boot -s - can i detect intruder

Guy P. guy at device.dyndns.org
Tue Sep 16 01:56:56 PDT 2003


At 12:57 16/09/2003, you wrote:
>On Tue, 16 Sep 2003, Socketd wrote:
>
> > > The BSD box is shut down and run again many times a day.
>
>Why is the box shut down??? Are you doing kernel development or
>advanced device driver development? Why are you many persons
>on such a system in that case? And if you are doing kernel
>development all must have root access anyway?
>
>There is *no* reason to shut down the system in ordinary
>maintenance!
>
>GH


As far as I understood him, he meant that *someone who should not* is 
rebooting his machine, perhaps trying to use "boot -s" to get more access.

To answer the question, I think there is no definitive way to stop a 
motivated "hacker" with physical access to a machine from doing whatever he 
wants - he could even plug in another dd to boot from, etc...

If that box needs protection, try to find a way to forbid physical access.


I'm not sure about that, but I seem to remember that the default behaviour 
when using "boot -s" is to mount only the root partition, and read-only, thus 
the "nothing logged". If you want to catch that bugger, you could use a 
hardware keystroke logger - but then, it's perhaps an oversized solution 
(costwise) depending on how important it is for you to get him/her.


Unserious BOFH suggestion: plug in a "specially crafted" keyboard with the 
CTRL-ALT-DEL key sequence triggering funny events of your choice (alarm 
ring, AC power delivery to the culprit's fingers, ...)

--
         Guy



