From owner-freebsd-hackers  Mon Mar 11 12: 2:31 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from magellan.palisadesys.com (magellan.palisadesys.com [192.188.162.211])
	by hub.freebsd.org (Postfix) with ESMTP id A756937B405
	for <freebsd-hackers@FreeBSD.ORG>; Mon, 11 Mar 2002 12:02:28 -0800 (PST)
Received: from mira (mira.palisadesys.com [192.188.162.116])
	(authenticated (0 bits))
	by magellan.palisadesys.com (8.11.6/8.11.6) with ESMTP id g2BK22w14735
	(using TLSv1/SSLv3 with cipher RC4-MD5 (128 bits) verified NO);
	Mon, 11 Mar 2002 14:02:02 -0600
From: "Guy Helmer" <ghelmer@palisadesys.com>
To: "Jeff Jirsa" <jjirsa@hmc.edu>, <freebsd-hackers@FreeBSD.ORG>
Subject: RE: logging securelevel violations
Date: Mon, 11 Mar 2002 14:02:21 -0600
Message-ID: <FPEBKMIFGFHCGLLKBLMMOEGOCAAA.ghelmer@palisadesys.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
In-Reply-To: <002001c1c936$c25ff4d0$5e3bad86@boredom>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Jeff Jirsa wrote:
> I've noticed that currently, violations of securelevel are
> aborted, but not
> typically logged. It seems like in addition to aborting whichever
> calls are
> in progress, logging an error might be beneficial. I recognize that this
> goes along the same lines as logging file permission errors, but if a file
> is marked immutable, the implicit value of the file should
> suggest that one
> might want to be able to audit attempted changes to that file.

I think this would be useful, but I would be concerned about the rate at
which these messages could come when someone is actively attacking a system.
Perhaps such messages could go through a rate limiter mechanism similar to
that now used by the network interfaces.

I am not certain whether this addition would affect the TrustedBSD work,
either.

Guy Helmer


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message