Re: Rootkit

> >> While reading this thread it occurred to me that if disk drives had a
> >> read-only switch, then systems would be uncrackable.

Well, that would go a long way to make intrusion more difficult, but
not impossible. The intruder just mounts something on top of your
read-only partition that looks a lot like your partition but with a few
well-chosen modifications. He then has to hide evidence of his trick,
which would not be easy (at least for me!), but that's not to say it
could not be done. In fact I have heard of a very similar approach
being used (sort of the opposite - an innocuous partition mounted over
a partition full of rootkit stuff to keep it hidden), though
apparently the intruder had not perfected it yet, since the admin
eventually figured out what was going on.

> There are special filesystems ("unionfs" ?)
> that redirect writes to a read-only file to a copy of the file in a
> writable partition (I think).

Yeah, but wouldn't that defeat the idea? Are you making it read-only
so that you know for sure it is good and can use it with confidence, or
so that you can easily recover your original files after getting
(expletive deleted)? This "read-only" partition approach is only worth
the trouble if it actually takes some capability away from the
intruder. If the filesystem is read/write but your "originals" are
read-only, that only bothers the intruder if he actually wants to
erase them. What does he want to erase? Log files, which do not belong
on a read-only filesystem in any case.

You could use it for monitoring - if it were easy to check whether
ps and lsof and other critical executables were actually on the
read-only part of the disk or had been modified. The utility that does the
check had better be on the read-only partition, but what do you use to
check it? If you're totally hacked you can't be sure that the
utilities that you execute are actually coming from that disk. You
might be logged in to an emulator! Might as well use tripwire or aide
and not bother with the read-onlyness.

This has got me thinking.
Dave
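The monitoring check Dave sketches above, as an added example that is not part of the original thread: resolve which mount a binary lives on from /proc/mounts-style data, require that mount to carry the `ro` option, and compare the file's SHA-256 against a stored baseline the way tripwire or aide would. The mount table, file contents and baseline are constructed samples; on a real host you would read /proc/mounts and the files themselves, and, per Dave's caveat, run the checker from trusted boot media rather than from the possibly compromised system.

```python
import hashlib

# Constructed sample of /proc/mounts (device, mountpoint, fstype, options).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest mountpoint that is a prefix of path, i.e. the mount that
    actually serves it (an overlay mounted deeper wins, as in Dave's trick)."""
    best = None
    for mountpoint, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def on_read_only_mount(path, mounts_text=SAMPLE_MOUNTS):
    """True only if the mount serving path is mounted with the ro option."""
    found = mount_for(path, parse_mounts(mounts_text))
    return found is not None and "ro" in found[1]


def build_baseline(files):
    """files: {path: bytes} captured from a known-good system -> {path: sha256}."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def verify_binary(path, content, baseline, mounts_text=SAMPLE_MOUNTS):
    """Return (ok, reason): content must come from a read-only mount and
    hash to the baseline value recorded for path."""
    if not on_read_only_mount(path, mounts_text):
        return False, "not on a read-only mount"
    if baseline.get(path) != hashlib.sha256(content).hexdigest():
        return False, "hash mismatch against baseline"
    return True, "ok"
```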

