[Plug-security] Once cracked

Craig White plug-security@lists.PLUG.phoenix.az.us
Sun, 09 Sep 2001 23:50:00 -0700


"David A. Sinck" wrote:
> 
> \_ SMTP quoth Craig White on 9/9/2001 11:41 as having spake thusly:
> \_
> \_ Assuming that you didn't use tripwire, on a system that uses rpm
> \_ (Mandrake - RedHat) - you can try rpm -Va which should list all [...]
> 
> One of these hypothetical days, I'm going to take the best of breed
> rootkits (loadable kernel modules, trojans, etc) and make a nice RPM
> of all of them, so you can easily see if your rootkit is up-to-date
> without effort.
> 
> rpm -Va rootkit
> 
> Which I would suppose be shortly followed by
> 
> rpm -Va script-kiddie
> 
> The loadable kernel modules are really scary as a compromise.  If you
> can't trust the kernel, who can you trust?
> 
> David
>
-------------------
Were you planning on making this a noarch rpm? 

Well, if you used an rpm to install a rootkit, it wouldn't show up in
rpm -Va until you changed the /etc/rootkit.conf or
/etc/script-kiddie.conf - at least with redhat, it's proper to put conf
files in the /etc path.

I see some small bits of education coming my way on this...so I have to
ask...why are the loadable modules such a security risk? - Is this
because someone with local access could replace one of them or are they
just as scary/scarier if there is only remote access? 

I suppose that if one were to compile a kernel without loadable modules,
if it got rooted, someone could still install their own binaries and
libraries anyway - it's a question of how secure any particular box
needs to be and how easy it is to crack into. I know that the boxes that
I've been setting up are at least a little more difficult than most
windows boxes and many of the other linux boxes so I have contented
myself there - worrying more about the exposed services -
sendmail/apache/ftp.

Craig
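As an added illustration of the `rpm -Va` check discussed in the thread (example code, not something from either poster), this POSIX shell function triages verify output into the cases a responder cares about; the sample lines are constructed in rpm's output format, not a real capture, and the paths and module name in them are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: triage `rpm -Va` output.
# Each line starts with an attribute string (or the word "missing"),
# then an optional one-letter file type (c = config, d = doc, ...),
# then the path. Attribute letters: S size, M mode, 5 digest (MD5),
# D device, L link, U user, G group, T mtime; a dot means unchanged.
# Caveat raised in the thread: rpm -Va only checks files the rpm
# database knows about, so a rootkit installed as its own package
# verifies clean, and on a cracked box the database and the rpm binary
# are themselves untrusted; verify from known-good media where possible.

triage_rpm_verify() {
    # Reads rpm -Va lines on stdin, writes one "CLASS path" line each.
    while read -r attrs f2 f3; do
        [ -n "$attrs" ] || continue
        # A type flag present means three fields; otherwise just two.
        if [ -n "$f3" ]; then ftype=$f2; path=$f3; else ftype=-; path=$f2; fi
        if [ "$attrs" = missing ]; then
            echo "MISSING $path"          # file deleted or renamed
        elif [ "$ftype" = c ]; then
            echo "CONFIG $path"           # local edits are expected here
        else
            case $attrs in
                *5*|*S*) echo "SUSPECT $path" ;;            # content differs
                *M*|*U*|*G*|*D*|*L*) echo "PERMS $path" ;;  # metadata changed
                *) echo "MTIME $path" ;;                    # only timestamp moved
            esac
        fi
    done
}

# Constructed sample in the format rpm -Va prints (not a real capture).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
.......T.    /usr/share/doc/foo/README
missing     /sbin/ifconfig
S.5....T.    /lib/modules/2.4.9/kernel/net/ipv4/ip_tables.o'

printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
```

A replaced binary or a swapped kernel module object lands in SUSPECT, while an edited config file is reported separately so it does not drown out the real findings.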