Wolfjmt (Newt)
Posts: 3, Join date: 2010-08-10
Subject: Security, Tue Aug 10, 2010 8:47 am

Hi all
I am new to Linux, I have worked on it a little before (on Redhat 8), but still consider myself a novice and SUSE is completely new to me.
I was told that there are settings that can be applied to the SUSE system that will remove (delete) a specific folder on the system if a threat is detected - see example below.
If the "root" user password is reset through the single user mode (using the passwd function); will the setup (or settings on SUSE 11) automatically remove an "encrypted" (specific) folder and uninstall software?
My questions are as follows: is the above possible? And can it somehow be revised?
Thanks in advance to any and everybody that can help. Johann
bozo (Admin)
Posts: 402, Join date: 2010-02-23, Location: Way out in the sticks in the Gold Country of California
Subject: Re: Security, Tue Aug 10, 2010 10:23 am

First of all, welcome to SuseUnbound, Wolfjmt! Hope you'll stick around. Things are a little slow right now, but we have folks here (not me! I'm just the forum jester) that have years of experience and tons of knowledge in Linux in general and Open Suse in particular. Plus it's a friendly kind of place if you just want to chew the fat a little. As to your question, I've never heard of this function, but it wouldn't surprise me if someone has written a program to do such a thing. You might take a look at the Packman repository, or search Sourceforge for such an application. Someone here may drop in and give you a more definitive answer to your question, so check back a few times over the next week or so; not everyone checks in every day. Again welcome, and looking forward to hearing from you again. Let us know if you find an application that works for you in case someone else has the same need.
Edit: After thinking for a moment, this sounds like something that could be done with a fairly simple script, but I'm not good enough to write one off the top of my head. You could even include running a shredder after deletion, if you're requiring that level of security. I'm sure we've got several folks that could do that if so inclined, so check back.
bdquick (Admin)
Posts: 583, Join date: 2010-02-22, Age: 45, Location: Central Iowa
Subject: Re: Security, Tue Aug 10, 2010 8:19 pm

I've not heard of this either, but it does sound possible. There would be ways of detecting failed login attempts on a certain account, and these should be able to trigger events like running a script. It might also be a program that a person wrote for their own use.
FeatherMonkey (Old Regular)
Posts: 41, Join date: 2010-02-25
Subject: Re: Security, Wed Aug 11, 2010 5:11 am

Certainly on 11.3, and I thought earlier, runlevel 1 prompts for the root password.
Anyway, this is a moot point. Why? Well, even if you do manage it (I looked at apparmor to see if it could enforce a policy in regards to runlevel; I suspect it may be possible if apparmor calls a profile from /etc/init.d/. Also I wondered about pam but didn't look, due to the next point). The point is, even though init 1 asks for a password, /bin/bash wouldn't (just checked 11.3), and that, I would imagine, would be a complicated profile if even possible. Then the other thing is, what's to stop someone chrooting in? How would this be detected?
The only way I can see is if pam and apparmor can (and maybe even alongside, or instead) you would need to wrap a wrapper around /bin/passwd. This would also need to be obfuscated, or better still a binary (otherwise you would simply read where the proper binary is being called from). This would need to check the runlevel before executing, and this fails with /bin/bash as checking it reports 3 and 6.
So the short story: it may be possible using pam, apparmor or a wrapper, but it is easily defeated or extremely complicated to enforce, if even possible.
Edit: Sounds way easier to use a grub password IMHO
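Added example, not code from any post in this thread: a small POSIX sh audit check that classifies a kernel command line (the place where init=/bin/bash or a runlevel 1 boot is requested) so an early boot script can log when the normal login path was skipped. The sample command lines and the function names are constructed for illustration; on a real host the input would be read from /proc/cmdline.

```shell
#!/bin/sh
# Classify a kernel command line for audit purposes.
# Constructed example: on a live system call audit_boot "$(cat /proc/cmdline)".

classify_cmdline() {
    # $1: the kernel command line as one string
    # prints one of: init-override, single-user, normal
    _result=normal
    for tok in $1; do
        case "$tok" in
            init=*)
                # init= replaces /sbin/init, so the runlevel 1 password
                # prompt never runs; the stock init is the only exception
                case "$tok" in
                    init=/sbin/init) ;;
                    *) _result=init-override ;;
                esac ;;
            single|S|s|1|emergency)
                # explicit single-user / emergency runlevel request
                [ "$_result" = normal ] && _result=single-user ;;
        esac
    done
    printf '%s\n' "$_result"
}

audit_boot() {
    # $1: command line; returns 0 for a normal boot, 1 when the login
    # path was bypassed, printing a line suitable for syslog/logger
    mode=$(classify_cmdline "$1")
    if [ "$mode" = normal ]; then
        return 0
    fi
    printf 'boot-audit: login bypassed (%s): %s\n' "$mode" "$1"
    return 1
}

# Constructed sample command lines (not taken from any real host)
NORMAL_CMDLINE="root=/dev/sda2 resume=/dev/sda1 splash=silent quiet vga=0x314"
SINGLE_CMDLINE="root=/dev/sda2 splash=silent quiet single"
BASH_CMDLINE="root=/dev/sda2 splash=silent quiet init=/bin/bash"
```

Note that this only records the bypass in the audit trail; as the post says, it cannot stop someone with physical access, which is what the grub password is for.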
Wolfjmt (Newt)
Posts: 3, Join date: 2010-08-10
Subject: Re: Security, Wed Aug 11, 2010 5:33 am

Hi FeatherMonkey
Thanks for the info, so it may happen but is improbable.
So if I lost the root password - and used the /bin/bash command to enter into the single user mode, then used the passwd command to reset the password - all the information on the system would normally be there - correct?
Sorry for confusing the process, but the previous administrator said that this is the case and that I thus deleted all the data off the system - I personally think he removed the data and was hoping nobody would notice it, as all the staff (IT staff) started leaving the company.
FeatherMonkey (Old Regular)
Posts: 41, Join date: 2010-02-25
Subject: Re: Security, Wed Aug 11, 2010 5:48 am

Yes, using init=/bin/bash gets you into the system; it won't decrypt anything though. The only way to decrypt is via the prompt for the correct password (and this is highly unlikely to be crackable beyond bruteforce).
I really can't see why even a competent admin would write a profile or wrapper around /bin/passwd. Not to mention this is a moot point, as a competent admin would know there are ways around it.
The other stuff about removing stuff also stinks like a dead rat IMO. No admin worth his salt would allow a script/binary/profile to remove stuff (in forensics you do nothing; you try to get a snapshot of the running server after pulling the network). Not to mention, if a competent admin had actually achieved this you would have an audit trail to follow.
Wolfjmt (Newt)
Posts: 3, Join date: 2010-08-10
Subject: Re: Security, Wed Aug 11, 2010 5:53 am

Haha, thanks for confirming my thought and thanks for all the help and responding so quickly.
FeatherMonkey (Old Regular)
Posts: 41, Join date: 2010-02-25
Subject: Re: Security, Wed Aug 11, 2010 6:05 am

No problem -- though I would like to add I'm no competent admin, just a curious individual, but were I a competent Admin I would have a good audit trail, probably via good usage of sudo. A good backup policy, and I certainly would trust that the encryption method and password I had chosen were good enough to do the job.