Date:      Wed, 6 Sep 2006 21:05:19 -0500
From:      "Travis H." <solinym@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   comments on handbook chapter
Message-ID:  <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>

``You do not want to overbuild your security or you will interfere
with the detection side, and detection is one of the single most
important aspects of any security mechanism. For example, it makes
little sense to set the schg flag (see chflags(1)) on every system
binary because while this may temporarily protect the binaries, it
prevents an attacker who has broken in from making an easily
detectable change that may result in your security mechanisms not
detecting the attacker at all.''

Wouldn't it be better to detect /and/ prevent an attempt to change the system
binaries?  It seems to me that advising people to focus on detection rather
than prevention is wrong-headed.  What are you going to do after you detect
the attacker?  If it's not "prevent him from doing anything", then I question
the intelligence of this approach.

Root-level compromises don't always get detected immediately, don't always
get caught, and once they're in, the playing field is level, and they are very
time-consuming to investigate and clean.  For example, I know someone with
a rootkit that he can install to flash on an add-in card for a device that has
DMA access to main memory.  For this reason, I usually recommend
prevention as a first priority, and detection as a second priority.

For example, Markus Ranum said he once recompiled ls to reboot if it is run
by root.  Another trick involves recompiling /bin/sh to check to see if it
has a tty (shells spawned by network daemons will generally not).

Perhaps there is some way to locate any part of the kernel that performs
access control and optionally klog the details, so that any actions
which are denied also automatically detect possible intrusions?
Hmm, I should mention this to Elad Efrat, who is doing kauth work
on NetBSD...
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484