
Re: And now for something completely different... etch!



On Friday 17 June 2005 22:06, Steve Langasek <vorlon@debian.org> wrote:
> > But if someone can change the cache of data written by prelink then why
> > couldn't they also change the program that does the md5 checks to make it
> > always return a good result?
>
> They can, but I've never seen a rootkit with that level of sophistication;

There have been root-kits that hide files and show the original versions to 
programs that do checks.  This is not really difficult to do with a kernel 
module.

> and if there was one, there's still the option of booting from read-only
> media to check (which is the only safe way to audit your system anyway).

True.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


