
Re: Re: Security. Allow to run only executables with certain hash



Thank you, Steve! It is not for me but for everybody for the common
good. I've made just an idea, somebody must make the result. For all
companies who use Debian OS and their customers against data
(personal, banking) thefts, persecution of oppositions in countries,
elections interferences, for making the democracy and the humans
prosperity.

2020-02-28 20:56 GMT+02:00, Steve Kemp <steve@steve.fi>:
> Good luck finding somebody to write this for you.  If you're interested in
> kernel security you might enjoy this module which makes it possible to do
> most of what you want - but it'll require hacking:
>
> https://github.com/skx/linux-security-modules/tree/master/security/can-exec
>
> In general what you want is hard, you'll need to compromise (no pun
> intended), or pay a lot of money to get it developed for you.
>
> Steve
>
> On Fri, Feb 28, 2020 at 8:42 PM Dmytro Spivak <obyavus@gmail.com> wrote:
>
>> sorry, delete, please ***** after 1-hour living
>> password
>>
>> 2020-02-28 20:22 GMT+02:00, Dmytro Spivak <obyavus@gmail.com>:
>> > Please make a system app, that will prevent strange executables and
>> > wrappers to be launched.
>> >
>> > For developers:
>> >
>> > 1. this app must allow an execution only executables with certain
>> > hashes and deny execution of files, hashes of which are not prescribed
>> > in a control file.
>> >
>> > 2. the control file (of list of allowed executables and their hashes)
>> > and a configuration file of the app may be changed by 2 factor
>> > authentication (by sending an email with 8-digits 1-hour living
>> > password***** (do not forget a delay of 5 seconds against guessing the
>> > password)) after a first configuration.
>> >
>> > 3. by installation of the app there must be a prompt to enter an email
>> > for 2 factor authentication process, email server settings for ability
>> > to send an email for 2 factor authentication.
>> >
>> > 4. for building a control file the app scans for all executables in
>> > the os, makes their (for example, sha1) hashes and writes full path
>> > and hash of each of them to the control file.
>> >
>> > 5. for stopping or killing the app must be the 2 factor authentication
>> > I suppose, too (or write the source code of /bin/kill binary so that
>> > if it is the app then nothing to do (pretermit action), but the
>> > original `/bin/kill` binary one can copy to a usb flash drive with a
>> > different name (for example, /media/ubuntu/usbflash/flwr) and if one
>> > needs to kill the app then he connects the usb flash and copies that
>> > binary /media/ubuntu/usbflash/flwr to the system and launches against
>> > the app (but for prevent a theft of /media/ubuntu/usbflash/flwr using
>> > for example, sh -c "while:; do sleep 10; inotifywait -rmq -e access
>> > /media/ubuntu/usbflash/ | while read line; do cp $line /path/to/;done;
>> > done" source code of /bin/cp or /bin/mv files can be written so that
>> > they can copy or move  /media/ubuntu/usbflash/flwr file only to
>> > special path on the system not to somewhere else)).
>> >
>>
>>
>
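
Items 1 and 4 of the quoted request (scan for executables, record path and hash in a control file, deny anything unlisted or changed) as an added example; it is not code from the thread or from the linked module. SHA-256 is swapped in for the sha1 the request mentions, and the function names and the temporary sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_hash(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_control(roots):
    """Item 4: map resolved path -> hash for each regular file with an execute bit."""
    control = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.realpath(os.path.join(dirpath, name))
                try:
                    if os.path.isfile(path) and os.stat(path).st_mode & 0o111:
                        control[path] = file_hash(path)
                except OSError:
                    continue  # unreadable or vanished: stays unlisted, so denied
    return control

def is_allowed(path, control):
    """Item 1: allow only if the path is listed and its current hash matches."""
    path = os.path.realpath(path)
    try:
        return path in control and control[path] == file_hash(path)
    except OSError:
        return False  # cannot read it, cannot verify it: deny

def make_script(path, body):
    """Write a small executable shell script (constructed sample input)."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)

def demo():
    """Returns decisions for: a listed file, an unlisted file, the listed file after a change."""
    with tempfile.TemporaryDirectory() as d:
        listed, unlisted = os.path.join(d, "listed.sh"), os.path.join(d, "new.sh")
        make_script(listed, "echo listed")
        control = build_control([d])
        make_script(unlisted, "echo new")        # added after the scan
        checks = [is_allowed(listed, control), is_allowed(unlisted, control)]
        make_script(listed, "echo changed")      # content change -> hash mismatch
        return checks + [is_allowed(listed, control)]
```

This only decides allow or deny; it enforces nothing, and a check made in user space can be raced between hashing and execution.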

