From secprog-return-490-jm=jmason.org@securityfocus.com Fri Sep 6 11:37:35 2002
Return-Path: <secprog-return-490-yyyy=spamassassin.taint.org@securityfocus.com>
Delivered-To: yyyy@localhost.spamassassin.taint.org
Received: from localhost (jalapeno [127.0.0.1])
by jmason.org (Postfix) with ESMTP id B0AD116F1F
for <jm@localhost>; Fri, 6 Sep 2002 11:36:17 +0100 (IST)
Received: from jalapeno [127.0.0.1]
by localhost with IMAP (fetchmail-5.9.0)
for jm@localhost (single-drop); Fri, 06 Sep 2002 11:36:17 +0100 (IST)
Received: from webnote.net (mail.webnote.net [193.120.211.219]) by
dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g869rWC29309 for
<jm@jmason.org>; Fri, 6 Sep 2002 10:53:32 +0100
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
[66.38.151.27]) by webnote.net (8.9.3/8.9.3) with ESMTP id XAA18906 for
<jm@jmason.org>; Thu, 5 Sep 2002 23:07:03 +0100
Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id
D2526A3115; Thu, 5 Sep 2002 14:17:55 -0600 (MDT)
Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <secprog.list-id.securityfocus.com>
List-Post: <mailto:secprog@securityfocus.com>
List-Help: <mailto:secprog-help@securityfocus.com>
List-Unsubscribe: <mailto:secprog-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:secprog-subscribe@securityfocus.com>
Delivered-To: mailing list secprog@securityfocus.com
Delivered-To: moderator for secprog@securityfocus.com
Received: (qmail 32494 invoked from network); 5 Sep 2002 18:17:24 -0000
Date: Thu, 5 Sep 2002 11:33:21 -0700
From: Brian Hatch <secprog@ifokr.org>
To: Crispin Cowan <crispin@wirex.com>
Cc: Ben Mord <bmord@icon-nicholson.com>,
"Webappsec Securityfocus.Com" <webappsec@securityfocus.com>,
SECPROG Securityfocus <SECPROG@securityfocus.com>
Subject: Re: use of base image / delta image for automated recovery from
attacks
Message-Id: <20020905183321.GH4340@ifokr.org>
References: <NAEOJLMPJMJDFPLHIOJOMEGLDBAA.bmord@icon-nicholson.com>
<3D76977B.9010606@wirex.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="2+N3zU4ZlskbnZaJ"
Content-Disposition: inline
In-Reply-To: <3D76977B.9010606@wirex.com>
User-Agent: Mutt/1.3.28i
--2+N3zU4ZlskbnZaJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
> Simple approxmation to this: make /usr a separate partion, and mount it=
=20
> read-only:
>=20
> * The good news: attackers that want to trojan your software have to
> reboot, at least.
> * The bad news: administrators that want to update your software
> have to reboot, at least.
No reboot is required, you just need to remount it:
# mount -o remount,rw /usr
This requires root access, but presumably /usr is safe from non-root
users anyway.
Only way to disable this is to have the kernel compiled with something
that compartmentalizes capabilities (LIDS/etc on Linux for example) or to
remove CAP_SYS_ADMIN with lcap, which would definately require a reboot,
and possibly break some other functionatily to boot. (Pun intended. My
apologies.)
--
Brian Hatch "Are you expected?"
Systems and "No. Dreaded."
Security Engineer
www.hackinglinuxexposed.com
Every message PGP signed
--2+N3zU4ZlskbnZaJ
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj13o3EACgkQp6D9AhxzHxDMkACfR3m+eBXLfiZUFRd+jlBwu4MH
Z/kAnRVbL3IA/m03PVTM6O4h9R4AKqML
=k5cA
-----END PGP SIGNATURE-----
--2+N3zU4ZlskbnZaJ--