Re: comments on handbook chapter
--- Bigby Findrake <bigby@ephemeron.org> wrote:
> On Wed, 6 Sep 2006, Travis H. wrote:
> > Wouldn't it be better to detect /and/ prevent an attempt to change the
> > system binaries?
>
> That's how I interpret that passage from the handbook - that you should
> detect *and* prevent. I'm not clear on how anyone is interpreting that
> passage to suggest that unequal weight should be given to one side or the
> other (detection vs. prevention). The above passage all but says, "don't
> do X because that will interfere with Y." I just don't see that advice as
> advocating imbalance.
>
Hmm...
I think this "schg flag" thing should be done to all files, but invisible to a
potential attacker... <-- PROTECTION
When some attacker tries to get write access to that file or to move that file
around or so, it should result in a log message (like "BAD SU on ...")... <--
DETECTION (I think one of the first messages in this thread suggested that
already...)
And removing that flag shouldn't be possible so easily, either. Maybe just from the
physically safe console...
-Arne
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"