Re: suid bit files + securing FreeBSD (new program: LockDown)

From: Socketd (db_at_traceroute.dk)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 01:54:31 +0200
    To: <lee@critesclan.com>, security@freebsd.org
    
    

    On Tue, 29 Jul 2003 16:53:17 -0500
    <lee@critesclan.com> wrote:

    > I might be willing to tinker with a lockdown type shell script to
    > handle that part of it.
    >
    > Another thing: the script/program/process/whatever could send an email
    > to root with a list of the files it found which had improper settings.
    > List the ones without the suid/sgid bit which were changed, and list
    > the ones with them which were changed. That would cover the
    > possibility of a port being installed and having him forget to add it
    > into the list - this would serve as a reminder to actually stick it
    > in.

    Yes, if LockDown finds suid/gid files not listed in the conf file, the
    admin should get a message/mail.

    > Also: perhaps those found with the bits set which were not listed as
    > being allowed could be moved into an obscure subdirectory, sort of the
    > way the PC virus protection programs do. Not only would it not have
    > the bits set, but it would be gone. Then the next time the process
    > runs, if it finds the program out there again, it might assume an
    > attack of some type and send warning emails stating that is the case.
    >
    > And: Since this is a security thing, perhaps we could have a separate
    > daemon which checks the conf file and program periodically, reporting
    > to root when/if either changes. If the conf file changes, then an
    > email might be okay. If the program changes, depending upon some
    > security setting, you might just send an email and you might shut down
    > the network interfaces or some such thing.
    >
    > Perhaps a makefile for the port could update the system so if you
    > installed a new version then this panic attack wouldn't happen.
    >
    > And, optionally, you could let the new unauthorized version sit for a
    > short while, then replace it with the last known good version and run
    > it. Thus if someone hacked the system and noticed the lockdown program
    > and made changes to the conf file, root would be notified of the conf
    > file change by the daemon. But then if they wanted to hack the
    > lockfile script itself, then root would get a message showing the
    > diffs and, say, 5 minutes later, the last known good version would be
    > put back and run - with, perhaps, the last known good version of the
    > conf file being used as well. That would lock out the hacker and he
    > wouldn't even know why or how - and would assume the sysadmin caught
    > him. Make sense?
    >
    > Just some ramblings that you might think about...

    Well, again I have to say that LockDown was not meant to be an IDS. If
    you want a program to monitor suid files, tripwire is good.
    Anyway, having a daemon keeping an eye on the system is a good idea,
    but an attacker with root powers could just kill the process and install
    a rootkit. If you want a program to detect rootkits, we have
    /usr/ports/security/chkrootkit.

    br
    socketd
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
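A shell script of the kind the thread discusses, added here as an example (not LockDown's code and not from either poster): it lists setuid/setgid files under a directory, compares them with a conf file of allowed paths, and reports paths that carry the bit but are unlisted, or are listed but no longer carry it, so the admin can be mailed only when something changed. Assumptions: the conf file holds one absolute path per line with `#` comment lines, and the `/usr/local/etc/lockdown.conf` path in the usage comment is invented.

```shell
#!/bin/sh
# Added example, not LockDown's own code: compare the setuid/setgid files on a
# filesystem against a conf file of allowed paths and report the differences.
# Assumed conf file format: one absolute path per line, '#' lines are comments.

# List every regular file under $1 carrying the setuid or setgid bit,
# sorted so the list can be compared with comm(1).
find_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print one line per discrepancy between the scan of $1 and the list in $2:
#   UNLISTED <path>  bit is set but the path is not in the conf file
#   MISSING <path>   path is in the conf file but has no bit set (or is gone)
# Prints nothing when the system matches the list.
suid_report() {
    found=$(mktemp) || return 2
    allowed=$(mktemp) || { rm -f "$found"; return 2; }
    find_suid_files "$1" > "$found"
    grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' | sort > "$allowed"
    comm -23 "$found" "$allowed" | sed 's/^/UNLISTED /'
    comm -13 "$found" "$allowed" | sed 's/^/MISSING /'
    rm -f "$found" "$allowed"
}

# Exit 0 when everything matches, 1 when there is something to report
# (so a cron job can decide whether to mail the report to root).
suid_check() {
    report=$(suid_report "$1" "$2") || return 2
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use from cron (conf path is an assumed, hypothetical location):
#   if ! report=$(suid_check / /usr/local/etc/lockdown.conf); then
#       printf '%s\n' "$report" | mail -s "suid/sgid changes" root
#   fi
```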

