Re: aide or tripwire
From: "Kurt Seifried" <email@example.com> To: <firstname.lastname@example.org> Date: Fri, 21 Dec 2001 15:14:40 -0700
> No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
> can give an additional layer of security. One can't simply "chattr -i"
> if the specific capability has been removed.
a) the attacker can mount a new filesystem overtop (see other post)
b) you must reboot to make configuration changes, which will get very stale
very quickly unless you use something like LIDS and lock it down so root can
modify things from the console only, but then you need physical access/KVM
to make changes (not always possible).
c) the attacker can reset the attrib with lcap, and then remove the immutable flag.
Once an attacker gets root it's almost impossible on a Linux (or most any
modern UNIX) system to stop them, unless you make significant changes (like
using NSA SELinux, or PitBull LX). An attacker running as root can insert
modules, patch the kernel running in memory, etc.
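The point made in b) and c), that an immutable flag only holds while CAP_LINUX_IMMUTABLE is out of the capability bounding set, can be checked rather than assumed. The script below is an added example, not code from this thread or from lcap; it assumes a kernel that exposes CapBnd in /proc/self/status and lsattr(1) from e2fsprogs, and the function and file names are my own.

```sh
#!/bin/sh
# Added example, not from the original thread. An immutable (chattr +i) file is
# protected only while CAP_LINUX_IMMUTABLE is outside the kernel's capability
# bounding set; otherwise root just runs "chattr -i". This checks both halves,
# assuming a kernel exposing CapBnd in /proc/self/status (2001's lcap used
# /proc/sys/kernel/cap-bound) and lsattr(1) from e2fsprogs.

CAP_LINUX_IMMUTABLE=9   # bit number from <linux/capability.h>

# cap_in_mask HEXMASK BIT: succeed if capability BIT is set in HEXMASK
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}
# succeed if this kernel still lets a root process clear the immutable flag
immutable_cap_in_bounding_set() {
    mask=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
    [ -n "$mask" ] && cap_in_mask "$mask" "$CAP_LINUX_IMMUTABLE"
}

# has_immutable_flag "LSATTR_LINE": succeed if the attribute field contains
# 'i'; lsattr lines look like "----i---------e------- /etc/passwd"
has_immutable_flag() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# unprotected_count: read lsattr-style lines on stdin, report the paths that
# lack the immutable flag on stderr and print how many there were on stdout
unprotected_count() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! has_immutable_flag "$line"; then
            n=$((n + 1))
            echo "not immutable: ${line#* }" >&2
        fi
    done
    echo "$n"
}
# check_immutable_files FILE...: live check, succeeds only if every file is
# immutable AND the capability to clear that flag has been dropped
check_immutable_files() {
    out=$(lsattr -d "$@" 2>/dev/null) || { echo "lsattr failed" >&2; return 1; }
    missing=$(printf '%s\n' "$out" | unprotected_count)
    if immutable_cap_in_bounding_set; then
        echo "CAP_LINUX_IMMUTABLE still in bounding set: root can chattr -i" >&2
        return 1
    fi
    [ "$missing" -eq 0 ]
}

if [ $# -gt 0 ]; then check_immutable_files "$@"; fi
```

Run it as `sh check_immutable.sh /etc/passwd /etc/shadow /sbin/init`; a non-zero exit means the immutable protection is either incomplete or still reversible by root, which is exactly the situation the message warns about.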