
Re: have I been rooted?



On Thu, 20 Mar 2003 02:43, debian@computerdatasafe.com.au wrote:
> 2. Install, setup, learn and use some software such as tripwire, that you
> can use to see whether there are unauthorised changes to system files.

Unless you run tripwire from bootable removable media that doesn't do much 
good.

> 3. Consider mounting /usr ro. One way that appeals to me, but I've not
> actually tried it, is to make an ISO of it and mount it on loopback. If you
> can have / ro, so much the better.

If they crack root then they can mount it read-write.  If you want it really 
read-only then consider using a CD-ROM.

> 4. Make sure that writable partitions are mounted noexec. If someone
> breaks, say Apache as was a possibility a few months ago, you don't want
> them running their cracker kit on your box. Note that this is not perfect,
> '/bin/bash -c "source ./kit"' can still do some damage.

If you install SE Linux then you get much better control over your system.  
When Apache can't even see other processes or write to /tmp it makes such 
exploits much more difficult.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
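
Added example, not part of the original message: a POSIX shell check for points 3 and 4 of the quoted advice, reading lines in /proc/mounts format and flagging a read-write / or /usr and any other writable filesystem mounted without noexec. The sample mount table and the function names are constructed for illustration; the check reports configuration only and does not address the remount or 'bash -c "source ./kit"' caveats raised in the thread.

```shell
#!/bin/sh
# Audit mount options given in /proc/mounts format on stdin.
# Function names and sample data are hypothetical, built for this example.

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda2 /usr ext3 ro 0 0
/dev/hda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/hda4 /var ext3 rw,nosuid 0 0
/dev/hda5 /home ext3 rw,noexec 0 0
proc /proc proc rw 0 0'

# has_opt <comma-separated options> <option>
# Succeeds only on an exact option match, so "noexecfoo" is not "noexec".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line:
#   RW-SYSTEM <mountpoint>      / or /usr is mounted read-write
#   WRITABLE-EXEC <mountpoint>  writable filesystem without noexec
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        # Kernel pseudo-filesystems are not covered by the advice.
        case "$fstype" in
            proc|sysfs|devpts|devtmpfs) continue ;;
        esac
        # Read-only mounts need no further checks.
        has_opt "$opts" rw || continue
        case "$mnt" in
            /|/usr) echo "RW-SYSTEM $mnt" ;;
            *) has_opt "$opts" noexec || echo "WRITABLE-EXEC $mnt" ;;
        esac
    done
    return 0
}

# Run against the constructed sample; for the live table use:
#   audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```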


