comments on handbook chapter

R. B. Riddick arne_woerner at yahoo.com
Fri Sep 8 10:50:54 PDT 2006


--- Bigby Findrake <bigby at ephemeron.org> wrote:
> On Wed, 6 Sep 2006, Travis H. wrote:
> > Wouldn't it be better to detect /and/ prevent an attempt to change the
> > system binaries?
> 
> That's how I interpret that passage from the handbook - that you should 
> detect *and* prevent.  I'm not clear on how anyone is interpreting that 
> passage to suggest that unequal weight should be given to one side or the 
> other (detection vs. prevention).  The above passage all but says, "don't 
> do X because that will interfere with Y."  I just don't see that advice as 
> advocating imbalance.
> 
Hmm...

I think this "schg flag" thing should be done to all files, but invisible to a
potential attacker... <-- PROTECTION

When some attacker tries to get write access to that file or to move that file
around or so, it should result in a log message (like "BAD SU on ...")... <--
DETECTION (I think one of the first messages in this thread suggested that
already...)

And removing that flag shouldn't be so easy, either. Maybe just from the
physically safe console...

-Arne
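As an added example (not code from the original post, the handbook, or the FreeBSD project), a small sh script that checks a FreeBSD `ls -lo` listing for binaries that do not carry the schg (system immutable) flag, which is the verification step the "do it to all files" suggestion above needs. The listing embedded in the script is constructed sample data and the file names are illustrative; on a real FreeBSD box you would pipe `ls -lo /bin /sbin` into it instead. It needs only sh and awk, so it runs anywhere; the chflags and securelevel commands in the trailing comment are FreeBSD-specific.

```shell
#!/bin/sh
# Added example: find files in a FreeBSD `ls -lo` listing that lack schg.
# FreeBSD's `ls -lo` prints the file flags column between the group and the
# size (on Linux, -o means something else, so the listing below is constructed).

# Constructed sample of `ls -lo` output; the paths and sizes are illustrative.
SAMPLE_LISTING='total 4
-r-xr-xr-x  1 root  wheel  schg       12345 Sep  8  2006 /bin/ls
-r-xr-xr-x  1 root  wheel  -          23456 Sep  8  2006 /bin/sh
-r-xr-xr-x  1 root  wheel  schg,uchg  34567 Sep  8  2006 /sbin/init
-r-xr-xr-x  1 root  wheel  uchg       45678 Sep  8  2006 /sbin/fsck'

# missing_schg: read an `ls -lo` listing on stdin and print, one per line,
# the names of entries whose flags field (column 5) does not include "schg".
# "total" lines are skipped; a flags field of "-" means no flags at all.
missing_schg() {
    awk '$1 ~ /^[-lbcdps]/ && NF >= 10 {
            n = split($5, flags, ",")
            has = 0
            for (i = 1; i <= n; i++) if (flags[i] == "schg") has = 1
            if (!has) print $NF
        }'
}

# check_sample: run the check over the constructed listing above.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | missing_schg
}

# On a real FreeBSD system (not run here):
#   ls -lo /bin /sbin | missing_schg     # detection: which binaries lack schg
#   chflags schg /bin/sh                 # protection: set the system-immutable flag
#   sysctl kern.securelevel=1            # schg can no longer be cleared while the
#                                        # system runs; lowering securelevel requires
#                                        # a reboot to single-user mode at the console
```

The script prints /bin/sh and /sbin/fsck for the sample: /bin/sh has no flags at all, and uchg on /sbin/fsck is the user-clearable flag, which root can remove at any securelevel, so it gives none of the protection the post is after.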

