Date: Sun, 9 Sep 2001 06:07:18 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010909060718.A1135@sheol.localdomain>
In-Reply-To: <Pine.BSF.4.21.0109090918050.457-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Sun, Sep 09, 2001 at 10:05:54AM +0200
References: <20010908171641.A79354@sheol.localdomain> <Pine.BSF.4.21.0109090918050.457-100000@lhotse.zaraska.dhs.org>

On Sep 09, at 10:05 AM, Krzysztof Zaraska wrote:
>
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> >
> > On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
> > >
> > > But activity in /tmp is normal and will be ignored by tripwire, right?
> >
> > Tripwire's policy file can reflect nearly any level of Admin paranoia.
>
> Ever seen an admin that would observe changes in /tmp on a daily basis?

No, but I could see one getting interested in /tmp if events led him or
her there. Actually, I rather thought the /tmp thang an example; my reply
was therefore in a more generic vein.

> > > Or, something LIDS-like.
> >
> > You're the second to mention LIDS. I know so little about it as to
> > refrain from comment (like, why should I let that stop me now?). Based
> > on another's description, it strikes me as rather over-engineered, but
> > that's an ignorant opinion. Maybe it has to be.
>
> Well. I heard about it once, went to their site, read the docs and ran
> away ;). Seriously, it seemed to offer interesting features but all the
> complications scared me off.
>
> > RedHat does seem more dependent on LKMs than FreeBSD and KLDs, at least
> > out-of-the-box, so perhaps the modules are more of a security issue?
>
> This is due to the way Linux bootloader works. The compressed kernel image
> must fit within the first 640K of memory, so that imposes a limit on the
> kernel size. Since they want plug-and-play they must have all the existing
> drivers (save maybe video cards and the like) built. But taking into
> account the kernel size limit they must be built as modules. FreeBSD also
> has lots of drivers in the GENERIC kernel (for the similar reason) but
> this system does not seem to have this kind of limitations.
>
> IIRC there are some Linux drivers that _must_ be built as modules for some
> reason (PPP-related stuff, I guess).
>
> I hope this discussion won't end up with advocacy of FreeBSD's superiority
> to Linux in the area of kernel modules.

Not by my hand.
Not in public, anyway. ;-,

> BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
> module?

Dunno. I haven't needed to run a Linux app under FreeBSD yet, so I don't
even enable compatibility.

SeeYa,
Dave

-- 
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"