[lug] newbie question - rc.sysinit

D. Stimits stimits at idcomm.com
Thu Jul 12 17:18:11 MDT 2001


"Scott A. Herod" wrote:
> 
> "D. Stimits" wrote:
> >
> > "Scott A. Herod" wrote:
> > >
> > > I've seen one attack that added start-up code in rc.sysinit ( or
> > > maybe it was rc.local ).  I keep "clean-room" versions of ls,
> > > ps, rpm, lsof and netstat on floppies.  Whenever I see anything
> > > at all unexpected on a machine I use them to look around.
> >
> > This is where stealth modules come into the picture...it is possible for
> > an unmodified lsof and rpm to lie and say nothing is wrong, if the right
> > kernel module is present. Even tripwire is useless if the kernel has a
> > module to lie. In which case you could run tripwire or other progs from
> > an independent boot CD to avoid tampered kernels.
> >
> 
> ( As you can see I didn't follow that discussion well. )
> 
> Stealth modules would even corrupt the /proc file system, correct?
> There goes my comparison of /proc/#/cmdline against the output of ps.

It probably depends only on the skill and creativity of the author.
Putting the module in means having root access and root privileges;
beyond that it means doing anything that can be done with a module.

> 
> Could you keep a clean copy of all of the md5 sums for the kernel
> and relevant modules?  The executable md5sum as well, obviously.

You could, but to guarantee your sums work, you'd have to store them and
execute from an independent kernel. This is what I was mainly aiming at
when I suggested a modification to the kernel that simply refuses
modules that do not pass a PGP style signature test. There are other
things that would have to be done in conjunction, such as securing the
boot sector via BIOS protection (anti-virus feature of most BIOSes these
days), but it would allow full system access and module updates without
reboot...provided any modules had been signed properly with a private
key. Then you may have tricks to worry about like directly altering some
portion of memory on a live system, but the cracks to do that start
getting tough (especially if you've managed to use some form of
steganography for the memory that is relevant). The easiest thing to do
though is to keep your system up to date, and firewall any port not
needed.

D. Stimits, stimits at idcomm.com
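The "clean copy of all of the md5 sums" idea from the exchange above, worked through as an added example (not code from the original post or from the list): record digests of the kernel, modules and the key binaries while the machine is known-good, keep the baseline and the checker off the host, and compare later. The file names and contents below are constructed for the demonstration; the check itself is only trustworthy when run from an independent kernel, exactly as the reply says.

```python
#!/usr/bin/env python3
"""Baseline integrity check: build a digest table of trusted files, then
later report anything modified or missing.  Added example, not from the
original list post.  All paths and file contents here are constructed."""
import hashlib
import os
import tempfile


def digest(path, algo="sha256"):
    """Hash a file in chunks so large kernels/modules don't load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, relpaths, algo="sha256"):
    """Snapshot digests for the listed files; store the result OFF the host
    (floppy / read-only CD), because a baseline kept on the machine can be
    rewritten by the same intruder who replaced the binaries."""
    return {rel: digest(os.path.join(root, rel), algo) for rel in relpaths}


def compare(root, baseline, algo="sha256"):
    """Re-hash every baselined file and classify it as ok/modified/missing.
    Caveat from the thread: if a stealth kernel module is resident, the
    running kernel can feed this checker the original bytes; run it (and the
    hashing tool) from a boot CD to take the host kernel out of the loop."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif digest(path, algo) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed mini-filesystem: baseline it, then simulate tampering."""
    files = {  # constructed stand-ins for the files the thread cares about
        "boot/vmlinuz": b"kernel image (constructed)",
        "lib/modules/net.o": b"kernel module (constructed)",
        "bin/ps": b"ps binary (constructed)",
        "bin/md5sum": b"md5sum binary (constructed)",  # checker is baselined too
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, files)

        # Simulated intrusion: ps replaced, a module removed.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps (constructed)")
        os.remove(os.path.join(root, "lib/modules/net.o"))

        return compare(root, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

Note that `bin/md5sum` is itself in the baseline: the checking tool has to be verified (or, better, carried on the trusted media) before its output means anything, which is the point Scott makes with "the executable md5sum as well".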
