On Mon, Dec 01, 2003 at 08:25:25PM +1300, Carey Evans wrote:
> # echo 0xFFFCFFFF > /proc/sys/kernel/cap-bound
That will help somewhat. Not quite what I was talking about, but...
> but *don't try it*. This turns off capabilities CAP_SYS_MODULE and
> CAP_SYS_RAWIO, which stops anyone from loading modules, accessing
> /dev/kmem, using ioperm() or iopl(), and a few other things. You
> can't change it back without rebooting.
You being "a well-behaved uid=0 user".
> Among other things, this will stop XFree86 and lilo from working.
> However, it will also stop rootkits from hiding themselves by
> installing modules and accessing kernel memory directly, which sounds
> good for a server.
It's not a panacea, but it's easy to do and it raises the bar slightly.
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
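The mask in the quoted command is built by hand, which is easy to get wrong. The following is an added example, not code from either poster: it encodes a set of capability names into the 2.4-era /proc/sys/kernel/cap-bound value, decodes a value back into the capabilities it drops (handling the signed decimal the kernel prints, such as the default -257), and checks that a proposed write only clears bits. The bit numbers are the CAP_* constants from linux/capability.h of that era; CAP_AUDIT_* and CAP_SETFCAP came later and are left out, so unknown high bits decode as "bitN". It assumes the old global interface: that file was removed in Linux 2.6.25, where the per-process bounding set and prctl(PR_CAPBSET_DROP) replaced it, so read_current() returns None on a modern kernel.

```python
"""Encode/decode the Linux 2.4-era /proc/sys/kernel/cap-bound mask (added example)."""

# CAP_* bit numbers from linux/capability.h (2.4 series).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28,
}
WORD_MASK = 0xFFFFFFFF  # cap-bound is a 32-bit kernel_cap_t in this era


def mask_dropping(*names):
    """Return the cap-bound value that keeps every bit except the named caps.

    A misspelled name raises KeyError rather than silently keeping the cap.
    """
    mask = WORD_MASK
    for name in names:
        mask &= ~(1 << CAP_BITS[name])
    return mask & WORD_MASK


def dropped_from(value):
    """List the capabilities cleared in a mask.

    Accepts the signed decimal the kernel prints (e.g. -257 for the default
    of everything except CAP_SETPCAP) as well as an unsigned hex value.
    """
    mask = value & WORD_MASK
    by_bit = {bit: name for name, bit in CAP_BITS.items()}
    return [by_bit.get(b, "bit%d" % b) for b in range(32) if not mask & (1 << b)]


def is_only_lowering(current, proposed):
    """True if `proposed` clears bits of `current` without setting any.

    Writes from anything other than pid 1 are ANDed into the existing mask,
    so a write that tries to raise a bit is silently ineffective; and since
    writing needs CAP_SYS_MODULE, dropping that bit locks the mask until reboot.
    """
    cur, new = current & WORD_MASK, proposed & WORD_MASK
    return (new & ~cur) == 0


def sysctl_line(mask):
    """The literal to use in: echo <value> > /proc/sys/kernel/cap-bound."""
    return "0x%08X" % (mask & WORD_MASK)


def read_current(path="/proc/sys/kernel/cap-bound"):
    """Read the live mask as an int, or None where the file does not exist
    (any kernel from 2.6.25 on) or cannot be parsed."""
    try:
        with open(path) as f:
            return int(f.read().strip(), 0)
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    proposed = mask_dropping("CAP_SYS_MODULE", "CAP_SYS_RAWIO")
    print("write:", sysctl_line(proposed), "drops", dropped_from(proposed))
    live = read_current()
    if live is None:
        print("no global cap-bound on this kernel; use prctl(PR_CAPBSET_DROP)")
    else:
        print("currently dropped:", dropped_from(live))
        print("write would take effect:", is_only_lowering(live, proposed))
```

Run it as root on a 2.4 box before echoing anything: the "currently dropped" line shows what the default already removes, and is_only_lowering() tells you whether the value you are about to write does what you think, since the kernel will not warn you when a bit cannot be raised.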