Re: Kernel module for file protection ideas
From: George Capehart (gwc acm.org)
Date: Thu Jan 08 2004 - 20:47:25 CST
On Thursday 08 January 2004 11:20 am, Bruno Lustosa wrote:
> * Just1n T1mberlake <hotpackets hellokitty.com> [08-01-2004 13:50]:
> > I have been thinking of ideas to stop many file attacks on Unix
> > systems. When you find rootkits or other attack files on many Unix
> > systems they will often try to hide their tracks by using filenames
> > such as '...' and '/tmp/.X11-unix' etc. I wish to write a kernel
> > module (for linux initially) that will prevent such attacks. The
> > kernel module in pseudo code:
>
> This would help against a few of them, but just until they start
> using some name not in the bad names list.
> For example, suckit uses something in /usr/share/locale. If it's
> tagged as bad, one could just name it something else. Hiding a file
> isn't really hard after all, at least if you are hiding from someone
> not searching for it.
White lists are always better than blacklists. It's usually *much*
easier to provide a list of acceptable options/values/whatever than it
is to provide a list of the unacceptable ones. The number of elements
in that set approaches infinity . . . ;-)
/g
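
The contrast discussed in this thread, as an added example (not code from any of the posters): a deny-list of names misses a file under a name it does not know, while a manifest of expected files flags it regardless of name. The sample tree, the `app.mo`, `payload` and `.cache` names, and the manifest are constructed for illustration.

```python
import os
import tempfile

BAD_NAMES = {"...", ".X11-unix"}  # deny-list built from the names quoted in the thread

# Constructed manifest of the files the administrator expects under the tree.
EXPECTED = {"locale/en/LC_MESSAGES/app.mo", "locale/de/LC_MESSAGES/app.mo"}

# Constructed sample tree: the expected files plus two unexpected ones.
SAMPLE = sorted(EXPECTED) + [
    "locale/.../payload",            # uses a deny-listed directory name
    "locale/de/LC_MESSAGES/.cache",  # unexpected file under a name not on the list
]

def list_files(root):
    """Return every file under root as a '/'-separated path relative to root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def denylist_hits(paths, bad_names=BAD_NAMES):
    """Flag paths in which any component is a known-bad name."""
    return {p for p in paths if bad_names & set(p.split("/"))}

def allowlist_misses(paths, expected=EXPECTED):
    """Flag every path that is not in the manifest, whatever it is called."""
    return {p for p in paths if p not in expected}

def run_demo():
    """Build the sample tree in a temp directory and run both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        paths = list_files(root)
    return denylist_hits(paths), allowlist_misses(paths)

if __name__ == "__main__":
    deny, allow = run_demo()
    print("deny-list flags: ", sorted(deny))
    print("allow-list flags:", sorted(allow))
```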