Re: LKM Trojan installed
From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/11/03
- Previous message: lists@rak.radio.cz: "Re: LKM Trojan installed"
- In reply to: Zow: "Re: LKM Trojan installed"
- Next in thread: Rivanor P. Soares: "Re: LKM Trojan installed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Feb 2003 08:34:52 -0800
From: Brian Hatch <focus-linux@ifokr.org>
To: Zow Terry Brugger <zow@llnl.gov>
> > Of course, if the cracker has gotten root, they can chattr it right
> > back. In fact, the first thing I'd do as an attacker is to find all
> > chattr'd files on the filesystem since they're probably important.
>
> I seem to recall a few years back reading about a utility that sets the
> kernel such that attributes can not be further modified until the box is
> rebooted. Can anyone confirm, hopefully with a pointer?
IIRC, the ext2/ext3 code checks for CAP_LINUX_IMMUTABLE before allowing
changes to immutable and append only flags. So if you remove this from
your capability bounding set you are probably fine. On 2.4 kernels
you'd need to remove CAP_SYS_MODULE too, s.t. root can't re-enable
CAP_LINUX_IMMUTABLE.
Usually if I need to have immutable files, I go the whole way and
patch the kernel to use a hardened security module[1]. Besides, chattr
doesn't work on non ext2/ext3 filesystems, and I have reiserfs on
many systems.
[1] LIDS, Grsecurity, yada yada yada.
--
Brian Hatch
Systems and Security Engineer
www.hackinglinuxexposed.com

"I thought the purpose of filing these reports was to provide accurate intelligence."
"Vir, intelligence has nothing to do with politics."
Every message PGP signed
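The mechanism described above (pulling CAP_LINUX_IMMUTABLE, and on 2.4 CAP_SYS_MODULE, out of the capability bounding set so that even root can no longer flip the immutable/append-only flags) is easy to verify rather than assume. The global /proc/sys/kernel/cap-bound of the 2.4 era is gone; current kernels carry a per-process bounding set that is exported as the CapBnd line of /proc/<pid>/status. The following is an added example, not code from the post or its author: it parses those Cap* lines and reports whether the two capabilities Brian names are still reachable. The two status dumps are constructed samples; the capability numbers (9 and 16) are the values from linux/capability.h.

```python
import re

# Capability numbers from linux/capability.h.
CAP_LINUX_IMMUTABLE = 9   # required by ext2/3/4 to set or clear immutable / append-only flags
CAP_SYS_MODULE = 16       # required to load a module that could hand the former back to root

CAPS_OF_INTEREST = {
    "CAP_LINUX_IMMUTABLE": CAP_LINUX_IMMUTABLE,
    "CAP_SYS_MODULE": CAP_SYS_MODULE,
}


def parse_cap_masks(status_text):
    """Return {field: int} for every Cap* line of a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, capno):
    """True if capability number `capno` is set in the 64-bit mask."""
    return bool((mask >> capno) & 1)


def audit_bounding_set(status_text):
    """Map each capability of interest to True if it is still in CapBnd.

    True means a root process in this tree could (re)gain the ability to
    clear chattr +i / +a; False means the bounding set has removed it.
    """
    masks = parse_cap_masks(status_text)
    if "CapBnd" not in masks:
        raise ValueError("no CapBnd line: kernel predates per-process bounding sets")
    return {name: has_cap(masks["CapBnd"], n) for name, n in CAPS_OF_INTEREST.items()}


def audit_live(pid="self"):
    """Audit a running process; by default the interpreter itself."""
    with open(f"/proc/{pid}/status") as f:
        return audit_bounding_set(f.read())


# Constructed sample: an unrestricted bounding set (all 41 capabilities of a recent kernel).
SAMPLE_FULL = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed sample: the same process after bits 9 and 16 were dropped from CapBnd.
SAMPLE_HARDENED = SAMPLE_FULL.replace(
    "CapBnd:\t000001ffffffffff", "CapBnd:\t000001fffffefdff"
)

if __name__ == "__main__":
    for label, text in (("unrestricted", SAMPLE_FULL), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_bounding_set(text))
    try:
        print("this process", audit_live())
    except OSError:
        print("no /proc available on this system")
```

Running the script under the libcap `capsh` tool, for example `capsh --drop=cap_linux_immutable,cap_sys_module -- -c 'python3 audit.py'`, should make the live line report both capabilities as False, which is the state the post is after: once they are out of the bounding set, nothing in that process tree, root included, can reacquire them without a reboot.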