The default Linux securelevel is 0; raising it to 1 improves the security of the system to some degree. When securelevel is 1, the kernel prohibits changing the immutable and append-only bits of files on ext2fs file systems, and it also prohibits loading and removing modules. So we can first use chattr +i on most of the executables, dynamic link libraries and some important system files (inetd.conf, securetty, hosts.allow, hosts.deny, the rc.d scripts ...). This makes it very difficult for "hackers" to place Trojans on your machine and leave backdoors behind, even if they have already obtained root privileges. (Of course, they can still modify the files by reading and writing the hard disk directly, but that is more difficult and more dangerous.)
Once "hackers" have entered the system and obtained root, they first clear the system's log files. You can add the append-only bit to some system log files (wtmp, messages, syslog ...) so that "hackers" cannot modify them easily, which makes it easier to catch them.
The direct way to change the security level is to modify the kernel source code: set securelevel in linux/kernel/sched.c to 1. However, every change of the security level then requires recompiling the kernel; I am too lazy and don't want the trouble. Why not use a module? I wrote a very simple lkm and a client program to switch the security level.
Method: insmod lkm; clt -h;
Note: Ordinary users can also run clt to switch security levels, so it is best to add a password check in clt and lkm and refuse to execute if the password is wrong. These two programs were compiled under RedHat 5.2 (2.0.36). For the 2.2.x kernel, securelevel has become securebits, and simply changing it to 1 bans so much that ordinary users cannot even log in. If you are more familiar with 2.2.x, please enlighten me, and we will improve it.
Before testing these programs, back up important data. I am not responsible for any loss caused by running these programs.
Once securelevel = 1, the kernel will not allow modules to be loaded, so your kernel may not work properly. Access to /dev/kmem is also forbidden, so some svgalib programs, such as zgv, cannot work properly. However, these are security hazards themselves, so it does not matter much if they stop working, heh. (For questions about chattr and lsattr, please see man chattr and man lsattr.)
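To check that the chattr step described above is actually in place, the following added example (not part of the original article or its author's code) reads each file's attribute bits with the FS_IOC_GETFLAGS ioctl from current Linux headers and reports files that lack the immutable or append-only bit. The policy table and its file paths are constructed assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h>  /* FS_IOC_GETFLAGS, FS_IMMUTABLE_FL (+i), FS_APPEND_FL (+a) */

struct expect { const char *path; int want; };

/* Constructed sample policy (paths are assumptions; adjust to the system). */
static const struct expect policy[] = {
    { "/etc/inetd.conf",   FS_IMMUTABLE_FL },
    { "/etc/securetty",    FS_IMMUTABLE_FL },
    { "/etc/hosts.allow",  FS_IMMUTABLE_FL },
    { "/etc/hosts.deny",   FS_IMMUTABLE_FL },
    { "/var/log/wtmp",     FS_APPEND_FL },
    { "/var/log/messages", FS_APPEND_FL },
};

/* Read the attribute bits that lsattr displays; 0 on success, -1 on error. */
int get_attr_flags(const char *path, int *flags)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    int rc = ioctl(fd, FS_IOC_GETFLAGS, flags);
    close(fd);
    return rc < 0 ? -1 : 0;
}

/* Which of the wanted protection bits are absent from `have`? */
int missing_flags(int have, int want)
{
    return want & ~have & (FS_IMMUTABLE_FL | FS_APPEND_FL);
}

/* Returns how many policy entries are unprotected or could not be checked. */
int audit(const struct expect *p, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        int have = 0, miss;
        if (get_attr_flags(p[i].path, &have) < 0) {
            printf("UNKNOWN  %s (flags unreadable)\n", p[i].path);
            bad++;
            continue;
        }
        miss = missing_flags(have, p[i].want);
        printf("%-8s %s\n", miss ? "MISSING" : "ok", p[i].path);
        if (miss) bad++;
    }
    return bad;
}

int main(void)
{
    return audit(policy, sizeof policy / sizeof policy[0]) ? 1 : 0;
}
```

The check needs only read access to each file; files that are absent, unreadable, or on a file system without these attributes are reported as UNKNOWN and counted as failures.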
/**************************************************************/
/* Simple lkm to secure Linux.
 * This module can be used to change the securelevel of Linux.
 * Running the client will switch the securelevel.
 *
 * gcc -O3 -Wall -c lkm.c
 * insmod lkm
 *
 * It is tested in RedHat 5.2 (2.0.36).
 * (It should be modified if you want to run it in 2.2.x kernel).
 * It is really us, but we just for educational purposes. :-)
 *
 * WARNING3@hotmail.com
 */
#define MODULE
#define __KERNEL__
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>

/* Unused system call slot taken over by this module. */
#define __NR_secureswitch 250

extern void *sys_call_table[];
extern int securelevel;    /* defined in linux/kernel/sched.c */

/* New system call: set securelevel to 0 or 1 and return the current level. */
int sys_secureswitch(int secure)
{
    if (secure == 0) securelevel = 0;
    if (secure == 1) securelevel = 1;
    return securelevel;
}

/* Install the handler in the system call table when the module is loaded. */
int init_module(void)
{
    sys_call_table[__NR_secureswitch] = (void *) sys_secureswitch;
    return 0;
}

/* Clear the slot again when the module is removed. */
void cleanup_module(void)
{
    sys_call_table[__NR_secureswitch] = NULL;
    return;
}
/************** clt.c ****************************************/
/*
 * This client can switch the secure level of Linux.
 *
 * gcc -O3 -Wall -o clt clt.c
 * Usage: clt -h/-l
 *   -h switch to the high secure level.
 *   -l switch to the low secure level.
 *
 * Most of codes are ripped from smiler@Tasam.com, thanks smiler. :)
 * WARNING3@hotmail.com
 */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <linux/unistd.h>

#define __NR_secureswitch 250

/* Generates secureswitch(), a stub that invokes system call 250. */
static inline _syscall1(int, secureswitch, int, command);

int main(int argc, char **argv)
{
    int ret, level = 0;

    if (argc < 2)
    {
        fprintf(stderr, "Usage: %s [-h/-l]\n", argv[0]);
        exit(-1);
    }
    /* -h selects level 1, -l keeps level 0; anything else is an error. */
    if (argv[1][1] == 'h') level++;
    else if (argv[1][1] != 'l')
    {
        fprintf(stderr, "Usage: %s [-h/-l]\n", argv[0]);
        exit(-1);
    }
    ret = secureswitch(level);
    /* A negative result means the system call slot is empty. */
    if (ret < 0)
        printf("Hmmm... it seems our lkm hasn't been loaded. ;-)\n");
    else {
        if (ret == 0) {
            puts("Now the secure level is changed to 0!\n");
        } else {
            puts("Now the secure level is changed to 1!\n");
        }
    }
    return (1);
}