In the wise words of Brian Hatch:

> > > ... I created a directory, copied 'ps' et al to it, and used chattr on
> > > them. Having a known good binary outside $PATH is something of a comfort
> > > ...
>
> Of course, if the cracker has gotten root, they can chattr it right
> back. In fact, the first thing I'd do as an attacker is to find all
> chattr'd files on the filesystem since they're probably important.
Errmmmm... not to be a niggling b*stard, but: as long as you don't put all your faith in chattr, it's still a nice step. I mean, it does "raise the bar," confusing some scripts and usually their associated kiddies.

With that said, yes, almost the only Read-Only I trust is media in a drive that doesn't have the electronics required to write.

> The only way to be absolutely sure you see the real state of the
> filesystem is to boot off of pristine read-only media. When you've
> verified all the binaries and checked for any unusual startup actions
> (/etc/rc?.d, /etc/inittab, initrd device, etc) which could modify things
> then you can trust your ps commands -- as long as the attacker doesn't
> come in and modify things again. (You should work without the network
> plugged in until you're sure things are sane.)

Yup. And don't trust the system's kernel unless, at the least, you've checked its integrity from that alternate boot-read-only media. Because execution redirection sucks when you're the one being redirected!

- Jay
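The "verify all the binaries and startup actions" step the thread describes is, in practice, a hash baseline taken from known-good media and re-checked later. The script below is an added example (not from Brian or Jay, and not part of the original thread): it records SHA-256 hashes of every file under a directory tree into a manifest, then re-verifies the tree against that manifest. The directory layout, the file contents and the "tampering" are all constructed for the demo; `/bin/ps` and `/etc/rc2.d/S99local` here are stand-ins in a temp directory, not the real system files.

```shell
#!/bin/sh
# Added example: baseline-and-verify a file tree with sha256sum, the way
# you would check binaries and /etc/rc?.d scripts after booting from
# read-only media. All paths below are constructed inside a temp dir.

# make_baseline DIR MANIFEST
#   Hash every regular file under DIR into MANIFEST (sha256sum format,
#   sorted so two baselines of the same tree diff cleanly).
make_baseline() {
    dir=$1; manifest=$2
    find "$dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$manifest"
}

# verify_baseline MANIFEST
#   Returns 0 if every file still matches its recorded hash, non-zero if
#   any file changed or went missing. Changed files are printed.
verify_baseline() {
    sha256sum -c --quiet "$1"
}

# run_demo
#   Build a tiny constructed tree, baseline it, append a line to the
#   stand-in "ps" binary, and return 0 only if verification passed
#   before tampering and failed after (i.e. the change was detected).
run_demo() {
    root=$(mktemp -d) || return 2
    manifest=$(mktemp) || return 2
    mkdir -p "$root/bin" "$root/etc/rc2.d"
    printf 'constructed stand-in for /bin/ps\n' > "$root/bin/ps"
    printf '#!/bin/sh\n# constructed stand-in startup script\n' \
        > "$root/etc/rc2.d/S99local"

    make_baseline "$root" "$manifest"

    # Untouched tree must verify clean.
    if ! verify_baseline "$manifest" >/dev/null 2>&1; then
        rm -rf "$root" "$manifest"; return 1
    fi

    # Simulate a modified binary (constructed tampering).
    printf 'injected line\n' >> "$root/bin/ps"

    # Now verification must fail.
    if verify_baseline "$manifest" >/dev/null 2>&1; then
        rm -rf "$root" "$manifest"; return 1
    fi

    rm -rf "$root" "$manifest"
    return 0
}

if run_demo; then
    echo "baseline verified, then tampering detected"
fi
```

The manifest only proves anything if it was built from, and is re-checked with, tools and a kernel you trust, which is the thread's whole point: build the baseline while booted from the read-only media, keep the manifest off the suspect box, and run the check from that same media rather than with the suspect system's own `sha256sum`.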