[lug] R00tKIT!! Raah!

Zan Lynx zlynx at acm.org
Tue Jun 14 21:21:56 MDT 2005


On Tue, 2005-06-14 at 21:08 -0600, Sebastian Sobolewski wrote:
> As a general rule I run my / filesystem mounted Read-Only.  Only my data 
> partitions which are mounted noexec are writable.
> 
> IE:
> /dev/md0 on / type ext3 (ro)
> /dev/hda1 on /boot type ext2 (ro)
> /dev/md1 on /data type ext3 (rw,noexec)
> 
> /tmp & /var are symlinked to /data/tmp and /data/var respectively
> 
> This reduces the risk of a rootkit being able to install itself.  For 
> extra paranoia my /dev/md0 device is a READ-ONLY mirror so a simple 
> remount,rw won't work.

Good precautions, but if the attackers have root, they can use debugfs
on the block device if they have to.  If your drives have it, you could
set the hardware read-only pins :-)

But nothing wrong with being a harder target.
-- 
Zan Lynx <zlynx at acm.org>
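As an added example, not code from this thread or from either poster, here is a small POSIX sh audit that checks a mount table against the layout quoted above (/ and /boot read-only, /data noexec) and reports any filesystem that drifts from it, e.g. after a stray remount. It goes slightly beyond the post by accepting either `mount` output in the form shown or /proc/mounts lines; the POLICY entries and the sample table are constructed assumptions modelled on the quoted message.

```shell
#!/bin/sh
# Added example, not from the thread: audit a mount table against the
# read-only / noexec layout described in the quoted message.
# Accepts either "mount" output ("dev on mp type fs (opts)") or
# /proc/mounts lines ("dev mp fs opts 0 0"). The POLICY mountpoints and
# options are assumptions taken from the quoted post.

# Constructed sample in "mount" output format, mirroring the quoted layout.
SAMPLE_MOUNTS='/dev/md0 on / type ext3 (ro)
/dev/hda1 on /boot type ext2 (ro)
/dev/md1 on /data type ext3 (rw,noexec)'

# Policy: one "mountpoint:option" pair per entry (assumed from the post).
POLICY="/:ro /boot:ro /data:noexec"

# mount_opts MOUNTPOINT [TABLE]: print the comma-separated option list of
# the filesystem at MOUNTPOINT; return 1 if nothing is mounted there.
mount_opts() {
    _want=$1; _table=${2:-$(mount)}
    _opts=$(printf '%s\n' "$_table" | awk -v mp="$_want" '
        $2 == "on" && $3 == mp { gsub(/[()]/, "", $6); print $6; exit }
        $2 != "on" && $2 == mp { print $4; exit }')
    [ -n "$_opts" ] || return 1
    printf '%s\n' "$_opts"
}

# has_opt MOUNTPOINT OPTION [TABLE]: 0 if the option is present, 1 if the
# filesystem is mounted without it, 2 if MOUNTPOINT is not mounted at all.
has_opt() {
    _o=$(mount_opts "$1" "$3") || return 2
    printf '%s\n' "$_o" | tr ',' '\n' | grep -qx "$2"
}

# audit_mounts [TABLE]: print one line per policy rule and return the
# number of rules that failed (0 means the table matches the policy).
audit_mounts() {
    _t=${1:-$(mount)}; _failed=0
    for _rule in $POLICY; do
        _mp=${_rule%%:*}; _opt=${_rule##*:}
        if has_opt "$_mp" "$_opt" "$_t"; then
            echo "OK   $_mp mounted with $_opt"
        else
            echo "FAIL $_mp not mounted with $_opt"
            _failed=$((_failed + 1))
        fi
    done
    return $_failed
}

# Audit the constructed sample by default; set MOUNT_TABLE to audit a real one.
audit_mounts "${MOUNT_TABLE:-$SAMPLE_MOUNTS}"
```

To check a live box, run it as `MOUNT_TABLE="$(cat /proc/mounts)" sh audit.sh` (or with `$(mount)`); the exit status is the number of failed rules, so it drops straight into a cron job or a monitoring check.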