Actually, a defense here is to umount the path then remount it as a part of
running the Aide script. There may be an end-run to this as well- security is a
never-ending battle.
________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Leroy Tennison
<leroy at datavoiceint.com>
Sent: Thursday, November 14, 2019 1:20 PM
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] how to know when a system is compromised
<sigh> Thanks - I'll keep that in mind...
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com
[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com<http://www..com>
This message has been sent on behalf of a company that is part of the Harris
Operating Group of Constellation Software Inc.
If you prefer not to be contacted by Harris Operating Group please notify
us<http://subscribe.harriscomputer.com/>.
This message is intended exclusively for the individual or entity to which it is
addressed. This communication may contain information that is proprietary,
privileged or confidential or otherwise legally exempt from disclosure. If you
are not the named addressee, you are not authorized to read, print, retain, copy
or disseminate this message or any part of it. If you have received this message
in error, please notify the sender immediately by e-mail and delete all copies
of the message.
________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Chris Adams
<linux at cmadams.net>
Sent: Thursday, November 14, 2019 10:57 AM
To: centos at centos.org <centos at centos.org>
Subject: [EXTERNAL] Re: [CentOS] how to know when a system is compromised
Once upon a time, Leroy Tennison <leroy at datavoiceint.com>
said:> The executable could be placed on mounted read-only media
That's not as secure as you think. Linux bind mounts can mount a file
over another file (plus there's overlay filesystems), so it's possible
to replace a binary even on a read-only device.
--
Chris Adams <linux at cmadams.net>
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com
[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]
2220 Bush Dr
McKinney, Texas
75070
https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.datavoiceint.com&c=E,1,2WCvbSNJvmqaxEcIPqawoTvGCYMAZT8KKulxxbmjkGLa2NyJ5IO_EL51Q21yyoZLhvJczf6IGyKITC8kW5WKMrP4AYTtFLWcu5R1E3VMstTAfGRFhCRv0w,,&typo=1<http://www..com>
This message has been sent on behalf of a company that is part of the Harris
Operating Group of Constellation Software Inc.
If you prefer not to be contacted by Harris Operating Group please notify
us<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fsubscribe.harriscomputer.com%2f&c=E,1,bJ-3jUtOeY3WPfKHckYn-Ynl3cYkeINegX0H-YsrIDlgsWb1g8GzM6JCS3rmWWxVwOPgOf_AMxvsKjsW_iVVobRWFKpTzsvz4Bfhlu5s&typo=1>.
This message is intended exclusively for the individual or entity to which it is
addressed. This communication may contain information that is proprietary,
privileged or confidential or otherwise legally exempt from disclosure. If you
are not the named addressee, you are not authorized to read, print, retain, copy
or disseminate this message or any part of it. If you have received this message
in error, please notify the sender immediately by e-mail and delete all copies
of the message.
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos