On Mon, 2004-11-08 at 10:40 +1100, Jeff Waugh wrote:
> <quote who="O Plameras">
> > For example, it should have taken the break-in longer from the time the
> > attempt was first tried to the time it succeeded. And so, the SysAdmin would
> > have a longer window to realise there have been attempts on the servers? It
> > should have confined the first break-in to within a limited set of
> > functionalities?
> 
> Note that the entire break-in started with a sniffed password, which SELinux
> could not help with in the slightest. It may have kept the intruder stuck
> with nowhere to go.

I am still confused why SELinux would have prevented the escalation to
root?  There was a method by which a common program could intrude on the
kernel, does it stop you from executing code?

Also note that the only reason the break-in was noticed was because of a
modification to the system.  There was no indication prior to that
point.  The time that the intruder had was not the issue here.  So
boxing them in longer may have discouraged them and they gave up, but
assume that they were persistent.

-- 
Ken Foskey

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
