From owner-freebsd-security Thu May 11 9:04:20 2000
Date: Thu, 11 May 2000 10:03:38 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
To: Adam Laurie
Cc: freebsd-security@freebsd.org
Subject: Re: envy.vuurwerk.nl daily run output
In-Reply-To: <391A8A3C.795C15F7@algroup.co.uk>

On Thu, 11 May 2000, Adam Laurie wrote:

> If someone backdoors your system with an authorized key, and is
> confident they can gain root from a luser account, they don't need to
> go any further, and it's extremely likely that the change will go
> unnoticed *forever*

But if you have hostile local users with root access, can you even trust
the output from /etc/security?

I see the output from /etc/security as (somewhat) interesting statistical
data, but in my opinion it should never be used for intrusion detection or
be used as a serious security tool. If I can root your box, what's to stop
me from falsifying the reference data in /var used by /etc/security to
detect system changes?

If nothing else, calling it a "security" script gives a false sense of
just that.

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
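The attack Paul describes, worked through as an added example (not code from the thread, and not FreeBSD's own /etc/security script): a throwaway directory stands in for / and /var, a few empty files with mode 4755 stand in for setuid binaries, and a small shell function mimics the daily script's setuid check (list setuid/setgid files, diff against the reference saved from the previous run, rotate). It then shows a root attacker planting a setuid file and rewriting the reference so the next daily diff is empty, and shows that a copy of the reference kept where the box cannot write it (here a second directory, in practice a trusted host or read-only media) still exposes both the rewrite and the new file. The file name /usr/local/bin/.x, the directory names and the POSIX sh/find/ls/diff/cmp tooling are assumptions of this example.

```shell
#!/bin/sh
# Added example: emulate the setuid/setgid part of the FreeBSD daily security
# run in a temp dir, show how root hides a new setuid file by rewriting the
# reference data under /var, and how an off-box copy of that reference still
# catches it. All paths and files below are constructed for the demo.

setup_demo() {
    DEMO=$(mktemp -d)
    ROOT="$DEMO/root"        # stands in for /
    VAR="$DEMO/var"          # stands in for /var, where the reference lives
    OFFHOST="$DEMO/offhost"  # stands in for storage root on this box cannot write
    mkdir -p "$ROOT/usr/bin" "$ROOT/usr/local/bin" "$VAR" "$OFFHOST"
    # Two legitimate setuid binaries (constructed stand-ins, not real programs).
    for b in passwd su; do
        printf '#!/bin/sh\n' > "$ROOT/usr/bin/$b"
        chmod 4755 "$ROOT/usr/bin/$b"
    done
}

# What the daily run records: mode string and path of every setuid/setgid file.
# substr(...,1,10) drops trailing ACL/SELinux markers some ls versions append.
setuid_listing() {
    find "$ROOT" -type f \( -perm -4000 -o -perm -2000 \) | while read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | awk '{print substr($1,1,10)}')" "${f#"$ROOT"}"
    done | sort
}

# Daily run: diff today's listing against the on-box reference, then rotate.
# Prints one line per added (>) or removed (<) entry; no output means "no change".
daily_setuid_check() {
    setuid_listing > "$VAR/setuid.today"
    if [ -f "$VAR/setuid.yesterday" ]; then
        diff "$VAR/setuid.yesterday" "$VAR/setuid.today" | grep '^[<>]' || true
    fi
    mv "$VAR/setuid.today" "$VAR/setuid.yesterday"
}

# Trusted side: copy the reference out of the box's reach after the run was
# reviewed (in practice: pulled over ssh by a trusted host, or read-only media).
snapshot_reference_offhost() { cp "$VAR/setuid.yesterday" "$OFFHOST/setuid.reference"; }

# Root attacker: plant a setuid shell, then rewrite the reference so the next
# daily diff is silent. This is exactly the move the message above describes.
backdoor_and_cover() {
    printf '#!/bin/sh\n' > "$ROOT/usr/local/bin/.x"
    chmod 4755 "$ROOT/usr/local/bin/.x"
    setuid_listing > "$VAR/setuid.yesterday"
}

# Run these BEFORE the daily rotation: does the on-box reference still match
# the off-box copy, and what does the box look like against that copy?
reference_rewritten() { ! cmp -s "$VAR/setuid.yesterday" "$OFFHOST/setuid.reference"; }
offhost_check() {
    setuid_listing | diff "$OFFHOST/setuid.reference" - | grep '^[<>]' || true
}

# Walk-through, run when the script is executed directly.
setup_demo
daily_setuid_check >/dev/null          # day 1: creates the reference
snapshot_reference_offhost             # trusted side keeps its own copy
backdoor_and_cover                     # attacker gets root, hides the change
printf 'on-box reference rewritten: '; reference_rewritten && echo yes || echo no
printf 'off-box diff sees:          %s\n' "$(offhost_check)"
printf 'daily run reports:          "%s"\n' "$(daily_setuid_check)"   # empty
rm -rf "$DEMO"
```

The on-box daily run reports nothing after the cover-up, while the off-box comparison shows both that the reference was rewritten and the new entry for /usr/local/bin/.x. The caveat the message implies still applies: once the attacker has root, the listing itself comes from the compromised box (find, ls, the shell), so the off-box copy is only worth something if the trusted host also produces or verifies the listing independently (for example by pulling the files and hashing them itself) rather than trusting what the box sends.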