http://www.ranum.com/security/computer_security/editorials/dumb/ explained in detail that filtering badness is a dumb idea, so if we wanted to build a linux antivirus software, we would need a whitelist of programs that would be allowed to execute. We can easily use the rpm database for that. But what is missing, is a mechanism through that the kernel would check before executing $binary if it is OK to run it. There are security modules like apparmor and selinux - maybe parts of those can be used for this purpose? Otherwise we can learn from their implementation.
We need to research open questions about how to handle scripts, home dirs, USB sticks etc... What about modified system binaries (rpm -qfV $binary tells) ?
bmwiedemann is dropping this project with the recommendation of mount -o noexec,nodev /home and such classic methods. You cannot forbid interpreters like bash anyway.
Looking for mad skills in:
Nothing? Add some keywords!
This project is part of:
Hack Week 15
This project is one of its kind!