Vulnerability Development mailing list archives

Re: Kernel module for file protection ideas
From: Michael Hendrickx <michael () scanit be>
Date: Fri, 09 Jan 2004 15:28:26 +0100

Any thoughts/ideas?

It is easy to hide files, in all different directories.  For unix,
"/tmp/..." looks suspicious, but /usr/local/samba/var not (if you have
samba installed), furthermore it is hard to get *all* directories

Using "directory traversal" techniques it is possible to still create
hidden directories.

If your /tmp has a directory called "devel", it is possible to create
"/tmp/devel/../.X11-unix" (which won't be in the 'blacklist'), which
turns out to be "/tmp/.X11-unix" (which is blacklisted)

Also, imagine having a directory ".. ", or ". ".. which is possible.

Not even mentioning non-printable characters..

From a personal point of view, it is better to have a watchdog that
looks for all files created and sends its logs to an external machine..
But these modules exist already, although it is not a bad programming
exercise.

Just a thought,

Regards,
 Michael

-- 
Michael Hendrickx
Security Engineer
Scanit NV/SA
http://www.scanit.be

  "Rabbit Run!"
   When I see you, I'm seeing you, me and you only
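
The blacklist bypass described in the message above, as an added example that is not part of the original post: a user-space C sketch that normalizes a path before comparing it with the blacklist and flags the dot-and-space and non-printable names mentioned. The one-entry `BLACKLIST` and the function names are assumptions made for illustration; normalization is lexical only and does not resolve symlinks.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *BLACKLIST[] = { "/tmp/.X11-unix" };  /* constructed entry */

/* Lexically collapse "." and ".." (symlinks NOT resolved); output <= input length. */
static void normalize(const char *in, char *out) {
    size_t len = 0;
    while (*in) {
        in += strspn(in, "/");
        size_t n = strcspn(in, "/");
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* drop last component */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    out[len] = '\0';
}

/* Non-printable bytes (C locale), or only dots and spaces: ".. ", ". ", "..." */
static int odd_name(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)s[i])) return 1;
    return n > 0 && strspn(s, ". ") == n;
}

/* 2 = blacklisted once normalized, 1 = odd component, 0 = clean, -1 = rejected */
int check_path(const char *path) {
    char norm[4096];
    if (path[0] != '/' || strlen(path) >= sizeof norm) return -1;
    normalize(path, norm);
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof *BLACKLIST; i++)
        if (strcmp(norm, BLACKLIST[i]) == 0) return 2;
    /* p sits on a '/'; the component starts at p + 1 */
    for (const char *p = norm; *p; p += 1 + strcspn(p + 1, "/"))
        if (odd_name(p + 1, strcspn(p + 1, "/"))) return 1;
    return 0;
}

int main(void) {
    const char *t[] = { "/tmp/devel/../.X11-unix", "/tmp/.. ", "/usr/local/samba/var" };
    for (int i = 0; i < 3; i++) printf("%d  \"%s\"\n", check_path(t[i]), t[i]);
}
```

A string-level check like this still misses paths that reach a blacklisted directory through a symlink, so a real module would compare resolved filesystem objects rather than names.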



