[plug] The Community's gone Crackers
Christian
christian at amnet.net.au
Wed Aug 23 11:13:22 WST 2000
On Wed, Aug 23, 2000 at 10:57:48AM +0800, skribe wrote:
> Is it technically possible to forge the rpmdb so that even this doesn't
> show up the compromised progs? For example, installing your own version of
> the rpm package. Or rewriting the info in the db so the discrepancies
> don't show up. I'm not sure the latter is even possible practically, but
> theoretically it is something to consider.
>
It's absolutely possible. In fact, there quite possibly is a root kit
out there which does this. There are several solutions to getting
verifiably secure audit trails and not all of them are 100% foolproof.
The BSD securelevels and file flags are a good, practical and effective
approach. Mark your system logs as "append only" and make other
important system files "immutable". Linux capabilities will be more
flexible than this but I think it's got a way to go. Another practical
approach is using a "secure" log host (OpenBSD running only syslogd is a
good candidate). There are also solutions for cryptographic protection
of log files which will protect you right up until the compromise.
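As an added illustration of the cryptographic log protection mentioned above (example code, not from the original post or any named tool): a forward-secure MAC chain in which the per-entry key is evolved one-way after every write and the old key discarded, so an auditor holding the initial key off-host can verify everything written before the compromise. All keys, log lines and function names here are constructed for the demonstration.

```python
import hashlib
import hmac


def evolve(key: bytes) -> bytes:
    """One-way key evolution: derive K_{i+1} from K_i; K_i is then discarded."""
    return hashlib.sha256(b"log-key-evolve|" + key).digest()


def tag_entry(key: bytes, index: int, line: str) -> str:
    """MAC over the entry index and text with that epoch's key."""
    return hmac.new(key, f"{index}|{line}".encode(), hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Log host side. Holds only the *current* key: an intruder who takes root
    learns that key but not the earlier ones, so earlier entries stay verifiable."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self.entries = []  # (index, line, tag) triples

    def append(self, line: str) -> None:
        idx = len(self.entries)
        self.entries.append((idx, line, tag_entry(self._key, idx, line)))
        self._key = evolve(self._key)  # the key for this epoch no longer exists on the host

    def current_key(self) -> bytes:
        return self._key  # what an intruder obtains at the moment of compromise


def verify(initial_key: bytes, entries) -> int:
    """Auditor side (K_0 kept off-host). Returns how many leading entries verify;
    the first failing entry marks the earliest point the record cannot be trusted."""
    key, good = initial_key, 0
    for idx, line, tag in entries:
        if idx != good or not hmac.compare_digest(tag_entry(key, idx, line), tag):
            break
        good += 1
        key = evolve(key)
    return good


def demo() -> tuple:
    """Constructed scenario: three honest entries, then the host is compromised."""
    k0 = b"constructed-initial-key"
    log = ForwardSecureLog(k0)
    for line in ("sshd: accepted login", "rpm -V: 0 discrepancies", "cron: logrotate"):
        log.append(line)
    stolen = log.current_key()
    # Rewriting a pre-compromise entry with the stolen key fails: that epoch's key is gone.
    tampered = list(log.entries)
    tampered[1] = (1, "rpm -V: (edited)", tag_entry(stolen, 1, "rpm -V: (edited)"))
    # Entries written after the compromise carry the stolen key and are indistinguishable.
    forged = log.entries + [(3, "nothing to see", tag_entry(stolen, 3, "nothing to see"))]
    return verify(k0, log.entries), verify(k0, tampered), verify(k0, forged)
```

On its own the chain does not detect deletion of trailing entries, so in practice the auditor also records the expected entry count (or ships the entries to the remote log host as they are written).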