Date: Sat, 18 Sep 1999 01:02:56 -0600 From: Wes Peters <wes@softweyr.com> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: Warner Losh <imp@village.org>, Brett Glass <brett@lariat.org>, security@FreeBSD.ORG Subject: Re: BPF on in 3.3-RC GENERIC kernel Message-ID: <37E33920.A768C899@softweyr.com> References: <199909180624.XAA50611@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Rodney W. Grimes" wrote: > > Once you read the article you will see just how flawed ``schg'' is. It > only attempts to prevent action, it does not send out any alarms. > > The propasal that jdp has on a socket sort of notification facility for > all file system modifications is a long was ahead of what could ever > be done with schg, as that tool would give us the ability to real time > audit even attempts at cracking on the system. ACF2 in the mainframe > world, and the VMS AUDIT tools are good examples of what can be done > with this type of feature. Real time alarms if someone even _tries_ > to modify a schg file is what is missing... someone turning off > schg on a file is another thing missing... or accessing the disk > through the raw device to reset the bit, etc, etc... I once spend a few days looking into a filesystem monitor. It was a good idea, but the powers that be decided they should leave that level of intervention to the system vendors (SunOS, Ultrix, etc). I told them I could do it by trapping the syscalls and they got the willies. ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://softweyr.com/ wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37E33920.A768C899>