Re: what is means ? + rootkits..
Jan Johansson <jan.johansson@viking-telecom.com> wrote:
> Now, run AIDE check periodically (nightly) against that db. And all is well.

Here's a weakness: The attacker can replace AIDE (or any libraries it
links to, if any exist, or even the kernel) with a fake that just says
"Everything's OK" without really checking.

> When I patch the system, just make sure the AIDE check is "clean" before the upgrade. Do the patches, do a new AIDE database and do an incremental burn of the CD. Then keep that routine up.

Another weakness: If your CD is in a burner in the attacked machine, the
attacker can update the database with false information. You haven't
made it clear where the burner is in relation to the mounted CD, so I
don't know if this applies.

> That, and keeping the kernel monolithic to prevent the "module type" exploits, and you have a pretty good setup.

Module support is not needed to modify the running kernel, it just makes
it easier.

> Add to this logging of key elements to an old matrix printer. Good luck in manipulating those logs remotely.

Is that "old matrix printer" susceptible to fires if worked hard for a
while? ;)

> Frankly, I would actually like to see how to taint such a system...

The attacker can modify your running kernel. From that point, all bets
are off.

The attacker can also modify any software that's not on read-only media,
which can include your IDS software itself.

You need to boot from trusted media and run only trusted programs to
check untrusted media. You can't test the untrusted software using the
untrusted software.

> Now, a fun thought would be to use a mirrored disk on either shared SCSI or fibre SCSI for the system. Then break the mirror, mount one disk to a "secure" system and run the analysis from there, thereby bypassing ALL elements of the original object. (Okay, overkill).

Whether or not it's overkill depends on your threat analysis, but the
system you've described here could actually be secure if done right, and
avoids the downtime of booting the machine from trusted media. Your
current system is vulnerable to (an unlikely) attack.
-- 
Sam "Eddie" Couter  |  mailto:scouter@bigpond.net.au
Debian Developer    |  mailto:eddie@debian.org
                    |  jabber:sam@jabber.topic.com.au
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
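To make the trust argument above concrete, here is a minimal AIDE-style checker added as an illustration; it is neither AIDE's code nor part of the thread. The baseline dictionary stands in for the database that would be burned to the CD, and `verify()` is what the trusted system would run against the mounted, untrusted disk; the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import stat
import tempfile
# Minimal AIDE-style integrity check. The baseline dict stands in for the
# database that would be burned to the CD; verify() is what the trusted
# system runs against the mounted, untrusted disk. Not AIDE's own code.

def fingerprint(path):
    """SHA-256 of contents plus mode/uid/gid, roughly what an AIDE rule records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return "%s:%o:%d:%d" % (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and os.path.isfile(full):
                # relative keys keep the DB valid wherever the disk is mounted
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def verify(root, baseline):
    """Compare the tree under root with the baseline; return what differs."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline a tree, then swap the checker for a fake and add a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        with open(os.path.join(root, "sbin", "aide"), "wb") as f:
            f.write(b"checker binary (constructed stand-in)")
        baseline = build_baseline(root)  # this is what would go onto the CD
        # the tampering the thread describes: the checker itself is replaced
        with open(os.path.join(root, "sbin", "aide"), "wb") as f:
            f.write(b"fake checker that always reports OK")
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"")
        return verify(root, baseline)
```

Because the comparison runs from the trusted side with a baseline the attacker could not write to, the replaced checker shows up as changed instead of getting to grade itself.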
