some kernel modules are made bad by being able to
intercept and replace any kernel system call
with a liar. for instance, it hides backdoor processes
from 'ps' and even from /proc listings without ever
relying on modifying/trojaning any binary on the system.
this means that conventional tools like netstat, ps, find,
won't even work anymore as the kernel can lie to it.

so to be able to trust these tools again, we simply prevent any
module from loading into the kernel after all valid
modules have been loaded. stock kernels since 2.2 allow you to do this
by poking into a 32-bit integer located at
/proc/sys/kernel/cap-bound

to disable any more kernel modules from loading, do it like:

        echo 0xFFFCFFFF > /proc/sys/kernel/cap-bound

each bit in cap-bound represents a kernel capability enumerated
in /usr/include/linux/capability.h

by clearing a particular bit, you disable the corresponding
kernel capability forever until a reboot. it's irreversible and not even a
runlevel change will do.

in the above command, you will notice that i actually disabled
two capabilities. it not only prevents 'module loading' but also prevents
writing directly to memory.  it's because it will still be possible to
load a module by messing around with kernel memory directly. the only
drawback by disabling writing to memory is that X will no longer run.

the beauty of this trick is that it's builtin with linux already.
you don't need third party software to do it.


pong
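As an added example (not part of the original post), a small shell helper that builds a cap-bound mask from capability bit numbers, decodes an existing mask, and checks whether a cap-bound file already has the wanted bits cleared. The bit numbers are those of linux/capability.h on 2.2/2.4 kernels (CAP_SYS_MODULE is 16, CAP_SYS_RAWIO is 17); the function names are my own.

```shell
# Added example, not from the original post: helpers around the cap-bound bitmask.
# Capability bit numbers follow linux/capability.h on 2.2/2.4 kernels.

# cap_name NUM -> symbolic name of capability bit NUM (a few common ones)
cap_name() {
    case "$1" in
        16) echo CAP_SYS_MODULE ;;
        17) echo CAP_SYS_RAWIO ;;
        19) echo CAP_SYS_PTRACE ;;
        21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;
        *)  echo "CAP_$1" ;;
    esac
}

# cap_bound_mask NUM... -> 32-bit hex mask with the given capability bits cleared
cap_bound_mask() {
    mask=$(( 0xFFFFFFFF ))
    for n in "$@"; do
        mask=$(( mask & ~(1 << n) ))
    done
    printf '0x%08X\n' $(( mask & 0xFFFFFFFF ))
}

# cap_bound_cleared MASK -> space-separated names of the capabilities MASK drops
cap_bound_cleared() {
    mask=$(( $1 )); i=0; out=""
    while [ "$i" -lt 32 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 0 ]; then
            out="$out $(cap_name "$i")"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out# }"
}

# cap_bound_check FILE NUM... -> 0 if FILE (normally /proc/sys/kernel/cap-bound,
# which the kernel prints as a signed decimal) already has every listed bit
# cleared, 1 if any is still set, 2 if FILE is unreadable; handy in an audit script
cap_bound_check() {
    file=$1; shift
    [ -r "$file" ] || return 2
    cur=$(( $(cat "$file") ))
    for n in "$@"; do
        [ $(( (cur >> n) & 1 )) -eq 0 ] || return 1
    done
    return 0
}
```

Running `cap_bound_mask 16 17` reproduces the 0xFFFCFFFF value written above, and `cap_bound_check /proc/sys/kernel/cap-bound 16 17` tells a boot-time or audit script whether the lockdown is already in effect.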

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph