Re: Kernel module for file protection ideas
From: Michael Hendrickx (michael@scanit.be)
Date: Fri Jan 09 2004 - 08:28:26 CST
> Any thoughts/ideas?
It is easy to hide files in all different directories. For Unix,
"/tmp/..." looks suspicious, but /usr/local/samba/var does not (if you have
samba installed); furthermore, it is hard to get *all* directories.
Using "directory traversal" techniques it is possible to still create
hidden directories.
If your /tmp has a directory called "devel", it is possible to create
"/tmp/devel/../.X11-unix" (which won't be in the 'blacklist'), which
turns out to be "/tmp/.X11-unix" (which is blacklisted).
Also, imagine having a directory named ".. " or ". ", which is possible.
Not even mentioning non-printable characters..
From a personal point of view, it is better to have a watchdog that
looks for all files created and sends its logs to an external machine..
But these modules exist already, although it is not a bad programming
exercise.
Just a thought,
Regards,
Michael
--
Michael Hendrickx
Security Engineer
Scanit NV/SA
http://www.scanit.be
"Rabbit Run!"
When I see you, I'm seeing you, me and you only
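The two bypasses in the reply above (the "devel/../.X11-unix" trick against a string blacklist, and names like ".. " or ones containing non-printable characters) can be checked from a watchdog's side by canonicalising the path before comparing and by inspecting the raw components. The following is an added illustration, not code from the post or from the module being discussed; the blacklist contents and sample paths are constructed.

```python
import os

# Constructed blacklist, using the location the post names ("/tmp/.X11-unix").
# Assumption: the module under discussion kept a similar list of path strings.
BLACKLIST = {"/tmp/.X11-unix", "/tmp/..."}


def naive_is_blocked(path: str) -> bool:
    """Plain string comparison: the check the post shows being bypassed."""
    return path in BLACKLIST


def canonical_is_blocked(path: str) -> bool:
    """Collapse '.', '..' and repeated separators first, then compare.

    Note: normpath does not resolve symlinks; a watchdog comparing against
    real on-disk locations would use os.path.realpath instead.
    """
    return os.path.normpath(path) in BLACKLIST


def suspicious_components(path: str) -> dict:
    """Return {component: [reasons]} for names built to blend into a listing.

    Catches the ". " / ".. " trailing-space trick and non-printable characters.
    Works on the raw path: normpath leaves ".. " alone, since it is not "..".
    """
    findings = {}
    for name in path.split("/"):
        reasons = []
        if name and name != name.strip():
            reasons.append("leading or trailing whitespace")
        if name.strip() in (".", "..") and name not in (".", ".."):
            reasons.append("mimics '.' or '..' in a listing")
        if any(not ch.isprintable() for ch in name):
            reasons.append("non-printable character")
        if reasons:
            findings[name] = reasons
    return findings


def audit(path: str) -> dict:
    """Combine both checks so a watchdog can log one verdict per created path."""
    return {
        "canonical": os.path.normpath(path),
        "naive_blocked": naive_is_blocked(path),
        "blocked": canonical_is_blocked(path),
        "suspicious": suspicious_components(path),
    }


if __name__ == "__main__":
    # Constructed sample paths modelled on the post's examples.
    for p in ("/tmp/devel/../.X11-unix", "/tmp/.. /hidden", "/tmp/ok\x07/x"):
        print(p, audit(p))
```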