Given the following scenario, how do we ensure detection?
- No network logging
- Verification binary replaced
- rpm changed so that a local rpm -V hides detection
- Files changed such that an external rpm's -V hides detection
- Scrubbing logged events of the above (so that logging in and yum.log are silent (yum detects when the rpmdb changed without yum and yum logs any changes it makes))
With local root, this is all possible.
The first step that I can see is to add expected log messages. Every X minutes a new log message is made with a specific message. The attacker can no longer just nuke the end of the log because then expected messages are missing.
Now the attacker must rewrite the logs. I don't know how to prevent this and it is probably impossible (as root can write whatever they want). It's a higher barrier to go undetected. Given that there are those who will go to varying lengths to attack your systems, how many attackers does the higher barrier deter who weren't deterred before? Obviously, there are those that don't care and will go to *any* lengths, so we can't win them all.
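As an added illustration of the "expected log messages" idea above (example code, not from the original post), here is an auditor for periodic canary entries; it goes slightly beyond the post by giving each marker a sequence number, so entries removed from the middle of the log are caught as well as a truncated tail. The marker format, the ten-minute interval and the sample log lines are constructed assumptions.

```python
"""Detect removed log heartbeats.

Assumed setup: a marker line 'LOGCANARY seq=N' is appended to the log every
INTERVAL minutes (e.g. by a cron job). The auditor checks that every sequence
number between the first and last marker is present and how many markers are
overdue at audit time. Missing numbers mean edited logs; overdue markers at
the end mean the tail was cut (or the job was stopped).
"""
from datetime import datetime, timedelta
import re

INTERVAL = timedelta(minutes=10)  # assumed heartbeat period ("every X minutes")
MARKER = re.compile(r"^(\S+) \S+ logcanary: LOGCANARY seq=(\d+)$")

# Constructed sample log: the seq=3 marker and everything after seq=5 were removed.
SAMPLE_LOG = """\
2024-01-01T00:00:00 host logcanary: LOGCANARY seq=1
2024-01-01T00:04:12 host sshd[812]: Accepted publickey for admin from 10.0.0.5
2024-01-01T00:10:00 host logcanary: LOGCANARY seq=2
2024-01-01T00:30:00 host logcanary: LOGCANARY seq=4
2024-01-01T00:40:00 host logcanary: LOGCANARY seq=5
"""


def parse_heartbeats(text):
    """Return [(timestamp, seq)] for every canary line in the log text."""
    beats = []
    for line in text.splitlines():
        m = MARKER.match(line)
        if m:
            beats.append((datetime.fromisoformat(m.group(1)), int(m.group(2))))
    return beats


def audit(text, now_iso, interval=INTERVAL):
    """Compare the canaries found with the ones that should exist.

    Returns the sequence numbers missing inside the log and the number of
    heartbeats that should have appeared after the last one seen, given the
    audit time 'now_iso' (ISO 8601 string); one period of slack is allowed.
    """
    beats = parse_heartbeats(text)
    if not beats:
        return {"missing_seq": [], "missing_tail": None}
    seqs = [s for _, s in beats]
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    overdue = (datetime.fromisoformat(now_iso) - beats[-1][0]) // interval - 1
    return {"missing_seq": missing, "missing_tail": max(0, overdue)}
```

Run against the sample with an audit time of 01:30, the result names seq 3 as missing and reports four overdue markers at the tail.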