From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 09:46:12 2003
Date: Sun, 27 Jul 2003 18:55:32 +0200
From: Socketd
To: hawkeyd@visi.com, security@freebsd.org
Message-Id: <20030727185532.70c0b4b9.db@traceroute.dk>
In-Reply-To: <20030727152923.GA14224@sheol.localdomain>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk> <20030727125136.GA6810@sheol.localdomain> <20030727155239.3205a60b.db@traceroute.dk> <20030727152923.GA14224@sheol.localdomain>
X-Mailer: Sylpheed version 0.8.10claws (GTK+ 1.2.10; i386-portbld-freebsd4.8)
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Sun, 27 Jul 2003 10:29:23 -0500
D J Hawkey Jr wrote:

> > LockDown could search for ALL suid and gid files and set the
> > permissions accordingly to the conf file, the files not listed there
> > would be disabled (or set to a user specified default)...
>
> Now you're thinking along the lines I'm thinking. Something of a
> system hyper- or super-visor.

Well, I don't know if we are thinking along the same lines. LockDown is
not meant to be an IDS or system monitor program, just a quick secure
setup helper.

> I do like the idea of checking /etc... maybe... using cksum(1), or
> something like that. I currently use local periodic(8) scripts,
> similar to /etc/periodic/daily/2*, that backs up /etc, /etc/mail, and
> /etc/namedb.

By /etc support I meant options like rc_conf, login_class and openssh
for "all" files in /etc.

> NOTE: I'm not a committer! I only mention the possibility; I can't
> make it so.

Hehe, I know :-)

> I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
> pro'lly write what you envision in a shell script. I wouldn't want to
> re-write a C++ program though; I'm not well versed in C++'s "nuances".

The program is really easy to write since it only changes file
permissions and adds text to some files in /etc (and other easy to write
stuff).

br
socketd
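The LockDown behaviour socketd describes above (find every setuid/setgid file, apply the mode from a conf file, and disable whatever is not listed), written as an added sh(1) example that is not LockDown's code nor anything posted in the thread; the function name, the allow-list format and the report-only default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not LockDown's or FreeBSD's code: audit every setuid/setgid
# file under a tree against an allow-list.
# Allow-list format (assumed): one "<path> <chmod mode>" per line, e.g.
# "/usr/bin/passwd 4555"; blank lines and '#' comments are ignored.
# Prints "listed <path> <mode>" or "unlisted <path>" per file found.
# With the third argument set to 1, listed files get their configured mode
# and unlisted files lose both special bits; otherwise it only reports.
# Returns 1 when any unlisted file exists, so it fits a periodic(8) script.
audit_suid() {
    root=$1; conf=$2; enforce=${3:-0}
    tmp=$(mktemp) || return 2
    # -perm -4000 / -2000 means "all of these bits set" (POSIX find syntax).
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sort > "$tmp"
    bad=0
    while IFS= read -r f; do
        # Exact path match on field 1; comment lines never match a path.
        mode=$(awk -v p="$f" '$1 == p { print $2; exit }' "$conf")
        if [ -n "$mode" ]; then
            echo "listed $f $mode"
            [ "$enforce" = 1 ] && chmod "$mode" "$f"
        else
            echo "unlisted $f"
            bad=$((bad + 1))
            [ "$enforce" = 1 ] && chmod u-s,g-s "$f"
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$bad" -eq 0 ]
}
```

A dry run (`audit_suid / /etc/lockdown.conf`) lists what would change before anything is enforced with `audit_suid / /etc/lockdown.conf 1`.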