Actually, a defense here is to umount the path then remount it as a part of running the Aide script. There may be an end-run to this as well - security is a never-ending battle.
________________________________
From: CentOS <[email protected]> on behalf of Leroy Tennison <[email protected]>
Sent: Thursday, November 14, 2019 1:20 PM
To: CentOS mailing list <[email protected]>
Subject: Re: [CentOS] how to know when a system is compromised

<sigh> Thanks - I'll keep that in mind...

Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: [email protected]
2220 Bush Dr
McKinney, Texas 75070
www.datavoiceint.com

________________________________
From: CentOS <[email protected]> on behalf of Chris Adams <[email protected]>
Sent: Thursday, November 14, 2019 10:57 AM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: [CentOS] how to know when a system is compromised

Once upon a time, Leroy Tennison <[email protected]> said:
> The executable could be placed on mounted read-only media

That's not as secure as you think. Linux bind mounts can mount a file over another file (plus there's overlay filesystems), so it's possible to replace a binary even on a read-only device.
--
Chris Adams <[email protected]>
_______________________________________________
CentOS mailing list
[email protected]
https://lists.centos.org/mailman/listinfo/centos
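
Added example, not part of the original thread: one way to look for the file-level bind mounts and overlay filesystems Chris Adams describes is to parse /proc/self/mountinfo for mounts that sit on or above the binary's path. The sample mount table, the paths /mnt/ro and /mnt/ro/bin/aide, and all function names are constructed for illustration.

```python
import os

# Constructed mountinfo sample: /mnt/ro is read-only media, and a single
# file from the root filesystem has been bind-mounted over a binary on it.
SAMPLE = """\
22 1 8:1 / / rw,relatime shared:1 - xfs /dev/sda1 rw
45 22 11:0 / /mnt/ro ro,relatime shared:2 - iso9660 /dev/sr0 ro
61 45 8:1 /tmp/aide /mnt/ro/bin/aide rw,relatime shared:1 - xfs /dev/sda1 rw
70 22 0:40 / /opt/tools rw,relatime - overlay overlay rw,lowerdir=/a,upperdir=/b,workdir=/c
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mountinfo(text):
    """Return mounts in table order as dicts (root, mount_point, fstype, source)."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")  # a lone "-" ends the optional fields
        f, (fstype, source) = left.split(), right.split()[:2]
        mounts.append({"root": _unescape(f[3]), "mount_point": _unescape(f[4]),
                       "fstype": fstype, "source": source})
    return mounts

def suspicious_mounts(path, expected_mount, mounts):
    """Flag mounts covering `path` other than the single expected media mount."""
    path, expected_mount = os.path.normpath(path), os.path.normpath(expected_mount)
    hits, seen_expected = [], 0
    for m in mounts:
        mp = m["mount_point"]
        if path != mp and not path.startswith(mp.rstrip("/") + "/"):
            continue  # this mount does not cover the path
        if m["fstype"] == "overlay":
            hits.append(("overlay", mp))
        elif len(mp) > len(expected_mount):
            hits.append(("shadow", mp))   # bind mount on the file or a subdirectory
        elif mp == expected_mount:
            seen_expected += 1
            if seen_expected > 1:
                hits.append(("stacked", mp))  # second mount on top of the media
    return hits

if __name__ == "__main__":
    for reason, mp in suspicious_mounts("/mnt/ro/bin/aide", "/mnt/ro", parse_mountinfo(SAMPLE)):
        print(reason, mp)
```

On a live host, pass the contents of /proc/self/mountinfo to parse_mountinfo(); the result reflects only the mount namespace of the process that reads it.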

