Vulnerability Development mailing list archives
Re: Kernel module for file protection ideas
From: Michael Hendrickx <michael () scanit be>
Date: Fri, 09 Jan 2004 15:28:26 +0100
Any thoughts/ideas?
It is easy to hide files, in all different directories. For unix, "/tmp/..." looks suspicious, but /usr/local/samba/var not (if you have samba installed), furthermore it is hard to get *all* directories.

Using "directory traversal" techniques it is possible to still create hidden directories. If your /tmp has a directory called "devel", it is possible to create "/tmp/devel/../.X11-unix" (which won't be in the 'blacklist'), which turns out to be "/tmp/.X11-unix" (which is blacklisted).

Also, imagine having a directory ".. ", or ". ".. which is possible. Not even mentioning non printable characters..

From a personal point of view, it is better to have a watchdog that looks for all files created and sends his logs to an external machine.. But these modules exist already, although it is not a bad programming exercise.

Just a thought,

Regards,
Michael

--
Michael Hendrickx
Security Engineer
Scanit NV/SA
http://www.scanit.be

"Rabbit Run!"
When I see you, I'm seeing you, me and you only
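An added example, not part of the message above or of any module from this thread: a watchdog-side check that normalizes a path before comparing it with the blacklist, and flags the deceptive directory names the message lists. The blacklist contents and all function names are assumptions made for illustration.

```python
import posixpath

# Constructed blacklist for illustration; the message only implies that
# "/tmp/.X11-unix" is on such a list.
BLACKLIST = {"/tmp/.X11-unix"}


def naive_is_blacklisted(path):
    """String comparison on the path exactly as the caller supplied it."""
    return path in BLACKLIST


def normalized_is_blacklisted(path):
    """Collapse "." and ".." lexically, then match the path or any parent.

    Lexical only: symlinks are not followed, so a live check should compare
    the resolved path (os.path.realpath) instead.
    """
    norm = posixpath.normpath(path)
    while True:
        if norm in BLACKLIST:
            return True
        parent = posixpath.dirname(norm)
        if parent == norm:  # reached "/" or the empty string
            return False
        norm = parent


def suspicious_components(path):
    """Return (component, reason) pairs for names built to mislead a listing."""
    findings = []
    for comp in path.split("/"):
        if comp in ("", ".", ".."):
            continue  # ordinary separators and traversal entries
        if any(not ch.isprintable() for ch in comp):
            findings.append((comp, "non-printable character"))
        elif comp != comp.strip():
            findings.append((comp, "leading or trailing whitespace"))
        elif set(comp) == {"."}:
            findings.append((comp, "dots only"))
    return findings
```

Logging the `repr()` of each flagged component keeps trailing spaces and control characters visible in the record sent to the external machine.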