
Re: Review: sect. 4.16.2 of the Securing Debian manual



Note that you must also prevent raw disk access by the superuser as
well. 

If I were securing a system, I think I'd opt for offline storage of logs
(line printer, serial line, WORM/CDR driver, write-only network logging
to a "secure" machine.)

Trying to protect the local system from the superuser is a rotten battle
to fight. Better to avoid it to begin with, because you will probably
lose. (It only takes one hole that you miss. And disabling superuser
functionality would probably cause more suffering than any possible
benefit.)

This might change once we have hardware support for "protected
applications" (depending on how the TCPA stuff falls out and assuming
mere mortals get access to such controls).

Regards,

Adam

On Thu, 2003-03-13 at 22:41, Peter Cordes wrote:
> On Thu, Mar 13, 2003 at 10:22:19PM +1100, Frederic Schutz wrote:
> > Does it answer your questions or did I miss a real loophole in the
> > strategy that I described ?
> 
>  If an attacker gets root and loads a kernel module, that module could
> restore the immutable capability.  You'd have to disable loadable modules
> for that to be bulletproof.  (unless the commonly used rootkits already do
> this, it would slow down an attacker and cause them to make more noise.)
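The two checks this thread turns on, whether the log files still carry the append-only/immutable inode flags and whether the kernel will still accept a module that could undo them, as an added audit script that is not part of the original thread. It assumes the ext2/ext3/ext4 flag constants from linux/fs.h, the FS_IOC_GETFLAGS ioctl, and the later kernel.modules_disabled sysctl (a one-way switch that did not exist when this mail was written).

```python
"""Audit log-file inode flags and the kernel's module-loading state."""
import fcntl
import os
import struct
import sys

# Inode flags from linux/fs.h (chattr +i and +a respectively).
FS_IMMUTABLE_FL = 0x00000010
FS_APPEND_FL = 0x00000020
# FS_IOC_GETFLAGS = _IOR('f', 1, long): the long is 8 bytes on 64-bit, 4 on 32-bit.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
# One-way sysctl: once set to 1, no module can be loaded until reboot.
MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"


def describe_flags(flags):
    """Reduce a raw inode flag word to the two protections the thread discusses."""
    return {"immutable": bool(flags & FS_IMMUTABLE_FL),
            "append_only": bool(flags & FS_APPEND_FL)}


def inode_flags(path):
    """Return the inode flag word, or None when the file is missing or the
    filesystem has no such flags (tmpfs/overlayfs answer ENOTTY)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("l", buf)[0]


def modules_disabled(text):
    """True when the sysctl reads '1', i.e. loadable modules are off."""
    return text.strip() == "1"


def audit(paths, sysctl_path=MODULES_DISABLED):
    """Report module-loading state and per-file flags (None = not readable)."""
    try:
        with open(sysctl_path) as f:
            no_modules = modules_disabled(f.read())
    except OSError:
        no_modules = False  # pre-2.6.31 kernels or non-Linux: assume loadable
    report = {"modules_disabled": no_modules, "files": {}}
    for p in paths:
        flags = inode_flags(p)
        report["files"][p] = None if flags is None else describe_flags(flags)
    return report


if __name__ == "__main__":
    print(audit(sys.argv[1:] or ["/var/log/syslog"]))
```

A log file reported with append_only False, or a report with modules_disabled False, is exactly the state the reply above warns about: root can chattr the file back, or load a module that restores the capability to do so.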


