 
Subject: Re: ro (was:Re: Q not found in the archives...)
From: Steffen Dettmer (steffenDETT.DE)
Date: Fri Jul 14 2000 - 00:48:11 CDT


* sigippWELLA.COM.BR wrote on Thu, Jul 13, 2000 at 11:59 -0300:
> But not very environment friendly :-)
> Imagine the tons of CDROMS created by every single patch or configuration
> change.

Would you secure more than the important servers? The important
servers wouldn't have many services that could need updates.
Configuration may be done via ssh, ok. You could build a boot cd
which loads an image from a fileserver (I would use ssh). Then
you cpio it to the hdd of the machine. For example.

> >It would be a last resort, but 100% secure defense.
>
> There is no such thing, so why aim for it?

Aim for the best state, even if impossible :)

(BTW:
--------------------------------------------------------------------------
The only secure computer system in the world is unplugged, locked
in a vault at the bottom of the ocean and only one person knows
the location and combination of that vault. And he is dead.
                        ("Applied Cryptography" by Bruce Schneier)
--------------------------------------------------------------------------

sounds secure :) )

> Well, I think, a physically write-protected HD without any way
> to circumvent that by software would be a 100% secure method
> against installing trojans (indeed, installing _anything_) on
> that device.

IIRC there are (hardware-) RAIDs that support a r/o feature?
 
> Or do you see _any_ idea how to install a rootkit in /bin, if
> the complete HD, where /bin is located, is physically
> write-protected?

It's hard to remotely remove jumpers :)

> The problem is, if someone is logged in as root, then he could
> remount the data directories with exec.

You need a kernel patch that doesn't allow remounting such
devices after a point (maybe loading a protection kernel module).
If it's not implemented in LIDS but possible, this might be an
extension? What does the list think about it?

otherwise:
 
> So it may be necessary to patch mount to allow this only
> under certain circumstances:

You could mount the rw partitions rw on initial mount, and remove
the remount features completely. If you have to remount, you need
to boot from another cd rom.

oki,

Steffen

-- 
This letter was generated by machine,
it therefore bears neither signature nor seal.
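
Added example, not part of the original message: a point-in-time audit of a Linux mount table against the layout discussed in this thread (system partitions read-only, data partitions mounted without exec), which flags a partition that has been remounted with weaker options. The policy, mount points and sample table are constructed assumptions.

```python
# Added example: audit a mount table (in /proc/mounts format) against a
# read-only / noexec policy. POLICY and SAMPLE_MOUNTS are constructed.
import sys

# Assumed policy: mount point -> options that must be present.
POLICY = {
    "/": {"ro"},
    "/usr": {"ro"},
    "/var": {"rw", "noexec"},
    "/home": {"rw", "noexec"},
}

# Constructed sample: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext2 ro 0 0
/dev/sda2 /usr ext2 rw 0 0
/dev/sda3 /var ext2 rw,noexec 0 0
/dev/sda4 /home ext2 rw 0 0
proc /proc proc rw 0 0
"""

def parse_mounts(text):
    """Return {mountpoint: set(options)}; the last entry for a path wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        table[mountpoint] = set(fields[3].split(","))
    return table

def audit(text, policy=POLICY):
    """Return a sorted list of (mountpoint, problem) findings."""
    table = parse_mounts(text)
    findings = []
    for mountpoint, required in policy.items():
        options = table.get(mountpoint)
        if options is None:
            findings.append((mountpoint, "not mounted"))
            continue
        for opt in sorted(required - options):
            findings.append((mountpoint, f"missing option {opt}"))
    return sorted(findings)

if __name__ == "__main__":
    # Pass /proc/mounts as the argument to audit a live system.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mountpoint, problem in audit(text):
        print(f"{mountpoint}: {problem}")
```

A root user who remounts and then restores the original options between two runs will not be seen by this check, which is why the thread looks at removing the remount capability itself.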