Re: aide or tripwire

From: Kurt Seifried (bugtraq@seifried.org)
Date: 12/21/01


From: "Kurt Seifried" <bugtraq@seifried.org>
To: <focus-linux@securityfocus.com>
Date: Fri, 21 Dec 2001 15:14:40 -0700


> No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
> can give an additional layer of security. One can't simply "chattr -i"
> if the specific capability has been removed.
> Phil

a) the attacker can mount a new filesystem over top (see other post)
b) you must reboot to make configuration changes, which will get very stale
very quickly unless you use something like LIDS and lock it down so root can
modify things from the console only, but then you need physical access/KVM
to make changes (not always possible).
c) the attacker can reset the attribute with lcap, and then remove the immutable
flag, etc.

Once an attacker gets root it's almost impossible on a Linux (or most any
modern UNIX system) to stop them, unless you make significant changes (like
using NSA SELinux, or PitBull LX). An attacker running as root can insert
modules, patch the kernel running in memory, etc.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
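The post above argues that an immutable flag only holds while root still has CAP_LINUX_IMMUTABLE, and that root with CAP_SYS_ADMIN (mount), CAP_SYS_MODULE (insert modules) or CAP_SYS_RAWIO (/dev/kmem) can simply route around it. The script below is an added example, not code from the thread or from lcap: it reads the capability bounding set and reports which of those four capabilities are still present. The capability numbers are the kernel's fixed values; the assumption that lcap-era 2.2/2.4 kernels expose the bounding set as a signed decimal in /proc/sys/kernel/cap-bound, and that later kernels expose it as a per-process hex CapBnd line in /proc/self/status, is stated in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread or from lcap): audit whether the
# capability bounding set still contains the capabilities an attacker with root
# needs for the bypasses described in the post.
#
# Capability bit numbers (fixed values from the Linux kernel):
CAP_LINUX_IMMUTABLE=9    # chattr +i / -i
CAP_SYS_MODULE=16        # insert a kernel module
CAP_SYS_RAWIO=17         # /dev/mem, /dev/kmem: patch the running kernel
CAP_SYS_ADMIN=21         # mount(2): mount a new filesystem over top

# cap_in_mask HEXMASK CAPNUM -> "yes" if bit CAPNUM is set in HEXMASK, else "no".
cap_in_mask() {
    if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# capbound_to_hex DECIMAL -> 32-bit hex mask.
# Assumption: 2.2/2.4 kernels (the ones lcap targets) expose the bounding set
# in /proc/sys/kernel/cap-bound as a signed decimal; the stock value -257
# is 0xfffffeff, i.e. everything except CAP_SETPCAP (bit 8).
capbound_to_hex() {
    printf '%x\n' $(( $1 & 0xffffffff ))
}

# dropped_caps HEXMASK -> names of the four capabilities above that are
# absent from the mask, one per line (empty output: none dropped).
dropped_caps() {
    mask=$1
    set -- CAP_LINUX_IMMUTABLE "$CAP_LINUX_IMMUTABLE" \
           CAP_SYS_MODULE "$CAP_SYS_MODULE" \
           CAP_SYS_RAWIO "$CAP_SYS_RAWIO" \
           CAP_SYS_ADMIN "$CAP_SYS_ADMIN"
    while [ $# -ge 2 ]; do
        if [ "$(cap_in_mask "$mask" "$2")" = no ]; then echo "$1"; fi
        shift 2
    done
}

# read_bounding_set -> hex mask for this system, or nothing if unavailable.
# Assumption: on 2.6.25+ kernels the bounding set is per process and appears
# as "CapBnd:" in /proc/self/status, so the value reported there is this
# shell's set, not a system-wide setting.
read_bounding_set() {
    if [ -r /proc/sys/kernel/cap-bound ]; then
        capbound_to_hex "$(cat /proc/sys/kernel/cap-bound)"
    elif [ -r /proc/self/status ]; then
        awk '/^CapBnd:/ { print $2 }' /proc/self/status
    fi
}

# Report for the machine this is run on.
mask=$(read_bounding_set)
if [ -n "$mask" ]; then
    echo "bounding set: 0x$mask"
    missing=$(dropped_caps "$mask")
    if [ -z "$missing" ]; then
        echo "CAP_LINUX_IMMUTABLE, CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_SYS_ADMIN are all still available to root"
    else
        echo "dropped from the bounding set:"
        echo "$missing"
    fi
else
    echo "no readable bounding set on this system"
fi
```

The point of checking all four bits rather than just CAP_LINUX_IMMUTABLE is the one the post makes: dropping only the immutable capability leaves root free to mount over the protected tree, load a module, or write to kernel memory, so a report that shows CAP_LINUX_IMMUTABLE gone but CAP_SYS_ADMIN, CAP_SYS_MODULE and CAP_SYS_RAWIO present is not a meaningful hardening result.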