From secprog-return-490-jm=jmason.org@securityfocus.com Fri Sep 6 11:37:35 2002 Return-Path: Delivered-To: yyyy@localhost.spamassassin.taint.org Received: from localhost (jalapeno [127.0.0.1]) by jmason.org (Postfix) with ESMTP id B0AD116F1F for ; Fri, 6 Sep 2002 11:36:17 +0100 (IST) Received: from jalapeno [127.0.0.1] by localhost with IMAP (fetchmail-5.9.0) for jm@localhost (single-drop); Fri, 06 Sep 2002 11:36:17 +0100 (IST) Received: from webnote.net (mail.webnote.net [193.120.211.219]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g869rWC29309 for ; Fri, 6 Sep 2002 10:53:32 +0100 Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by webnote.net (8.9.3/8.9.3) with ESMTP id XAA18906 for ; Thu, 5 Sep 2002 23:07:03 +0100 Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id D2526A3115; Thu, 5 Sep 2002 14:17:55 -0600 (MDT) Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list secprog@securityfocus.com Delivered-To: moderator for secprog@securityfocus.com Received: (qmail 32494 invoked from network); 5 Sep 2002 18:17:24 -0000 Date: Thu, 5 Sep 2002 11:33:21 -0700 From: Brian Hatch To: Crispin Cowan Cc: Ben Mord , "Webappsec Securityfocus.Com" , SECPROG Securityfocus Subject: Re: use of base image / delta image for automated recovery from attacks Message-Id: <20020905183321.GH4340@ifokr.org> References: <3D76977B.9010606@wirex.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2+N3zU4ZlskbnZaJ" Content-Disposition: inline In-Reply-To: <3D76977B.9010606@wirex.com> User-Agent: Mutt/1.3.28i --2+N3zU4ZlskbnZaJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > Simple approxmation to this: make /usr a separate partion, and mount it= =20 > read-only: >=20 > * The good news: attackers that want to trojan your software have to > reboot, at least. > * The bad news: administrators that want to update your software > have to reboot, at least. No reboot is required, you just need to remount it: # mount -o remount,rw /usr This requires root access, but presumably /usr is safe from non-root users anyway. Only way to disable this is to have the kernel compiled with something that compartmentalizes capabilities (LIDS/etc on Linux for example) or to remove CAP_SYS_ADMIN with lcap, which would definately require a reboot, and possibly break some other functionatily to boot. (Pun intended. My apologies.) -- Brian Hatch "Are you expected?" Systems and "No. Dreaded." Security Engineer www.hackinglinuxexposed.com Every message PGP signed --2+N3zU4ZlskbnZaJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj13o3EACgkQp6D9AhxzHxDMkACfR3m+eBXLfiZUFRd+jlBwu4MH Z/kAnRVbL3IA/m03PVTM6O4h9R4AKqML =k5cA -----END PGP SIGNATURE----- --2+N3zU4ZlskbnZaJ--