Note that you must also prevent raw disk access by the superuser as well. If I were securing a system, I think I'd opt for offline storage of logs (line printer, serial line, WORM/CDR driver, write-only network logging to a "secure" machine.)
Trying to protect the local system from the superuser is a rotten battle to fight. Better to avoid it to begin with, because you will probably lose. (It only takes one hole that you miss. And disabling superuser functionality would probably cause more suffering than any possible benefit.) This might change once we have hardware support for "protected applications" (depending on how the TCPA stuff falls out and assuming mere mortals get access to such controls).

Regards,
Adam

On Thu, 2003-03-13 at 22:41, Peter Cordes wrote:
> On Thu, Mar 13, 2003 at 10:22:19PM +1100, Frederic Schutz wrote:
> > Does it answer your questions or did I miss a real loophole in the
> > strategy that I described ?
>
> If an attacker gets root and loads a kernel module, that module could
> restore the immutable capability. You'd have to disable loadable modules
> for that to be bulletproof. (unless the commonly used rootkits already do
> this, it would slow down an attacker and cause them to make more noise.)
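The thread turns on three things root can normally do that defeat an immutable log file: clear the attribute again (CAP_LINUX_IMMUTABLE), load a module that hands the capability back (CAP_SYS_MODULE), and bypass the filesystem entirely via the raw block device (CAP_SYS_RAWIO). The script below is an added example, not code from anyone in this thread; it audits whether those capabilities are still in a process's bounding set and whether module loading is switched off. It assumes a modern Linux layout: the CapBnd line in /proc/<pid>/status and the kernel.modules_disabled sysctl, both of which postdate the 2003 discussion (kernels of that era exposed the bounding set through /proc/sys/kernel/cap-bound instead). The sample status texts are constructed for the demonstration.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_LINUX_IMMUTABLE = 9    # set or clear chattr +i / +a on a file
CAP_SYS_MODULE = 16        # load or unload kernel modules
CAP_SYS_RAWIO = 17         # raw I/O to block devices, bypassing the filesystem

CAP_NAMES = {
    CAP_LINUX_IMMUTABLE: "CAP_LINUX_IMMUTABLE",
    CAP_SYS_MODULE: "CAP_SYS_MODULE",
    CAP_SYS_RAWIO: "CAP_SYS_RAWIO",
}


def parse_cap_bnd(status_text):
    """Return the capability bounding set (CapBnd) parsed from /proc/<pid>/status text."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)


def caps_present(mask, wanted=CAP_NAMES):
    """Names of the capabilities in `wanted` whose bit is set in `mask`, in bit order."""
    return [name for bit, name in sorted(wanted.items()) if mask & (1 << bit)]


def audit(status_text, modules_disabled_text):
    """Return a list of findings; an empty list means the checks all pass.

    status_text: contents of /proc/<pid>/status for the process being checked.
    modules_disabled_text: contents of /proc/sys/kernel/modules_disabled ("0" or "1").
    """
    findings = []
    for name in caps_present(parse_cap_bnd(status_text)):
        findings.append(f"{name} still in bounding set")
    if modules_disabled_text.strip() != "1":
        findings.append("kernel.modules_disabled is not 1 (modules can still be loaded)")
    return findings


def audit_live():
    """Run the audit against the current process on a Linux host."""
    with open("/proc/self/status") as f:
        status = f.read()
    try:
        with open("/proc/sys/kernel/modules_disabled") as f:
            modules_disabled = f.read()
    except FileNotFoundError:
        modules_disabled = "0"   # sysctl absent on old kernels: treat modules as loadable
    return audit(status, modules_disabled)


# Constructed sample: a stock kernel where the bounding set still holds every
# capability (bits 0..40), so root can undo all three protections.
STATUS_FULL = (
    "Name:\tbash\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
)

# Constructed sample: the same set with bits 9, 16 and 17 removed.
STATUS_HARDENED = (
    "Name:\tbash\n"
    "CapPrm:\t000001fffffcfdff\n"
    "CapEff:\t000001fffffcfdff\n"
    "CapBnd:\t000001fffffcfdff\n"
)

if __name__ == "__main__":
    print("stock kernel:", audit(STATUS_FULL, "0\n"))
    print("hardened:", audit(STATUS_HARDENED, "1\n"))
```

Dropping a capability from the bounding set is inherited by every child process, which is why it is done once at boot (before the services start) rather than per daemon; the audit reports what the calling process actually inherited, so run it from the same point in the boot sequence where the protected services are launched.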