[Plug-security] Once cracked
Craig White
plug-security@lists.PLUG.phoenix.az.us
Sun, 09 Sep 2001 23:50:00 -0700
"David A. Sinck" wrote:
>
> \_ SMTP quoth Craig White on 9/9/2001 11:41 as having spake thusly:
> \_
> \_ Assuming that you didn't use tripwire, on a system that uses rpm
> \_ (Mandrake - RedHat) - you can try rpm -Va which should list all [...]
>
> One of these hypothetical days, I'm going to take the best of breed
> rootkits (loadable kernel modules, trojans, etc) and make a nice RPM
> of all of them, so you can easily see if your rootkit is up-to-date
> without effort.
>
> rpm -Va rootkit
>
> Which I would suppose be shortly followed by
>
> rpm -Va script-kiddie
>
> The loadable kernel modules are really scary as a compromise. If you
> can't trust the kernel, who can you trust?
>
> David
>
-------------------
Were you planning on making this a noarch rpm?
Well, if you used an rpm to install a rootkit, it wouldn't show up in
rpm -VA until you changed the /etc/rootkit.conf or
/etc/script-kiddie.conf - at least with redhat, it's proper to put conf
files in the /etc path.
I see some amall bits of education coming my way on this...so I have to
ask...why are the loadable modules such a security risk? - Is this
because someone with local access could replace one of them or are they
just as scary/scarier if there is only remote access?
I suppose that if one were to compile a kernel without loadable modules,
if it got rooted, someone oculd still install their own binaries and
libraries anyway - it's a question of how secure any particular box
needs to be and how easy it is to crack into. I know that the boxes that
I've been setting up are at least a little more difficult than most
windows boxes and many of the other linux boxes so I have contented
myself there - worrying more about the exposed services -
sendmail/apache/ftp.
Craig