From: Amon Ott <ao@rsbac.org>
Subject: Re: general questions
Date: Thu, 16 Aug 2001 09:59:08 +0200
Next Article (by Date): v1.1.1 and 2.4.8 Amon Ott
Previous Article (by Date): RE: general questions Jörgen_Sigvardsson
Top of Thread: general questions Justus Pendleton
On Wed, 15 Aug 2001 Fabrice MARIE wrote:
> On Wednesday 15 August 2001 10:51, Amon Ott wrote:
> > [...]
> > > I was also looking at the malware scanner. I think it is a pretty
> > > nifty idea but I was thinking it would be even better if it could act
> > > like tripwire. Like generate a SHA-1 hash of the executable and then
> > > check it against a database. If the hash doesn't match the expected
> > > result then kill the program and notify the user. I'm not sure how
> > > easy it would be to put SHA-1 in the kernel (well, pretty easy if you
> > > have the international kernel patch, I guess) or how easy it would be
> > > to have a decent database lookup in the kernel.
> > Jörgen meant to implement this scheme as an RSBAC module, but I have not
> > looked into any code yet.
>
> It would be a good feature to have, but it would most probably
> make the system crawl, unless like tripwire, it runs once periodically.
> However, this defeats the purpose of having it in the kernel...
> What do you guys think?

No, it could actually be pretty fast, like the MS scanning:

- Set a checksum as attribute value for all binaries (access controlled, of
  course).
- Check program once, cache the result and invalidate on all write accesses.
  Only few write accesses are to be expected for binaries.
- Of course, a default policy 'allow' or 'deny' must be applied for all
  binaries without checksum.

Taking the MS module as a basis, implementation could be done in a few days. I
will put it into the 1.2.0 to do list as a maybe.

Amon.
-
To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
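
The scheme outlined in the reply above (checksum attribute, check once, cache the result, invalidate on write, default policy for binaries without checksum), as an added user-space Python model that is not part of the original mail and not RSBAC code. The `ExecGate` class, its method names, the in-memory file store and the use of SHA-256 in place of the SHA-1 suggested in the thread are assumptions made for illustration.

```python
import hashlib

class ExecGate:
    """User-space model: checksum attribute, cached verdict,
    invalidation on write, default policy for unlabelled binaries."""

    def __init__(self, default_allow=False):
        self.files = {}      # path -> content (stands in for the filesystem)
        self.checksum = {}   # path -> expected digest (the protected attribute)
        self.verdict = {}    # path -> cached result of the last check
        self.default_allow = default_allow
        self.hash_runs = 0   # how many times a binary was actually hashed

    def _digest(self, path):
        self.hash_runs += 1
        return hashlib.sha256(self.files[path]).hexdigest()

    def label(self, path):
        """Administrator action: record the current content as trusted."""
        self.checksum[path] = self._digest(path)
        self.verdict.pop(path, None)

    def write(self, path, data):
        """Any write access drops the cached verdict, never the attribute."""
        self.files[path] = data
        self.verdict.pop(path, None)

    def may_exec(self, path):
        if path not in self.checksum:
            return self.default_allow          # no checksum: default policy
        if path not in self.verdict:           # first exec, or first after a write
            self.verdict[path] = self._digest(path) == self.checksum[path]
        return self.verdict[path]

def demo():
    # All paths and file contents below are constructed sample data.
    gate = ExecGate(default_allow=False)
    gate.write("/bin/ls", b"constructed ls image")
    gate.write("/tmp/tool", b"constructed unlabelled image")
    gate.label("/bin/ls")
    gate.hash_runs = 0
    first = [gate.may_exec("/bin/ls") for _ in range(1000)]
    runs_cached = gate.hash_runs               # hashed once, then served from cache
    gate.write("/bin/ls", b"constructed modified image")
    after_write = gate.may_exec("/bin/ls")     # re-hashed, mismatch, denied
    return all(first), runs_cached, after_write, gate.may_exec("/tmp/tool")

if __name__ == "__main__":
    print(demo())
```

The model keeps the attribute unchanged on write, so a modified binary stays denied until it is relabelled; that only holds if writes to the attribute itself are access controlled, as the first bullet requires.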