
Re: Root Kit Protection



On Thu, Feb 17, 2000 at 12:27:33PM +0100, Robert Karlsson wrote:
> Hi,
> 
> I have followed the topic for some time now, and would like to put down my thoughts
> as well. I hope you don't mind that a rookie is doing that.
> 
> As far as I know I thought that "root" could do anything on a system. If I were one
> of those guys sitting around trying to get root-access on a system, the first thing
> I would do is to get rid of all the auditing systems lying on the machine. And that
> is pretty easy, especially if you are to put it in the crontab or putting it as a
> daemon. It is even more easy if it is put down on a rw-media on the local machine
> and the package is known in the debian-world. Then the "hacker" would know what to
> look for.

This is a valid point: anything that is running automatically could be
removed (which would be somewhat obvious to an attentive admin) or
replaced with a fake version that always returns `all is well'. While
we can protect the databases easily from tampering by
cryptographically signing them, protecting the utility itself is a bit
more difficult; really you would have to keep gpg and the scanner on a
read-only disk (perhaps a protected floppy), and if the admin makes a
habit of running it manually then any other tampering with this system
would be noticed.

> The only three ways that I see (in a rookie's eyes), is to either build your own
> thingie-kind-of-auditing-tool and then protect it with your own life. Don't put it
> in the crontab to make it visible, and don't put it as a daemon to make it even more
> visible.

Trying to hide it is futile: security through obscurity.

> Or to try to make a special audit computer to audit through maybe RS-232 and don't
> connect it directly to the same subnet. This would make it almost impossible for
> the "hacker" to not be logged or to wipe out the logs.

Remote logging is a very important step for high-security machines
(such as firewalls). Even better, dump the most important logs
(authentication, say) to a line printer: no matter how much cracking
someone does, unless they can convince the printer to run backwards and
eat the page it just printed, the log entry can never be destroyed
(without physical access or perhaps a missile...)

> The third way is to use a ro-media. But I don't see how to make this thing work
> correctly. 'Cause if you are to put in a thing in the cron tab to check if it is
> still the same, then it shouldn't be too hard to change the program that checks
> against the ro-media to fake its answers.

The program is really what must be protected; the database is easy if
you cryptographically sign it and protect the program used to verify
those sigs.. but as someone else mentioned you have to protect the
kernel too..

But of course we can never get total security, except perhaps a
system that is burned to a CDROM and boots into a ramdisk; then all
you do is reboot it if it gets cracked, instantly clean.. (but not
convenient to upgrade/configure) (also ignoring physical security, which
we're not talking about here)

-- 
Ethan Benson


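As an added illustration of the signed-database idea discussed in this reply (example code written for this page, not from the thread or any Debian package): the file-hash manifest is signed so that an intruder who replaces a binary cannot quietly update its entry, and the verifier reports a bad signature before trusting any entry. It assumes HMAC-SHA256 with a constructed key in place of the gpg signatures mentioned in the message; the key and the script themselves would live on the same read-only media as the scanner.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed demo key standing in for the gpg key the thread mentions;
# in practice it belongs on read-only media beside this script.
KEY = b"constructed-demo-key-keep-on-ro-media"

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    rootp = Path(root)
    return {str(p.relative_to(rootp)): hash_file(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}

def sign_manifest(manifest: dict, key: bytes = KEY) -> bytes:
    """Canonical JSON followed by a MAC line; the MAC covers the whole manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + mac

def verify(signed: bytes, root: str, key: bytes = KEY) -> dict:
    """Check the manifest signature first, then compare it with the disk.

    Returns {'signature': bool, 'modified': [...], 'missing': [...], 'added': [...]}.
    """
    body, _, mac = signed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        # Forged or edited manifest: none of its entries can be trusted.
        return {"signature": False, "modified": [], "missing": [], "added": []}
    stored = json.loads(body)
    current = build_manifest(root)
    return {
        "signature": True,
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "missing": sorted(p for p in stored if p not in current),
        "added": sorted(p for p in current if p not in stored),
    }
```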