Re: [cobalt-security] Attempted inside job. A report.
- Subject: Re: [cobalt-security] Attempted inside job. A report.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 20 Sep 2001 21:25:29 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Kevin,
> What IDS?
It's a set of freely available tools which have either been modified to meet
our specific needs, or which have been extended a little bit here and there.
I also threw in some shell scripts to automate stuff or to make more sense of
the generated output.
It basically consists of the following tools:
- KSTAT (Tool useful to find an attacker in your system by a direct analysis
of the kernel through /dev/kmem and bypassing the hiding techniques of the
intruder (kernel static recompilation/use of LKMs). Kstat can find the
syscalls which were modified by a LKM, list the linked LKMs, query one or all
the network interfaces of the system, list all the processes and much more)
- Demarc 1.05 with Snort 1.8 and a customized ruleset based on one from
Whitehats.org
- Fcheck (similar to Tripwire, but less cumbersome to install and to analyze)
- Chkrootkit, automated through a cronjob and shellscript which will run it
once per day and email a report to admin if there is anything noteworthy.
- Portsentry with Ipchains, together with a cronjob and shellscript to reset
the blocks after a certain while.
- Logcheck (with modified configuration to report just the really essential
stuff)
The compiler warning message which caught your curiosity is an ingenious
addition from a friend who modified the compiler sources and helped me to
build a new one for the RaQ. So it's the compiler itself which will write to
syslog who called it. From there it's Logcheck which mails the report.
Another (much, much easier) option would be to change the permissions on the
compiler executable so that only user "root" can run it in the first place. Or to
set the groups wisely so that only one selected group of trusted users can
access the compiler. This has to be done outside the Cobalt specs and of
course without the GUI, but hey, everything useful has to be done that way.
;o)
Another option which I've also seen on a customer's machine once was this: The
guy had zipped up the kernel header files and put them into hiding somewhere
deep in the directory tree under an obfuscated filename. That effectively
disabled the compiler as well - for everyone. He could have done away with
the gcc executable, but then someone could have reinstalled it from an RPM.
But without proper kernel header files you'll have a very hard time getting
the darn thing to compile anything more complicated than a "Hello world!"
script. Unless you have access to a similar RaQ and move the header files
over to the other machine.
> I'd like to see an IDS that watches the command line, but not of the packet
> sniffer variety. Something that logs keystrokes (kind of like a bash_history
> type of thing) that will look for certain commands, like SU, or ftp, etc.
Properly configured Logcheck can do some aspects of that, like reporting any
SU calls or the monitoring of ftp, but for the rest of that you have to look
elsewhere. A keylogger should be the least problem. I've already seen a few
for Linux, but I think that would be of little value and too much of spying.
One word of warning: As useful as Logcheck can be, once the system has been
penetrated it is (like anything else) of little value. That was the reason
for me to throw this package together, as I didn't want to put all eggs into
one basket.
--
With best regards,
Michael Stauber
SOLARSPEED.NET
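The "much easier" option Michael describes above (restricting the compiler binary so that only root and one trusted group can execute it) as an added shell example. This is not code from the mail or from any Cobalt/RaQ package; it assumes a POSIX sh with chgrp, chmod and ls, takes the binary path and group name as arguments, and demonstrates itself on a throw-away file so it can be tried unprivileged before being applied to the real compiler. The group name "devel" mentioned in the comments is a placeholder, not a group that exists on a RaQ.

```shell
#!/bin/sh
# Added example (not part of the original mail): lock a compiler binary down
# to root plus one trusted group, and check afterwards that "others" can no
# longer execute it. Assumes POSIX sh, chgrp, chmod and ls.

# restrict_compiler BINARY GROUP
#   Owner (root) keeps rwx, GROUP gets r-x, everyone else gets nothing (0750).
#   GROUP is whatever trusted group you maintain outside the Cobalt GUI,
#   e.g. a hypothetical "devel" group.
restrict_compiler() {
    bin="$1"; grp="$2"
    [ -f "$bin" ] || { echo "restrict_compiler: $bin not found" >&2; return 1; }
    chgrp "$grp" "$bin" || return 1
    chmod 0750 "$bin" || return 1
}

# mode_of FILE
#   Prints the symbolic mode string, e.g. -rwxr-x--- (first 10 chars of ls -ld,
#   so a trailing ACL/SELinux marker is ignored).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# world_executable FILE
#   Exit 0 if the "others" execute bit is still set, 1 otherwise.
#   Useful as a periodic check that nobody reinstalled a world-executable gcc
#   (e.g. from an RPM) behind your back.
world_executable() {
    case "$(mode_of "$1")" in
        *x) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demonstration on a temporary stand-in file so the example is safe to run
# without root; on a real RaQ you would pass /usr/bin/gcc and the trusted
# group instead.
demo() {
    tmp="$(mktemp -d)"
    # constructed stand-in for the compiler binary
    printf '#!/bin/sh\necho "pretend compiler"\n' > "$tmp/gcc"
    chmod 0755 "$tmp/gcc"
    echo "before: $(mode_of "$tmp/gcc")"
    # the current user's primary group stands in for the trusted group
    restrict_compiler "$tmp/gcc" "$(id -gn)"
    echo "after:  $(mode_of "$tmp/gcc")"
    rm -rf "$tmp"
}

demo
```

Applied to the real binary as root (`restrict_compiler /usr/bin/gcc devel`), this leaves root and the trusted group able to compile and everyone else with "Permission denied"; running `world_executable /usr/bin/gcc` from a cron job and mailing the admin when it succeeds catches the case Michael mentions where someone simply reinstalls the compiler from an RPM.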