On 11/18/2012 2:39 PM, Duncan wrote:
> Peter Stuge posted on Sun, 18 Nov 2012 19:00:59 +0100 as excerpted:
>
>> Forget about the loader. Your knob is in a different configuration,
>> specifically CONFIG_MODULES=n in the kernel.
>
> Just to note now that the specific topic has come up, yes, I am aware of
> and have that kernel option set to disable module loading. I was simply
> focusing on userland side, and thus didn't believe the kernel option
> apropos to that specific discussion. Still, just having a module loading
> userland on the system doesn't /increase/ security, and in fact, it
> slightly decreases it, on a system where a deliberate choice has been
> made to turn kernel module loading functionality off.

Pointing out as a general statement, and not in response to anyone in particular, while I, too, am in the camp of minimalistic userlands, there is a kind of threshold one hits in this regard where keeping or removing something like a couple of module-loading utilities or systemd text files around really isn't going to increase or decrease your security /by that much/. </run-on-sentence>

I mean, if someone gains unauthorized access to the userland and somehow uses these unused components to launch an attack, successful or not, well, then there's a LOT of bigger problems to worry about. The goal of security isn't to prevent someone from gaining unauthorized access to a system, it's to deter them or otherwise make the effort required more than the potential gain.

Design network firewalls well, audit the user accounts and review logs periodically, enable hardened options, use PaX/grsec/selinux, deploy an IDS/IPS and a SIEM, etc... there's a lot of other things one can do that will have a bigger ROI on security than gutting module-loading tools or systemd scripts off of a system.

Do I like them there? Not really (unless I'm developing a kernel driver, then modules come in handy). But it is what it is.

-- 
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic