Timeline for Methods root can use to elevate itself to kernel mode
Current License: CC BY-SA 4.0
27 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Oct 12, 2020 at 23:10 | comment | added | forest | | If the policy prevents root from changing key policy files, it'll do that. |
| May 23, 2020 at 19:27 | comment | added | Fis | | Did you already find how to limit root? And especially how to prevent root from changing policies in order to do malicious actions again? |
| Nov 18, 2019 at 8:36 | comment | added | forest | | No one ever claimed that most sysadmins are capable of restricting root effectively. |
| Nov 18, 2019 at 7:02 | comment | added | Fis | | Seems to me you live in a different world than I do. There are not enough deeply experienced people in the market, and the quality of admins differs dramatically. |
| Nov 18, 2019 at 2:07 | comment | added | forest | | Again, if a sysadmin is liable to simply forget something or not keep up with changes for the kernel he's using, he's not fit to manage a system with high enough security requirements that root restrictions are necessary. |
| Nov 18, 2019 at 1:59 | comment | added | Fis | | Just prevent anything rather than blacklist something and forget something else. |
| Nov 18, 2019 at 1:58 | comment | added | forest | | What do you mean? |
| Nov 18, 2019 at 1:57 | comment | added | Fis | | But the approach seems to me the opposite of before. |
| Nov 18, 2019 at 1:53 | comment | added | forest | | Lockdown makes it simpler to do this so you don't have to trust that your sysadmin is always sober, but it has been possible for long before that LSM. |
| Nov 18, 2019 at 1:52 | comment | added | Fis | | Also, please note an LSM or "lockdown" module will land in the 5.4 kernel (already RC), so it may help to solve your problem. Seems to me finally a good way to go. |
| Nov 18, 2019 at 1:49 | comment | added | forest | | Of course not. But that wasn't the question. |
| Nov 18, 2019 at 1:48 | comment | added | Fis | | Sure. Can you be 100% sure your employees are always good enough? Also, please keep in mind they are focused on business rather than on security... |
| Nov 18, 2019 at 1:47 | comment | added | forest | | If your system doesn't have a good sysadmin, they won't know how to restrict root correctly. It requires more than basic system knowledge to do it. |
| Nov 18, 2019 at 1:45 | comment | added | Fis | | We can't trust that our system is maintained by a good sysadmin, right? Or that he didn't get drunk yesterday. Or trust he will never make mistakes and will be in 100% form all the time... |
| Nov 18, 2019 at 1:43 | comment | added | forest | | Changes in abilities to UID 0 are rare. Any good sysadmin will keep track of such changes before they are put in mainline. |
| Nov 18, 2019 at 1:42 | comment | added | Fis | | From my experience, if a blacklisting method is in use, usually something is forgotten. It's hard to control what is blacklisted and what is not without complete knowledge of the system. Also, any update can bring other features which are not... blacklisted. |
| Nov 18, 2019 at 1:40 | comment | added | forest | | That's not the consensus among infosec professionals who regularly deal with root restrictions, capabilities ("caps"), etc. Root is UID 0, but it need not be god. |
| Nov 18, 2019 at 1:39 | comment | added | Fis | | As I said, it's bad. Root is root; it is supposed to do anything on the system, that's it. |
| Nov 18, 2019 at 1:38 | comment | added | forest | | Well that's kind of how restrictions on root are done (whitelist, not blacklist). |
| Nov 18, 2019 at 1:37 | comment | added | Fis | | Preventing somebody from doing something. Better to prevent him from doing anything and allow just the things we want to allow him. |
| Nov 17, 2019 at 22:36 | comment | added | forest | | What is the wrong way? |
| Nov 14, 2019 at 5:09 | comment | added | Fis | | Maybe it regularly is, but it is a completely wrong way. |
| Sep 14, 2019 at 9:06 | comment | added | forest | | Let us continue this discussion in chat. |
| Sep 14, 2019 at 8:52 | history | edited | Fis | CC BY-SA 4.0 | added 18 characters in body |
| Sep 14, 2019 at 2:54 | comment | added | forest | | -1 This is incorrect. Root can be restricted, and regularly is. This doesn't answer the question. |
| Sep 13, 2019 at 21:38 | history | edited | Joseph Sible-Reinstate Monica | CC BY-SA 4.0 | clarify disabling root |
| Sep 13, 2019 at 19:11 | history | answered | Fis | CC BY-SA 4.0 | |