Re: aide or tripwire

From: "Kurt Seifried" <bugtraq@seifried.org>
To: <focus-linux@securityfocus.com>
Date: Fri, 21 Dec 2001 15:14:40 -0700


> No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
> can give an additional layer of security. One can't simply "chattr -i"
> if the specific capability has been removed.
> Phil

a) the attacker can mount a new filesystem overtop (see other post)
b) you must reboot to make configuration changes, which will get very stale
very quick unless you use something like LIDS, lock it down so root can
modify things from the console only, but then you need physical access/kvm
to make changes (not always possible).
c) the attacker can reset the attrib with lcap, and then remove the immutable
flag, etc.

Once an attacker gets root it's almost impossible on a Linux (or most any
modern UNIX system) to stop them, unless you make significant changes (like
using NSA SELinux, or PitBull LX). An attacker running as root can insert
modules, patch the kernel running in memory, etc.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
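Point (a) above, mounting a new filesystem over a file or directory that carries the immutable flag, is the one an AIDE/Tripwire user can at least look for, since it shows up in the kernel's mount table. The following is an added example, not code from the post or from either tool: it parses the /proc/<pid>/mountinfo format documented in proc(5) and flags any mount point that lands inside a watched tree without being on an allowlist of expected mount points. The mountinfo snapshot, the watch list and the allowlist are constructed for illustration.

```python
"""Flag mounts that shadow paths an integrity checker watches.

Added example (not from the original post or from AIDE/Tripwire).
Input format: /proc/<pid>/mountinfo as described in proc(5):
  id parent major:minor root mountpoint opts [optional...] - fstype source superopts
"""

# Constructed snapshot: a normal root fs, /proc, /sys, /tmp, and a bind mount
# placing a tmpfs file on top of /etc/passwd (the "mount overtop" trick).
# A bind mount shows the same major:minor as its origin (0:22 here) and a
# "root" field pointing into that filesystem (/passwd).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
24 22 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:3 - sysfs sysfs rw
25 22 0:22 / /tmp rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
40 22 0:22 /passwd /etc/passwd rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
"""

# Assumed watch list (trees the integrity checker covers) and assumed
# allowlist of mount points that are legitimately present on this host.
WATCHED = ("/etc", "/bin", "/sbin", "/lib", "/usr")
EXPECTED = frozenset({"/", "/proc", "/sys", "/dev", "/tmp", "/boot", "/usr"})


def _unescape(field):
    """Decode the octal escapes mountinfo uses for space, tab, newline, backslash."""
    out = []
    i = 0
    while i < len(field):
        if field[i] == "\\" and len(field) >= i + 4 and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; the '-' separator ends the optional fields."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        sep = fields.index("-")
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "dev": fields[2],
            "root": _unescape(fields[3]),
            "mountpoint": _unescape(fields[4]),
            "fstype": fields[sep + 1],
            "source": _unescape(fields[sep + 2]),
        })
    return mounts


def shadowed_paths(mounts, watched=WATCHED, expected=EXPECTED):
    """Return (mountpoint, watched_tree, fstype, source) for every mount whose
    mount point is equal to or below a watched tree and is not allowlisted."""
    findings = []
    for m in mounts:
        mp = m["mountpoint"]
        if mp in expected:
            continue
        for tree in watched:
            if mp == tree or mp.startswith(tree.rstrip("/") + "/"):
                findings.append((mp, tree, m["fstype"], m["source"]))
                break
    return findings


def check_live(path="/proc/self/mountinfo", watched=WATCHED, expected=EXPECTED):
    """Run the same check against the running system's mount table."""
    with open(path) as f:
        return shadowed_paths(parse_mountinfo(f.read()), watched, expected)


if __name__ == "__main__":
    for mp, tree, fstype, src in shadowed_paths(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"WARNING: {mp} (under watched {tree}) is shadowed by {fstype} from {src}")
```

The caveat is the one the post itself makes: this reads the mount table through the same kernel the attacker now owns, so it catches a careless overmount, not a root who has loaded a module or patched the kernel to lie about /proc. It is a cheap extra signal to run alongside the AIDE or Tripwire pass, not a substitute for keeping the attacker out of root in the first place.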
