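Raising the Linux security level

The default Linux security level is 0. Raising it to 1 improves system security to a certain extent. At security level 1 the kernel forbids changing the immutable and append-only bits of files on ext2fs file systems, and it also forbids loading and removing modules. So we can first use chattr +i <file> to set the immutable bit on most executables, shared libraries and some important system files (inetd.conf, securetty, hosts.allow, hosts.deny, the startup scripts under rc.d ...). That makes it hard for a "hacker" to plant trojans and leave backdoors on your machine, even if he has already obtained root privileges. (The files can of course still be modified by reading and writing the hard disk directly, but that is rather troublesome and risky.)

Once "hackers" get into a system and obtain root, the first thing they do is wipe the system log files. You can set the append-only bit on some system log files (wtmp, messages, syslog ...) so that "hackers" cannot easily modify them. Catching them then becomes much easier. :-)
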
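An added example, not part of the original article: a small C audit that checks whether files actually carry the immutable or append-only bit described in the two paragraphs above. It assumes a current Linux with <linux/fs.h> (FS_IOC_GETFLAGS, the ioctl lsattr uses); the policy table is constructed from the file names the article mentions, and the /etc and /var/log locations are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h> /* FS_IOC_GETFLAGS, FS_IMMUTABLE_FL, FS_APPEND_FL */

enum { WANT_IMMUTABLE, WANT_APPEND };
enum { FLAG_OK, FLAG_MISSING, FLAG_UNREADABLE };
struct rule { const char *path; int want; };

/* Constructed policy: names from the article, directory paths assumed. */
static const struct rule policy[] = {
    {"/etc/inetd.conf", WANT_IMMUTABLE}, {"/etc/securetty", WANT_IMMUTABLE},
    {"/etc/hosts.allow", WANT_IMMUTABLE}, {"/etc/hosts.deny", WANT_IMMUTABLE},
    {"/var/log/wtmp", WANT_APPEND}, {"/var/log/messages", WANT_APPEND},
};

/* Pure decision: is the required bit present in the inode flags? */
int flag_status(int want, int flags) {
    int bit = (want == WANT_IMMUTABLE) ? FS_IMMUTABLE_FL : FS_APPEND_FL;
    return (flags & bit) ? FLAG_OK : FLAG_MISSING;
}

/* Read the inode flags the way lsattr does; 0 on success, -1 on error. */
int read_flags(const char *path, int *flags) {
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    int rc = ioctl(fd, FS_IOC_GETFLAGS, flags);
    close(fd);
    return rc < 0 ? -1 : 0;
}

/* A missing file or a file system without flag support is reported
 * separately, so it is never mistaken for a protected file. */
int audit(const struct rule *r) {
    int flags = 0;
    if (read_flags(r->path, &flags) < 0)
        return FLAG_UNREADABLE;
    return flag_status(r->want, flags);
}

int main(void) {
    static const char *msg[] = {"ok", "FLAG MISSING", "unreadable"};
    int bad = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        int st = audit(&policy[i]);
        printf("%-20s %s\n", policy[i].path, msg[st]);
        bad += (st != FLAG_OK);
    }
    return bad ? 1 : 0; /* non-zero exit when any file lacks its flag */
}
```
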
Ð޸ݲȫµÈ¼¶±È½ÏÖ±½ÓµÄ°ì·¨ÊÇÖ±½ÓÐÞ¸ÄÄÚºËÔ´Âë.½«linux/kernel/sched.cÖеÄ
securelevelÉè³É1¼´¿É.²»¹ýÈç¹ûÒª¸Ä±ä°²È«µÈ¼¶µÄ»°ÐèÒªÖØбàÒëÄÚºË,ÎÒÌ«ÀÁ,²»ÏëÄÇ
ôÂé·³.:-)
Ϊʲô²»ÓÃmoduleÄØ?ÎÒдÁ˸öºÜ¼òµ¥µÄlkmºÍÒ»¸öclient³ÌÐòÀ´Íê³É°²È«µÈ¼¶µÄÇл».
·½·¨: insmod lkm; clt -h; ¡¡
×¢Òâ:ÆÕͨÓû§Ò²¿ÉÒÔÖ´ÐÐcltÀ´Çл»°²È«µÈ¼¶,ËùÒÔ×îºÃÊÇÔÚcltºÍlkmÖмӶÎÃÜÂë¼ì²é,
Èç¹ûÃÜÂë²»¶Ô¾Í²»ÔÊÐíÖ´ÐÐ.:-)
ÕâÁ½¸ö³ÌÐòÔÚRedhat 5.2(2.0.36)ϱàÒëÔËÐÐͨ¹ý.¶ÔÓÚ2.2.xµÄÄÚºË,securelevel
±ä³ÉÁËsecurebits,¼òµ¥µÄ½«Ëü¸Äµ½1,»áÁ¬setuid()¶¼±»½ûÖ¹ÁË,ÕâÑùÆÕͨÓû§¾Í²»ÄÜ
µÇ½ÁË.Èç¹û˶Ô2.2.x±È½ÏÊìϤ,Çë²»ÁߴͽÌ,¹²Í¬Ìá¸ßÂï.:)
<ÔÚ²âÊÔÕâЩ³ÌÐòÒÔÇ°,Ç뱸·ÝÖØÒªÊý¾Ý.±¾È˲»ÎªÔËÐд˳ÌÐò´øÀ´µÄÈκÎËðʧ¸ºÔð.>
(Ò»µ©securelevel=1,kernel½«²»ÔÊÐí×°Èëmodlue,ËùÒÔÄãµÄkerneld¿ÉÄܲ»ÄÜÕý
³£¹¤×÷£¬¶øÇÒ½ûÖ¹Äã·ÃÎÊ/dev/kmem,ËùÒÔÓÐЩÓõ½svgalibµÄ³ÌÐòÒ²²»ÄÜÕý³£¹¤×÷
£¬ÏózgvʲôµÄ¡£²»¹ýÕâ±¾À´¾ÍÊÇ°²È«Òþ»¼£¬ËùÒÔ²»¹¤×÷¾Í²»¹¤×÷ºÃÁË£¬ºÇºÇ)
(¹ØÓÚchattr,lsaddrÇëman chattrºÍman lsattr)
warning3@hotmail.com
/**************************** lkm.c ********************************/
/* Simple lkm to secure Linux.
* This module can be used to change the securelevel of Linux.
* Running the client will switch the securelevel.
*
* gcc -O3 -Wall -c lkm.c
* insmod lkm
*
* It is tested in Redhat 5.2 (2.0.36).
* (It should be modified if you want to run it in 2.2.x kernel).
* It is really very simple,but we just for educational purposes.:-)
*
* warning3@hotmail.com
*/
#define MODULE
#define __KERNEL__

#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/fs.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/proc_fs.h>
#include <asm/segment.h>
#include <asm/unistd.h>
#include <linux/dirent.h>
#include <linux/sockios.h>
#include <linux/if.h>

/* Unused syscall slot claimed for the switch */
#define __NR_secureswitch 250

extern void *sys_call_table[];

/* New syscall: set securelevel to 0 or 1 and return the current value.
 * There is no check on the caller, so any user can switch the level. */
int sys_secureswitch(int secure)
{
    if (secure == 0)
        securelevel = 0;
    if (secure == 1)
        securelevel = 1;
    return securelevel;
}

/* Install the handler in the syscall table on insmod */
int init_module(void)
{
    sys_call_table[__NR_secureswitch] = (void *)sys_secureswitch;
    return 0;
}

/* Clear the slot again on rmmod */
void cleanup_module(void)
{
    sys_call_table[__NR_secureswitch] = NULL;
    return;
}
/************************ clt.c **************************/
/*
 * This client can switch the secure level of Linux.
 *
 * gcc -O3 -Wall -o clt clt.c
 * Usage: clt -h/-l
 *   -h switch to the high secure level.
 *   -l switch to the low secure level.
 *
 * Most of codes are ripped from smiler@tasam.com,thanks smiler.:)
 * warning3@hotmail.com
 */
#include <asm/unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define __NR_secureswitch 250

/* Generates the secureswitch() stub for syscall 250 */
static inline _syscall1(int, secureswitch, int, command);

int main(int argc, char **argv)
{
    int ret, level = 0;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s [-h/-l]\n", argv[0]);
        exit(-1);
    }

    /* Check the dash first so argv[1][1] is never read past the end */
    if (argv[1][0] == '-' && argv[1][1] == 'h')
        level++;
    else if (argv[1][0] != '-' || argv[1][1] != 'l') {
        fprintf(stderr, "Usage: %s [-h/-l]\n", argv[0]);
        exit(-1);
    }

    ret = secureswitch(level);

    if (ret < 0) {
        /* The syscall slot is empty: the module is not loaded */
        printf("Hmmm...It seemed that our lkm hasn't been loaded.;-)\n");
        return 1;
    }
    if (ret == 0) {
        puts("Now the secure level is changed to 0!\n");
    } else {
        puts("Now the secure level is changed to 1!\n");
    }
    return 0;
}