Matthew Gregan <[EMAIL PROTECTED]> writes:
> You can load a module that disables any later module loading to achieve
> the same sort of thing. It's totally pointless, though, because root
> can still write to kernel memory and load modules/patch the kernel that
> way. Disabling module loading makes very little difference.
You don't need a separate module -- all you need to do is:
# echo 0xFFFCFFFF > /proc/sys/kernel/cap-bound
but *don't try it*. This turns off capabilities CAP_SYS_MODULE and
CAP_SYS_RAWIO, which stops anyone from loading modules, accessing
/dev/kmem, using ioperm() or iopl(), and a few other things. You
can't change it back without rebooting.
Among other things, this will stop XFree86 and lilo from working.
However, it will also stop rootkits from hiding themselves by
installing modules and accessing kernel memory directly, which sounds
good for a server.
(I got this from http://www.wiggy.net/debian/developer-securing/.)
--
"Hanging is too good for a man who makes puns; he should be drawn and quoted."
-- Fred Allen
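The value above is easier to trust once you can see how it is built. The script below is an added example, not part of the original post or of the wiggy.net document it cites; it derives 0xFFFCFFFF from the kernel's own capability bit numbers (CAP_SYS_MODULE is bit 16 and CAP_SYS_RAWIO is bit 17 in include/linux/capability.h) and decodes a mask back into the bits it clears. The function names capbound_mask and capbound_cleared are mine. Nothing in it writes to /proc, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): build and decode the 2.4-era
# /proc/sys/kernel/cap-bound mask. Bit numbers are the kernel's own
# constants: CAP_SYS_MODULE = 16, CAP_SYS_RAWIO = 17.
# Nothing here touches /proc; it only computes and explains the value.

# capbound_mask BIT... : start from all 32 capability bits set and clear
# each listed bit; prints the result as a hex string.
capbound_mask() {
    mask=$(( 0xFFFFFFFF ))
    for bit in "$@"; do
        mask=$(( mask & ~(1 << bit) ))
    done
    printf '0x%08X\n' "$(( mask & 0xFFFFFFFF ))"
}

# capbound_cleared MASK : list the bit numbers that MASK leaves unset,
# i.e. the capabilities that can never be regained without a reboot.
capbound_cleared() {
    mask=$(( $1 ))
    i=0
    out=""
    while [ "$i" -lt 32 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 0 ]; then
            out="$out $i"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out# }"
}

# Names for the two bits the post removes (kernel numbering).
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17

# Usage: shows that 0xFFFCFFFF is exactly "everything except 16 and 17".
capbound_mask "$CAP_SYS_MODULE" "$CAP_SYS_RAWIO"   # 0xFFFCFFFF
capbound_cleared 0xFFFCFFFF                        # 16 17
```

One caveat for anyone reading this on a current system: the system-wide cap-bound sysctl belongs to 2.4 and early 2.6 kernels and was removed in 2.6.25 in favour of per-process bounding sets, so the echo line will simply fail with "No such file or directory" there. The one-way "no more modules until reboot" half of what the post describes is what the kernel.modules_disabled sysctl does on those later kernels.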