On Mon, 2 Jul 2001, Derek Martin wrote:
>> At the same time, if an attacker has penetrated your security to the point
>> where they can successfully load a new kernel module, I think the game is
>> pretty much up. They are patching the running system. Game over, man.
>
> I would agree, but the point is, you need to KNOW that you've been
> compromised before you can do anything to fix the problem. These modules
> make it all but impossible to realize that, by hiding all the nasty stuff
> they did/are doing. If you can't tell you've been compromised, you're not
> likely to do anything about it.

You don't need a kernel module to do that. I've heard of at least one rootkit that subverts the C library. I've heard of attacks on other (non-Linux) systems that patched the running kernel in a similar manner.

If an attacker can load a module, they've got full access to the kernel. They can subvert it at that point, whether you're running a modular kernel or not.

If you are worried about this kind of attack (and I'm not saying it isn't worth worrying about), you need to do more than just build a kernel without loadable module support. Something like LIDS would be appropriate. I understand LIDS actually tries to protect the running system from subversion, e.g., by preventing even the root user from writing to un-approved kernel memory.

On another note, it is recommended that you periodically boot from trusted media, using a trusted IDS program and database, and audit your system. That is the only way you can be absolutely sure nothing has been modified. (Until someone finds a way to subvert the hardware, too.)

No comment on how often people actually do this. ;-)

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |
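The "trusted IDS program and database" audit described in the message above, as an added example that is not part of the original post or of any named tool: a minimal file-integrity checker that records a baseline (digest, permission bits, size, symlink target) for every file under a root, then reports what changed. The demo tree, the "trojaned" `bin/ls`, the `.hidden` file and the deleted log are all constructed here for illustration. The point the message makes still applies: both this script and the baseline it produces must live on read-only media you boot from, because a rootkit that has subverted libc or the kernel on the live host can hide exactly the files this check is looking for.

```python
#!/usr/bin/env python3
"""Baseline/audit file-integrity check.  Added example, not code from the
original message or from any IDS project.  The sample tree in demo() is
constructed for illustration."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file and symlink under root (path relative to root)
    to its digest, permission bits and size, or to its link target.
    Symlinks are recorded, not followed, so a redirected link shows up."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = os.lstat(p)
            rel = str(p.relative_to(root))
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"link": os.readlink(p)}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {
                    "sha256": hash_file(p),
                    "mode": stat.S_IMODE(st.st_mode),
                    "size": st.st_size,
                }
    return baseline


def audit(root, baseline):
    """Compare the live tree against a trusted baseline.  Returns sorted lists
    of paths whose record changed (contents, mode, size or link target),
    paths that appeared, and paths that disappeared."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline
                      if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny fake system tree, then tamper
    with it the way a userland rootkit would (replace a binary, drop a
    hidden file, delete a log) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps.real \"$@\"\n")
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "messages").write_bytes(b"Jul  2 2001 boot\n")
        os.chmod(root / "bin" / "ls", 0o755)  # fix modes so the run is reproducible
        os.chmod(root / "bin" / "ps", 0o755)

        baseline = build_baseline(root)  # in practice: written to read-only media

        # Tampering: a wrapper that filters "hidden" out of ls output,
        # a dropped config file, and a removed log.
        (root / "bin" / "ls").write_bytes(
            b"#!/bin/sh\nexec /bin/ls.real \"$@\" | grep -v hidden\n")
        (root / ".hidden").write_bytes(b"rootkit config\n")
        (root / "var" / "log" / "messages").unlink()

        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:<9} {p}")
```

Run on a real system, `build_baseline("/")` is what you do once from the rescue media and store alongside it; `audit("/mnt/suspect", baseline)` is what you run on the next boot from that media, with the suspect root mounted read-only. Comparing mode bits as well as digests catches a setuid bit quietly added to an otherwise unchanged binary.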