Re: [cobalt-security] eggdrop and monitoring
- Subject: Re: [cobalt-security] eggdrop and monitoring
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 17 Apr 2003 05:27:43 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Eddy,
> Yep... agreed on all counts... which is why I said "look into"
> instead of "here's a miracle cure". :-)
Yeah, I thought so. :o)
> Note also that one could play with FollowSymlinks in Apache to go
> to another partition, but that gets ugly in a hurry. Quota
> issues and the extra precautions required to deal with symlinks
> make this a bad idea.
Yes, symlinks are ugly, but what would we do without 'em? ;o)
> FWIW, I'm not fond of the default RaQ partitioning scheme. I
> usually run a 128 MB root partition, and put /tmp, /var, /home,
> and /usr on their own partitions.
It makes a lot of sense to split these directories off to separate partitions
which you can then mount with a lot more restrictions in place. Who needs
executables in /var or /tmp? So these partitions could use nodev, noexec
and nosuid, provided the MySQL socket file is not located in /tmp/.
> Going a bit OT, I think *ix kernels eventually will have more
> "triggers" to check events such as execution. FreeBSD has had
> kqueue() for several years now, which is very well suited to
> tasks like this.
Something along the lines of strong ACLs would indeed be a big security plus.
Jails can provide 'em, but they're not always the best answer.
A while ago I found an interesting kernel module somewhere on a security site.
It creates a new device which can then be polled by applications - even Perl
scripts. Every time a file is accessed you get a line of who calls what and
can either deny or allow the request based on self-defined ACLs.
That allows one to enforce restrictions like "Kill off the process if user httpd
accesses /usr/bin/gcc" or "Kill and report process if user with UID > 100
opens a network socket".
That stuff was buggy alpha software not suited for a production environment,
but it showed some potential.
--
With best regards,
Michael Stauber
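The partitioning advice above (mounting /tmp, /var and /home on their own partitions with nodev, noexec and nosuid) can be checked mechanically. The following script is an added example, not part of the original message or of any Cobalt tooling: it audits an fstab-style mount table and reports, for each of those three mount points, whether it is on its own partition and which of the three options are missing. The sample fstab it carries is constructed for the demonstration; the device names and layout are not a real RaQ's.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab-style mount
# table for the restrictive options recommended for split-off partitions.

# Mount points that should carry all three options. /usr is deliberately
# left out, since it holds executables and cannot be noexec.
HARDENED_MOUNTS="/tmp /var /home"
WANTED_OPTS="nodev noexec nosuid"

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab reads fstab (or /proc/mounts) lines on stdin and prints one
# line per hardened mount point:
#   "OK <mp>"              all three options present
#   "MISSING <mp> <opts>"  on its own partition, but some options absent
#   "NOPART <mp>"          not a separate partition, so it inherits the
#                          root filesystem's (unrestricted) options
audit_fstab() {
    # drop comments and blank lines; keep field 2 (mount point), field 4 (options)
    table=$(sed -e 's/#.*//' | awk 'NF >= 4 { print $2, $4 }')
    for mp in $HARDENED_MOUNTS; do
        opts=$(printf '%s\n' "$table" | awk -v m="$mp" '$1 == m { print $2; exit }')
        if [ -z "$opts" ]; then
            echo "NOPART $mp"
            continue
        fi
        missing=""
        for o in $WANTED_OPTS; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -z "$missing" ]; then
            echo "OK $mp"
        else
            echo "MISSING $mp${missing}"
        fi
    done
}

# Constructed sample fstab: /tmp fully hardened, /var lacks noexec,
# /home still lives on the root filesystem.
SAMPLE_FSTAB='
/dev/hda1  /      ext2  defaults                     1 1
/dev/hda5  /tmp   ext2  defaults,nodev,noexec,nosuid 1 2
/dev/hda6  /var   ext2  defaults,nodev,nosuid        1 2
/dev/hda7  /usr   ext2  defaults,ro                  1 2
# /home not split off yet
'

# Report for the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
}

# Report for the running system; /proc/mounts uses the same first four
# fields (device, mount point, type, options) as fstab.
live_report() {
    audit_fstab < /proc/mounts
}

if [ "${1:-}" = "--live" ]; then
    live_report
else
    sample_report
fi
```

Run it with no arguments to see the sample report, or with `--live` to audit the mounts of the machine it runs on. Note that the check reports what is mounted where, not whether a service still needs something on a restricted partition; the MySQL socket caveat from the message is exactly the kind of exception you have to confirm by hand before flipping noexec on /tmp.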