Re: suid bit files + securing FreeBSD (new program: LockDown)

From: Socketd (db_at_traceroute.dk)
Date: 07/27/03

  • Next message: Peter Rosa: "Re: suid bit files + securing FreeBSD (new program: LockDown)" 
    Date: Sun, 27 Jul 2003 15:52:39 +0200
To: hawkeyd@visi.com, security@freebsd.org

    On Sun, 27 Jul 2003 07:51:36 -0500
    D J Hawkey Jr <hawkeyd@visi.com> wrote:

    > CC'ing security@ now, since you did.

    Oh sorry, didn't see that you only replied to me :-)

    > Would you consider my above suggestion?

    > It could certainly be installed from the ports collection, but it
    > would be most useful to me (and p'raps others?) as a boot-time thang.
    > Think of dedicated firewalls and routers, especially those that boot
    > from custom CDs [and p'raps read floppies for "volatile"
    > configuration].
    >
    > In my mind, the conf could be installed as /etc/rc.whatever, and the
    > program could be installed as /usr/local/etc/rc.d/whatever. In this
    > way, it'd be run on boot, and could be run anytime as
    > "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

    Ah, good idea!

    > I'm thinking of rootkits and whatnot that drop a SUID/SGID program on
    > a box and force a reboot to "kick it in". Your program, by enforcing
    > the"rules" in the conf, could remove the exec bits on the trojan, or
    > just blow the trojan away. I realize I might be widening the scope
    > here...

    Hmm, if an attacker got root and installed a rootkit LockDown would be
    of no help. LockDown was meant to automatically setup a secure machine
    using the facilities that are already in the base system, but you gave
    me an idea! LockDown could search for ALL suid and gid files and set the
    permissions accordingly to the conf file, the files not listed there
    would be disabled (or set to a user specified default). But then again,
    if an admin installs a port with suid files and forget to add them to
    the LockDown conf file, they would be disabled the next time LockDown is
    executed.

    I have also thought about adding these options:
    1. More kernel help, so you quickly can setup a kernel:
            kern_using_RAID="" YES if you are using raid hardware
            kern_using_SCSI="" YES if you are using SCSI hardware
            kern_using_IPv6="" YES if you want to use IPv6
            kern_using_proc="" YES if you want to use /proc
            kern_NIC="" The nic's you use.

    2. Support for most of the files in /etc (and other?)

    3. Give security adwise:
            1. Setting up different daemons
            2. What ports to install
            3. How to setup scripts to be used with cron and what to include in
    them

    > Were you to go this way, I could see where Core might consider adding
    > your work into the base? I'd lobby for it. :-)

    My code in the base system...oh I don't even dare think the beautiful
    thought ;-)

    > > I use C++
    >
    > Oh. I was hoping you'd answer "shell script" (my preference, for quick
    > 'n easy modification), or "C".

    Well, it could be written as a shell script, but I only know C++. If
    someone want to join this project and write the shell script, I would be
    happy to help with the overall design and documentation.

    br
    socketd
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Peter Rosa: "Re: suid bit files + securing FreeBSD (new program: LockDown)"

    Relevant Pages