Subject: Re: verified executable kernel modification committed
To: Perry E. Metzger <perry@piermont.com>
From: Chris Jepeway <jepeway@blasted-heath.com>
List: tech-security
Date: 10/31/2002 11:51:35
> Chris Jepeway <jepeway@blasted-heath.com> writes:
> > > to stop someone else who may choose to have their file executable on
> > > your machine something like a DDoS zombie.
> > OK, so verified execs stop rootkits from running?
> > How can chflags do that?
> 
> If you can't replace /bin/sh or whatever with the executable of your
> choosing because it is marked immutable, well, then it doesn't matter
> if you verify the MAC on it.
I was thinking more along the lines of not being able to
run a set of execs that discover/probe vulnerabilities,
do network scans, and the like.

But, as you say, using verexec with a list of inodes instead of
fingerprints along w/ chflags covers that, too.

Hm... that's just changing the hash function from "mangle up all
the bits in the file" to "use the file's inode."

> > > Brett
> > Me
> Perry
Chris <jepeway@blasted-heath.com>.
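The two "hash functions" Chris contrasts can be put side by side in code. The following is an added example, not code from this thread or from the NetBSD verified-exec implementation: a toy policy object that enrolls a file either by SHA-256 of its contents or by its inode number, then checks what happens when the file's bits change in place (same inode) or the file is replaced by rename (new inode). The immutable flag is simulated as a Python-side check standing in for chflags, since a real schg flag would need BSD and root; everything else uses real temporary files so the inode numbers are genuine.

```python
"""Toy model of verified exec keyed by fingerprint vs. by inode.

Added example, not from the tech-security thread or from NetBSD verexec.
The immutable flag is simulated in Python (labelled below); real chflags
behaviour is not exercised.
"""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> str:
    """'Mangle up all the bits in the file': SHA-256 of the contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def identity(path: str) -> int:
    """'Use the file's inode': the inode number, which survives an in-place write."""
    return os.stat(path).st_ino


class VerexecModel:
    """Allow-list of executables keyed by either fingerprint or inode."""

    def __init__(self, mode: str) -> None:
        if mode not in ("fingerprint", "inode"):
            raise ValueError(mode)
        self.mode = mode
        self.allowed = set()
        self.immutable = set()  # simulated chflags schg; checked only in this model

    def _key(self, path: str):
        return fingerprint(path) if self.mode == "fingerprint" else identity(path)

    def enroll(self, path: str) -> None:
        self.allowed.add(self._key(path))

    def may_exec(self, path: str) -> bool:
        return self._key(path) in self.allowed

    def set_immutable(self, path: str) -> None:
        self.immutable.add(path)

    def write_in_place(self, path: str, data: bytes) -> bool:
        """Rewrite the bits but keep the inode; refused if flagged immutable."""
        if path in self.immutable:
            return False
        with open(path, "wb") as f:
            f.write(data)
        return True

    def replace_by_rename(self, path: str, data: bytes) -> bool:
        """Swap in a new file (new inode) over the old name; refused if immutable."""
        if path in self.immutable:
            return False
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
        return True


# Constructed sample contents for the enrolled tool and an altered copy.
ORIGINAL = b"#!/bin/sh\necho enrolled tool\n"
ALTERED = b"#!/bin/sh\necho altered contents\n"


def run_scenarios(mode: str) -> dict:
    """Enroll a file under `mode`, then see which changes still pass the check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool")
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        v = VerexecModel(mode)
        v.enroll(path)
        results["original"] = v.may_exec(path)

        # Same inode, different bits: only the fingerprint policy notices.
        v.write_in_place(path, ALTERED)
        results["exec_after_in_place_write"] = v.may_exec(path)

        # New inode, different bits: both policies refuse.
        v.replace_by_rename(path, ALTERED)
        results["exec_after_rename"] = v.may_exec(path)

        # Fresh enrolment plus the (simulated) immutable flag: neither change gets
        # through, so the enrolled key stays valid under either policy.
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        v2 = VerexecModel(mode)
        v2.enroll(path)
        v2.set_immutable(path)
        results["immutable_write_refused"] = (
            not v2.write_in_place(path, ALTERED)
            and not v2.replace_by_rename(path, ALTERED)
        )
        results["exec_with_immutable"] = v2.may_exec(path)
    return results


if __name__ == "__main__":
    for mode in ("fingerprint", "inode"):
        print(mode, run_scenarios(mode))
```

The inode-keyed run shows the point behind "covers that, too": an inode list on its own is satisfied by any bits that happen to live in an enrolled inode, so it is the immutable flag that carries the integrity guarantee; the fingerprint list carries it by itself, at the cost of hashing the whole file on each check.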