Re: read-only linux and /etc

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 05/09/02


From: Juha Laiho <Juha.Laiho@iki.fi>
Date: Thu, 09 May 2002 07:17:01 GMT

g.news@tlarson.com (Tyler Larson) said:
>Wojtek Walczak <gminick@hacker.pl> wrote in message
>news:<slrnadgg6f.15j.gminick@hannibal.localdomain>...
>> On 7 May 2002 12:26:10 -0700, Tyler Larson wrote:
>> > I'm about to set up a linux box that needs to be as secure as
>> > possible, so I intend on going for the read-only linux configuration,
>> > where everything but /var, /home, /tmp, and /etc are on a partition
>> > mounted read-only, making it virtually impossible to install any sort
>> > of rootkit.
>> try
>> chattr +i /bin/* /sbin/* /usr/bin/* /usr/sbin/* /etc/passwd /etc/shadow
>> /etc/rc.d/* /etc/inetd.conf
>
>Interesting, but I don't see how that adds any more security than
>chmod a-w. After all, if the intruder has root, he can just chattr
>-i. On the other hand, if the filesystem is read only, well then too
>bad for him.

Hmm.. I haven't seen any rootkit (not offering public services on my
machine, so can keep the network interface rather completely shut),
but making files immutable might be enough to foil some of the less
sophisticated ones that just assume that as they're run as root, there
will be no permissions problems.

As for what could be imagined as the more sophisticated ones, not only
would it be possible for them to reset the immutable attribute, but
they'd also be able to remount the root fs read-write. So, I see these
solutions as more-or-less equal in terms of protection against
a determined and knowledgeable intruder.

So, the solution would be to have security levels in the kernel, and
one-way latches to set them, so that they cannot be reset once the
kernel is running - making system reboot the only way to reduce the
security level. After this, there could f.ex. be a security level
that denies remounting of ro-mounted filesystems as rw. I understand
the hard part with security levels (when adhering to Unix way of doing
things) is to prevent root from modifying the security level setting
in the running kernel image (as root does have access to kernel
memory, too).

As I haven't had the need for this kind of security, I haven't been
doing any "market research" as to what the different products (like
LIDS, or the NSA-variant of Linux) can offer for these needs.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
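
An added example, not part of the original post: a defender-side audit of which protections discussed in the thread a root process could still undo. It assumes a current Linux kernel, where a capability dropped from the bounding set (the `CapBnd` line in `/proc/<pid>/status`) cannot be regained by that process or its children; the function names and sample inputs are constructed for illustration.

```python
# Added example (not from the original thread). Sample inputs are constructed.
# Capability bit numbers as defined in <linux/capability.h>.
CAPS = {
    "CAP_LINUX_IMMUTABLE": 9,   # required to clear the immutable flag (chattr -i)
    "CAP_SYS_MODULE": 16,       # required to load kernel modules
    "CAP_SYS_RAWIO": 17,        # required to open /dev/mem and /dev/kmem
    "CAP_SYS_ADMIN": 21,        # required for mount -o remount,rw
}

def bounding_set(status_text):
    """Return the names from CAPS that are still in the bounding set."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split()[1], 16)
            return {name for name, bit in CAPS.items() if (mask >> bit) & 1}
    raise ValueError("no CapBnd line found")

def readonly_mounts(mounts_text):
    """Return mount points whose option field (4th column) contains 'ro'."""
    ro = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "ro" in fields[3].split(","):
            ro.append(fields[1])
    return ro

def undo_paths(status_text, mounts_text):
    """Report which protections a root process with this bounding set can reverse."""
    caps = bounding_set(status_text)
    return {
        "clear_immutable": "CAP_LINUX_IMMUTABLE" in caps,
        "remount_rw": readonly_mounts(mounts_text) if "CAP_SYS_ADMIN" in caps else [],
        "kernel_memory": bool(caps & {"CAP_SYS_MODULE", "CAP_SYS_RAWIO"}),
    }

# Constructed /proc/<pid>/status excerpts: a full bounding set, and one with
# bits 9, 16 and 17 dropped early in boot.
FULL = "Name:\tinit\nCapBnd:\t000001ffffffffff\n"
LATCHED = "Name:\tinit\nCapBnd:\t000001fffffcfdff\n"
# Constructed /proc/mounts excerpt matching the layout proposed in the thread.
MOUNTS = ("/dev/hda1 / ext2 ro 0 0\n/dev/hda2 /usr ext2 ro,nodev 0 0\n"
          "/dev/hda3 /var ext2 rw 0 0\n/dev/hda5 /home ext2 rw,nosuid 0 0\n")

if __name__ == "__main__":
    for label, status in (("full", FULL), ("latched", LATCHED)):
        print(label, undo_paths(status, MOUNTS))
```

In the latched sample the immutable flag can no longer be cleared, but `CAP_SYS_ADMIN` is still present, so the read-only mounts remain remountable.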


