Steve Gaarder writes:
>I'm planning to build a dual-homed gateway using TIS's toolkit. I have
>two choices for hardware platform: a Sparcstation 2 running SunOS 4 or
>Solaris 2 or an Intel box running BSD. BSD has the drawback that I'm
>not familiar with it; SunOS 4 has the drawback that source routing is
>impossible (or just hard?) to disable; Solaris 2 has relatively few
>packages ported to it.
>Which do you think is best for this application?
My vote (with 1 reservation - see below) would be for BSD for at least two
reasons:
1) Its chflags command which can set files as append-only (sappnd) or
"immutable" (schg). With these additional features prudently
applied to critical files, even if root were compromised, the intruder
would be unable to (a) erase any logs that tracked his actions (b)
replace things like /bin/login with a hacked version, etc.
2) In the warm and fuzzy department, it's been used as the base for at
least two reasonably respected commercial firewalls - TIS and
Borderware (though I believe each has performed their own "hardening"
of the kernel).
As for (1), in theory these flags can only be changed when the box is
in single user mode, but the man page for chflags seems to imply there
may be another way:
"If either or both of sappnd or schg is set, however, not even the
super-user can change the flags unless the system is in ``insecure'' mode
(typically, single user). The user flags can be set by the owner or the
super-user; the system flags can only be set by the super-user."
Anyone know of a way an intruder might induce "insecure" mode while in
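As an added illustration of point (1) above (this is not code from the original reply, and not part of the TIS toolkit), the script below applies the flags the way the post suggests: sappnd on logs so an intruder cannot truncate or rewrite them, schg on system binaries so /bin/login and friends cannot be replaced. It also checks the kernel securelevel, since on 4.4BSD-derived systems the "insecure" mode the man page refers to is kern.securelevel 0 (or -1): at that level root can simply run chflags noschg, and the flags buy nothing. Root may raise the securelevel at any time, but the kernel only lowers it when init returns to single-user mode, which is why a reboot into single user is the normal route to clearing the flags. The path lists and file names are illustrative assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example for a BSD dual-homed gateway. Assumes chflags(1) and
# sysctl kern.securelevel exist (4.4BSD-derived systems). Path patterns
# below are assumptions for illustration, not a recommended full list.

# Pick the flag for a path: append-only for logs, immutable for things an
# intruder would want to replace or edit, none for everything else.
flag_for() {
  case "$1" in
    /var/log/*|/var/account/*)              echo sappnd ;;
    /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*)  echo schg ;;
    /etc/rc*|/etc/inetd.conf|/etc/ttys)     echo schg ;;
    *)                                      echo none ;;
  esac
}

# Read kern.securelevel. Prints the level, or "unknown" if the sysctl is
# absent (e.g. not a BSD kernel), so callers treat that as unprotected.
securelevel() {
  if command -v sysctl >/dev/null 2>&1; then
    sysctl -n kern.securelevel 2>/dev/null || echo unknown
  else
    echo unknown
  fi
}

# Succeed only when the kernel will actually refuse to clear system flags.
# Level -1 and 0 are the "insecure" modes in which root can run
# chflags noschg / nosappnd at will.
flags_enforced() {
  lvl=$(securelevel)
  case "$lvl" in
    unknown|-1|0) return 1 ;;
    *)            return 0 ;;
  esac
}

# Emit (or, with APPLY=1, run) a chflags command for each file given.
# Files that match no pattern are skipped rather than flagged blindly.
harden() {
  if ! flags_enforced; then
    echo "warning: securelevel is $(securelevel); root can clear these flags" >&2
  fi
  for f in "$@"; do
    fl=$(flag_for "$f")
    [ "$fl" = none ] && continue
    if [ "${APPLY:-0}" = 1 ]; then
      chflags "$fl" "$f"
    else
      echo "chflags $fl $f"
    fi
  done
}

# Dry run on a few illustrative targets; nothing is changed without APPLY=1.
harden /bin/login /sbin/init /var/log/messages /var/log/authlog /etc/ttys /tmp/scratch
```

Run it once as a dry run, inspect the commands, then run with APPLY=1 from single-user mode and raise kern.securelevel before going multi-user; if the warning about securelevel appears on the production box, the flags are decorative until that is fixed.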