boot -s - can i detect intruder

Jason Stone freebsd-security at dfmm.org
Tue Sep 16 02:12:02 PDT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Several people have physical access to my FreeBSD box and I have the feeling
> that somebody try to get access with boot -s options . Can I log activity
> after boot -s option (change user password, install software and etc.).
> I use boot -s and change user password, but after reboot i can't find this
> atcivity in log files.
> The BSD box is shutdown and run again many time at day.

Well, there might be some stuff you can do - maybe you can mod the kernel
to log every execve(2) to a serial port or a line printer - maybe you
could even log over the net or something.

I've seen some patches to bash floating around that make logging of
command history mandatory - this is a pretty useless approach if your
attacker is at all sophisticated, but if the attacker is really clueless,
it might help.  Of course in this case, writing to disk will be
problematic, because when you start up, the filesystem will be mounted
read-only, and you can't necesarily count on any particular filesystem
ever being read-write, and if a filesystem does become read-write, you'll
have to take advantage of it quickly, because you don't know how long it's
going to stay read-write.

You could get a hardware keystroke logger - thinkgeek.com has one, and
another company I forget the name of - find the tinfoilhat linux webpage,
and start following links.  If the attacker doesn't think to look for
something like this, and if you have the money to spend, this might be the
easiest approach for you.


If someone has physical access to your machine, though, there's only so
much you can do.  The attacker can boot external media like floppies or
cd's, and then alter your disk from there.  You could configure the
machine not to boot external media and set a bios password, but then the
attacker could just open the machine, take the hard disk out, plug it into
another computer and alter it there.

Really the only thing you can do is to limit physical access - unless you
are prepared to shell out for tamper-proof machines with crypto hardware,
anyone with physical access can take over your system.


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/ZtPhswXMWWtptckRAiqUAJ0a3fkvuPh2Vxj4veQSeQIBw5X7qACfR3WM
GnNSEeKaC08vpJHMM/BQE3k=
=6Nxn
-----END PGP SIGNATURE-----

More information about the freebsd-security mailing list