Author: Mike Liguit
Date:
To: dtmateo
CC: penguignus-2003
Subject: Re: root puppet

On Mon, 2003-05-05 at 12:44, Demosthenes T. Mateo Jr. wrote:
>
> Just a suggestion as to how a Linux box can be hardened. I call this the
> root puppet.
> Create a normal user account (e.g. puppet). The purpose of this account
> is just to become a dummy. Whenever you need to log in as root you have
> to log in to this account first then "su -".
Sure. PAM can do this.
> This is just half of the trick. The second half is to create a cronjob
> (every 30 seconds) of a script that checks for root login (e.g. a simple
> `ps aux|grep root|grep bash` to get the root shell) and kill that shell
> if puppet is NOT logged in. That is, for root to have a valid shell,
> puppet must also be logged in or else all root shells will be killed by
> the script. To risk parroting, you have to log in with user account
> puppet before you can log in as root.
This also can be handled by PAM.
> This is effective for those hacks that need root shell access (e.g.
> erasing security logs, planting trojans, defacing a website, etc...).
> With the script running at 30 second intervals the hacker won't be able
> to do anything useful within that span of time. You can be paranoid and
> run it at 10 second intervals. The hacker who has gained root access
> won't even know what kicked him out of the server.
I believe the Pluggable Authentication Module is more than capable of
these kinds of restriction and we're sure to include these.
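
The cron check described in the quoted post, as an added example that is not part of the original thread: a report-only version that lists root shells present while the gate account is absent, next to what the post's `grep` pipeline would match. The account name `puppet` is from the post; the function names and the sample `who`/`ps` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only version of the "root puppet" check.
# GATE_USER comes from the post; function names and sample data are constructed.
GATE_USER=puppet

# Succeeds if GATE_USER owns a session in the given `who` output.
gate_logged_in() {
    printf '%s\n' "$1" | awk -v u="$GATE_USER" '$1 == u { ok = 1 } END { exit !ok }'
}

# The post's pipeline, applied to captured `ps` text: substring matches only.
naive_pids() {
    printf '%s\n' "$1" | grep root | grep bash | awk '{ print $2 }'
}

# Exact match on owner and command name; expects `ps -eo user=,pid=,comm=`.
root_shell_pids() {
    printf '%s\n' "$1" |
        awk '$1 == "root" && $3 ~ /^-?(ba|da|k|z)?sh$/ { print $2 }'
}

# PIDs that violate the policy: root shells while the gate user is absent.
flagged_pids() {
    if gate_logged_in "$1"; then
        return 0
    fi
    root_shell_pids "$2"
}

# Constructed sample input (not from a real host).
WHO_WITH_GATE='puppet   pts/0  2003-05-05 12:40 (10.0.0.5)
alice    pts/1  2003-05-05 12:41 (10.0.0.6)'
WHO_WITHOUT_GATE='alice    pts/1  2003-05-05 12:41 (10.0.0.6)'
SAMPLE_PS='root         1 init
root       812 sshd
grooters  2101 bash
alice     2140 bash
root      2207 bash
root      2250 sh'

echo "naive match:           $(naive_pids "$SAMPLE_PS" | tr '\n' ' ')"
echo "flagged, gate absent:  $(flagged_pids "$WHO_WITHOUT_GATE" "$SAMPLE_PS" | tr '\n' ' ')"
echo "flagged, gate present: $(flagged_pids "$WHO_WITH_GATE" "$SAMPLE_PS" | tr '\n' ' ')"
```

On the sample, the substring match picks up the shell of a user whose name merely contains "root" and misses root's `sh`, while the exact match reports both root shells. Standard cron schedules no finer than one minute, so the 30-second interval in the post needs a loop or a timer rather than a plain crontab entry.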