Outstanding issues

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 25 16:09:25 EDT 2006


Carter Bullard wrote:

  And really, once we do the chroot(), we really
> don't
> want to go back, so to speak.  In most installations, argus opens a device
> and a privledged socket, and syslog, and thats it.  It never opens another
> device, doesn't create output files, and only services sockets that it has
> opened.  When this is the case, does chroot() make any sense at all?
>

Chroot makes sense in that it is a fairly effective defence against
automated attacks.  Programs that delve into packets on the wire are
vulnerable to bugs in the code that deal with those packets.  Snort has
had bugs of this nature some of which lead to code execution.  Such
network sensors make a tempting target for the current attacker as they
can't be firewalled and once compromised you have a secure base inside
the network.

Simple chroot to the directory where your data files are makes it very
difficult for an *automated* compromise to establish control over the
machine or do anything like scanning.

I class being able to chroot the server as being desirable but not
essential.  If it can be done without much effort then I believe it
should be.  The jail does not have to be foolproof, I would be happy
with anything that makes automated attacks too expensive to be worthwhile.

Cheers, Russell



More information about the argus mailing list