Firewall Wizards mailing list archives
Re: Boobytraps
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 25 Aug 2000 15:31:17 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Miedaner writes:
Anyone got any suggestions on useful boobytraps to detect unauthorized access for Solaris boxes.
What's the scope of the exercise, and in what sort of environment is it to be conducted? If you detect an unauthorised access (or access attempt), are you interested in just sending an alert to a monitoring console? Automagically halting the processor? Igniting a thermite charge sitting on top of the disk device? Dispatching an armed response team?

Operational context is always important when you're looking at making decisions about security policy, and all the more so when you're talking about things like tricks and traps. For the sake of my response, I'm going to make a few simplifying assumptions about your environment. Feel free to holler if any of them are wide of the mark.

- You're worrying about more than your home machine[0]
- The failure mode for your security infrastructure doesn't involve people dying or governments collapsing
- You're already using something like tripwire(8)
- You're already using the builtin auditing widgetry that comes with Solaris, as well as any applications you're running[1]
- The machine(s) you're going to be tweaking don't mix with the locals. I.e., {you|your team} are the only ones who log into the box
- You don't log into it frequently; and...
- You're trainable

Some things you might try:

- Wrapping or replacing common binaries with something that logs their use. I.e., replacing /usr/bin/ps (and /usr/ucb/ps if it's there) with something that either logs a message and exits or logs a message and exec(2)'s the real (renamed) ps(1) binary. This would involve twiddling all existing scripts and suchlike that invoke the wrapped binaries (unless you want to receive alerts during normal system activity), as well as training yourself to use the renamed binaries when you're logged onto the machine. If you create a chroot(1)'d (or chrootuid(1)'d) environment in which to run externally-accessible daemons and processes, playing wrap-the-binaries can be particularly effective.
- Rebuild /bin/login to {log|exit immediately|halt the processor} when it's run. Get OpenSSH, compile it to not use login(1), and use it exclusively for remote access to the system.
- Rebuild your shells. Use your imagination. Try implementing logic to force logout and send an alert if ~/.foo.[login shell PID] {doesn't exist|wasn't touched recently|doesn't contain the words `plugh' and `xyzzy'}.

The last example above suggests (to my fevered imagination, at any rate) an analogy. Remember how in old advent(6)-style games there were always `die to find out' puzzles? I.e., puzzles or rules of gameplay so oblique, obfuscated, or outright perverse that the only way you'd figure them out is by trial and error (or dying and restoring, as the case may be). Make the login environment like that.

- -Steve

- -----
0 I.e., you're not asking because you pissed off someone on IRC/ICQ/AIM/Quake[II[I]]/EverWhatever and are worried about your desktop becoming a target.
1 I.e., you or a script are looking at what syslogd(8) is saying.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5pvN1G3kIaxeRZl8RAkxKAJ4wVfMXQf6kKzGRRke45SJhVGlr5gCdGewr
USH02aSI0/s+vYxujOsqrHk=
=xcYs
-----END PGP SIGNATURE-----
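The two ideas in the post above, wrapping a renamed binary with something that logs its use and exec(2)'s the real one, and keying the verdict on a per-login marker file that must contain `plugh' and `xyzzy', fit naturally into one Bourne shell script. The script below is an added illustration written for this archive page, not code from the original post or from any Solaris tool. It assumes the wrapper is copied in place of each wrapped binary after the real one has been renamed to `/usr/bin/.NAME.real`, that the marker lives at `$HOME/.foo.<parent PID>`, and that alerts go to syslog through logger(1) on the auth facility, so that the script watching syslogd(8) (footnote 1) picks them up. Names such as `wrap_log_line`, `wrap_marker_ok` and `WRAP_REAL_DIR` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). One wrapper script, installed
# under the name of each wrapped binary, e.g. copied to /usr/bin/ps after the
# real ps has been renamed to /usr/bin/.ps.real. The real-binary location, the
# marker-file name and the "plugh"/"xyzzy" pass words are assumptions that
# follow the post's sketch; they are not a documented Solaris convention.

WRAP_NAMES="ps netstat find"   # names this wrapper is installed under (assumed)
WRAP_REAL_DIR="/usr/bin"        # directory holding the renamed real binaries (assumed)

# Build one syslog-style line describing the invocation. Kept free of side
# effects so it can be checked offline: $1 timestamp, $2 wrapped name,
# $3 user, $4 tty, $5 parent PID; the remaining arguments are the original argv.
wrap_log_line() {
    _ts=$1; _name=$2; _user=$3; _tty=$4; _ppid=$5; shift 5
    printf 'ts=%s wrapped=%s user=%s tty=%s ppid=%s argv="%s"\n' \
        "$_ts" "$_name" "$_user" "$_tty" "$_ppid" "$*"
}

# The post's "die to find out" rule: the legitimate admin touches a marker
# file keyed by the login shell's PID and writes both pass words into it.
# Returns 0 when the file exists, was modified within the last day and holds
# both words; any other state counts as an unauthorised session.
# grep's -q is avoided because older Solaris /usr/bin/grep lacks it.
wrap_marker_ok() {
    _marker=$1
    [ -f "$_marker" ] || return 1
    [ -n "$(find "$_marker" -mtime -1 2>/dev/null)" ] || return 1
    grep 'plugh' "$_marker" >/dev/null 2>&1 && grep 'xyzzy' "$_marker" >/dev/null 2>&1
}

# Classify an invocation: "ok" is logged at info priority, "alert" at alert
# priority. Both still exec the real binary so the trap gives nothing away.
wrap_verdict() {
    if wrap_marker_ok "$1"; then echo ok; else echo alert; fi
}

wrap_main() {
    _name=${0##*/}
    _real="$WRAP_REAL_DIR/.$_name.real"
    _marker="$HOME/.foo.$PPID"     # $PPID is the login shell only when run from it directly
    _line=$(wrap_log_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_name" \
            "${LOGNAME:-unknown}" "$(tty 2>/dev/null || echo notty)" "$PPID" "$@")
    case $(wrap_verdict "$_marker") in
        ok)    logger -t wrapped-bin -p auth.info  -- "$_line" ;;
        alert) logger -t wrapped-bin -p auth.alert -- "ALERT $_line" ;;
    esac
    [ -x "$_real" ] || { echo "$_name: real binary $_real is missing" >&2; exit 127; }
    exec "$_real" "$@"
}

# Act as a wrapper only when invoked under one of the wrapped names, so the
# functions above can be exercised from a file with any other name.
for _n in $WRAP_NAMES; do
    [ "${0##*/}" = "$_n" ] && wrap_main "$@"
done
```

Installing it is the part the post warns about: every cron job and startup script that calls the wrapped name must be pointed at the `.NAME.real` path first, or the alert channel fills with noise from normal system activity and the trap trains you to ignore it.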
Current thread:
- Re: Boobytraps Ryan Russell (Aug 26)
- <Possible follow-ups>
- Re: Boobytraps Stephen P. Berry (Aug 26)
- RE: Boobytraps Smith, John (Aug 28)