From owner-freebsd-security Sun Sep 19 12:34:06 1999
Date: Sun, 19 Sep 1999 13:33:48 -0600
From: Nate Williams <nate@mt.sri.com>
To: Brett Glass
Cc: Wes Peters, "Rodney W. Grimes", Warner Losh, security@FreeBSD.ORG
Subject: Re: Real-time alarms
Message-Id: <199909191933.NAA25843@mt.sri.com>
In-Reply-To: <4.2.0.58.19990918201409.047f9f00@localhost>
References: <199909180612.AAA00597@harmony.village.org> <4.2.0.58.19990918093306.047917c0@localhost> <37E4449B.ADDD68EE@softweyr.com> <4.2.0.58.19990918201409.047f9f00@localhost>

> >This is what we're talking about with the auditing facility. There are
> >a lot of architectural issues to be solved, starting with "what is an
> >alarm" and ending with "how do I securely transmit the alarms to those
> >who need to know about them"?
> >
> >Fun stuff, eh?
> Loads.

My company is doing a lot of research work in this area, and I'm involved on the periphery on a number of them. Suffice it to say that there are some huge hurdles to cross that no one has any good ideas on how to solve the problems.

> Indeed. Fortunately, many of the tools are already available. E-mail comes
> to mind as the simplest solution to the above, though certainly not the
> only one.

And a very poor one. Email is trivial to forge and/or snarf, and is not secure by any stretch of the imagination.

One of the rules that you must think about is that:

1) They have root, you just don't know it. No system is 100% secure (except one that is smashed into billions of tiny pieces), and there is no way to completely protect a system from being broken into. If you believe that it is possible, then the conversation can stop.

2) You want to be informed that they *have* broken into the system ASAP.

The bottom line is that you want to make your system difficult to get into, as well as make it *very* hard for them to do anything bad on the system before you have a chance to respond.

Case in point. Tripwire is *NOT* a break-in-avoidance system, it's a break-in-detection system. Break-in detection systems are at best poor and at worst useless, and so far no one has found a way to make them any better. :(

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
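The detection-versus-avoidance distinction Nate draws for Tripwire, as an added example that is not part of the thread or of Tripwire itself: a minimal integrity checker that baselines SHA-256 digests of a file tree and later reports what changed. The file names and contents are constructed for the demo; like Tripwire, it can only tell you after the fact that someone with write access altered, added or removed files, and it is only as trustworthy as the copy of the baseline the intruder could not reach.

```python
# Added example (not from the mailing list or Tripwire). A Tripwire-style
# integrity check: it detects changes after the fact, it prevents nothing.
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline


def compare(baseline, current):
    """Report files whose digest changed, that appeared, or that vanished."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        originals = (("bin/login", b"original login binary"),
                     ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                     ("var/log/messages", b"Sep 19 13:33:48 login: ok\n"))
        for rel, data in originals:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)   # would live on read-only media
        # Simulated post-compromise activity: a replaced binary, a new
        # unexpected file, and a deleted log. The baseline cannot stop any
        # of this; a later check can only surface it.
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"replaced login binary")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"file that was not in the baseline")
        os.remove(os.path.join(root, "var", "log", "messages"))
        return compare(baseline, build_baseline(root))
```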