
Re: How efficient is mounting /usr ro?



Getting rid of root kits?

Recently I've been thinking about this sort of thing as part of a
project for work.

The answer we came up with was to update boxes by rsync
with --delete

The centralised server that holds the root filesystems to be synced out
obviously has to be kept secure, but anything on the target that
isn't on the source gets removed.

Obviously it's a *little* more complicated than just
rsync -a /target/ target:/
:)

but it's reasonably well guaranteed to wipe out anything that someone
might have secreted under /etc/cron.d for example.

For completeness and added security, before the rsync takes place,
we upload statically linked rsync and md5sum binaries. This way,
the remote rsync program (set with --rsync-path) should be trustworthy.

Also, the rsync process runs some scripts on the target machine,
so any binaries used by these scripts are compared with
a record of what they are supposed to be (these are held
on the server), using the uploaded statically linked md5sum binary.



On Fri, 10 Oct 2003 11:38, Phillip Hofmeister wrote:
> On Thu, 09 Oct 2003 at 01:58:40PM -0400, Brandon High wrote:
> > On Thu, Oct 09, 2003 at 08:06:46AM -0400, Phillip Hofmeister wrote:
> > > If I r00t your system I'll have access to remount it rw anyhow.  Any
> > > "hacker" who doesn't know how to remount a file system is really lame.
> > > You may slow someone down for 3 seconds until they type:
> >
> > It'll stop a worm or automated intrusion though...
>
> Maybe not...A worm may write itself to somewhere it has access (not
> /tmp, that gets cleared...) and then place a cron entry to start itself.
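
The verification step the post describes, as an added example (this is not the poster's own tooling): a manifest of known-good checksums held on the central server is checked against the target with md5sum before rsync --delete runs via the uploaded static binary. The host name web01, the image path /srv/images/web01, the location /tmp/rsync-static for the uploaded rsync, and the manifest format (md5sum -c style, paths relative to the root) are all assumptions; the remote sync itself is only printed, because it needs a real target host, while the checksum comparison runs on a throwaway directory built inline.

```sh
#!/bin/sh
# Added example, not the original post's scripts. Assumed layout:
#   manifest lines are "<md5>  <path relative to root>" (md5sum -c format),
#   recorded on the central server from the known-good image.

# verify_manifest MANIFEST ROOT
# Returns 0 if every file listed in MANIFEST exists under ROOT with the
# recorded md5, 1 otherwise; each problem is reported on stderr.
verify_manifest() {
    manifest=$1; root=$2; status=0
    while read -r sum path; do
        [ -z "$sum" ] && continue                # skip blank lines
        case "$sum" in \#*) continue ;; esac     # skip comment lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path" >&2; status=1; continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path expected=$sum actual=$actual" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# build_sync_cmd SOURCE TARGET_HOST STATIC_RSYNC
# Prints the sync invocation: --delete removes anything on the target that is
# not in the source tree; --rsync-path runs the uploaded static binary rather
# than whatever /usr/bin/rsync on the target has become.
build_sync_cmd() {
    printf 'rsync -a --delete --rsync-path=%s %s/ %s:/\n' "$3" "$1" "$2"
}

# setup_root: constructed throwaway "target" root (not a real system) with one
# known-good binary and a planted cron.d file the manifest does not list.
setup_root() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin" "$tmp/root/etc/cron.d"
    printf '#!/bin/sh\necho ok\n' > "$tmp/root/bin/hello"
    printf '* * * * * root /tmp/.x\n' > "$tmp/root/etc/cron.d/extra"
    # Manifest as the central server would have recorded it.
    (cd "$tmp/root" && md5sum bin/hello) > "$tmp/manifest"
    echo "$tmp"
}

# demo_clean: untouched root, expected to pass (return 0).
demo_clean() {
    tmp=$(setup_root)
    verify_manifest "$tmp/manifest" "$tmp/root"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# demo_tampered: the known-good binary has been modified, expected to fail (return 1).
demo_tampered() {
    tmp=$(setup_root)
    printf 'echo extra\n' >> "$tmp/root/bin/hello"   # simulate a replaced binary
    verify_manifest "$tmp/manifest" "$tmp/root"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone usage: run both checks, then show the sync command that would follow.
demo_clean && echo "clean root: manifest OK"
demo_tampered || echo "tampered root: mismatch detected (exit $?)"
build_sync_cmd /srv/images/web01 web01 /tmp/rsync-static
```

The check only covers files the manifest lists, which is why the post pairs it with --delete: the manifest catches a swapped binary the scripts are about to execute, and the sync removes anything else the source image does not contain.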
