On Tue, Aug 19, 2003 at 11:42:03AM -0700, Michael Halcrow wrote:
> Keeping the vendor's shutdown procedure from getting hijacked by an
> attacker seems to be my challenge.

One challenge at a time! :)

> Ideally, I suppose that I would like to have physical access to the
> machine be a prerequisite for a shutdown request to be honored.

Ok. This sounds like a reasonable policy; at least, it is concrete
enough to work with. :)

> Perhaps that would mean several things. Once shutdown has initiated:
> - No new processes may be created (would this break the shutdown
> process?)

This would break shutdown spectacularly. :)

> - All login sessions must be terminated
> - No new logins will be accepted
> - ...?
>
> The trick is, what is the best criteria that defines, ``the shutdown
> has initiated''?

If it were my problem, I'd have an interface to the LSM module in a
proc file, sysctl, or character device, that when presented with a
well-formed string, initiates your "shutdown has started" policy.
Insert a line in the first shutdown script that triggers this
interface, and go from there.

It might not make corner-case rebooting very friendly; sysadmins are
used to being able to telinit 0, or other quick-n-dirty methods, to
get the system down semi-cleanly.

(Well, if it were my problem more directly, I'd just punt on the whole
rebooting issue. :)

> Actually, Robb recently transferred to another team in the LTC, and I
> am an intern who inherited the project (and his nice modular desk :-)

Ah, cool. :)

--
"In God we trust, all others we monitor."
-- NSA, Intercept Operators' motto, 1970
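The shutdown-script hook the reply sketches, written out as an added example (not code from this thread or from Halcrow's module): it refuses to arm the policy unless the request came from a physical virtual console, then writes the well-formed trigger string to the LSM's proc interface. The interface path /proc/shutdown_policy, the trigger string "shutdown-started", the console test and the return codes are all assumptions.

```shell
#!/bin/sh
# Added example, not from the list post. The LSM proc interface, trigger
# string and return codes below are assumed; adjust to the real module.
POLICY_IF=${POLICY_IF:-/proc/shutdown_policy}
TRIGGER="shutdown-started"

# Physical-access prerequisite: only a virtual console (/dev/ttyN) counts.
# Pseudo-terminals (ssh, xterm) and "not a tty" are refused.
is_physical_console() {
    case "$1" in
        /dev/tty[0-9]|/dev/tty[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Arm the "shutdown has started" policy. Exit codes (assumed):
#   0 armed, 2 caller not on a physical console, 3 interface missing,
#   4 the interface rejected the write (malformed string, already armed).
arm_shutdown_policy() {
    tty_name=$1
    if ! is_physical_console "$tty_name"; then
        echo "refusing: $tty_name is not a physical console" >&2
        return 2
    fi
    if [ ! -w "$POLICY_IF" ]; then
        echo "policy interface $POLICY_IF not writable" >&2
        return 3
    fi
    # Exactly one well-formed line; the module ignores anything else.
    printf '%s\n' "$TRIGGER" > "$POLICY_IF" || return 4
    return 0
}

# Usage from the first shutdown script (process creation stays allowed,
# so the script itself keeps working):
#   arm_shutdown_policy "$(tty)" || exit $?
```

Because the rc script usually runs without a controlling terminal, pass the tty of the user who requested the shutdown rather than that of the script itself.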
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 10:50:30 PDT