From: Jason Stone
To: Nikolay Kanchev, freebsd-security@freebsd.org
Date: Tue, 16 Sep 2003 02:12:01 -0700 (PDT)
Subject: Re: boot -s - can i detect intruder
Message-ID: <20030916013344.J55021@walter>
In-Reply-To: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg>

> Several people have physical access to my FreeBSD box and I have the feeling
> that somebody tries to get access with boot -s options. Can I log activity
> after boot -s option (change user password, install software, etc.)?
> I use boot -s and change user password, but after reboot I can't find this
> activity in log files.
> The BSD box is shut down and run again many times a day.

Well, there might be some stuff you can do - maybe you can mod the kernel to
log every execve(2) to a serial port or a line printer - maybe you could even
log over the net or something.
I've seen some patches to bash floating around that make logging of command
history mandatory - this is a pretty useless approach if your attacker is at
all sophisticated, but if the attacker is really clueless, it might help.

Of course in this case, writing to disk will be problematic, because when you
start up, the filesystem will be mounted read-only, and you can't necessarily
count on any particular filesystem ever being read-write, and if a filesystem
does become read-write, you'll have to take advantage of it quickly, because
you don't know how long it's going to stay read-write.

You could get a hardware keystroke logger - thinkgeek.com has one, and another
company I forget the name of - find the Tinfoil Hat Linux webpage, and start
following links. If the attacker doesn't think to look for something like
this, and if you have the money to spend, this might be the easiest approach
for you.

If someone has physical access to your machine, though, there's only so much
you can do. The attacker can boot external media like floppies or CDs, and
then alter your disk from there. You could configure the machine not to boot
external media and set a BIOS password, but then the attacker could just open
the machine, take the hard disk out, plug it into another computer and alter
it there.

Really the only thing you can do is to limit physical access - unless you are
prepared to shell out for tamper-proof machines with crypto hardware, anyone
with physical access can take over your system.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
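The original poster's concern is a password change made from "boot -s" that leaves nothing in the logs. One after-the-fact check (an added example, not code from this thread or from FreeBSD) is to fingerprint an authentication-critical file such as /etc/master.passwd at every multi-user boot and compare it with the fingerprint recorded at the previous boot; the file path and state-file location are assumptions. As Jason notes, an attacker with physical access can alter the recorded baseline as well, so this only catches changes the attacker did not think to cover.

```sh
#!/bin/sh
# Constructed example: detect that an authentication-critical file changed
# between two multi-user boots, which is what a password change made in
# single-user mode looks like once the system is back up.

# Portable SHA-256 of a file: FreeBSD ships sha256(1), most Linux systems
# ship sha256sum(1). Prints the hex digest only.
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# check_baseline FILE STATEFILE
#   Returns 0 when FILE matches the digest stored in STATEFILE, or when no
#   baseline exists yet (one is created). Returns 1 when the digest differs
#   and prints a warning. Returns 2 when FILE cannot be read. The baseline is
#   rewritten on every call so the next boot compares against this one.
check_baseline() {
    file="$1"
    state="$2"
    current=$(file_digest "$file") || return 2
    if [ ! -f "$state" ]; then
        printf '%s\n' "$current" > "$state"
        return 0
    fi
    previous=$(cat "$state")
    printf '%s\n' "$current" > "$state"
    if [ "$current" != "$previous" ]; then
        echo "WARNING: $file changed since the last multi-user boot" >&2
        return 1
    fi
    return 0
}

# Assumed deployment: run from an rc script at multi-user boot, e.g.
#   check_baseline /etc/master.passwd /var/db/passwd.baseline
```

Keep the state file on a filesystem that is not mounted in single-user mode, or on another host, so the baseline is at least not sitting next to the file it protects.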