> It doesn't matter. The attacker can, as part of their root kit,
> upload a tiny FTP client and ftp precompiled binaries of whatever
> software they like onto the machine. Or, they can copy it there
> directly if the box is running ssh, and they've created/modified an
> account that allows them access. Or they could install a tiny TFTP
> server... There are dozens of ways for them to get software on your
> machine, once the thing's been compromised.
True. This is, however, assuming that they've been able to compromise the system. I'm guessing the concept behind removing editors is essentially to make compromising the system more of an investment in time, thereby creating a higher likelihood of the attacker triggering something such as a NIDS, or the administrator noticing by some other means.

> The bottom line: once your machine is compromised, the attacker can do
> whatever they want with it. Unless you've got a lot of spare time on
> your hands (and I know few admins for whom that's true), your goal
> should be to prevent a compromise from happening, and detecting when
> it HAS happened as quickly as possible so that you can react
> appropriately, rather than to concentrate much time on limiting
> damage. Once they gain root/system level access, all bets are off.

I indeed agree. Even with the package manager removed, it's possible for the attacker to use something such as tar, or cpio. As I said in a previous mail, it'd require significant alteration to the operating system to create one that doesn't allow the editing of files. The irony is that all the tools we have to make our lives easier are the ones that make them more difficult, as well. And that's assuming they don't want to take the time to move their goodies binary by binary (although doing so would be more apt to trigger a NIDS). ;)

In essence, I believe the only way we'll ever have a truly secure system is through a system that loads the data from read-only media, loads it only once, uses cryptographic signatures on all the drivers and binaries, and doesn't permit the loading of anything that isn't maintained in the cryptographic database stored in RAM. And even then, it'll never be fully secure, let alone the idea of usable.

Cheers,
ellipse
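As an added example that is not part of this thread, a small Python allowlist check in the spirit of the closing paragraph: a trusted manifest of file digests is taken once while the system is clean, and the live tree is later compared against it so that added, modified or removed binaries surface immediately. SHA-256 digests stand in for the per-binary signatures the mail describes, and every file name and content below is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Snapshot every regular file under root: relative path -> digest.
    In the design the mail sketches this would be built once from
    read-only media and held in RAM, out of an intruder's reach."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): sha256_of(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def verify_tree(root: str, manifest: dict) -> dict:
    """Compare the live tree with the trusted manifest. A file absent from
    the manifest (an uploaded FTP client) is 'added', a changed digest is
    'modified', a missing entry is 'removed'; a loader enforcing the
    allowlist would run only what lands in 'ok'."""
    current = build_manifest(root)
    both = set(current) & set(manifest)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in both if current[p] != manifest[p]),
        "ok": sorted(p for p in both if current[p] == manifest[p]),
    }


def demo() -> dict:
    """Constructed scenario: clean snapshot, then an intruder's changes."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"trusted ls")
        (bin_dir / "tar").write_bytes(b"trusted tar")
        trusted = build_manifest(d)                     # taken while clean
        (bin_dir / "ls").write_bytes(b"trojaned ls")    # binary replaced
        (bin_dir / "ftp").write_bytes(b"uploaded ftp")  # new, unsigned tool
        (bin_dir / "tar").unlink()                      # tool removed
        return verify_tree(d, trusted)
```

Running `demo()` reports the uploaded tool, the replaced binary and the removed one separately, which is the "detect it as quickly as possible" half of the argument rather than the prevention half.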