Vulnerability Development mailing list archives

Re: Kernel module for file protection ideas

From: Michael Hendrickx <michael () scanit be>
Date: Fri, 09 Jan 2004 15:28:26 +0100

Any thoughts/ideas?


It is easy to hide files, in all different directories.  For unix,
"/tmp/..." looks suspicious, but /usr/local/samba/var not (if you have
samba installed), furthermore it is hard to get *all* directories

Using "directory traversal" techniques it is possible to still create
hidden directories.

If your /tmp has a directory called "devel", it is possible to create
"/tmp/devel/../.X11-unix" (which won't be in the 'blacklist'), which
turns out to be "/tmp/.X11-unix" (which is blacklisted)

Also, imagine having a directory ".. ", or ". ".. which is possible.

Not even mentioning non printable characters..

From a personal point of view, it is better to have a watchdog that

looks for all files created and sends his logs to an external machine..
But these modules exist already, although it is not a bad programming
exercise.

Just a thought,

Regards,
 Michael

-- 
Michael Hendrickx
Security Engineer
Scanit NV/SA
http://www.scanit.be

  "Rabbit Run!"
   When I see you, I'm seeing you, me and you only

Current thread:

Kernel module for file protection ideas Just1n T1mberlake (Jan 08)
- Re: Kernel module for file protection ideas Larry W. Cashdollar (Jan 08)
- Re: Kernel module for file protection ideas Bruno Lustosa (Jan 08)
  - Re: Kernel module for file protection ideas George Capehart (Jan 09)
- Re: Kernel module for file protection ideas Michael Hendrickx (Jan 09)
- RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 09)
  - Re: Kernel module for file protection ideas Valdis . Kletnieks (Jan 10)
    - RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 10)
- Re: Kernel module for file protection ideas Vikram Rangnekar (Jan 12)