From owner-freebsd-current  Wed Sep  5 18:32:54 2001
Delivered-To: freebsd-current@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5])
	by hub.freebsd.org (Postfix) with ESMTP id EF88237B401
	for <current@FreeBSD.ORG>; Wed,  5 Sep 2001 18:32:47 -0700 (PDT)
Received: from hades.hell.gr (patr530-b009.otenet.gr [195.167.121.137])
	by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id f861Wi705136;
	Thu, 6 Sep 2001 04:32:45 +0300 (EEST)
Received: (from charon@localhost)
	by hades.hell.gr (8.11.6/8.11.6) id f861X7V03828;
	Thu, 6 Sep 2001 04:33:07 +0300 (EEST)
	(envelope-from charon@labs.gr)
Date: Thu, 6 Sep 2001 04:33:07 +0300
From: Giorgos Keramidas <charon@labs.gr>
To: Damieon Stark <visigoth@securitycentric.com>
Cc: current@FreeBSD.ORG
Subject: Re: new feature for /etc/security
Message-ID: <20010906043307.C2464@hades.hell.gr>
References: <20010903103522.A23496@morpheus.telemere.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010903103522.A23496@morpheus.telemere.net>; from visigoth@securitycentric.com on Mon, Sep 03, 2001 at 10:35:22AM -0500
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

On Mon, Sep 03, 2001 at 10:35:22AM -0500, Damieon Stark wrote:
> Greetings all,
>=20
> 	In my local source tree, I have a small modification to /etc/security
> which I thought would be good to get in the base tree.  The attached .diff
> allows /etc/security to keep a record of all non-device related files loc=
ated
> in /dev.  Many blackhat utilities, and practices include using the /dev
> directory as a location to create sniffer logs, suid binaries, and other =
evil.
> By keeping a database similar to /var/log/setuid.today, administrators ca=
n be
> notified of any changes to /dev.  The diff is against -current, however t=
he
> functionality is unchanged between -stable and -current.

Isn't this blackhat practice rendered useless with DEVFS ?

Of course someone who's been hacked cannot rely on DEVFS being mounted
before anything accessed the 'hidden in /dev stuff'.

/me just wondering

-giorgos


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message