On Wed, Nov 21, 2012 at 11:21:59AM +0000, Stuart Henderson wrote:
> On 2012/11/21 12:01, Mike Belopuhov wrote:
> > On Wed, Nov 21, 2012 at 11:50 AM, Alexey E. Suslikov
> > <[email protected]> wrote:
> > > Hello tech@.
> > >
> > > Following this
> > > http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
> > >
> > > Besides of doing "#option LKM", is there any other way to disable
> > > modload(8)?
> > >
> > > Cheers,
> > > Alexey
> > >
> >
> > modules can't be loaded during multiuser operation when
> > securelevel is above 0. but that doesn't prevent someone
> > with root privileges to modify /etc/rc.securelevel and load
> > the module during boot.
>
> rc.securelevel could be marked schg with chflags..
>

and /bsd too...

And don't forget that an Xorg exploit could overwrite securelevel
directly in the running kernel's memory (see Loïc Duflot's paper at
CanSecWest 2006)

But with all those scenarios, disabling LKMs won't help.

--
Matthieu Herrb
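As an added example, not part of the thread, here is a small POSIX sh audit helper that checks the two mitigations the thread discusses: a securelevel of at least 1 (so modload(8) is refused in multiuser) and the schg immutable flag on /etc/rc.securelevel and /bsd (so root cannot edit them and have a module loaded at the next boot). The functions take the command output as arguments rather than calling sysctl(8) and ls(1) themselves, so they can be exercised offline with constructed lines; the commented call at the bottom shows the live form on OpenBSD. The `ls -lo` field layout assumed here (flags in the fifth column) is the standard BSD one.

```shell
#!/bin/sh
# Added audit helper for the hardening discussed in the thread.
# Inputs are passed in as strings so the logic runs offline; the live
# invocation on OpenBSD is shown at the bottom.

# check_securelevel LEVEL -> 0 if LEVEL is an integer >= 1
# (kernel refuses modload(8) in multiuser mode at securelevel > 0)
check_securelevel() {
    level="$1"
    case "$level" in
        ''|*[!0-9-]*) return 1 ;;   # empty or non-numeric: treat as failing
    esac
    [ "$level" -ge 1 ]
}

# has_schg "LS_LO_LINE" -> 0 if the flags column of an `ls -lo` line
# contains schg.  `ls -lo` prints: mode links owner group FLAGS size date name
has_schg() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,schg,*) return 0 ;;      # flags may be comma separated, e.g. schg,nodump
        *) return 1 ;;
    esac
}

# audit LEVEL LS_LO_LINE... -> prints one line per check, returns the
# number of failed checks (0 means everything the thread suggests is in place)
audit() {
    fails=0
    if check_securelevel "$1"; then
        echo "ok: kern.securelevel=$1"
    else
        echo "FAIL: kern.securelevel=$1 (modload(8) permitted in multiuser)"
        fails=$((fails + 1))
    fi
    shift
    for line in "$@"; do
        name=$(printf '%s\n' "$line" | awk '{print $NF}')
        if has_schg "$line"; then
            echo "ok: $name is schg"
        else
            echo "FAIL: $name lacks schg (root can edit it and reload at next boot)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Live use on OpenBSD (uncomment to run against the real system):
# audit "$(sysctl -n kern.securelevel)" \
#       "$(ls -lo /etc/rc.securelevel)" "$(ls -lo /bsd)"
```

A passing audit only confirms the configuration; as the message above notes, a kernel memory write (the Xorg case) can clear securelevel regardless of what the flags say, so this is a configuration check, not proof that module loading is blocked.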
