Re: a cd key
On Fri, 18 May 2007 18:16:03 -0400 Clint M. Sand [EMAIL PROTECTED] wrote: On Fri, May 18, 2007 at 08:47:21PM +1000, Timothy Wilson wrote: Had you thought about mounting certain areas as read only? For example, /etc, /local can be mounted as read only. When you want to make changes, such as installing a new package or whatever, just remount the file systems read/write. You can also use jails. Timothy I think the point is that if someone roots your machine because you are running a vulnerable service, they can't really install rootkits and things if your binaries are on a filesystem that CAN'T be remounted r/w. If you just mount your harddisks (or portions like /etc) ro and someone roots your box, they just re-mount it, install rootkit, then re-mount back ro. Does nothing really. Of course, they could just chflags schg *. That way, an attacker couldn't just remove the schg flags from the files he wants to modify. The big advantage to using a CD or DVD is that one could create the CD/DVD from a more secure site while leaving the live site running. When ready to upgrade, just change the CD or DVD and reboot. Eric Johnson
Re: a cd key
Had you thought about mounting certain areas as read only? For example, /etc, /local can be mounted as read only. When you want to make changes, such as installing a new package or whatever, just remount the file systems read/write. You can also use jails. Timothy
Re: a cd key
On Fri, May 18, 2007 at 08:47:21PM +1000, Timothy Wilson wrote: Had you thought about mounting certain areas as read only? For example, /etc, /local can be mounted as read only. When you want to make changes, such as installing a new package or whatever, just remount the file systems read/write. You can also use jails. Timothy I think the point is that if someone roots your machine because you are running a vulnerable service, they can't really install rootkits and things if your binaries are on a filesystem that CAN'T be remounted r/w. If you just mount your harddisks (or portions like /etc) ro and someone roots your box, they just re-mount it, install rootkit, then re-mount back ro. Does nothing really.
Re: a cd key
On 5/17/07, BradenM - Sonoma Computer [EMAIL PROTECTED] wrote: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Thank you; Bray. I think this article explains it. http://geodsoft.com/howto/harden/OpenBSD/remove_files.htm -- Sean Malloy Registered GNU/Linux User #417855 www.catgrepsort.com
a cd key
Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Thank you; Bray.
Re: a cd key
BradenM - Sonoma Computer [EMAIL PROTECTED] writes: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Erm. What's the problem you're trying to solve? If you remove some binaries and put them on a CD, what prevents someone from just getting those binaries somewhere else and putting them on the machine? //art
Re: a cd key
On Thu, 17 May 2007 10:40:11 -0700 BradenM - Sonoma Computer [EMAIL PROTECTED] wrote: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? I've heard about someone wanting to do that with compilers and other development utilities. The logic was that if someone broke in, they could not write a small program, compile, and link it on the spot. But, in reality, if an attacker broke in, they'd be more likely to just copy what they wanted from their own machine. Years ago, I considered putting web pages on a CD or DVD for a Windows NT machine so that in order to deface the page, the attacker would have to get to the configuration files and do a lot more work instead of just replacing a few html files. An added advantage would be that since most attacks traversed directories on the same hard drive, they wouldn't be able to get into any system programs by that method. I never did try it, though. Eric Johnson
Re: a cd key
On Thu, May 17, 2007 at 10:40:11AM -0700, BradenM - Sonoma Computer wrote: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Aside from the answers you've already received, I've heard quite a few people running the entire system from CD for security-sensitive things like firewalls, mostly when using Linux. (The argument is that it is very hard to compromise a machine in a way that survives reboots if you can't write to the system disk.) Of course, this is an OpenBSD list, and I am sure we can all imagine the easy Linux-bashing remark that follows. It's not entirely unjustified, either; if an attacker can compromise your system once, he can comprose it twice. Also, I've found that anything that makes upgrading the system harder, including removing the compiler, is very likely to be a net security loss. Joachim -- TFMotD: dirname (1) - return directory portion of pathname