Re: aide or tripwire
From: Philipp Schulte (pschulte@uni-duisburg.de)
Date: 12/21/01
- Previous message: Kurt Seifried: "Re: Locking Down a Linux Box"
- In reply to: bugtraq@seifried.org: "Re: aide or tripwire"
- Next in thread: Kurt Seifried: "Re: aide or tripwire"
- Next in thread: Jason Kohles: "Re: aide or tripwire"
- Reply: Kurt Seifried: "Re: aide or tripwire"
- Reply: Seth Arnold: "Re: aide or tripwire"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Dec 2001 15:28:22 +0100
From: Philipp Schulte <pschulte@uni-duisburg.de>
To: focus-linux@securityfocus.com
bugtraq@seifried.org wrote:
> > Or you could just set the file(s) immutable flag with 'chattr -i', and
> > the file cannot be changed or deleted.
>
> Which is essentially useless. The file can be set to be read only, with
> essentially the same result. If the attacker gets root they can unset the
> immutable flag and muck around with it. The immutable attribute is
> essentially pointless for files owned by root unless you want to prevent
> accidental changes (manual edits, or stupid config programs/etc).
No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
can give an additional layer of security. One can't simply "chattr -i"
if the specific capability has been removed.
Phil
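Added example (not code from the thread or from lcap): a shell check for whether CAP_LINUX_IMMUTABLE, the capability chattr needs to set or clear the immutable flag, is still present in a capability bounding set. The lcap tool Phil cites cleared bits in the global /proc/sys/kernel/cap-bound of 2.4 kernels; this script assumes a current kernel, where the bounding set is per-process and shows up as the CapBnd line of /proc/<pid>/status, and the two status excerpts are constructed sample data.

```shell
#!/bin/sh
# Check whether CAP_LINUX_IMMUTABLE (capability number 9 in
# <linux/capability.h>) is in a capability bounding set.  Without it, even
# uid 0 cannot run 'chattr -i' on an immutable file.  Assumes a current
# kernel: per-process bounding set, reported as "CapBnd:" in /proc/<pid>/status.

CAP_LINUX_IMMUTABLE=9

# cap_in_mask HEXMASK CAPNUM -> prints "yes" if bit CAPNUM is set in HEXMASK
cap_in_mask() {
    mask="$1"; cap="$2"
    if [ $(( 0x$mask >> cap & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# bnd_from_status STATUS_TEXT -> the hex value of the CapBnd line
bnd_from_status() {
    printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }'
}

# immutable_unsettable STATUS_TEXT -> "yes" if a root process with this
# bounding set could still clear the immutable flag ('chattr -i')
immutable_unsettable() {
    cap_in_mask "$(bnd_from_status "$1")" "$CAP_LINUX_IMMUTABLE"
}

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
STATUS_FULL="Name: sh
CapBnd: 000001ffffffffff"
STATUS_DROPPED="Name: sh
CapBnd: 000001fffffffdff"   # same mask with bit 9 cleared

if [ -r /proc/self/status ]; then
    echo "this shell: chattr -i still possible? $(immutable_unsettable "$(cat /proc/self/status)")"
fi
echo "sample full bounding set:    $(immutable_unsettable "$STATUS_FULL")"
echo "sample with bit 9 dropped:   $(immutable_unsettable "$STATUS_DROPPED")"
```

A bounding-set bit that is clear cannot be regained by the process or its children, so this is the check that tells you whether the "additional layer" described above is actually in place for a given process.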