Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: snooper watchers

Re: snooper watchers

Leo Bicknell (bicknell@ussenterprise.async.vt.edu)
Mon, 27 Feb 1995 00:18:16 -0500 (EST)

> > You really need to do a separation of the checkee from the checkor.
> > If someone has root access on the machine, they could basically do anything that
> > is needed to cover their tracks.

	I just had a thought.  What about making it impossible for
even root to cover his/her tracks?  My specific thought was writing
things like accounting/audit logs directly to, say, a WORM drive.  Due
to the write once nature any auditing/accounting done by the system
when the hacker obtained root access would be on the disk, and even
root could not erase it after the fact, as it's write once.  Of 
course, once root they could unmount that drive or something to
disable logging from that point on, but you would always get at least
the process of becoming root.

-- 
Leo Bicknell - bicknell@vt.edu                     | Make a little birdhouse
               bicknell@csugrad.cs.vt.edu          | in your soul......
               bicknell@ussenterprise.async.vt.edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/        | Be Giants