Date:      Fri, 17 Sep 1999 15:59:11 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Warner Losh <imp@village.org>
Cc:        Brett Glass <brett@lariat.org>, Liam Slusser <liam@tiora.net>, Kenny Drobnack <kdrobnac@mission.mvnc.edu>, "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>, security@FreeBSD.ORG
Subject:   Re: BPF on in 3.3-RC GENERIC kernel 
Message-ID:  <199909172259.PAA55902@apollo.backplane.com>
References:  <4.2.0.58.19990917160519.047cc890@localhost>  <Your message of "Thu, 16 Sep 1999 18:54:24 MDT." <4.2.0.58.19990916185341.00aaf100@localhost> <4.2.0.58.19990916185341.00aaf100@localhost> <Pine.GSO.3.96.990916150427.5757E-100000@mission.mvnc.edu>  <199909172208.QAA05554@harmony.village.org>


:Yes.  Automation would help.  Today you almost have to do
:	chflags schg /usr/{s,}bin/* /{s,}bin/* /usr/libexec/* /etc/* /usr/lib/*
:to get started, but even that leaves a few holes...
:
:I'd love to see an intelligent automation tool and would happily
:review it.  Sadly, I don't have the time to write and maintain said
:tool.
:
:Warner

    At BEST I cared about two things security-wise:  (1) preventing non-root
    users from being able to gain root, and (2) detecting those intrusions 
    that actually manage to break through to root.

    Making a system reasonably secure does not equate to protecting root from
    itself.  If someone has root, you've lost.  Period.  It doesn't matter
    whether they can modify the system or not, you've still lost.  Trying 
    to protect root from itself only prevents your security scripts from 
    detecting the fact that you've lost.

    In that respect, I find chflags utterly useless and the securelevel only
    moderately less so.  All they do is prevent the hacker from making changes
    that would otherwise cause his presence to be detected.  I still use it
    to some degree -- I think a distinction should absolutely be made between
    raw device access and access through a filesystem, but the primary purpose
    of those tools is simply to create enough of a delay to be able to react to
    a situation.

    Having the schg flag and securelevel give you useful tools, but you
    shoot yourself in the foot if you overuse them or come to depend on them.

    Believe me, chflaging half the files in / and /usr to schg is a major
    overuse.  By the time you've schg'd everything to the point where root 
    is supposedly 'safe', you might as well have simply mounted / and /usr
    read-only in the first place.  It would have been easier.

    This is what I might recommend for a poor-sysad's security:

	* Set up the systems

	* Quietly do a read-only NFS export of everything from every system
	  to a secure security box that only one or two people can get into.

	* Have that box md5 (etc....) and test the files for changes, for
	  suid bits, and so forth.  Once a night, every night, and to notify
	  you if something changes.

	  Check system configuration files even more often - doesn't cost 
	  you a thing to check a dozen or two files on every machine once
	  every 5 minutes!

    I'm going to update my security page ( man 'security' ), it's a little
    dated.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
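The nightly check Matt sketches above (hash every file on a read-only mount, compare against a stored baseline, and flag suid bits) is the kind of thing a short script on the "security box" can do. The following is an added example, not code from the original message or from the FreeBSD project; it assumes the exported tree is reachable on the checking host (for instance as a read-only NFS mount) and that either md5sum(1) or FreeBSD's md5(1) is available. The function names (manifest, compare, privileged, demo) and the sample tree built by demo are hypothetical.

```shell
#!/bin/sh
# Added example: a minimal baseline-and-compare integrity check in the spirit
# of the nightly md5 run described in the message. Not the project's own code.
# Assumes the tree to check is reachable locally (e.g. a read-only NFS mount)
# and that md5sum(1) or FreeBSD md5(1) exists on this host.

# Print the md5 of one file, using whichever tool the host provides.
hashfile() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# manifest ROOT: one sorted line per regular file under ROOT:
#   relative-path md5 mode owner group
# Mode/owner/group come from ls -ld fields 1, 3 and 4 (portable across BSD/GNU).
manifest() {
    mroot=$1
    ( cd "$mroot" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        set -- $(ls -ld "$mroot/$rel")
        printf '%s %s %s %s %s\n' "$rel" "$(hashfile "$mroot/$rel")" "$1" "$3" "$4"
    done
}

# compare BASELINE CURRENT: print ADDED/REMOVED/CHANGED lines, one per file.
# Any difference in content, mode, owner or group is reported as CHANGED.
compare() {
    awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }
        {
            if (!($1 in base))       print "ADDED " $1
            else if (base[$1] != $0) print "CHANGED " $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# privileged ROOT: list setuid/setgid regular files (the "suid bits" check).
privileged() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort )
}

# demo: build a small constructed sample tree, record a baseline, apply the
# kinds of changes the nightly run is meant to catch, and print the report.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/etc"
    printf 'ls binary\n' > "$tmp/bin/ls"
    printf 'ps binary\n' > "$tmp/bin/ps"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$tmp/etc/master.passwd"

    manifest "$tmp" > "$tmp.baseline"

    # Constructed changes: one binary modified, one removed, one new setuid file.
    printf 'ls binary, modified\n' > "$tmp/bin/ls"
    rm "$tmp/bin/ps"
    printf 'shell\n' > "$tmp/bin/.sh"
    chmod 4755 "$tmp/bin/.sh"

    manifest "$tmp" > "$tmp.current"
    compare "$tmp.baseline" "$tmp.current"
    privileged "$tmp" | sed 's/^/SUID /'

    rm -rf "$tmp" "$tmp.baseline" "$tmp.current"
}
```

Run `demo` to see the report for the constructed tree; in real use you would run `manifest` once to store a baseline on the security box, then run `manifest` and `compare` nightly (and `manifest` over /etc alone every few minutes, as the message suggests), mailing any non-empty output. Because the manifest records mode and owner as well as the hash, a file whose suid bit is newly set shows up both as CHANGED and in the `privileged` listing.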
