From owner-freebsd-security Tue Jan 18 8:10:37 2000
Message-Id: <200001181605.IAA48520@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
To: Omachonu Ogali
Cc: Adam , Will Andrews , freebsd-security@FreeBSD.ORG
Subject: Re: Parent Logging Patch for sh(1)
In-reply-to: Your message of "Mon, 17 Jan 2000 21:04:07 EST."
Date: Tue, 18 Jan 2000 08:05:15 -0800
Sender: owner-freebsd-security@FreeBSD.ORG

In message , Omachonu Ogali writes:
> http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> username logging along with a deny list (/etc/sh.deny).
>
> And in reference to Keith Stevenson's 'So?', if you can determine the
> point of entry in an intrusion you can backtrack to where it originated,
> the main reason I created that patch was to allow a system administrator
> to backtrack in the case of an intrusion.

A couple of points re the patch:

1. Exploits are tailored, e.g. offsets, instructions, etc., for each
   targeted platform. All a cracker needs to do is use /bin/csh to
   circumvent this on FreeBSD systems. Since most people install another
   shell, e.g. bash, exploits can be altered to use other shells. Though
   I haven't had a chance to think about alternative solutions, I think
   we need to step back and look at the bigger picture. If I may offer a
   half-baked idea: why not a kernel module that implements the access
   list at execve(2) for any shell or binary? The reason for a kernel
   module is that not everyone would want the latency that this would
   cause nor the extra kernel memory. It could also be a kernel option
   for static link into the kernel. Another idea might be that Robert
   Watson's logging and ACLs could be extended to implement this.
   Robert, care to comment?

1a. Related to #1 above, all a cracker needs to do is transfer his own
   shell to the victim system, thereby circumventing all of #1. In this
   case a non-executable stack and jail(2) are your friends. A
   non-executable stack for FreeBSD was discussed here in the past. I'm
   not sure whether anyone is implementing this or not under FreeBSD.

2. The patch relies on a /proc filesystem. The proc filesystem has had
   security issues in the past, a reason why some don't use it. At the
   very least the patch should be #ifdef'd or should check for the
   existence of proc being mounted before proceeding.

Any other ideas?
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD
Province of BC

"e**(i*pi)+1=0"