Mounting filesystems with "noexec"
markzero
mark at darklogik.org
Thu Sep 22 04:59:26 PDT 2005
[ oops, ommitted the CC line to freebsd-security@ ]
May I throw in my two euros?
security.noexec.log_bin: /sbin/trusted_logging_prog
security.noexec.log_maxrate: N
security.noexec.log_enabled: 0
security.noexec.log_enabled refuses to enable itself unless
security.noexec.log_bin exists and has the correct permissions, etc.
security.noexec.log_maxrate is the maximum allowed number of logs
per second. If this rate is exceeded, wait for a preset grace period
and then if logs are still pouring in, stop accepting logs and
periodically write a loud WARNING line to the log (this would be
watched by something like logcheck to alert the administrator).
This would prevent the flood of logging taking out the machine and
the grace period should allow enough logging to make sure we know
who the culprit was.
Of course, this is all theoretical. There's most likely a glaring
error or omission...
M
PS: could this be implemented with the MAC framework somehow? Isn't
this sort of thing exactly what it was meant for?
--
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43
----- End forwarded message -----
--
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 825 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050922/2eb30f46/attachment.bin
More information about the freebsd-security
mailing list