Vulnerability Development mailing list archives

Re: Positive uses for rootkits


From: Berend De Schouwer <bds () jhb ucs co za>
Date: Fri, 23 Mar 2001 08:56:07 +0200

On Wed, 21 Mar 2001 20:58:31 Daniel McCranie wrote:
| Hi,
|
| I was wondering that since intruders can modify system commands to
| not display certain things, couldn't admins modify the commands
| like cp, mv, rm...  so that they would not be able to replace any
| of the included commands?  These could be made in such a way as to
| only work unrestricted in single-user mode, or with the disk mounted
| on another system, when there is a legitimate need to change one.

This doesn't help against compiling C programs that call the libc
functions, or against calling the kernel functions directly.  Even
simpler: if you replace 'cp', I can still copy files using:
"cat fileA > fileB".  There are a lot of ways to copy files.

| I have just enough UNIX knowledge to be dangerous to myself so be
| gentle :)
|
| Questions:
|
| 1. Are most rootkits simply shell scripts or real programs?

Both.

| 2. Would there be anyway to stop programs from overwriting those
| files with programming calls?  (Maybe making them read-only and
| modifying chmod...)

No.  If you are root, you can change permissions back.  To stump
some people you can try:
- Mounting /usr read-only
- 'chattr' (file system dependent)

To actually prevent even root from changing files, on Linux,
try LIDS (www.lids.org).  You can prevent root from, for example,
modifying /bin/login.

| 3,4,5: I know that this probably wouldn't be good in a standard
| distro but what about a hardening kit?  Has this been tried before?
| Is there something blatantly wrong?

There are such kits to some degree. For RedHat Linux, look for Bastille.

| Dan
|
Kind regards,
Berend

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
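
The following script is an added example, not part of Berend's reply or the
thread. It shows both of his points in runnable form: a 'cp' that refuses to
overwrite files is trivially bypassed by cat, dd, tee or plain shell builtins,
and permission bits (and chattr +i, where the filesystem and privileges allow
it) only restrain a caller who cannot undo them. Every path is a constructed
stand-in inside a temporary directory; nothing here touches the real
/bin/login, and the 'cp' function that refuses to copy is a stand-in for the
hardened command the original poster proposed.

```shell
#!/bin/sh
# Added demonstration (not from the thread): why neutering 'cp' does not stop
# a file from being replaced, and why permission bits only slow down the
# file's owner or root.  Everything lives in a scratch directory; nothing
# here touches the real /bin or /usr.
set -eu

WORK=$(mktemp -d)
TARGET="$WORK/login"     # constructed stand-in for /bin/login
EVIL="$WORK/evil"        # constructed stand-in for the intruder's replacement

cleanup() {
    # If chattr +i succeeded below, rm would otherwise be refused.
    command -v chattr >/dev/null 2>&1 && chattr -i "$TARGET" 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

printf 'original login\n' > "$TARGET"
printf 'trojaned login\n' > "$EVIL"

reset_target()    { chmod 644 "$TARGET" 2>/dev/null || true; printf 'original login\n' > "$TARGET"; }
target_contents() { cat "$TARGET"; }

# The proposal in the thread: make 'cp' refuse to overwrite system files.
# Modelled here by shadowing cp with a function that always refuses.
cp() { echo "cp: refused by policy" >&2; return 1; }

copy_with_cp() { if cp "$EVIL" "$TARGET" 2>/dev/null; then echo replaced; else echo blocked; fi; }

# Four ways to replace the file that never invoke cp at all.
copy_via_cat()   { cat "$EVIL" > "$TARGET"; }
copy_via_dd()    { dd if="$EVIL" of="$TARGET" 2>/dev/null; }
copy_via_tee()   { tee "$TARGET" < "$EVIL" > /dev/null; }
copy_via_shell() {
    # Pure shell builtins: read the source line by line, redirect into the target.
    while IFS= read -r line; do printf '%s\n' "$line"; done < "$EVIL" > "$TARGET"
}

# Permission bits: a 0444 file blocks an unprivileged owner's write, but
# root ignores DAC entirely, and the owner can simply chmod it back.
write_to_readonly() {
    chmod 444 "$TARGET"
    if cat "$EVIL" > "$TARGET" 2>/dev/null; then echo written; else echo blocked; fi
}
undo_readonly_and_write() {
    chmod u+w "$TARGET"          # owner or root: the mode bits are theirs to change
    cat "$EVIL" > "$TARGET"
}

# chattr +i needs CAP_LINUX_IMMUTABLE and a filesystem that supports the flag,
# which is why the thread calls it "file system dependent".  Report, don't fail.
try_immutable() {
    chmod 644 "$TARGET"
    if ! command -v chattr >/dev/null 2>&1 || ! chattr +i "$TARGET" 2>/dev/null; then
        echo unavailable; return 0
    fi
    if cat "$EVIL" > "$TARGET" 2>/dev/null; then echo written; else echo blocked; fi
    chattr -i "$TARGET" 2>/dev/null || true   # and root can clear the flag again
}

main() {
    echo "cp:                   $(copy_with_cp)"
    for f in copy_via_cat copy_via_dd copy_via_tee copy_via_shell; do
        reset_target; "$f"; echo "$f: $(target_contents)"
    done
    reset_target; echo "chmod 444 then write: $(write_to_readonly)"
    undo_readonly_and_write; echo "after chmod u+w:      $(target_contents)"
    reset_target; echo "chattr +i then write: $(try_immutable)"
}
main
```

Run as an unprivileged user the 444 write reports "blocked" and chattr reports
"unavailable"; run as root the 444 write reports "written", which is exactly
the gap Berend describes: the mode bits never constrain root, and anything
root can set (chattr +i included) root can clear, so only a kernel-enforced
policy such as LIDS changes the outcome.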