From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 08:29:26 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A78E737B404; Sun, 27 Jul 2003 08:29:26 -0700 (PDT)
Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E80043F85; Sun, 27 Jul 2003 08:29:25 -0700 (PDT) (envelope-from hawkeyd@visi.com)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by conn.mc.mpls.visi.com (Postfix) with ESMTP id C1B8982FA; Sun, 27 Jul 2003 10:29:24 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id h6RFTOn15034; Sun, 27 Jul 2003 10:29:24 -0500 (CDT) (envelope-from hawkeyd)
X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail
Date: Sun, 27 Jul 2003 10:29:23 -0500
From: D J Hawkey Jr
To: Socketd
Message-ID: <20030727152923.GA14224@sheol.localdomain>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk> <20030727125136.GA6810@sheol.localdomain> <20030727155239.3205a60b.db@traceroute.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030727155239.3205a60b.db@traceroute.dk>
User-Agent: Mutt/1.4.1i
cc: security@freebsd.org
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hawkeyd@visi.com
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sun, 27 Jul 2003 15:29:27 -0000

On Jul 27, at 03:52 PM, Socketd wrote:
>
> On Sun, 27 Jul 2003 07:51:36 -0500
> D J Hawkey Jr wrote:
>
> > It could certainly be installed from the ports collection, but it
> > would be most useful to me (and p'raps others?) as a boot-time thang.
> > Think of dedicated firewalls and routers, especially those that boot
> > from custom CDs [and p'raps read floppies for "volatile"
> > configuration].
> >
> > In my mind, the conf could be installed as /etc/rc.whatever, and the
> > program could be installed as /usr/local/etc/rc.d/whatever. In this
> > way, it'd be run on boot, and could be run anytime as
> > "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.
>
> Ah, good idea!
>
> LockDown could search for ALL suid and gid files and set the
> permissions according to the conf file; the files not listed there
> would be disabled (or set to a user-specified default)...

Now you're thinking along the lines I'm thinking. Something of a system
hyper- or super-visor.

> ...But then again,
> if an admin installs a port with suid files and forgets to add them to
> the LockDown conf file, they would be disabled the next time LockDown is
> executed.

We-ell, the admin ought not forget that, eh? ;-,

The program could notify the admin in some manner or another when it
disables something - I've written a few scripts that mail a cell 'phone
or pager when they do something that should be known of when it happens.
A log entry via syslogd(8) is mandatory, of course.

> I have also thought about adding these options:
> 1. More kernel help, so you quickly can set up a kernel:
>    kern_using_RAID=""   YES if you are using RAID hardware
>    kern_using_SCSI=""   YES if you are using SCSI hardware
>    kern_using_IPv6=""   YES if you want to use IPv6
>    kern_using_proc=""   YES if you want to use /proc
>    kern_NIC=""          The NICs you use.
>
> 2. Support for most of the files in /etc (and other?)
>
> 3. Give security advice:
>    1. Setting up different daemons
>    2. What ports to install
>    3. How to set up scripts to be used with cron and what to
>       include in them

I wouldn't go too far "out of scope" too fast; you might end up
re-writing Tripwire!

I do like the idea of checking /etc... maybe... using cksum(1), or
something like that. I currently use local periodic(8) scripts, similar
to /etc/periodic/daily/2*, that back up /etc, /etc/mail, and /etc/namedb.

Regarding the above comment about forgetful admins, they also have to
remember to update Tripwire's config file(s), don'tcha know.

> > Were you to go this way, I could see where Core might consider adding
> > your work into the base? I'd lobby for it. :-)
>
> My code in the base system...oh I don't even dare think the beautiful
> thought ;-)

NOTE: I'm not a committer! I only mention the possibility; I can't make
it so.

> > > I use C++
> >
> > Oh. I was hoping you'd answer "shell script" (my preference, for quick
> > 'n easy modification), or "C".
>
> Well, it could be written as a shell script, but I only know C++. If
> someone wants to join this project and write the shell script, I would be
> happy to help with the overall design and documentation.

I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
pro'lly write what you envision in a shell script. I wouldn't want to
re-write a C++ program though; I'm not well versed in C++'s "nuances".

Dave

--
  ______________________                          ______________________
  \__________________   \    D. J. HAWKEY JR.    /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                         http://www.visi.com/~hawkeyd/
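The behaviour the two of them sketch above (find every setuid/setgid file, enforce the mode given in a conf file, strip the bits from anything not listed, and log it via syslog), together with the cksum(1) check of /etc that Dave floats, written as the sort of sh(1) script he says he could write. This is an added example and is not LockDown's code or anything posted in the thread. The conf format (one "PATH MODE" entry per line, '#' comments), the function names, the LOCKDOWN_MAIN guard, the default conf path /etc/lockdown.conf and the auth.notice syslog priority are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not LockDown's code: an allowlist-driven setuid/setgid
# lockdown in portable sh, plus a cksum(1) baseline check for /etc.
# Assumed conf format (one entry per line, '#' comments), e.g.:
#
#   /usr/bin/passwd   4555
#   /usr/bin/su       4555
#
# Any setuid/setgid file under ROOT that is not listed is "disabled" by
# clearing those bits; listed files get the mode from the conf. Every
# change is reported on stdout and sent to syslog through logger(1).

# lockdown_scan ROOT CONF [TAG]
# Prints "keep PATH MODE" for allowlisted files and "strip PATH" for
# unlisted setuid/setgid files whose bits were cleared.
lockdown_scan() {
    root=$1 conf=$2 tag=${3:-lockdown}
    # -perm -4000 / -perm -2000 are POSIX; GNU's "-perm /6000" is not
    # portable to BSD find(1). Paths containing newlines are not handled.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # exact path match in column 1, mode in column 2, comments skipped
        want=$(awk -v p="$f" '!/^[ \t]*#/ && NF >= 2 && $1 == p { print $2; exit }' "$conf")
        if [ -n "$want" ]; then
            chmod "$want" "$f"            # enforce the allowlisted mode
            printf 'keep %s %s\n' "$f" "$want"
        else
            chmod u-s,g-s "$f"            # disable: drop the privilege bits
            logger -t "$tag" -p auth.notice \
                "cleared setuid/setgid on $f (not listed in $conf)" 2>/dev/null || :
            printf 'strip %s\n' "$f"
        fi
    done
}

# is_setid PATH : succeed if PATH carries the setuid or setgid bit
is_setid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -print | grep -q .
}

# etc_baseline DIR OUT : record "crc size path" for every regular file
etc_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# etc_verify DIR BASELINE : print each path whose checksum or size differs
# from BASELINE, or which was added or removed; return 1 if any, else 0
etc_verify() {
    now=$(find "$1" -type f -exec cksum {} + | sort -k3)
    changed=$(printf '%s\n' "$now" | diff "$2" - |
        awk '/^[<>]/ { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }' | sort -u)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Stand-alone use (e.g. from /usr/local/etc/rc.d/lockdown.sh or cron):
#   LOCKDOWN_MAIN=yes sh lockdown.sh / /etc/lockdown.conf
if [ "${LOCKDOWN_MAIN:-}" = yes ]; then
    lockdown_scan "${1:-/}" "${2:-/etc/lockdown.conf}"
fi
```

Two points worth noticing when running this at boot as root. First, the forgetful-admin case from the thread plays out exactly as described: a freshly installed port's setuid helpers get their bits cleared on the next run and stay that way until the admin lists them, so the logger line is what makes that visible rather than leaving a mysteriously broken binary. Second, listed files have their mode enforced, not merely tolerated, so a 4777 left on /usr/bin/passwd is put back to what the conf says; the cksum baseline catches the other class of drift, edits to the files under /etc whose modes never changed.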