Re: Root Kit Protection
> remote logging is a very important step to high security machines
> (such as firewalls) even better dump the most important logs
> (authentication say) to a line printer no matter how much cracking
> someone does unless they can convince the printer to run backwards and
> eat the page it just printed the log entry can never be destroyed
> (without physical access or perhaps a missile...)
You may have quoted this as an example of impossibility but I have actually seen
this... Depends how much is at stake... And, btw, on many printers
operating on paper rolls there is a way to roll back and happily print garbage
over printed data. A Drop Only Host as per the classic O'Reilly "Building
Internet Firewalls" is a better idea and a good use for an otherwise useless
386. You can analyze these logs easier, faster and better.
I have been following this thread for a while. It is rotating about the fact
that once you gain root privileges you can do whatever you want. It is just a
matter of effort and qualification on the attacker side. Some solutions like
tripwire and sigs will pick up elementary stuff, some others will pick up more
complex stuff but unless you reboot the machine you never have a completely
trusted path and you are always suspicious.
This has been discussed a few times on BUGTRAQ, a few times in FRAQ, quite a
few times on linux kernel. So far no one has come up with a solution. On a unix
system root is just too powerful.
So if you want to run verification of what is actually on the machine, you have
the only real option of making the service fallback transparently to a backup
machine while you do maintenance on the primary. And after you have rebooted
cleanly even a set of MD5s happens to be usually sufficient.
Just my 0.02$
Anton R. Ivanov
IP Engineer Level3 Communications
RIPE: ARI2-RIPE E-Mail: Anton Ivanov <email@example.com>
*** McClaughry's Law of Zoning ***
Where zoning is not needed, it will work perfectly;
where it is desperately needed, it always breaks down.
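The "set of MD5s" checked after a clean reboot, as an added example that is not part of the original post: a baseline of file digests is taken while the host is known-good, and a later walk is compared against it to report added, removed and modified files. The directory layout and file contents are constructed for the demonstration; the baseline only means something if it, and the tool reading it, come from a trusted path (read-only media or the backup machine), which is exactly the poster's point.

```python
"""Added example (not from the original post): a tripwire-style baseline
and verify check. Paths and contents below are constructed for the demo."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Walk a tree and return {relative_path: sha256 hex} for regular files."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool would record the link target separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def compare(trusted, current):
    """Diff two baselines: files added, removed, or whose digest changed."""
    t, c = set(trusted), set(current)
    modified = sorted(p for p in t & c if trusted[p] != current[p])
    return {"added": sorted(c - t), "removed": sorted(t - c), "modified": modified}


def demo():
    """Constructed scenario: baseline a 'bin' tree, then alter it and recheck."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, data in (("ls", b"ls-v1"), ("ps", b"ps-v1")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
        trusted = build_baseline(root)  # taken while the host is known-good
        # Constructed changes: ps replaced, a hidden file dropped, ls removed
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"ps-v2")
        with open(os.path.join(bindir, ".hidden"), "wb") as fh:
            fh.write(b"x")
        os.remove(os.path.join(bindir, "ls"))
        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```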