> I assume that after intruder/script/trojan/virus got root access, there
> is nothing reasonable that can be done except wiping out and reinstalling
> the system IMNSHO efforts should be made only to prevent that from
> happening, not to find a way to fight already lost battle.
AFAIK, sorta.
1) There is a "securelevel" concept used in some Unixen, and I believe
available in Linux through different methods. Basically the idea is that
you boot the system up, and then toggle a kernel flag or several that
disallow changes to crucial parts of the system.
For example, disallow loading modules. Disallow rewriting certain
files (daemons, modules, kernel, configuration files), etc.
This doesn't completely protect you from root-kits, but it severly limits
their usefullness, and a reboot will normally get you back into a known
state.
2) Mandatory Access Control.
One idea is that there is a additional "group" associated with every
process, and the kernel prevents any "downflow" of information between
processes in different groups.
For example one setup might be: any program that reads from an "untrusted"
source is demoted to untrusted status, and is not permitted to write to
any "trusted" file. Set up the console tty's to be trusted, and
network devices to be untrusted...
X is completly busted, but if someone hacks in and obtains root
priviledges, they still can't do jack.
A co-worker of mine has a Linux patch to do basically this. Its the LOMAC
project: ftp://ftp.tislabs.com/pub/lomac
I don't know its exact current state.
Doug
-- dougk@tislabs.com
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/