Snort mailing list archives

Re: (no subject)


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Jun 2004 12:09:47 -0400

At 11:58 AM 6/7/2004, Mike Cohen wrote:
I'm just trying to make sure that I can try to lock down my sensor as
much as possible. Are there any other parameters like chroot or the
like that would help lock this down?

YES.. chrooting is quite helpful; however, make sure you setuid if you chroot (a root user can break out of a chroot easily).

Make sure you chroot into a jail which doesn't have such useful things as /bin/sh in it. I generally only populate my jails in the most minimal fashion possible.

        /dev typically only has a few utility items such as null, zero, and random. If I'm using syslog in the jail, I reconfigure my syslog init script to create a second socket in the jail's /dev.
        /lib typically only has enough libraries to load the application.
        /bin and /sbin are typically empty, as is /usr/
        /etc typically has just configs for the application at hand.

Other lock-down measures include having a separate read-only interface that snort sniffs on. You can software-enforce this by creating an IP-less "stealth" interface (see the snort FAQ). You can hardware-enforce it by using a hardware tap, or by using a layer 3 managed switch.
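As an added example (not code from the post above or from the Snort project), a small POSIX sh script that creates the jail skeleton described in the reply and audits an existing jail against the same rules: empty /bin, /sbin and /usr, no setuid or setgid files, and a /dev holding only null, zero, random and the syslog socket. The function names make_jail and audit_jail are hypothetical; the device major/minor numbers are the Linux ones.

```shell
#!/bin/sh
# Added example, not from the original post: skeleton builder and audit
# for a minimal sensor jail laid out as the post describes. Function
# names (make_jail, audit_jail) are hypothetical.
set -u

# make_jail JAIL: empty /bin, /sbin, /usr; /etc and /lib are left for the
# operator to populate; /dev gets only null, zero and random (mknod needs
# root, so those nodes are skipped when not running as root).
make_jail() {
    jail=$1
    mkdir -p "$jail/dev" "$jail/etc" "$jail/lib" "$jail/bin" "$jail/sbin" "$jail/usr"
    if [ "$(id -u)" -eq 0 ]; then
        # Linux major/minor numbers; mknod may still fail inside a container
        for spec in "null 1 3 666" "zero 1 5 666" "random 1 8 444"; do
            set -- $spec
            [ -e "$jail/dev/$1" ] || mknod -m "$4" "$jail/dev/$1" c "$2" "$3" ||
                echo "warn: could not create /dev/$1 in $jail"
        done
    fi
}

# audit_jail JAIL: print one line per finding; return 0 if the jail is
# as minimal as the post recommends, 1 otherwise.
audit_jail() {
    jail=$1; rc=0
    # any file under bin/sbin/usr (a shell above all) is a tool for whoever
    # gets code execution inside the jail
    for d in bin sbin usr; do
        if [ -n "$(find "$jail/$d" -type f 2>/dev/null | head -n 1)" ]; then
            echo "FAIL: $jail/$d is not empty"; rc=1
        fi
    done
    # setuid/setgid files inside the jail undo the privilege drop
    if [ -n "$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: setuid/setgid file under $jail"; rc=1
    fi
    # /dev should hold only the nodes the sensor needs plus the syslog socket
    for f in "$jail"/dev/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            null|zero|random|log) ;;
            *) echo "FAIL: unexpected $f in jail /dev"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run audit_jail against the jail directory before starting the sensor, and again after any package update that might have repopulated it.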

