[vox-tech] Linux file/module security proposal.

jim jim at well.com
Thu Aug 21 07:53:58 PDT 2008 

   i'm considering rebuilding my machines on a 
regular basis. in the case of a vital service, 
it seems a clustered set of servers would permit 
taking one out and rebuilding it then putting it 
back in and taking out another, rebuilding, and 
so on. 
   rebuilding would be a matter of copying over 
all executables, probably using the  dd  command. 
   it would be important to partition the hard 
drive and load only the kernel, libraries, 
executables, and config files that were necessary 
to support the service. 
   i'd consider removing or renaming or 
recompiling essential utilities such as ls and 
grep and ps and vi and so on. 

   tho'ts? 




On Thu, 2008-08-21 at 07:43 -0700, Wes Hardaker wrote:
> >>>>> On Wed, 20 Aug 2008 22:29:57 -0700, Bill Broadley <bill at cse.ucdavis.edu> said:
> 
> BB> So would you use such a mirror to protect against trojan binaries
> BB> and kernel modules?  Why?  Why not?  Can you think of a better
> BB> approach?
> 
> Well, it all comes down to how much of the system the hacker owns.  If
> he has root on your machine he's likely inserted a kernel module to hide
> things or change things (many of them actually still report proper
> md5sums for a hacked binary because they've hacked the kernel to be
> different for reading vs executing something).  So online scanning is
> actually not necessarily effective (and taking a machine down on a
> regular basis to boot off a trusted medium to do scanning is obviously
> not ideal, especially for servers).
> 
> You have to trust someone to get your software from.  It may be that you
> can set up a building repository as you've described, but as you say you
> have to trust it (more than you trust the original site).  Unless it's
> more secure than the original distribution site it doesn't help you.
> Plus as you rebuild a ton of packages, what's to say that the sources
> you're pulling from don't have trojans in it?  Rebuilding the package
> doesn't help if it's coming from the same sources.
> 
> Finally, if they have root on your local machine, there is nothing
> preventing them from installing bogus GPG keys or worse binaries that
> report they've checked the signature but actually don't.  The
> cryptographic checks *only* work if your machine hasn't been broken into
> in the first place.  Afterward, it's far too late.
>

More information about the vox-tech mailing list