
Re: Root Kit Protection



Hi,

I have followed the topic for some time now, and would like to put down my thoughts
as well. I hope you don't mind that a rookie is doing that.

As far as I know, "root" can do anything on a system. If I were one
of those guys sitting around trying to get root access on a system, the first thing
I would do is get rid of all the auditing systems on the machine. And that
is pretty easy, especially if it is put in the crontab or run as a
daemon. It is even easier if it is kept on rw-media on the local machine
and the package is known in the Debian world. Then the "hacker" would know what to
look for.

The only three ways that I see (through a rookie's eyes) are these. The first is to build your own
thingie-kind-of-auditing-tool and then protect it with your life. Don't put it
in the crontab, which makes it visible, and don't run it as a daemon, which makes it even more
visible.

The second is to try to set up a special audit computer that audits through, say, RS-232, and not
connect it directly to the same subnet. This would make it almost impossible for
the "hacker" to avoid being logged or to wipe out the logs.

The third way is to use ro-media. But I don't see how to make this work
correctly. Because if you put something in the crontab to check that things are
still the same, then it shouldn't be too hard to change the program that checks
against the ro-media so that it fakes its answers.

Well, these are the immediate thoughts I had when reading your letters, but of
course I might be mistaken, and maybe I don't really know what I'm talking about.

Please tell me what YOU think about this.

Regards / Bacon Alias Robert K
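The third approach in the post above (a baseline kept on ro-media, checked from cron) and the objection to it can be illustrated concretely. The script below is an added example and is not code from the original poster; it uses GNU `sha256sum`, a temporary directory standing in for the read-only media, and two constructed fake "binaries", all of which are assumptions for the demonstration. The comments mark where the poster's objection bites: the verifier binary and the manifest are only trustworthy if the attacker cannot rewrite them, which is exactly why the post's second option (checking from a separate machine) is attractive.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates a file-integrity
# baseline of the kind a cron job might check against ro-media, and shows
# that a replaced binary is caught while the verifier itself remains the
# weak point if it lives on writable media.
#
# Assumptions: GNU coreutils sha256sum is available; a temp directory
# stands in for the read-only media; the "binaries" are constructed files.

# make_baseline MANIFEST FILE... : record sha256 hashes of FILE... in MANIFEST.
# In a real deployment MANIFEST would be written once, then the media
# would be remounted (or physically switched) read-only.
make_baseline() {
    manifest=$1
    shift
    sha256sum "$@" > "$manifest"
}

# verify_baseline MANIFEST : return 0 if every listed file still matches,
# 1 otherwise. Note the objection from the post: if an attacker with root
# can overwrite *this* script (or sha256sum itself) on rw-media, they can
# make this function return 0 unconditionally. The check is only as
# trustworthy as the origin it is executed from.
verify_baseline() {
    if sha256sum --check --quiet "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# demo : build a baseline over two constructed "binaries", verify, then
# simulate a rootkit replacing one of them and verify again.
# Prints "<before> <after>", e.g. "0 1" for "clean, then tampered".
demo() {
    tmp=$(mktemp -d)
    # Constructed sample inputs standing in for /bin/ls and /bin/ps.
    printf 'ls-binary-v1\n' > "$tmp/ls"
    printf 'ps-binary-v1\n' > "$tmp/ps"

    make_baseline "$tmp/manifest" "$tmp/ls" "$tmp/ps"
    if verify_baseline "$tmp/manifest"; then before=0; else before=1; fi

    # Simulate a rootkit dropping a trojaned ps that hides its processes.
    printf 'ps-trojaned\n' > "$tmp/ps"
    if verify_baseline "$tmp/manifest"; then after=0; else after=1; fi

    rm -rf "$tmp"
    echo "$before $after"
}
```

Run `demo` to see the replaced file detected; the important design point is that the manifest and the verifier must be read from media the attacker cannot write, and ideally executed by a machine the attacker does not control, otherwise the "0" can be faked just as the post describes.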

