Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Jul 1999 06:51:58 -0500 (CDT)
From:      Mike Pritchard <mpp@mpp.pro-ns.net>
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        green@FreeBSD.org (Brian F. Feldman), jgreco@ns.sol.net (Joe Greco), hackers@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907271151.GAA02583@mpp.pro-ns.net>
In-Reply-To: <199907270348.UAA49943@apollo.backplane.com> from Matthew Dillon at "Jul 26, 1999 08:48:28 pm"

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> :>     There may be some confusion here.  I am advocating that we *allow* the
> :>     zeroing of counters at secure level 3.
> :
> :Which is what I am advocating against.
> 
>     Let me put it a different way:
> 
>     ipfw allows you to clear counters.  It is a feature that already exists.
> 
>     However, it does not allow you to do it if you are sitting at secure
>     level 3.
> 
>     Why not?  I can't think of any good reason why clearing the counters 
>     should be disallowed when sitting at a higher secure level.  The counters
>     are nothing more then statistics.  Clearing statistics is not a security
>     threat.

But it might be hiding a real security threat/attack or a real breakin.  
Say I've spent all night trying to hack into your machine and finally get in.  
If I can reset all of ipfw's counters back to zero, and this is 
something your security checking scripts are checking, you might not 
think that anyone has even been trying to break into your machine, much
less made it into the machine.  If I have some inside information, 
I could probably even get the counters back into the range where you
might expect them to be at.

Hopefully if this were to happen, you might see some other console/syslog
messages or something else that catches your eye, but then again,
maybe not.

Just to help out people running at higher security levels, you could
always implement something that lets you reset the values to some
higher value that is easy to do computations from.  E.g. 

ipfw --increment_counters=20000

Which would bump all of the counters up to the value of "20000", assuming
they are all still less than that value.  That way if you are trying
to do some testing/debugging/counting after setting the counters, at 
least you have a nice round number to subtract from the current values.
-- 
Mike Pritchard
mpp@FreeBSD.ORG or mpp@mpp.pro-ns.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?199907271151.GAA02583>