Locking Down a Linux Server

From: Björn Eriksson (bjorn@bjornen.nu)
Date: 01/08/02

Date: Tue, 8 Jan 2002 00:20:00 +0100
From: Björn Eriksson <bjorn@bjornen.nu>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>

On Mon, Jan 07, 2002 at 02:14:25PM -0000, Pybus, David wrote:
> Agreed, removing editors is a waste of time and just makes it difficult
> to admin the system. For example given shell access, the command cat and
> the re-direction operator '>' it is easy to edit a file.
<...snip editing example...>

 Agreed. Has grsequrity.net, openwall or anyone else produced a kernel-
patch which only allows signed executables to run? Along the lines of:

 [For a server.]

 * Decrypt a cert. on boot (from keyboard, network, special hardware, ...)
 * Use a kernel provided ld.so and disallow user processes to map
   something as exec:able (Sadly stopping all jvms, wine, uml, xfree, ..)
 * And verify all programs against cert. on load.

 The idea being to stop the attacker from installing any elf-
executables on the server. (Module support disabled ofcourse.)

 I haven't looked at many rootkits so this might be a silly idea. (?)

//Björnen. bjorn@bjornen.nu | mdeans@algonet.se | bjorn@pobox.com