Prevent file from being rewritten at all cost. Help?

Hi,

Imagine you want your family not to look at family-unfriendly websites, with the help of OpenDNS.

I am already intercepting all the DNS requests (on the AP) and replacing them with OpenDNS, but that won't stop them if they can simply VPN away, and I can't block VPN because I need it too.

Family members have root access on their machines, and my thought is to somehow lock down /etc/resolv.conf and other crucial configs; the problem is that they can unlock it with chattr -i and change it with root permissions.

Is there a way to somehow deadlock a few files so that they could not be modified on the filesystem from the currently booted operating system?

My thought was to implement some watchdog/module that would kill the kernel if the file was touched by any means.

Then you can't do anything on the local system. You could intercept DNS requests via your router (if it allows it), but that won't help if the user starts using a VPN.


(moving from #general-discussion:rants-and-raves to #technical-issues-and-assistance)

I am already doing that. What I am looking for is to somehow make the OS dependent on a read-only file. What if the files reside on a read-only filesystem? If the system crashed when an attempt was made, that would deter them.

Isn't it easier to set their users as Standard and replace the root password so only you know it, and remove any VPN software and the ability to install it?

Yes, but not what I am looking for. I need them to have it sometimes (don't question the motive), I just want to deny all DNS servers except this one.

Killing the system if file changed would make me happy.

I can't imagine encryption would help me here.

Setting a DNS server is not the same as filtering traffic at the router. Anything you do on the local machine can be undone by anyone with root access, hence you need to control it via something they don't have root access on.

But, as I said, you can't easily prevent them from using a VPN - unless you run a full firewall appliance like pfSense.

You can provide sudo access to certain commands rather than the whole system. Might be worth looking at.


That watchdog would need a watchdog too, if they have root access, even for a remote kill command the solution would be to turn off networking, make the modifications and then connect to VPN ...

I know, I am filtering everything on port 53 to OpenDNS.

Then I guess it's killing off all current VPN solutions I know of, then. All other solutions mentioned here are not for me to do.

I just thought there must be a way to freeze a few files; I believe even a few security guys would need such a thing sometimes.

Then how would setting a file read-only help more?

Root access = root access. Unless you're making physical changes to the hardware, root access is... root access.

Plus you can run VPNs in user-space which you can't do anything about as the system admin. These will even tunnel DNS so even if you somehow could lock down certain files locally it wouldn't make a difference, and even then there are web-based proxy servers. Or you access the sites directly via IP address.

The only way to control internet access is to control the network connection itself, which needs a beefy and invasive firewall with e.g. SPI and DPI, and then you have to MITM the connection to decrypt the payload.

If you're going to these lengths maybe you just need to have a conversation with this person and set some rules about acceptable internet usage...

You even might limit use to a single PC in a public area instead of e.g. providing laptops to be used in bedrooms.


I give up.

Root is god.

As was said before, root access is root access: if they have root access then they can change things. However, I believe you could do change detection, i.e. check if the file was changed; then you are notified and can lay down the law.

You would need to create a script on a SAFE machine that SSHs into the machines regularly to check the /etc/resolv.conf file. I would have it record things like:

  • sha384sum
  • time of birth (%x using stat)
  • time of last modification (%y using stat)
  • inode number (%i using stat)
  • maybe time of last status change (%z using stat); I'm not sure if that will be updated by access.

You might also need to collect modification information on the /etc directory. I'm not sure; you would have to check what happens if someone renames resolv.conf then renames it back. You need to make sure you can detect that.

If the data has changed then it alerts you.

If I were trying to get around your restrictions, I might create a custom version of /usr/bin/sha384sum and /usr/bin/stat that reported the correct values for /etc/resolv.conf. So to be safe the script might need to bring over its own version of sha384sum to run on /usr/bin/sha384sum and /usr/bin/stat, just to make sure those weren't monkeyed with...

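A concrete shape for the checking script described in the answer above, as an added example that is not from the thread: it records the content hash and the stat fields, compares them with a saved baseline, and hashes the stat and sha384sum binaries themselves so a replaced tool can be spotted against known-good values kept on the trusted machine. It assumes GNU coreutils on the monitored machine; the `TRUSTED_SUM` variable and the `family-pc` hostname are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: fingerprint a config file the way the
# answer above lists (content hash plus stat metadata) and compare it against a
# baseline recorded earlier. Assumes GNU coreutils (sha384sum, stat).
# The trusted machine would push and run this over ssh, e.g.
#   ssh family-pc 'sh -s' < check.sh        (hostname is a placeholder)

# Path of a sha384sum binary you trust; point it at a copy you brought along
# (scp) so a tampered /usr/bin/sha384sum cannot vouch for itself. Defaults to
# the system one for this stand-alone run.
SUM="${TRUSTED_SUM:-sha384sum}"

# fingerprint FILE: one line "sha384|inode|birth|mtime|ctime".
# %i inode, %w birth ("-" if the filesystem does not record it),
# %y last data modification, %z last status change. A rename-and-rename-back
# keeps the content and inode but bumps ctime, which is why %z is included.
fingerprint() {
    f="$1"
    [ -e "$f" ] || { echo "MISSING"; return 1; }
    sum=$("$SUM" -- "$f" | cut -d' ' -f1)
    meta=$(stat -c '%i|%w|%y|%z' -- "$f")
    printf '%s|%s\n' "$sum" "$meta"
}

# tool_fingerprint: hashes of the stat and sha384sum binaries on this host,
# for comparison with known-good values kept on the trusted machine.
tool_fingerprint() {
    for t in stat sha384sum; do
        p=$(command -v "$t") || return 1
        "$SUM" -- "$p" | cut -d' ' -f1
    done
}

# check_unchanged FILE BASELINE: 0 if the current fingerprint equals the stored one.
check_unchanged() {
    cur=$(fingerprint "$1") || return 1
    [ "$cur" = "$(cat "$2")" ]
}

# Stand-alone demo on a constructed file (never touches the real /etc/resolv.conf).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); base=$(mktemp)
    printf 'nameserver 192.0.2.53\n' > "$tmp"      # constructed content
    fingerprint "$tmp" > "$base"
    printf 'nameserver 192.0.2.99\n' > "$tmp"      # simulate an edit
    check_unchanged "$tmp" "$base" && echo "unchanged" || echo "CHANGED: $tmp"
    rm -f "$tmp" "$base"
fi
```

Run it once to write the baseline to a file kept on the trusted side, then run the check on every visit and alert when it returns non-zero.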

That's quite clever I will think about this and adopt something similar.
