Hi, Joachim
I've got what you wanted to say.
Some tools for that are available.
The main problem is that they detect an intrusion *after* the server is
compromised.
Intrusion detection systems are good but intrusion prevention systems
are better.
Joachim Schipper wrote:
On Sun, May 17, 2009 at 03:04:18AM +0200, Ingo Schwarze wrote:
Hi Joachim, hi Yurij,
Joachim Schipper wrote on Sat, May 16, 2009 at 01:23:20PM +0200:
On Fri, May 15, 2009 at 10:39:06PM +0500, Yuriy Grishin wrote:
I've installed OpenBSD 4.5 on my home gateway.
Random pids and critical file permissions are really cool.
I'm just a little bit confused because I haven't found any way
to check the vulnerabilities of my configuration.
Are there any?
This is not what you are asking for, but security(8) will run nightly
and check various files. This detects unsophisticated intruders and -
more importantly - makes it easy to spot and fix misconfigurations.
But be aware of this:
$ man security | tail -n 7
BUGS
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be
compromised without this script noticing.
Of course.
Of course, it can be extended with your own critical files, if desired.
Actually, security(8), in contrast to daily(8)/weekly/monthly, does not
support security.local additions right now. I don't see a pressing need
to implement that hook, either; it would be easy enough, though, just
adding the two lines
next_part "Running /etc/security.local:"
run_script "security.local"
at the very end of /etc/security does the trick.
Apart from that, I would recommend against locally modifying the script
/etc/security itself. You can use daily.local for local additions.
Of course, you can also add files to the changelist(5).
Perhaps the latter is what you were hinting at.
Oh, I'm sorry, I should have been more clear.
security(8) runs mtree(8) on, amongst others, /etc/mtree/*.secure. Such
files can be freely added, no?
That is what I intended to say, but I didn't actually say it... sorry
for any confusion that may have resulted!
Joachim
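Added example, not part of the thread above and not OpenBSD's own /etc/security: a small POSIX sh reimplementation of the changelist(5) check that security(8) performs, so the mechanism Ingo points at ("add files to the changelist") can be seen end to end. A copy of every listed file is kept in a backup directory; each run compares the live file with the copy, prints a diff when they differ, rotates the copies and returns the number of changed files. The function name check_changelist, the scratch paths and the file contents are made up for the demonstration; the backup file naming (leading slash dropped, remaining slashes replaced by underscores, as in /var/backups/etc_passwd.current) mirrors what the real script uses.

```shell
#!/bin/sh
# Added example, not OpenBSD's /etc/security: a minimal reimplementation of
# the changelist(5) check that security(8) performs. For every file named in
# LISTFILE a copy is kept under BACKUPDIR; each run compares the live file
# with that copy, prints a diff when they differ, rotates the copies
# (.backup <- .current <- live file) and returns the number of changed files.
# Backup names follow the /var/backups convention: the leading slash is
# dropped and the remaining slashes become underscores (etc_passwd.current).
#
# Usage: check_changelist LISTFILE BACKUPDIR
check_changelist() {
    list=$1
    backups=$2
    changed=0
    mkdir -p "$backups"
    while IFS= read -r f; do
        # blank lines and comments are allowed in the list, as in changelist(5)
        case $f in ''|'#'*) continue ;; esac
        # files that do not exist (yet) are silently skipped
        [ -f "$f" ] || continue
        name=$(printf '%s' "$f" | sed 's,^/,,; s,/,_,g')
        cur="$backups/$name.current"
        bak="$backups/$name.backup"
        if [ ! -f "$cur" ]; then
            # first sighting: just record the current contents
            printf '%s added to backup set\n' "$f"
            cp -p "$f" "$cur"
        elif ! cmp -s "$cur" "$f"; then
            # contents changed since the last run: show what changed
            printf '======\n%s diffs (OLD < > NEW)\n======\n' "$f"
            diff "$cur" "$f" || true   # diff exits 1 for differing files
            cp -p "$cur" "$bak"
            cp -p "$f" "$cur"
            changed=$((changed + 1))
        fi
    done < "$list"
    return "$changed"
}

# Stand-alone demo on constructed files in a scratch directory (made-up paths
# and contents, not a real system). Run 1 records the file, run 2 reports
# the edit made in between.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
printf '%s\n' "# constructed changelist" "$demo/etc/sshd_config" > "$demo/changelist"
check_changelist "$demo/changelist" "$demo/backups"
printf 'PermitRootLogin yes\n' > "$demo/etc/sshd_config"
n=0; check_changelist "$demo/changelist" "$demo/backups" || n=$?
echo "changed files after the edit: $n"
rm -rf "$demo"
```

Run it from a nightly cron job or from daily.local, as Ingo suggests, with a list of the files you care about. Note that this is exactly the after-the-fact detection the reply at the top objects to: it tells you that /etc/sshd_config changed last night, not who changed it or how. It is still worth having, since an unexplained diff in a file you never edit is one of the cheapest intrusion signals available, and it complements the ownership and permission checks that security(8) gets from the mtree(8) specs under /etc/mtree.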