| 1 |
Yes, but: |
| 2 |
|
| 3 |
- "bash -c 'source abc'" still works, and does not require abc to be |
| 4 |
executable. Hence, protecting against setting the x bit does not prevent |
| 5 |
execution. |
| 6 |
|
| 7 |
- All commands needed to compromise the system are already signed and +x'd. |
| 8 |
|
| 9 |
Overall, this scheme doesn't seem to give any more security than a regular |
| 10 |
tripwire does. Giving access denied on a chmod() only educates a hacker on |
| 11 |
what does and does not work, and all he has to do is figure out how to |
| 12 |
compromise the system to the point where he can safely replace executables. |
| 13 |
|
| 14 |
All you can do while he's doing that is read log files and hope you'll catch |
| 15 |
the failed attempts he might have made. |
| 16 |
|
| 17 |
Very similar to tripwire, where a cracker would have to jump through the same |
| 18 |
hoops to avoid detection.... and the detection process isn't any faster. |
| 19 |
|
| 20 |
>From what I understand, SELinux and the new security framework in the 2.5 |
| 21 |
kernels do a waaaaay better job at detecting all the various things one can |
| 22 |
screw with, and actually stopping crackers. |
| 23 |
|
| 24 |
Alain |
| 25 |
|
| 26 |
|
| 27 |
On Tue, Mar 11, 2003 at 04:37:40PM -0500, lists@×××.org wrote: |
| 28 |
> Yes, I used tripwire before. Although all it does is warn. I like the idea of blocking. |
| 29 |
> Also, it merely tracks executables, it does not permit signed access to certain operations. |
| 30 |
> This method they gave has its problems. No code signatures, only tracks single system call, apparently hardcoded passphrase (even if hashed), but unlike tripwire where it'd be up to *me* to notice the breakin based on the report, their system is more about preventing certain rights in the first place. |
| 31 |
> |
| 32 |
> This is very interesting to me as I like giving people accounts on my machine, and something like rbash simply doesn't cut it. |
| 33 |
> For large systems, the ability to tightly restrict user rights would be very cool. |
| 34 |
> |
| 35 |
> ---------------------------------------- |
| 36 |
> Free Mickey! |
| 37 |
> http://randomfoo.net/oscon/2002/lessig/ |
| 38 |
> My key: http://m8y.org/keys.html |
| 39 |
> |
| 40 |
> On Tue, 11 Mar 2003, Alain Penders wrote: |
| 41 |
> > There's a whole company based around this: http://www.tripwire.com/ |
| 42 |
> > |
| 43 |
> > tripwire is a standard part of most linux distributions these days, and we're |
| 44 |
> > looking at adding tripwire-like functionality into portage. |
| 45 |
> > |
| 46 |
> > As for the paper... had the authors been familiar with tripwire, they might |
| 47 |
> > have described some other security risks related to their implementation. :) |
| 48 |
> > |
| 49 |
> > Alain |
| 50 |
> > |
| 51 |
> > -- |
| 52 |
> > gentoo-hardened@g.o mailing list |
| 53 |
> > |
| 54 |
> > |
| 55 |
> |
| 56 |
> -- |
| 57 |
> gentoo-hardened@g.o mailing list |
| 58 |
> |
| 59 |
|
| 60 |
-- |
| 61 |
gentoo-hardened@g.o mailing list |
Archives