Re: use of base image / delta image for automated recovery from attacks

• Previous message: George Dinwiddie: "Re: use of base image / delta image for automated recovery from attacks"
• In reply to: Crispin Cowan: "Re: use of base image / delta image for automated recovery from attacks"
• Next in thread: Andrey Kolishak: "Re: use of base image / delta image for automated recovery from attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Simple approxmation to this: make /usr a separate partion, and mount it 
> read-only:
> 
>    * The good news: attackers that want to trojan your software have to
>      reboot, at least.
>    * The bad news: administrators that want to update your software
>      have to reboot, at least.

No reboot is required, you just need to remount it:

	# mount -o remount,rw /usr

This requires root access, but presumably /usr is safe from non-root
users anyway.

Only way to disable this is to have the kernel compiled with something
that compartmentalizes capabilities (LIDS/etc on Linux for example) or to
remove CAP_SYS_ADMIN with lcap, which would definately require a reboot,
and possibly break some other functionatily to boot.  (Pun intended.  My
apologies.)

--
Brian Hatch                  "Are you expected?"
   Systems and               "No.  Dreaded."
   Security Engineer
www.hackinglinuxexposed.com

Every message PGP signed

• application/pgp-signature attachment: stored

• Next message: Crispin Cowan: "Re: FW: use of base image / delta image for automated recovery from attacks"
• Previous message: George Dinwiddie: "Re: use of base image / delta image for automated recovery from attacks"
• In reply to: Crispin Cowan: "Re: use of base image / delta image for automated recovery from attacks"
• Next in thread: Andrey Kolishak: "Re: use of base image / delta image for automated recovery from attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 13:26:47 PDT