Re: root puppet

Author: Mike Liguit
Date:  
To: dtmateo
CC: penguignus-2003
Subject: Re: root puppet
On Mon, 2003-05-05 at 12:44, Demosthenes T. Mateo Jr. wrote:
>
> Just a suggestion as to how a Linux box can be hardened. I call this the
> root puppet.
>
> Create a normal user account (e.g. puppet). The purpose of this account
> is just to become a dummy. Whenever you need to log in as root you have
> to log in to this account first, then "su -".


Sure. PAM can do this.

>
> This is just half of the trick. The second half is to create a cronjob
> (every 30 seconds) of a script that checks for root login (e.g. a simple
> `ps aux|grep root|grep bash` to get the root shell) and kill that shell
> if puppet is NOT logged in. That is, for root to have a valid shell,
> puppet must also be logged in or else all root shells will be killed by
> the script. To risk parroting, you have to log in with user account
> puppet before you can log in as root.


This also can be handled by PAM.

>
> This is effective for those hacks that need root shell access (e.g.
> erasing security logs, planting trojans, defacing a website, etc...).
> With the script running at 30 second intervals the hacker won't be able
> to do anything useful within that span of time. You can be paranoid and
> run it at 10 second intervals. The hacker who has gained root access
> won't even know what kicked him out of the server.
>

I believe the Pluggable Authentication Module is more than capable of
these kinds of restrictions and we're sure to include these.


> Just my two cents (idea is copylefted :-)


Thanks!
>
> ___________________________________________________________
> ManilaCon 2003 GNU/Linux Hardening Team Coordination List
> PenguiGnus-2003@??? (#PLUG @ irc.free.net.ph)
> http://lists.free.net.ph/mailman/listinfo/penguignus-2003
> Searchable Archives: http://marc.free.net.ph
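
The check described in the quoted proposal, as an added example that is not part of the original thread: it reports root-owned interactive shells when the gate account has no session, matching the user and command columns exactly instead of grepping whole lines. The sample `who`/`ps` text, the function names and the `alice` and `bashroot` accounts are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from the original post): text in the shape of
# `who` and `ps -eo pid,user,tty,comm` output, so the logic runs offline.
SAMPLE_WHO='alice    pts/0        2003-05-05 12:01 (10.0.0.5)
puppet   pts/1        2003-05-05 12:40 (10.0.0.7)'

# "bashroot" is a constructed account whose name contains both "root" and
# "bash"; a whole-line grep would match it, an exact column match does not.
SAMPLE_PS='  PID USER     TT       COMMAND
  812 root     ?        sshd
 1490 puppet   pts/1    bash
 1502 root     pts/1    bash
 1733 alice    pts/0    bash
 1801 root     pts/3    sh
 1950 bashroot pts/2    vim'

# Succeeds if the gate account ($2, default "puppet") has a session in the
# who listing passed as $1.
gate_logged_in() {
    printf '%s\n' "$1" |
        awk -v u="${2:-puppet}" '$1 == u { found = 1 } END { exit !found }'
}

# Prints the PIDs of root-owned interactive shells in the ps listing ($1):
# USER is exactly root, a controlling tty is present, COMMAND is a shell.
root_shell_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "root" && $3 != "?" &&
        $4 ~ /^-?(sh|bash|ksh|zsh|csh|tcsh)$/ { print $1 }'
}

# Prints, space-separated, the PIDs that break the rule "no root shell
# without a gate session"; prints nothing when the gate account is logged in.
# Acting on the PIDs (logging, alerting, kill) is left to the caller.
violating_pids() {
    if gate_logged_in "$1" "${3:-puppet}"; then
        return 0
    fi
    root_shell_pids "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed data: puppet is logged in, so nothing is reported.
echo "violations: [$(violating_pids "$SAMPLE_WHO" "$SAMPLE_PS")]"
```

To use it on a host, pass live `who` and `ps -eo pid,user,tty,comm` output as the two arguments. cron schedules no finer than one minute, so a 30-second check needs a loop with `sleep`.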


