root puppet

Top Page
Author: Demosthenes T. Mateo " "Jr.
Date:  
To: penguignus-2003
Subject: root puppet

Just a suggestion as to how a linux box can be hardened. I call this the
root puppet.

Create a normal user account (e.g. puppet). The purpose of this account
is just to become a dummy. Whenever you need to login as root you have
to login to this account first then "su -".

This is just half of the trick. The second half is to create a cronjob
(every 30 seconds) of a script that checks for root login (e.g. a simple
`ps aux|grep root|grep bash` to get the root shell) and kill that shell
if puppet is NOT logged in. That is, for root to have a valid shell,
puppet must also be logged in or else all root shells will be killed by
the script. To risk parroting, you have to login with user account
puppet before you can login as root.

This is effective for those hacks that need root shell access (e.g.
erasing security logs, planting trojans, defacing a website, etc...).
With the script running at 30 second intervals the hacker won't be able
to do anything useful within that span of time. You can be paranoid and
run it at 10 second intervals. The hacker who has gained root access
won't even know what kicked him out of the server.


Just my two cents (idea is copylefted :-)

___________________________________________________________
ManilaCon 2003 GNU/Linux Hardening Team Coordination List
PenguiGnus-2003@??? (#PLUG @ irc.free.net.ph)
http://lists.free.net.ph/mailman/listinfo/penguignus-2003
Searchable Archives: http://marc.free.net.ph