RE: Future Linux devel. Kernels

From: Khimenko Victor (khim@dell.sch57.msk.ru)
Date: Sun May 07 2000 - 18:19:05 EST


On Mon, 8 May 2000, Igmar Palsenberg wrote:

>
> > > Well my thought was if you are running syslog on another box you would have
> > > somewhat of a tamperproof
> > > system. For instance an intruder compromises root, loads a kernel module to
> > > hide his/her activities. If modules are logged there's one more piece of
> > > evidence that the system has been compromised. Right now (under 2.2 kernels)
> > > I do not see any logs when I load (or remove) modules.
> >
> > It was discussed a zillion times already. It was just called "non-executable
> > stack". "One more layer of toilet paper" (instead of reliable lock) is NOT
> > acceptable in mainstream kernel. It's security via obscurity. It WORKS.
> > Really. But ONLY as long as it's not in mainstream kernel. Once such feature
> > is in mainstream kernel it's in VERY short time added to "automagic cracker
> > toolset" and then we have only bloat in kernel and no additional security
> > at all. So implement it as local patch if you wish -- it'll help you more
> > this way.
>
> It doesn't work.

It works beautifully. As long as the intruder does not know where exactly
the traps are placed he can not avoid the traps. Will it work as a long-time
defence against a skilled cracker SPECIALLY directed against you ? Probably not.
Will it stop most crackers ? For sure. As long as traps are NOT common and
thus not known to the majority of crackers!

> The main 'problem' is that someone that has root is god.

For now (till "Trusted Linux" is invented).

> The only way to make sure we nail the guy is to make sure we can
> trace what he did.
>
Exactly.

> If the guy (girl) really knows what he is doing he is able to wipe his
> traces..
>
Hah. ONLY if he (she) feels the NEED to track "that style traces as well".
See above.

> > > I am thinking about including a unique ID in the kernel that is generated
> > > during compile time. All modules that are built must reference this ID. If I
> > > transfer a kernel module binary from a different system it would be refused.
> > > In order for me to build a new kernel module, I would have to build that
> > > module under my kernel. If the system doesn't have compiler tools, new
> > > modules can't be easily installed.
>
> Nothing is safe against an editor and someone who has root and knows about
> /dev/kmem
>
Again: if /dev/kmem is readable on the system :-)

> Keeping the guy outside is a better start to focus on.
>
For sure.

> > Compiler tools can be easily transferred and even the magic number can be moved
> > to an already cracked host (it can be easier). The only bullet-proof way here is
> > PGP-like signatures and I doubt we want THAT in kernel.
>
> Ah well... At least I then have some time to get some coffee during an ls
> :-)
>
:-))
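
Added example, not part of the thread: a small Python model of the two module-admission schemes argued over above, the compile-time build id that every module must carry and the "PGP-like" signature check that the reply prefers. The kernel build id, the module bytes and the toy RSA key (two Mersenne primes, textbook RSA with no padding) are all constructed for the example; real module signing uses proper key sizes, padding and key management.

```python
# Added example, not part of the thread: a model of the two module-admission
# checks argued over above. Build ids, primes, exponents and module bytes are
# all constructed for the demonstration.
import hashlib
from typing import Optional

# --- Scheme 1: a compile-time build id that every module must carry ----------
HEADER = b"BUILDID:"


def build_module(build_id: str, code: bytes) -> bytes:
    """Stamp a module blob with the build id of the kernel it was compiled for."""
    return HEADER + build_id.encode() + b"\n" + code


def extract_build_id(blob: bytes) -> Optional[str]:
    """Return the build id stamped on a module, or None if the header is absent."""
    if not blob.startswith(HEADER):
        return None
    line, _, _ = blob.partition(b"\n")
    return line[len(HEADER):].decode(errors="replace")


def admit_by_build_id(blob: bytes, kernel_build_id: str) -> bool:
    """The check proposed in the thread: the module's id must equal the kernel's.
    It compares a plain string, so it binds the module to nothing but that string."""
    return extract_build_id(blob) == kernel_build_id


# --- Scheme 2: a public-key signature, the "PGP-like" alternative ------------
# Toy textbook RSA over two Mersenne primes so the example needs no library.
# Real module signing uses proper key sizes, padding and key management.
P = 2**127 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the build host
PUBLIC_KEY = (N, E)                # all the "kernel" has to hold
PRIVATE_KEY = (N, D)


def digest_as_int(blob: bytes) -> int:
    """SHA-256 of the blob, truncated to 160 bits so it lies below the toy modulus."""
    return int.from_bytes(hashlib.sha256(blob).digest()[:20], "big")


def sign_module(blob: bytes, private_key=PRIVATE_KEY) -> int:
    """Produce a signature on the build host, where the private key lives."""
    n, d = private_key
    return pow(digest_as_int(blob), d, n)


def admit_by_signature(blob: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """The kernel-side check: only the public key is needed, so nothing present
    on this host lets a root-level intruder sign a module of his own."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(blob)


if __name__ == "__main__":
    kernel_id = "2.3.99-constructed-build-0001"            # constructed
    own = build_module(kernel_id, b"\x55\x48\x89\xe5")      # constructed bytes
    foreign = build_module("2.2.14-other-box", b"\xcc\xcc")  # constructed bytes
    print("own module, build-id check:      ", admit_by_build_id(own, kernel_id))
    print("foreign module, build-id check:  ", admit_by_build_id(foreign, kernel_id))
    sig = sign_module(own)
    print("own module, signature check:     ", admit_by_signature(own, sig))
    print("tampered module, signature check:", admit_by_signature(own + b"\x90", sig))
```

The build-id check admits any blob that carries the expected string, which is exactly the weakness the reply points at: the magic number is data that can be moved to an already cracked host. The signature check needs only the public key on the box, so the secret that makes a module acceptable never has to exist on the host whose root may be compromised. The /dev/kmem caveat from the thread still applies to both: neither check helps once the running kernel can be patched in place.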
