[FUGSPBR] Fw: Kern Secure Level
Ronan Lucio
ronan at melim.com.br
Tue Oct 9 15:37:57 BRT 2001
Folks,
This came up on freebsd-security and I found it interesting.
[ ]'s
Ronan Lucio
Melim Internet Provider
> In my opinion, secure levels is only a deterrent. In fact, most people
> don't even use it properly.
>
> The idea of secure levels is to set certain files as immutable (not even
> root or superusers can change the file.)
>
> The problem with it is twofold:
>
> 1) Most people fail to set the proper binaries as immutable, to stop them
> from being trojaned in the event of a successful hack.
>
> 2) FreeBSD doesn't have the appropriate files set as immutable by
> default, nor after a buildworld. So unless you specifically set the files
> immutable, securelevels is pointless, especially when you factor in the
> fact that the intruder already has access to your machine when
> securelevels comes into play. At this point, a forensics diagnostic
> should be performed to gain all available data about the intrusion, and
> then the machine should be formatted and a fresh OS installed.
>
> For those who don't know which files I'm talking about when it comes to
> securelevels, a major one would be /etc/rc.conf.
>
> If the intruder has root access on your machine, all he has to do is edit
> /etc/rc.conf to set the securelevel to -1 and upon next reboot, your
> securelevels didn't do anything but delay his final outcome.
>
> I personally have all binaries that deal with passwords and remote
> authentication set immutable. My feeling is this: they already have
> access to my machine, why allow them to trojan ssh, ftp, telnet, login,
> etc etc and give them access to OTHER remote machines.. simply because
> mine was vulnerable.
>
>
> Securelevels will not stop your machine from being hacked or even
> attacked. It may, with proper configuration, help stop your machine from
> being the reason some other machine was hacked.
>
> Perfect example was the recent apache.org hack.
>
>
> An ISP was hacked and ssh was trojaned. An apache.org employee (or
> developer, I forget) then logged into the webserver. Upon doing so, the
> trojaned ssh client gave the attacker the password. If securelevels had
> been implemented, the ISP's machine would have still been compromised,
> however the immutable "ssh" would not have given the intruder access to
> apache.org.
>
>
> Anywho, sorry for the long post.. all in all, to the average joe blow
> FreeBSD user, no, securelevels is of little value. To a security
> conscious admin, who takes the time to research it and set the proper
> permissions.. securelevels CAN stop your machine from passing certain
> information on to attackers.
>
>
>
> Another thing to consider..
>
> A lot of newbie admins (please, no flames if this includes anyone reading
> this list) will read about securelevels, and make
> the entire /bin /sbin and other directories immutable. This is a BAD
> THING!
>
> One of the easiest ways to tell if your machine has been compromised is
> by using third party utilities to create checksums of all important files
> on the system. If (in the example above) you have been compromised, and
> did NOT have ssh immutable, but DID have a valid checksum of the file on
> record, the checksum would change, and that would be an immediate clue
> that you have a security breach.
>
> If you set entire directories of files immutable, you effectively
> eliminate that method of intrusion detection. (Most machines that have
> been hacked are noticed because of this method.. or by other admins
> emailing administrators asking why there was a DoS launched or port probes
> from your machine. Wouldn't you prefer to know BEFORE your machine is
> used to launch other exploits?)
>
>
> Jeff Palmer
> scorpio at drkshdw.org
>
>
>
>
> On Fri, 5 Oct 2001, David S Strait wrote:
>
> >
> > There is a little discussion about kern secure level in the 'man init'
> > page, but it's somewhat brief.
> >
> > On Kern level 1, I couldn't get X-windows to work so I wanted to lower
> > it. (As it turned out later, this was the solution, and X-win worked.)
> >
> > I'm running FreeBSD 4.4 REL and basically:
> > when kern_securelevel="0" in rc.conf, it just hops up to 1???????
> > But if you leave it: kern_securelevel="-1" or kern_securelevel="1", then
> > it will go to -1, 1 respectively. Why on 0 does the level get bounced
> > to 1?
> >
> > Is there a *serious* security issue with kern levels -1 and 0?
> >
> >
> > Thanks.
> >
> >
> >
> > To Unsubscribe: send mail to majordomo at FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
>
----
To leave the list send an e-mail to majordomo at fugspbr.org
with the words "unsubscribe fugspbr" in the body of the message.
More details about the freebsd discussion list
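The checksum baseline Jeff describes (record hashes of the authentication-related binaries, then compare them later so a trojaned ssh shows up as a changed hash), written out as an added example that is not part of the thread. The list of paths is an assumption; on FreeBSD the hash tool is sha256(1), on Linux sha256sum(1), so a small shim picks whichever exists.

```shell
#!/bin/sh
# Added example, not from the original post. A minimal checksum baseline
# for the binaries the post suggests watching (ssh, login, ftp, telnet, ...).
# On FreeBSD the files you also mark immutable would get `chflags schg`,
# which at securelevel >= 1 cannot be cleared without a reboot.

# Print "<sha256>  <path>" for one file, using whichever tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        printf '%s  %s\n' "$(sha256 -q "$1")" "$1"
    fi
}

# baseline <list-file> <baseline-file>
# Record the hash of every existing path listed (one per line) in $1.
# Store the result somewhere the machine itself cannot alter (offline media).
baseline() {
    list="$1"; out="$2"
    : > "$out"
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            hash_file "$f" >> "$out"
        fi
    done < "$list"
}

# verify <baseline-file>
# Re-hash every recorded path; print each mismatch and return 1 if any
# file changed, which is the "immediate clue" the post talks about.
verify() {
    base="$1"; rc=0
    while read -r h f; do
        cur=$(hash_file "$f" | cut -d' ' -f1)
        if [ "$cur" != "$h" ]; then
            echo "CHANGED: $f"
            rc=1
        fi
    done < "$base"
    return $rc
}
```

A cron job running `verify` against a read-only copy of the baseline is the simplest version of the third-party integrity checkers the post mentions.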