Date: Fri, 17 Sep 1999 15:59:11 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Warner Losh <imp@village.org>
Cc: Brett Glass <brett@lariat.org>, Liam Slusser <liam@tiora.net>, Kenny Drobnack <kdrobnac@mission.mvnc.edu>, "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>, security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
Message-ID: <199909172259.PAA55902@apollo.backplane.com>
References: <4.2.0.58.19990917160519.047cc890@localhost> <Your message of "Thu, 16 Sep 1999 18:54:24 MDT." <4.2.0.58.19990916185341.00aaf100@localhost> <4.2.0.58.19990916185341.00aaf100@localhost> <Pine.GSO.3.96.990916150427.5757E-100000@mission.mvnc.edu> <199909172208.QAA05554@harmony.village.org>
:Yes.  Automation would help.  Today you almost have to do
:    chflags schg /usr/{s,}bin/* /{s,}bin/* /usr/libexec/* /etc/* /usr/lib/*
:to get started, but even that leaves a few holes...
:
:I'd love to see an intelligent automation tool and would happily
:review it.  Sadly, I don't have the time to write and maintain said
:tool.
:
:Warner

At BEST I cared about two things security-wise: (1) preventing non-root users from being able to gain root, and (2) detecting those intrusions that actually manage to break through to root.

Making a system reasonably secure does not equate to protecting root from itself. If someone has root, you've lost. Period. It doesn't matter whether they can modify the system or not, you've still lost. Trying to protect root from itself only prevents your security scripts from detecting the fact that you've lost.

In that respect, I find chflags utterly useless and the securelevel only moderately less so. All they do is prevent the hacker from making changes that would otherwise cause his presence to be detected. I still use it to some degree -- I think a distinction should absolutely be made between raw device access and access through a filesystem, but the primary purpose of those tools is simply to create enough of a delay to be able to react to a situation.

Having the schg flag and securelevel gives you useful tools, but you shoot yourself in the foot if you overuse them or come to depend on them. Believe me, chflagging half the files in / and /usr to schg is a major overuse. By the time you've schg'd everything to the point where root is supposedly 'safe', you might as well have simply mounted / and /usr read-only in the first place. It would have been easier.

This is what I might recommend for a poor sysadmin's security:

* Set up the systems.
* Quietly do a read-only NFS export of everything from every system to a secure security box that only one or two people can get into.
* Have that box md5 (etc....) and test the files for changes, for suid bits, and so forth. Once a night, every night, and have it notify you if something changes. Check system configuration files even more often - it doesn't cost you a thing to check a dozen or two files on every machine once every 5 minutes!

I'm going to update my security page ( man 'security' ), it's a little dated.

-Matt

Matthew Dillon
<dillon@backplane.com>
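The nightly check Matt describes, as an added example that is not part of the original message or of FreeBSD: a small POSIX sh script that snapshots permissions and an md5 digest of every regular file under a tree, stores that as a baseline, and on later runs reports changed, added or removed files and lists setuid/setgid binaries. The tree layout, the function names (`snapshot`, `baseline`, `check`, `list_suid`, `demo`) and the planted "trojan" in the demo are all constructed for illustration. It assumes the monitored host's filesystems are mounted read-only (for example over NFS, as in the post) at the path passed as ROOT on the security box, and that the baseline file lives on the security box, outside the monitored tree, so a root compromise on the monitored host cannot rewrite it. `md5sum` (GNU/Linux) is used when present, otherwise `md5 -q` (BSD).

```shell
#!/bin/sh
# Added example: minimal host-integrity check in the spirit of the message above.
# ROOT is the (read-only, e.g. NFS-mounted) tree to watch; BASELINE is a file kept
# on the security box. Everything below is constructed for the demo, not real hosts.

# snapshot ROOT: print "perms md5 relpath" for every regular file under ROOT,
# sorted so that two snapshots of the same tree are byte-for-byte comparable.
snapshot() {
    root=$1
    find "$root" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        perms=$(ls -ld "$f" | cut -d' ' -f1)        # e.g. -rwsr-xr-x: suid shows as 's'
        if command -v md5sum >/dev/null 2>&1; then
            sum=$(md5sum "$f" | cut -d' ' -f1)       # GNU/Linux
        else
            sum=$(md5 -q "$f")                       # BSD
        fi
        printf '%s %s %s\n' "$perms" "$sum" "${f#"$root"}"
    done
}

# baseline ROOT FILE: record the snapshot once, right after the system is set up.
baseline() { snapshot "$1" > "$2"; }

# check ROOT FILE: compare the live tree with the recorded baseline.
# Prints one "< old" / "> new" line per changed, added or removed file.
# Returns 0 if nothing changed, 1 otherwise (so cron can mail on failure).
check() {
    snapshot "$1" > "$2.now"
    if cmp -s "$2" "$2.now"; then
        rm -f "$2.now"
        return 0
    fi
    diff "$2" "$2.now" | grep '^[<>]'
    rm -f "$2.now"
    return 1
}

# list_suid ROOT: every setuid or setgid regular file under ROOT. A new entry
# here after the baseline was taken is the classic sign of a planted backdoor.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# demo: build a constructed tree, take a baseline, then simulate an intruder who
# replaces a binary and drops a setuid shell, and show that both are reported.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/bin" "$tmp/root/etc"
    printf 'original ls binary\n' > "$tmp/root/bin/ls"
    chmod 755 "$tmp/root/bin/ls"
    printf 'root:*:0:0:root:/root:/bin/sh\n' > "$tmp/root/etc/passwd"

    baseline "$tmp/root" "$tmp/baseline.db"
    check "$tmp/root" "$tmp/baseline.db" && echo "clean: no changes since baseline"

    printf 'trojaned ls binary\n' > "$tmp/root/bin/ls"   # attacker replaces a binary
    printf 'x\n' > "$tmp/root/bin/.sh"                  # ... and plants a suid shell
    chmod 4755 "$tmp/root/bin/.sh"

    check "$tmp/root" "$tmp/baseline.db" || echo "ALERT: tree differs from baseline"
    echo "setuid/setgid files now:"
    list_suid "$tmp/root" | sed "s|^$tmp/root||"
    rm -rf "$tmp"
    return 0
}

demo
```

Run `baseline` once per exported host after setup, then schedule `check` from cron on the security box: nightly over the whole export, and every five minutes over a small list such as /etc, with the non-zero exit wired to a mail or pager alert. Because the baseline and the script run on a box the monitored host's root cannot reach, the check still works after a compromise, which is exactly the detection Matt argues chflags and securelevel cannot give you.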