suid bit files + securing FreeBSD (new program: LockDown)
Socketd
db at traceroute.dk
Sun Jul 27 09:46:12 PDT 2003
On Sun, 27 Jul 2003 10:29:23 -0500
D J Hawkey Jr <hawkeyd at visi.com> wrote:
> > LockDown could search for ALL suid and gid files and set the
> > permissions accordingly to the conf file, the files not listed there
> > would be disabled (or set to a user specified default)...
>
> Now you're thinking along the lines I'm thinking. Something of a
> system hyper- or super-visor.
Well I don't know if we are thinking along the same lines. LockDown is
not meant to be an IDS or system monitor program, just a quick secure
setup helper.
> I do like the idea of checking /etc... maybe... using cksum(1), or
> something like that. I currently use local periodic(8) scripts,
> similar to /etc/periodic/daily/2*, that backs up /etc, /etc/mail, and
> /etc/namedb.
By /etc support I meant options like rc_conf, login_class and openssh
for "all" files in /etc
> NOTE: I'm not a committer! I only mention the possibility; I can't
> make it so.
Hehe, I know :-)
> I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
> pro'lly write what you envision in a shell script. I wouldn't want to
> re-write a C++ program though; I'm not well versed in C++'s "nuances".
The program is really easy to write since it only change file
permissions and add text to some files in /etc (and other easy to write
stuff)
br
socketd
More information about the freebsd-security
mailing list