Date: Sat, 18 Sep 1999 01:02:56 -0600 From: Wes Peters <wes@softweyr.com> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: Warner Losh <imp@village.org>, Brett Glass <brett@lariat.org>, security@FreeBSD.ORG Subject: Re: BPF on in 3.3-RC GENERIC kernel Message-ID: <37E33920.A768C899@softweyr.com> References: <199909180624.XAA50611@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Rodney W. Grimes" wrote:
>
> Once you read the article you will see just how flawed ``schg'' is. It
> only attempts to prevent action, it does not send out any alarms.
>
> The propasal that jdp has on a socket sort of notification facility for
> all file system modifications is a long was ahead of what could ever
> be done with schg, as that tool would give us the ability to real time
> audit even attempts at cracking on the system. ACF2 in the mainframe
> world, and the VMS AUDIT tools are good examples of what can be done
> with this type of feature. Real time alarms if someone even _tries_
> to modify a schg file is what is missing... someone turning off
> schg on a file is another thing missing... or accessing the disk
> through the raw device to reset the bit, etc, etc...
I once spend a few days looking into a filesystem monitor. It was a good
idea, but the powers that be decided they should leave that level of
intervention to the system vendors (SunOS, Ultrix, etc). I told them I
could do it by trapping the syscalls and they got the willies. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://softweyr.com/ wes@softweyr.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37E33920.A768C899>