Re: Root Kit Protection

To: Ethan Benson <erbenson@alaska.net>
Cc: debian-devel@lists.debian.org, Robert Karlsson <Robert.Karlsson@Baconsulting.nu>
Subject: Re: Root Kit Protection
From: Anton Ivanov <aivanov@eu.level3.net>
Date: Thu, 17 Feb 2000 14:10:12 -0000 (GMT)
Message-id: <XFMail.20000217141012.aivanov@eu.level3.net>
Reply-to: Anton Ivanov <aivanov@eu.level3.net>
In-reply-to: <20000217044423.A27100@plato.localdomain.local>

-----BEGIN PGP SIGNED MESSAGE-----

[snip]
> 
> remote logging is a very important step to high security machines
> (such as firewalls) even better dump the most important logs
> (authentication say) to a line printer no matter how much cracking
> someone does unless they can convince the printer to run backwords and
> eat the page it just printed the log entry can never be destroyed
> (without physical access or perhaps a missle...)

You may have quoted this as an example of impossibility but I have actually seen
this... Depends how much is at stake... And in btw, on many printers
operating on paper rolls there is a way to roll back and happily print garbage
over printed data. A Drop Only Host as per the classic O'Reily "Building
Internet Firewalls" is a better idea and a good use for an otherwise useless
386. You can analyze these logs easier, faster and better.

I have been following this thread for a while. It is rotating about the fact
that once you gain root privilleges you can do whatever you want. It is just a
matter of effort and qualification on the attacker side. Some solutions like
tripwire and sigs will pick up elementary stuff, some others will pick up more
complex stuff but unless you reboot the machine you never have a completely
trusted path and you are always suspicious.

This has been discussed a few times on BUGTRAQ, a few times in FRAQ, quite a
few times on linux kernel. So far noone has come up with a solution. On a unix
system root is just too powerfull. 

So if you want to run verification of what is actually on the machine, you have
the only real option of making the service fallback transparently to a backup
machine while you do maintenance on the primary. And after you have rebooted
cleanly even a set of MD5s happens to be usually sufficient.

Just my 0.02$

Cheers ;-)

- ----------------------------------
Anton R. Ivanov
IP Engineer Level3 Communications
RIPE: ARI2-RIPE      E-Mail: Anton Ivanov <aivanov@eu.level3.net>
@*** McClaughry's Law of Zoning ***
      Where zoning is not needed, it will work perfectly;
      where it is desperately needed, it always breaks down.

- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQEVAwUBOKwBQylWAw/bM84zAQHO5wgAnjVKzZC8wPuAzX4i8GFksBqKqDu0My/8
ea/qv+4tiaBFYD3objIDr3R4KCxrWtrCI2b5nXXDbs2Z65zvbeQcc4ep0+zhj5qp
zZ0r8HV0lSLgdHoE2YCZ0HYrtTE0HLl5W0RZUCFc6aoDTz01PDWEqulAaGxESJB3
KRAef9wkQKh9QRoD3kfV0oP2SmmSUGfyDy7rybdms1x9hfXh+HqisIWHSirgccnK
2Rf0zySipSBSFwRnBwjMWBCoBz0hpnhQF1/SdcYqm0tkGfGRrYbMeJjQ1dkYRJWX
7Bi0sTsDiBR6unroqGxL7MZjhdw9YKuO5CugjyDBTFVs0m+cdAYlzA==
=Vs0j
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Root Kit Protection
  - From: Johno Sullivan <johno@tornado.ie>

References:
- Re: Root Kit Protection
  - From: Ethan Benson <erbenson@alaska.net>

Prev by Date: Re: Maintining a package
Next by Date: Re: bug in cursor window control - but which package?
Previous by thread: Re: Root Kit Protection
Next by thread: Re: Root Kit Protection
Index(es):
- Date
- Thread