Locking Down a Linux Server
From: Björn Eriksson (bjorn@bjornen.nu)
Date: 01/08/02
Date: Tue, 8 Jan 2002 00:20:00 +0100
From: Björn Eriksson <bjorn@bjornen.nu>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
On Mon, Jan 07, 2002 at 02:14:25PM -0000, Pybus, David wrote:
> Agreed, removing editors is a waste of time and just makes it difficult
> to admin the system. For example given shell access, the command cat and
> the re-direction operator '>' it is easy to edit a file.
<...snip editing example...>
Agreed. Has grsecurity.net, openwall or anyone else produced a kernel patch
which only allows signed executables to run? Along the lines of:
[For a server.]
* Decrypt a cert. on boot (from keyboard, network, special hardware, ...)
* Use a kernel-provided ld.so and disallow user processes to map
  something as executable (Sadly stopping all jvms, wine, uml, xfree, ...)
* And verify all programs against cert. on load.
The idea being to stop the attacker from installing any ELF
executables on the server. (Module support disabled of course.)
I haven't looked at many rootkits so this might be a silly idea. (?)
-- //Björnen. bjorn@bjornen.nu | mdeans@algonet.se | bjorn@pobox.com
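
A userspace sketch of the "verify all programs against cert. on load" step from the message above, added here as an example; it is not code from the post or from any kernel patch. It swaps certificate signatures for an HMAC-SHA256 manifest keyed by a secret unlocked at boot; the function names, the key and the stub ELF bytes are constructed for illustration, and real enforcement would have to sit in the kernel's exec path rather than in a script.

```python
import hashlib
import hmac
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def tag(key: bytes, data: bytes) -> str:
    """Keyed digest of an executable image (HMAC-SHA256, hex)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_manifest(key: bytes, paths) -> dict:
    """Admin step: record a tag for every approved ELF file."""
    manifest = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        if data[:4] != ELF_MAGIC:
            raise ValueError(f"{p}: not an ELF file")
        manifest[os.path.realpath(p)] = tag(key, data)
    return manifest

def may_execute(key: bytes, manifest: dict, path: str) -> bool:
    """Load-time step: allow only files whose tag matches the manifest."""
    expected = manifest.get(os.path.realpath(path))
    if expected is None:
        return False  # unknown binary, e.g. one installed after the manifest was built
    with open(path, "rb") as f:
        return hmac.compare_digest(expected, tag(key, f.read()))

def demo():
    key = b"constructed-demo-key"  # stands in for the secret unlocked at boot
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved")
        dropped = os.path.join(d, "dropped")
        for p in (approved, dropped):
            with open(p, "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)  # constructed stub header
        manifest = build_manifest(key, [approved])
        before = may_execute(key, manifest, approved)
        unknown = may_execute(key, manifest, dropped)
        with open(approved, "ab") as f:
            f.write(b"patched")  # simulate modification after approval
        after = may_execute(key, manifest, approved)
    return before, unknown, after

if __name__ == "__main__":
    print(demo())
```

Because the manifest is keyed, someone who can write files but does not hold the boot-time secret cannot produce a valid tag for a new or modified binary.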