  I do not think syslogd logs when it gets 
> > killed?  So, despite the secure log host, he might not get the valuable 
> > info he needs.  I suppose you could then start speculating a break in if 
> > there are no more MARKs since syslogd is dead.  Even that could be 
> > fabricated I suppose.  Ugh.  Security sure is tough to implement 
> > fully.  Not trying to say you are wrong, just that I am curious how does 
> > one stop this possible problem?  Have you found a way to avoid it?
> 
> I sometimes think about some flag on process so that once launched it cannot be
> killed without specifying password... I don't know if it will be correct to
> existing process model...
> 
> What are you thinking about that?

I'd think some kind of process ACL's would be a better approach - something
like 'yeah, you're root, but you don't have this-and-this capability/token/
whatever, so there!'.. I don't know how far the ACL work has progressed,
and if there are any ideas to go in that direction, but ACL control over
sending signals certainly sounds interesting.

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message