Bugtraq mailing list archives

Re: snooper watchers


From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Mon, 27 Feb 1995 00:18:16 -0500 (EST)


You really need to do a separation of the checkee from the checkor.
If someone has root access on the machine, they could basically do anything that
is needed to cover their tracks.

        I just had a thought.  What about making it impossible for
even root to cover his/her tracks?  My specific thought was writing
things like accounting/audit logs directly to say a WORM drive.  Due
to the write once nature any auditing/accounting done by the system
when the hacker obtained root access would be on the disk, and even
root could not erase it after the fact, as it's write once.  Of 
course, once root they could unmount that drive or something to
disable logging from that point on, but you would always get at least
the process of becoming root.

-- 
Leo Bicknell - bicknell () vt edu                     | Make a little birdhouse
               bicknell () csugrad cs vt edu          | in your soul......
               bicknell () ussenterprise async vt edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants


