Subject: Re: PROPOSAL: File flags (LONG)
To: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 02/03/1999 13:29:50
On Feb 1, Dr. Lex Wennmacher wrote:
> [...]
> 3 Flags specifications
> -----------------------
>
> The flags specifications should be included in /etc/mtree/NetBSD.dist.
> To make it short, here is my suggestion how to set schg and sappnd on
> the NetBSD system files:
>
> / sappnd
> /boot schg
> /netbsd schg
> /bin schg
> /bin/* schg
> /dev sappnd
> /dev/* schg
> /etc sappnd
> /etc/aliases sappnd
> /etc/aliases.db none
> /etc/bootptab sappnd
> /etc/changelist sappnd
> /etc/csh.cshrc schg
> /etc/csh.login schg
> /etc/csh.logout schg
> /etc/daily schg
> /etc/daily.conf schg
> /etc/defaultdomain schg
> /etc/dhclient-script schg (??)
> /etc/disktab sappnd
> /etc/disktab.preinstall none
> /etc/dm.conf none
> /etc/dumpdates none
> /etc/floppytab sappnd
> /etc/fstab schg
> /etc/fstab.sd none
> /etc/fstab.wd none
> /etc/ftpchroot sappnd
> /etc/ftpusers schg
> /etc/ftpwelcome none
> /etc/gettytab none (??)
> /etc/group none
> /etc/hosts none
I would set this one schg. On a secure system, /etc/hosts is used before
DNS, and critical machines are in /etc/hosts.
Adding or changing entries in /etc/hosts can compromise the system.
nsswitch.conf should also be schg (not listed here).
> /etc/hosts.equiv schg
> /etc/hosts.lpd schg
> /etc/inetd.conf schg
> /etc/ld.so.conf schg
> /etc/lkm.conf schg
> /etc/localtime schg
> /etc/mail.rc schg
> /etc/man.conf none
> /etc/master.passwd none
> /etc/mk.conf none
> /etc/monthly schg
> /etc/monthly.conf schg
> /etc/motd none
> /etc/mrouted.conf none (??)
> /etc/mygate schg
> /etc/myname schg
> /etc/netstart schg
> /etc/networks schg
> /etc/newsyslog.conf schg
> /etc/ntp.conf schg
> /etc/ntp.drift none (should be moved to /var)
> /etc/passwd none
> /etc/phones sappnd
> /etc/printcap none
> /etc/profile schg
> /etc/protocols schg
> /etc/pwd.db none
> /etc/rbootd.conf schg
> /etc/rc schg
> /etc/rc.conf schg
> /etc/rc.lkm schg
> /etc/rc.local schg
> /etc/rc.subr schg
> /etc/remote sappnd (??)
> /etc/resolv.conf schg
> /etc/rmt schg
> /etc/rpc schg
> /etc/security schg
> /etc/security.conf schg
> /etc/sendmail.cf schg
> /etc/services schg
> /etc/shells schg
> /etc/skeykeys none (??)
> /etc/spwd.db none
> /etc/syslog.conf schg
> /etc/ttys schg
> /etc/weekly schg
> /etc/weekly.conf schg
> /etc/mtree sappnd
> /etc/BSD.pkg.dist schg
> /etc/BSD.x11.dist schg
> /etc/NetBSD.dist schg
> /etc/special schg
> /mnt none
> /kern none
> /sbin schg
> /sbin/* schg
> /tmp none
> /var sappnd
> /var/account sappnd
> /var/account/* sappnd
> /var/at sappnd
> /var/at/jobs sappnd
> /var/at/spool sappnd
> /var/backups none
> /var/crash none
> /var/cron sappnd (1)
> /var/cron/tabs none
> /var/db none
> /var/db/ns none (??)
> /var/db/pkg none
> /var/games none (2)
> /var/log sappnd
> /var/log/* none
> /var/log/authlog sappnd (1)
> /var/log/lastlog sappnd
> /var/log/wtmp sappnd (1)
> /var/log/rdist none
> /var/mail none
> /var/msgs none
> /var/preserve none
> /var/quotas none
> /var/run sappnd
> /var/rwho none
> /var/spool sappnd
> /var/spool/secretmail none (??)
> /var/spool/lock none
> /var/spool/lpd sappnd
> /var/spool/lpd/* none
> /var/spool/mqueue none
> /var/spool/ftp schg
> /var/spool/ftp/bin schg
> /var/spool/ftp/etc schg
> /var/spool/ftp/hidden schg
> /var/spool/output none
> /var/spool/sockets none
> /var/spool/uucp none (??)
> /var/spool/uucppublic none (??)
> /var/tmp none
> /var/tmp/vi.recover none
> /var/yp sappnd
> /var/yp/binding none (??)
> /proc none
> /altroot sappnd
> /root none
> /home none
> /stand schg
> /stand/* schg (3)
> /usr sappnd
> /usr: all subdirectories schg
> /usr: all files schg
> with the following exceptions:
> /usr/share/man none (4)
> /usr/share/sendmail/cf sappnd
> /usr/pkg sappnd
> /usr/src/sys/arch/*/compile none
> /usr/src/sys/arch/*/conf sappnd
>
I played with system flags when I set up our firewall. Alone they're useless:
why make /dev immutable if a root user can create devices elsewhere?
(Well, they are not useless, but they can be worked around.)
The box I set up has / mounted read-only (this needs some tweaks in
/etc and /var, and / is first mounted r/w and remounted ro later, after syslog
has created /dev/log). /usr is mounted nodev, /home and /var nodev,noexec.
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
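The proposal lists flags in a simple "path flag (note)" format, and the reply argues that the value of such a list lies in being checked against the running system. As an added example (not code from either poster or from NetBSD), the script below parses a constructed excerpt of that format, emits the corresponding lines in mtree(8) style using the `flags=` keyword, and audits a constructed snapshot of observed flags (what `ls -lo` would report) against the spec. The spec excerpt, the observed snapshot and the precedence rule (an exact path beats a glob, a later rule beats an earlier one of the same kind) are assumptions of this example.

```python
"""Parse a file-flag specification in the proposal's format and audit an
observed filesystem state against it.  Added example, not from the thread;
the spec excerpt, the observed state and the precedence rule are constructed."""

import fnmatch
import re

# Constructed excerpt in the proposal's format: "path flag [(note)]".
# /etc/hosts and /etc/nsswitch.conf are set schg as the reply suggests.
SPEC_TEXT = """\
/ sappnd
/bin schg
/bin/* schg
/etc sappnd
/etc/hosts schg
/etc/nsswitch.conf schg
/etc/aliases.db none
/etc/dhclient-script schg (??)
/var/log sappnd
/var/log/* none
/var/log/wtmp sappnd (1)
"""

VALID_FLAGS = {"schg", "sappnd", "none"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_spec(text):
    """Return a list of (path, flag, note) tuples in file order; notes such as
    '(??)' or '(1)' are kept so an auditor can see which entries are tentative."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        path, flag, note = m.group(1), m.group(2), m.group(3)
        if flag not in VALID_FLAGS:
            raise ValueError(f"line {lineno}: unknown flag {flag!r}")
        entries.append((path, flag, note))
    return entries


def expected_flag(entries, path):
    """Resolve the flag a path should carry.  An exact entry outranks a glob
    entry; among entries of equal rank the later one wins.  Globs only match
    direct children (same number of '/' components), so '/bin/*' does not
    cover '/bin/sub/file'.  Returns None when no entry applies."""
    best, best_rank = None, -1
    for spec_path, flag, _ in entries:
        if spec_path == path:
            rank = 2
        elif ("*" in spec_path and fnmatch.fnmatchcase(path, spec_path)
              and path.count("/") == spec_path.count("/")):
            rank = 1
        else:
            continue
        if rank >= best_rank:
            best, best_rank = flag, rank
    return best


def to_mtree(entries):
    """Emit mtree-style lines ('./path flags=...') for the non-glob entries;
    mtree specs name concrete paths, so glob rules are left to expected_flag()."""
    lines = []
    for path, flag, _ in entries:
        if "*" in path:
            continue
        name = "." if path == "/" else "." + path
        lines.append(f"{name} flags={flag}")
    return lines


def audit(entries, observed):
    """Compare observed flags (path -> set of flag names) with the spec.
    Returns [(path, expected, observed_flags)] for every mismatch: a required
    flag that is missing, or any flag present where the spec says 'none'."""
    problems = []
    for path in sorted(observed):
        want = expected_flag(entries, path)
        have = observed[path]
        if want is None:
            continue
        if want == "none" and have:
            problems.append((path, want, have))
        elif want != "none" and want not in have:
            problems.append((path, want, have))
    return problems


# Constructed snapshot of what `ls -lo` might report on a host.
OBSERVED = {
    "/": {"sappnd"},
    "/bin": {"schg"},
    "/bin/sh": {"schg"},
    "/bin/ls": set(),             # schg missing
    "/etc": {"sappnd"},
    "/etc/hosts": set(),          # the entry the reply wants schg
    "/etc/aliases.db": {"schg"},  # spec says none: newaliases would fail
    "/var/log/messages": set(),
    "/var/log/wtmp": {"sappnd"},
}

if __name__ == "__main__":
    spec = parse_spec(SPEC_TEXT)
    print("\n".join(to_mtree(spec)))
    for path, want, have in audit(spec, OBSERVED):
        print(f"MISMATCH {path}: expected {want}, observed {sorted(have) or 'none'}")
```

Run as a script it prints the mtree-style lines followed by the three mismatches in the constructed snapshot. In practice the observed map would be built from the real filesystem, and the audit run from a trusted boot or a read-only root like the one described in the reply, since a root user on a live system at securelevel 0 can simply clear the flags before the check runs.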