[1116] in bugtraq


Re: snooper watchers

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Mon Feb 27 01:19:15 1995

From: Leo Bicknell <bicknell@ussenterprise.async.vt.edu>
To: tim@cs.columbia.edu (Timothy Jones)
Date: Mon, 27 Feb 1995 00:18:16 -0500 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <199502270433.XAA02811@age.cs.columbia.edu> from "Timothy Jones" at Feb 26, 95 11:33:44 pm

> > You really need to do a separation of the checkee from the checkor.
> > If someone has root access on the machine, they could basically do anything that
> > is needed to cover their tracks.

	I just had a thought.  What about making it impossible for
even root to cover his/her tracks?  My specific thought was writing
things like accounting/audit logs directly to say a WORM drive.  Due
to the write once nature any auditing/accounting done by the system
when the hacker obtained root access would be on the disk, and even
root could not erase it after the fact, as it's write once.  Of 
course, once root they could unmount that drive or something to
disable logging from that point on, but you would always get at least
the process of becoming root.

-- 
Leo Bicknell - bicknell@vt.edu                     | Make a little birdhouse
               bicknell@csugrad.cs.vt.edu          | in your soul......
               bicknell@ussenterprise.async.vt.edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants
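
Added example (not part of the original message or thread): a small Python model of the write-once audit log described above, showing which records survive and which are never captured. `WormDevice`, `replay`, `try_erase`, `last_logged_time` and the sample events are constructed for illustration; the model assumes each audit record is committed to the medium before the next event happens.

```python
class WriteOnceError(Exception):
    """Raised when a write would modify an already-written block."""

class WormDevice:
    """Constructed stand-in for a WORM drive: append-only, no rewrite."""
    def __init__(self, nblocks):
        self._blocks = [None] * nblocks
        self._next = 0
        self.mounted = True

    def append(self, record):
        if not self.mounted:
            return False              # drive detached: the record is simply lost
        if self._next >= len(self._blocks):
            raise WriteOnceError("medium full")
        self._blocks[self._next] = record
        self._next += 1
        return True

    def overwrite(self, index, record):
        # Enforced by the medium, so the caller's uid is irrelevant.
        raise WriteOnceError(f"block {index} cannot be rewritten")

    def read_all(self):
        # Reading the physical medium later does not depend on the mount state.
        return [b for b in self._blocks if b is not None]

# Constructed sample timeline: (timestamp, uid, action)
SAMPLE_EVENTS = [
    (100, 1001, "login user=guest"),
    (130, 1001, "exec /bin/su"),
    (131, 0, "uid change 1001->0"),
    (140, 0, "umount-audit"),         # root detaches the log drive
    (150, 0, "exec /bin/sh"),
]

def replay(events, device):
    """Feed events to the audit device; return what ends up on the medium."""
    for ts, uid, action in events:
        if action == "umount-audit":
            device.mounted = False
        device.append((ts, uid, action))
    return device.read_all()

def try_erase(device, index):
    """Attempt to blank an existing record; True only if the medium allowed it."""
    try:
        device.overwrite(index, None)
        return True
    except WriteOnceError:
        return False

def last_logged_time(device):
    """Timestamp of the final record: logging stopped at some point after this."""
    return device.read_all()[-1][0]
```

The transition to uid 0 stays on the medium and cannot be blanked afterwards, while everything after the detach is absent, so the last timestamp marks where the record ends.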
