Date:      Sun, 27 Jul 2003 07:51:36 -0500
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        Socketd <db@traceroute.dk>
Cc:        freebsd-security@freebsd.org
Subject:   Re: suid bit files + securing FreeBSD (new program: LockDown)
Message-ID:  <20030727125136.GA6810@sheol.localdomain>
In-Reply-To: <20030727143600.1517c588.db@traceroute.dk>
References:  <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk>

CC'ing security@ now, since you did.

On Jul 27, at 02:36 PM, Socketd wrote:
> 
> On Sun, 27 Jul 2003 06:29:33 -0500
> D J Hawkey Jr <hawkeyd@visi.com> wrote:
> 
> > Your plan is to incorporate this into/for rc.conf, and your program
> > would be run at boot?
> 
> It is meant to be installed from the ports collection and then executed
> once, but you can of course run it as many times as you want (but if you
> haven't changed the system since the last time you ran it, this makes no
> sense).

Would you consider my above suggestion?

It could certainly be installed from the ports collection, but it would
be most useful to me (and p'raps others?) as a boot-time thang. Think of
dedicated firewalls and routers, especially those that boot from custom
CDs [and p'raps read floppies for "volatile" configuration].

In my mind, the conf could be installed as /etc/rc.whatever, and the
program could be installed as /usr/local/etc/rc.d/whatever. In this way,
it'd be run on boot, and could be run anytime as
"/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a
box and force a reboot to "kick it in". Your program, by enforcing the
"rules" in the conf, could remove the exec bits on the trojan, or just
blow the trojan away. I realize I might be widening the scope here...

Were you to go this way, I could see where Core might consider adding
your work into the base? I'd lobby for it.  :-)

> > What language do you think you'll use (hopefully,
> > something supported by the base OS, e.g., not ruby, modula, or perl)?
> 
> I use C++

Oh. I was hoping you'd answer "shell script" (my preference, for quick
'n easy modification), or "C".

Just some suggestions,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
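The boot-time check Dave sketches above (a conf of allowed set-id files, enforced from an rc.d script so a dropped SUID/SGID trojan cannot "kick in" after a reboot), as an added example in POSIX sh; this is not the LockDown program and not part of the thread. The conf format (one absolute path per line, `#` comments), the function names and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not the LockDown program: a boot-time SUID/SGID allowlist
# check in the style of an rc.d script. The conf format is an assumption:
# one absolute path per line, '#' starts a comment. Anything else under
# ROOT carrying a set-id bit is reported; enforcement strips set-id and
# exec bits so a dropped trojan cannot "kick in" after a reboot.

# lockdown_scan ROOT CONF: print set-id files under ROOT absent from CONF.
lockdown_scan() {
    root=$1; conf=$2
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
    while IFS= read -r f; do
        # exact, fixed-string match against the allowlist, comments ignored
        if ! grep -v '^[[:space:]]*#' "$conf" | grep -qxF -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# lockdown_enforce ROOT CONF: strip bits from each unexpected file and
# print how many were changed (stdout is the "return value").
lockdown_enforce() {
    lockdown_scan "$1" "$2" |
    while IFS= read -r f; do
        chmod u-s,g-s,a-x "$f" && printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# demo_setup: build a constructed tree in a temp dir (never the live
# system) with one legitimate set-id binary and two dropped ones, plus
# an allowlist that names only the legitimate one. Prints the tree root.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp"
    : > "$d/usr/bin/passwd"; chmod 4555 "$d/usr/bin/passwd"   # allowed
    : > "$d/tmp/.x";         chmod 4755 "$d/tmp/.x"           # rogue SUID
    : > "$d/tmp/sg";         chmod 2755 "$d/tmp/sg"           # rogue SGID
    printf '%s\n' '# allowed set-id binaries' "$d/usr/bin/passwd" \
        > "$d/lockdown.conf"
    echo "$d"
}

DEMO=$(demo_setup)
echo "unexpected set-id files:"
lockdown_scan "$DEMO" "$DEMO/lockdown.conf"
echo "stripped: $(lockdown_enforce "$DEMO" "$DEMO/lockdown.conf")"
```

Pointed at `/` with a real conf, the same two functions give the report-only and enforcing modes an rc.d wrapper or cron job would call.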