Re: Proposal "LUID"

From: Linda Walsh (law@sgi.com)
Date: Mon Apr 17 2000 - 19:26:52 EST


Austin Schutz wrote:
>
> On Mon, Apr 17, 2000 at 05:13:34PM -0700, law@sgi.com wrote:
> > Austin Schutz wrote:
> > > > 1. The audit trail would show that you modified telnetd.
> > >
> > > No, because I didn't modify it. I found a buffer overrun and exploited
> > > it (or I exploited BIND, or sendmail, etc...) and never modified anything.
> > ---
> > But let's say we configured init to set_luid(daemon). All of
> > a sudden we see user 'daemon' starting a shell. *red flag*. In fact,
> > if you had an event daemon monitoring the audit log, I could see it
> > shutting down that process in under 1 second, for example.
> >
> Go back and read my mail again. I explicitly _did not_ start a shell.
> I merely dumped the contents of /etc/shadow. It would theoretically be possible
> to monitor every file access by every daemon, but that's still just a
> band-aid, since some daemons will have permission to access sensitive files
> to begin with.

---
	If only the pam module has access to /etc/shadow, it could make
it just a bit more difficult. Any access not through pam could trigger
an alarm.  At the very least, it's a suspicious audited event.

> > > As long as the machine has not been compromised, I agree. But it
> > > should not give one a false sense of being more secure.
> > ---
> > No it's only designed to measure that a security breach occurred
> > and what the intruder did.
>
> And I still argue that if security has been compromised you may not
> have the opportunity to log the breach.
---
	Naw...just log the breach to another computer or a write-once CDROM,
or a...*omigawd*...line printer. Weeeeee. Let's see ya overwrite my
line printer output! :-) Remember, we are at a physically secure site.
Line printer is connected via SCSI cable and has buffering. If line
printer senses 'out of paper' it sends a signal for the system to go
into maintenance mode (single user).

> (fun secure stuff)
> Sounds nice. Interesting to see how it gets implemented.
---
	Yeah I'll be interested in how it gets implemented too! :-)

Austin

-- 
Linda A Walsh                    | Trust Technology, Core Linux, SGI
law@sgi.com                      | Voice: (650) 933-5338
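The two checks Linda sketches above (a login-uid that init pinned to a daemon account suddenly exec'ing a shell, and a read of /etc/shadow by anything other than the PAM path) as an added example, not code from this thread or from SGI's LUID work. The audit record format, the field names, the uid-to-account table and the allow-list of shadow readers are all constructed assumptions for the example; real Linux audit records differ. It also shows Austin's objection in working form: a daemon that legitimately reads /etc/shadow passes the second check untouched.

```python
"""Toy audit-log watcher for the 'LUID' discussion.

Assumed record format (constructed for this example, not a real audit
spec): one record per line, space-separated key=value pairs, values may
be double-quoted.  'auid' is the login uid fixed at session start and
unchanged by later setuid() calls, which is what lets a root process
still be recognised as 'daemon'.

    type=EXEC auid=1 uid=0 pid=812 exe=/bin/sh
    type=OPEN auid=0 uid=0 pid=815 exe=/bin/login path=/etc/shadow
"""
import re

# Login uids that init would have locked daemons to (constructed table;
# a real monitor would consult the passwd database).
DAEMON_LUIDS = {1: "daemon", 2: "bin", 25: "smmsp"}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/tcsh"}

# Programs allowed to touch /etc/shadow (the PAM path in the thread's
# model).  Constructed allow-list for the example.
SHADOW_READERS = {"/bin/login", "/usr/bin/passwd", "/usr/sbin/sshd"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value audit line into a dict; numeric ids become ints."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    for key in ("auid", "uid", "pid"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def check_record(rec):
    """Return the alert strings (possibly none) raised by one parsed record."""
    alerts = []
    auid = rec.get("auid")
    exe = rec.get("exe", "")
    # Check 1: a daemon's login uid spawning an interactive shell, whatever
    # the effective uid has become since (auid survives setuid()).
    if rec.get("type") == "EXEC" and auid in DAEMON_LUIDS and exe in SHELLS:
        alerts.append(
            f"luid {DAEMON_LUIDS[auid]}({auid}) pid {rec['pid']} exec'd shell {exe}")
    # Check 2: /etc/shadow opened by something outside the PAM allow-list.
    if (rec.get("type") == "OPEN" and rec.get("path") == "/etc/shadow"
            and exe not in SHADOW_READERS):
        alerts.append(
            f"/etc/shadow opened by non-PAM program {exe} (luid {auid}, pid {rec['pid']})")
    return alerts


def scan(lines):
    """Run both checks over audit lines; return (alerts, pids the event
    daemon would terminate).  Killing is left to the caller."""
    alerts, to_kill = [], []
    for line in lines:
        rec = parse_record(line)
        if not rec:
            continue
        found = check_record(rec)
        if found:
            alerts.extend(found)
            to_kill.append(rec["pid"])
    return alerts, to_kill


# Constructed sample log: ordinary user shell, exploited daemon spawning
# a root shell, PAM login reading shadow, Austin's telnetd dump of shadow,
# and a daemon that is allowed to read shadow (and so is not caught).
SAMPLE_LOG = [
    "type=EXEC auid=1000 uid=1000 pid=700 exe=/bin/bash",
    "type=EXEC auid=1 uid=0 pid=812 exe=/bin/sh",
    "type=OPEN auid=0 uid=0 pid=815 exe=/bin/login path=/etc/shadow",
    "type=OPEN auid=1 uid=0 pid=820 exe=/usr/sbin/in.telnetd path=/etc/shadow",
    "type=OPEN auid=0 uid=0 pid=830 exe=/usr/sbin/sshd path=/etc/shadow",
]

if __name__ == "__main__":
    found_alerts, kill_list = scan(SAMPLE_LOG)
    for a in found_alerts:
        print("ALERT:", a)
    print("would terminate pids:", kill_list)
```

The last sample line is the limit Austin points at: sshd is on the allow-list, so a compromised sshd reading /etc/shadow raises nothing, and only the out-of-band log (another host, write-once media) preserves the record of whatever it did next.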




This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:12 EST