Date: Fri, 8 Sep 2006 10:50:45 -0700 (PDT) From: "R. B. Riddick" <arne_woerner@yahoo.com> To: Bigby Findrake <bigby@ephemeron.org> Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter Message-ID: <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com> In-Reply-To: <20060908101441.V90396@home.ephemeron.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--- Bigby Findrake <bigby@ephemeron.org> wrote: > On Wed, 6 Sep 2006, Travis H. wrote: > > Wouldn't it be better to detect /and/ prevent an attempt to change the > > system binaries? > > That's how I interpret that passage from the handbook - that you should > detect *and* prevent. I'm not clear on how anyone is interpreting that > passage to suggest that unequal weight should be given to one side or the > other (detection vs. prevention). The above passage all but says, "don't > do X because that will interfere with Y." I just don't see that advice as > advocating imbalance. > Hmm... I think, this "schg flag"-thing should be done to all files, but invisible to a potential attacker... <-- PROTECTION When some attacker tries to get write access to that file or to move that file around or so, it should result in a log message (like "BAD SU on ...")... <-- DETECTION (I think one of the first messages in this thread suggested that already...) And removing that flag shouldn't be possible so easy, too. Maybe just from the physically safe console... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060908175046.71795.qmail>