From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 06:43:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0A1737B404 for ; Sun, 27 Jul 2003 06:43:19 -0700 (PDT) Received: from cicero1.cybercity.dk (cicero1.cybercity.dk [212.242.40.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB44143FAF for ; Sun, 27 Jul 2003 06:43:18 -0700 (PDT) (envelope-from db@traceroute.dk) Received: from user5.cybercity.dk (fxp0.user5.ip.cybercity.dk [212.242.41.51]) by cicero1.cybercity.dk (Postfix) with ESMTP id BE8365C4941; Sun, 27 Jul 2003 15:43:16 +0200 (CEST) Received: from main (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user5.cybercity.dk (Postfix) with SMTP id E562556341; Sun, 27 Jul 2003 15:43:15 +0200 (CEST) Date: Sun, 27 Jul 2003 15:52:39 +0200 From: Socketd To: hawkeyd@visi.com, security@freebsd.org Message-Id: <20030727155239.3205a60b.db@traceroute.dk> In-Reply-To: <20030727125136.GA6810@sheol.localdomain> References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk> <20030727125136.GA6810@sheol.localdomain> X-Mailer: Sylpheed version 0.8.10claws (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: suid bit files + securing FreeBSD (new program: LockDown) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Jul 2003 13:43:20 -0000 On Sun, 27 Jul 2003 07:51:36 -0500 D J Hawkey Jr wrote: > CC'ing security@ now, since you did. Oh sorry, didn't see that you only replied to me :-) > Would you consider my above suggestion? > It could certainly be installed from the ports collection, but it > would be most useful to me (and p'raps others?) as a boot-time thang. > Think of dedicated firewalls and routers, especially those that boot > from custom CDs [and p'raps read floppies for "volatile" > configuration]. > > In my mind, the conf could be installed as /etc/rc.whatever, and the > program could be installed as /usr/local/etc/rc.d/whatever. In this > way, it'd be run on boot, and could be run anytime as > "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too. Ah, good idea! > I'm thinking of rootkits and whatnot that drop a SUID/SGID program on > a box and force a reboot to "kick it in". Your program, by enforcing > the"rules" in the conf, could remove the exec bits on the trojan, or > just blow the trojan away. I realize I might be widening the scope > here... Hmm, if an attacker got root and installed a rootkit LockDown would be of no help. LockDown was meant to automatically setup a secure machine using the facilities that are already in the base system, but you gave me an idea! LockDown could search for ALL suid and gid files and set the permissions accordingly to the conf file, the files not listed there would be disabled (or set to a user specified default). But then again, if an admin installs a port with suid files and forget to add them to the LockDown conf file, they would be disabled the next time LockDown is executed. I have also thought about adding these options: 1. More kernel help, so you quickly can setup a kernel: kern_using_RAID="" YES if you are using raid hardware kern_using_SCSI="" YES if you are using SCSI hardware kern_using_IPv6="" YES if you want to use IPv6 kern_using_proc="" YES if you want to use /proc kern_NIC="" The nic's you use. 2. Support for most of the files in /etc (and other?) 3. Give security adwise: 1. Setting up different daemons 2. What ports to install 3. How to setup scripts to be used with cron and what to include in them > Were you to go this way, I could see where Core might consider adding > your work into the base? I'd lobby for it. :-) My code in the base system...oh I don't even dare think the beautiful thought ;-) > > I use C++ > > Oh. I was hoping you'd answer "shell script" (my preference, for quick > 'n easy modification), or "C". Well, it could be written as a shell script, but I only know C++. If someone want to join this project and write the shell script, I would be happy to help with the overall design and documentation. br socketd