Date:      Thu, 11 May 2000 10:03:38 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        freebsd-security@freebsd.org
Subject:   Re: envy.vuurwerk.nl daily run output
Message-ID:  <Pine.BSF.4.21.0005110953510.8386-100000@anchovy.orem.iserver.com>
In-Reply-To: <391A8A3C.795C15F7@algroup.co.uk>

On Thu, 11 May 2000, Adam Laurie wrote:

> If someone backdoors your system with an authorized key, and is
> confident they can gain root from a luser account, they don't need to
> go any further, and it's extremely likely that the change will go
> unnoticed *forever*

But if you have hostile local users with root access, can you even trust
the output from /etc/security?

I see the output from /etc/security as (somewhat) interesting statistical
data, but in my opinion it should never be used for intrusion detection or
be used as a serious security tool.  If I can root your box, what's to
stop me from falsifying the reference data in /var used by /etc/security
to detect system changes?  If nothing else, calling it a "security" script
gives a false sense of just that.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
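Worked illustration of the point made in the message above. This is an added example, not part of the thread and not FreeBSD's /etc/security script: it models a daily check that diffs a listing of watched files against reference data kept on the same host, then shows an attacker with root re-baselining after adding a key (the check stays silent), and finally a reference authenticated with an HMAC whose key is assumed to live off the host (the forged reference is rejected). The paths, file contents and key are constructed stand-ins.

```python
import hashlib
import hmac

AUTH_KEYS = "/root/.ssh/authorized_keys"


def sample_fs():
    """Constructed stand-in for the files a daily check watches (path -> bytes)."""
    return {
        AUTH_KEYS: b"ssh-rsa AAAAB3Nza... admin@host\n",
        "/etc/master.passwd": b"root:$1$salt$hash:0:0::0:0:Charlie &:/root:/bin/csh\n",
        "/usr/bin/su": b"\x7fELF... (setuid binary)\n",
    }


def snapshot(fs):
    """Reference listing: path -> SHA-256 of contents (models the data kept under /var)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def check_local(fs, reference):
    """Host-local check: diff the current listing against a reference stored on the same box.
    Returns the paths whose hash differs; an empty list means nothing is reported."""
    current = snapshot(fs)
    return sorted(p for p in set(current) | set(reference)
                  if current.get(p) != reference.get(p))


def root_backdoor(fs, reference):
    """What an attacker with root does: add a key, then overwrite the reference to match."""
    fs = dict(fs)
    fs[AUTH_KEYS] = fs[AUTH_KEYS] + b"ssh-rsa AAAAC3Nza... attacker@elsewhere\n"
    return fs, snapshot(fs)  # the re-baselined reference replaces the honest one


def sign_reference(reference, key):
    """HMAC over the canonical listing; the key is assumed never to be stored on the host."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(reference.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_authenticated(fs, reference, tag, key):
    """Refuse a reference whose tag does not verify.
    None signals that the reference itself was replaced; otherwise the list of changed paths."""
    if not hmac.compare_digest(sign_reference(reference, key), tag):
        return None
    return check_local(fs, reference)


def demo():
    fs = sample_fs()
    reference = snapshot(fs)
    key = b"hypothetical-offline-key"  # constructed; in practice kept on the verifying machine
    tag = sign_reference(reference, key)

    backdoored_fs, forged_reference = root_backdoor(fs, reference)
    silent = check_local(backdoored_fs, forged_reference)            # [] : nothing reported
    rejected = check_authenticated(backdoored_fs, forged_reference, tag, key)  # None
    detected = check_authenticated(backdoored_fs, reference, tag, key)         # [AUTH_KEYS]
    return silent, rejected, detected


if __name__ == "__main__":
    silent, rejected, detected = demo()
    print("local check after root re-baselines:", silent)
    print("authenticated check, forged reference:", rejected)
    print("authenticated check, genuine reference:", detected)
```

The HMAC only stops a silent re-baseline; it does not change the underlying limitation the message points at. Root on the host can still edit the checker, its mail output, or the binaries it calls, so for the result to mean anything the listing has to be pulled to a separate machine and compared there, with the reference and the key held off the monitored host.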



