Firewall Wizards mailing list archives

Re: Boobytraps


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 25 Aug 2000 15:31:17 -0700

Tony Miedaner writes:

Anyone got any suggestions on useful boobytraps to detect unauthorized
access for Solaris boxes.

What's the scope of the exercise, and in what sort of environment is
it to be conducted?  If you detect an unauthorised access (or access
attempt), are you interested in just sending an alert to a monitoring
console?  Automagically halting the processor?  Igniting a thermite
charge sitting on top of the disk device?  Dispatching an armed response
team?

Operational context is always important when you're looking at making
decisions about security policy, and all the more so when you're
talking about things like tricks and traps.

For the sake of my response, I'm going to make a few simplifying
assumptions about your environment.  Feel free to holler if any of
them are wide of the mark.

        -You're worrying about more than your home machine[0]
        -The failure mode for your security infrastructure doesn't
         involve people dying or governments collapsing
        -You're already using something like tripwire(8)
        -You're already using the builtin auditing widgetry
         that comes with Solaris, as well as any applications
         you're running[1]
        -The machine(s) you're going to be tweaking don't mix
         with the locals.  I.e., {you|your team} are the
         only ones who log into the box
        -You don't log into it frequently; and...
        -You're trainable

Some things you might try:

        -Wrapping or replacing common binaries with something that
         logs their use.

         I.e., replacing /usr/bin/ps (and /usr/ucb/ps
         if it's there) with something that either logs a message
         and exits or logs a message and exec(2)'s the real (renamed)
         ps(1) binary.

         This would involve twiddling all existing scripts and suchlike
         that invoke the wrapped binaries (unless you want to receive
         alerts during normal system activity), as well as training
         yourself to use the renamed binaries when you're logged
         onto the machine.

         If you create a chroot(1)'d (or chrootuid(1)'d) environment
         in which to run externally-accessible daemons and processes,
         playing wrap-the-binaries can be particularly effective.


        -Rebuild /bin/login to {log|exit immediately|halt the processor}
         when it's run.

         Get OpenSSH, compile it to not use login(1), and use it
         exclusively for remote access to the system.


        -Rebuild your shells.

         Use your imagination.  Try implementing logic to force
         logout and send an alert if ~/.foo.[login shell PID] {doesn't
         exist|wasn't touched recently|doesn't contain the
         words `plugh' and `xyzzy'}.


The last example above suggests (to my fevered imagination, at any
rate) an analogy.  Remember how in old advent(6)-style games there
were always `die to find out puzzles'?  I.e., puzzles or rules
of gameplay so oblique, obfuscated, or outright perverse that the
only way you'd figure them out is by trial and error (or dying and
restoring, as the case may be).

Make the login environment like that.

-Steve

-----
0     I.e., you're not asking because you pissed off someone
      on IRC/ICQ/AIM/Quake[II[I]]/EverWhatever and are worried
      about your desktop becoming a target.
1     I.e., you or a script are looking at what syslogd(8) is
      saying.
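The "wrap-the-binaries" trick from the post above, as an added example that is not code from the original message: a Bourne-shell replacement for /usr/bin/ps that logs each invocation through syslog and then exec(2)'s the real binary. The renamed path /usr/bin/.ps.real, the BOOBYTRAP_* variables and the "boobytrap" syslog tag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a drop-in replacement for
# /usr/bin/ps that records every invocation via syslog and then exec(2)'s the
# real binary.  Assumptions (hypothetical): the real ps has been renamed to
# /usr/bin/.ps.real and the admin has been trained to call .ps.real directly,
# so any hit on this wrapper is worth an alert.
#
# Install (as root):  mv /usr/bin/ps /usr/bin/.ps.real
#                     cp this-file /usr/bin/ps && chmod 755 /usr/bin/ps

WRAPPED_NAME="${BOOBYTRAP_NAME:-ps}"                 # name the trap masquerades as
REAL_BIN="${BOOBYTRAP_REAL_BIN:-/usr/bin/.ps.real}"  # hypothetical renamed binary

# Compose the single-line audit record: who ran the trapped name, from which
# tty, under which parent pid, with what arguments.
trap_message() {
    # $1 = user, $2 = tty, $3 = parent pid; the rest are the wrapped args
    _user=$1; _tty=$2; _ppid=$3; shift 3
    printf 'BOOBYTRAP: %s invoked %s from tty=%s ppid=%s args=[%s]' \
        "$_user" "$WRAPPED_NAME" "$_tty" "$_ppid" "$*"
}

# Log through syslog so the record lands in the stream syslogd(8) is already
# being watched for (footnote 1 of the post), then hand off transparently.
run_trap() {
    _who=$(id -un 2>/dev/null) || _who=unknown
    _where=$(tty 2>/dev/null) || _where=notty
    logger -p auth.warning -t boobytrap -- \
        "$(trap_message "$_who" "$_where" "$PPID" "$@")"
    if [ ! -x "$REAL_BIN" ]; then
        echo "$WRAPPED_NAME: $REAL_BIN not found; refusing to run" >&2
        exit 127
    fi
    exec "$REAL_BIN" "$@"    # exec keeps pid and exit status transparent to callers
}

# Only act as the trap when actually installed under the wrapped name; when
# the file is sourced or run under another name the functions stay callable.
case "${0##*/}" in
    "$WRAPPED_NAME") run_trap "$@" ;;
esac
```

Any script that legitimately calls ps must be pointed at the renamed binary first, otherwise the trap fires on every cron run.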

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards