
Re: Common security checks for a base installation - packages reviewed.

On Mon, 30 Dec 2002 21:02, Steve Kemp wrote:
>   If you scan the filesystem once looking for, say permissions, and then
>  later scan to, say, test MD5 sums the first file you examine could have
>  been modified just after you test it - at which point you won't find out
>  until the next invocation.
>   The advantage of having a lightweight scan, though, is that the scan
>  could happen hourly without putting the system under undue load.

Is there any real point to such a scan?

If a hostile user can attack the system to change the permissions or contents 
of a trusted file (anything in {/usr,}/{s,}bin etc) then surely they can 
change the program that checks the permissions, the libc6, the database of 
MD5s, or something else to prevent the checks being done properly.

Why not just run SE Linux or one of the other MAC systems to prevent the files 
being modified in the first place?

Writing a "no way out" policy for SE Linux that prevents the important files 
or the security policy from being changed is easy enough to do.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
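The scan design the quoted paragraph argues about, as an added example that is not part of this thread and not Steve Kemp's or Russell Coker's code: a single pass that records ownership, mode and a content hash of each file in the same visit, so the permission check and the checksum check observe the same state of the file instead of two separate passes that can be raced. SHA-256 is used here instead of the MD5 sums the thread mentions; the directory layout and the "modified file" scenario in `demo()` are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile


def snapshot_file(path):
    """Record ownership, mode and content hash of one file in a single visit.

    Taking lstat() and hashing the content back-to-back narrows the window
    between the permission check and the checksum check to one file read,
    instead of a whole filesystem walk as with two separate scans.
    """
    st = os.lstat(path)
    entry = {
        "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def snapshot_tree(root):
    """Walk a tree once and snapshot every file, keyed by path relative to root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes reports reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = snapshot_file(full)
    return snap


def compare(baseline, current):
    """Return (relative_path, finding) tuples for every difference from the baseline.

    The baseline has to live somewhere the host cannot overwrite (read-only
    media, another machine); a baseline on the scanned host is only as
    trustworthy as the host itself, which is the objection raised in the reply.
    """
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        before = baseline.get(rel)
        after = current.get(rel)
        if before is None:
            findings.append((rel, "added"))
        elif after is None:
            findings.append((rel, "removed"))
        else:
            for key in sorted(set(before) | set(after)):
                if before.get(key) != after.get(key):
                    findings.append((rel, f"{key} changed"))
    return findings


def demo():
    """Constructed scenario: baseline a small tree, alter one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        wrapper = os.path.join(bin_dir, "ls")
        with open(wrapper, "w") as f:
            f.write('#!/bin/sh\nexec /bin/ls "$@"\n')
        os.chmod(wrapper, 0o755)

        baseline = snapshot_tree(root)

        # Simulated change: new content and an added setuid bit on the same file.
        with open(wrapper, "w") as f:
            f.write("#!/bin/sh\n# modified\n")
        os.chmod(wrapper, 0o4755)

        return compare(baseline, snapshot_tree(root))


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Because mode and hash are taken in the same visit, one report line set describes one observed state of `bin/ls`; with two separate scans, a file could be clean on the permission pass and altered before the checksum pass, or vice versa, and the discrepancy would not show until the next run.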
