From owner-freebsd-current Wed Sep 5 18:32:54 2001
Date: Thu, 6 Sep 2001 04:33:07 +0300
From: Giorgos Keramidas
To: Damieon Stark
Cc: current@FreeBSD.ORG
Subject: Re: new feature for /etc/security
Message-ID: <20010906043307.C2464@hades.hell.gr>
References: <20010903103522.A23496@morpheus.telemere.net>
In-Reply-To: <20010903103522.A23496@morpheus.telemere.net>; from visigoth@securitycentric.com on Mon, Sep 03, 2001 at 10:35:22AM -0500
User-Agent: Mutt/1.2.5i
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html

On Mon, Sep 03, 2001 at 10:35:22AM -0500, Damieon Stark wrote:
> Greetings all,
>
> In my local source tree, I have a small modification to /etc/security
> which I thought would be good to get in the base tree. The attached .diff
> allows /etc/security to keep a record of all non-device related files located
> in /dev. Many blackhat utilities and practices include using the /dev
> directory as a location to create sniffer logs, suid binaries, and other evil.
> By keeping a database similar to /var/log/setuid.today, administrators can be
> notified of any changes to /dev. The diff is against -current, however the
> functionality is unchanged between -stable and -current.

Isn't this blackhat practice rendered useless with DEVFS?  Of course someone
who's been hacked cannot rely on DEVFS being mounted before anything accessed
the 'hidden in /dev stuff'.

/me just wondering

-giorgos
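The check Damieon describes, written out as an added sh example (this is not the posted .diff, which is not on this page, nor FreeBSD's own /etc/security code): list every entry under a /dev-like directory that is not a character or block special file, record the list, and diff it against the previous run, the way /etc/security compares /var/log/setuid.today with setuid.yesterday. The directory and the state-file names nondev.today / nondev.yesterday are parameters chosen here, not taken from the patch.

```shell
#!/bin/sh
# Added example: audit a /dev-like directory for entries that are not
# device nodes and report changes between runs. Not the patch from the
# thread; directory and state-file locations are assumptions.

# list_nondev DIR
#   Print "TYPE PATH" for every entry below DIR that is not a character or
#   block special file. Symlinks are classified before directories/files so
#   that a link to a device still shows up as a non-device entry. Sorted in
#   the C locale so two runs produce byte-comparable output.
list_nondev() {
    find "$1" -mindepth 1 ! -type c ! -type b -print 2>/dev/null \
      | LC_ALL=C sort \
      | while IFS= read -r p; do
            if   [ -L "$p" ]; then t=symlink
            elif [ -d "$p" ]; then t=dir
            elif [ -f "$p" ]; then t=file
            elif [ -p "$p" ]; then t=fifo
            elif [ -S "$p" ]; then t=socket
            else                   t=other
            fi
            printf '%s %s\n' "$t" "$p"
        done
}

# check_nondev DIR STATEDIR
#   Rotate STATEDIR/nondev.today to nondev.yesterday, record the current
#   list as nondev.today, and print a unified diff when anything changed.
#   Returns 0 when the list is unchanged, 1 when it differs (so a nightly
#   job can mail the report), mirroring the setuid.today/yesterday scheme.
check_nondev() {
    dir=$1
    state=$2
    today=$state/nondev.today
    yesterday=$state/nondev.yesterday
    mkdir -p "$state"
    [ -f "$today" ] && mv "$today" "$yesterday"
    [ -f "$yesterday" ] || : > "$yesterday"   # first run: empty baseline
    list_nondev "$dir" > "$today"
    if ! cmp -s "$yesterday" "$today"; then
        echo "$dir non-device entries changed:"
        # diff exits 1 on differences, which cmp already told us
        diff -u "$yesterday" "$today" || true
        return 1
    fi
    return 0
}

# Usage on a real system (needs read access to /dev and the state dir):
#   check_nondev /dev /var/log/devaudit
```

On a real /dev the first run only records a baseline: directories such as /dev/fd and the symlinks devfs or MAKEDEV set up are legitimate non-device entries, so what matters is the diff on later runs, not the initial list. The report is only as trustworthy as the host running it; like the setuid check, it is a change detector for the administrator, not a defence against a root-level intruder who can edit the state files.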