[Linux-aus] Stand up for Linux. Stop Microsoft killing Desktop Linux.
russell at coker.com.au
Sat Sep 24 12:15:54 EST 2011
On Sat, 24 Sep 2011, Adam Nielsen <a.nielsen at shikadi.net> wrote:
> This is going to go a little off topic, but I'm not so worried about
> preventing root from doing bad things, I'm more interested in preventing
> root from doing something that makes disinfection difficult.
You mean like reconfiguring PAM, adding accounts, changing passwords, or
finding a daemon that starts as root and reconfiguring it to be insecure?
> The rootkit
> in question replaced /bin/ls and a bunch of other system commands with
> compromised versions, so that running one of those files would immediately
> reinstall the whole rootkit.
If you take an image of the system (via a snapshot from the Dom0 if it's a VM
or by booting from trusted media otherwise) then you can compare checksums to
deal with this.
> Now granted I haven't thought this through in every minor detail, but if
> there were signatures being verified from the new-BIOS down, then a
> compromised kernel wouldn't run, compromised modules wouldn't load, and
> compromised commands wouldn't reinstall any infection.
But you could have all manner of open daemon configurations.
> Scripts of course would still run, but I think it would be much easier if
> you could boot to single-user mode (where you can be certain there is no
> malicious code running), clean up your initscripts then reboot to go back
> to your normal system minus any live infection.
What about all the custom scripts?
> Now you can tell me what I'm missing ;-)
As you have the source code for everything, why don't you create a proof of
concept and publish it for everyone to test? Ruxcon is coming up soon; I'm
sure they would give you a late-entry speaker position if you get this done in
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
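The checksum comparison Russell suggests (image the system from a Dom0 snapshot or trusted boot media, then compare file hashes against a known-good baseline) as an added example; this is not code from the thread or from any of the posters. It assumes two directory trees are already mounted: a baseline from trusted media and the suspect image, and it builds small constructed trees in temporary directories to stand in for both.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256.
    Symlinks are skipped so only real file contents get compared."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare_manifests(trusted, suspect):
    """Diff the trusted-media baseline against the suspect image; added and
    missing files matter as much as modified ones (a dropped-in binary leaves no 'modified' entry)."""
    return {
        "modified": sorted(p for p in trusted if p in suspect and trusted[p] != suspect[p]),
        "missing": sorted(p for p in trusted if p not in suspect),
        "added": sorted(p for p in suspect if p not in trusted),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed trees: clean baseline vs. snapshot with bin/ls replaced."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as snap:
        for root in (clean, snap):
            _write(root, "bin/ps", b"#!/bin/sh\necho ps\n")
            _write(root, "etc/inittab", b"id:3:initdefault:\n")
        _write(clean, "bin/ls", b"#!/bin/sh\necho ls\n")
        _write(clean, "usr/bin/md5sum", b"#!/bin/sh\necho md5\n")  # only in baseline
        _write(snap, "bin/ls", b"#!/bin/sh\necho ls; true\n")  # replaced binary
        _write(snap, "etc/cron.d/extra", b"* * * * * root true\n")  # not in baseline
        return compare_manifests(build_manifest(clean), build_manifest(snap))
```

Run against real trees, the baseline must come from outside the suspect system (package checksums or a pristine image), since a manifest generated on the compromised host is exactly what the replaced tools can lie about.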