Date: Wed, 6 Sep 2006 21:05:19 -0500
From: "Travis H." <solinym@gmail.com>
To: freebsd-security@freebsd.org
Subject: comments on handbook chapter
Message-ID: <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>
``You do not want to overbuild your security or you will interfere with the detection side, and detection is one of the single most important aspects of any security mechanism. For example, it makes little sense to set the schg flag (see chflags(1)) on every system binary because while this may temporarily protect the binaries, it prevents an attacker who has broken in from making an easily detectable change that may result in your security mechanisms not detecting the attacker at all.''

Wouldn't it be better to detect /and/ prevent an attempt to change the system binaries? It seems to me that advising people to focus on detection rather than prevention is wrong-headed. What are you going to do after you detect the attacker? If it's not "prevent him from doing anything", then I question the intelligence of this approach.

Root-level compromises don't always get detected immediately, don't always get caught, and once they're in, the playing field is level, and they are very time-consuming to investigate and clean. For example, I know someone with a rootkit that he can install to flash on an add-in card for a device that has DMA access to main memory. For this reason, I usually recommend prevention as a first priority, and detection as a second priority.

For example, Marcus Ranum said he once recompiled ls to reboot if it is run by root. Another trick involves recompiling /bin/sh to check to see if it has a tty (shells spawned by network daemons will generally not).

Perhaps there is some way to locate any part of the kernel that performs access control and optionally klog the details, so that any actions which are denied also automatically detect possible intrusions? Hmm, I should mention this to Elad Efrat, who is doing kauth work on NetBSD...

--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
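Added example, not part of the original message: a small integrity audit that covers both sides of the argument above, detection (a content hash of each system binary compared against a baseline) and prevention (whether the schg immutable flag is set, read from st_flags where the OS exposes it). The file set here is constructed in a temporary directory; the function names are this example's own.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a content hash per file; take this on a known-good system and keep it off-host."""
    return {str(p): sha256_file(p) for p in paths}


def is_immutable(path):
    """True if the system-immutable (schg) flag is set, None where the OS has no st_flags."""
    flags = getattr(os.stat(path), "st_flags", None)
    if flags is None:          # Linux and others: no BSD file flags in stat()
        return None
    return bool(flags & stat.SF_IMMUTABLE)


def audit(baseline):
    """Detection: files whose hash changed or that vanished. Prevention gap: files lacking schg."""
    report = {"changed": [], "missing": [], "unprotected": []}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        if sha256_file(path) != digest:
            report["changed"].append(path)
        if is_immutable(path) is False:   # schg absent; None means "cannot tell here"
            report["unprotected"].append(path)
    return report


def demo():
    """Constructed scenario: three fake binaries, one trojaned and one deleted after baselining."""
    with tempfile.TemporaryDirectory() as d:
        bins = [Path(d) / name for name in ("ls", "sh", "ps")]
        for b in bins:
            b.write_bytes(b"original binary: " + b.name.encode())
        baseline = build_baseline(bins)
        (Path(d) / "ls").write_bytes(b"replaced by an intruder")
        (Path(d) / "ps").unlink()
        return audit(baseline)
```

On FreeBSD, setting schg (`chflags schg`) needs root and cannot be cleared while the securelevel is 1 or higher, so a file that is both hash-clean and immutable is one the audit can vouch for; the baseline itself must live somewhere the host cannot rewrite.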