From owner-freebsd-security  Sun Sep  9 04:07:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100])
	by hub.freebsd.org (Postfix) with ESMTP id 4276A37B403
	for ; Sun, 9 Sep 2001 04:07:29 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193])
	by brea.mc.mpls.visi.com (Postfix) with ESMTP id 545522DDB7C;
	Sun, 9 Sep 2001 06:07:28 -0500 (CDT)
Received: (from hawkeyd@localhost)
	by sheol.localdomain (8.11.1/8.11.1) id f89B7NB01178;
	Sun, 9 Sep 2001 06:07:23 -0500 (CDT)
	(envelope-from hawkeyd)
Date: Sun, 9 Sep 2001 06:07:18 -0500
From: D J Hawkey Jr
To: Krzysztof Zaraska
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010909060718.A1135@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010908171641.A79354@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sun, Sep 09, 2001 at 10:05:54AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

On Sep 09, at 10:05 AM, Krzysztof Zaraska wrote:
> 
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> 
> > On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
> > > 
> > > But activity in /tmp is normal and will be ignored by tripwire, right?
> > 
> > Tripwire's policy file can reflect nearly any level of Admin paranoia.
> 
> Ever seen an admin that would observe changes in /tmp on a daily basis?

No, but I could see one getting interested in /tmp if events led him or
her there. Actually, I rather thought the /tmp thang an example; my reply
was therefore in a more generic vein.

> > > Or, something LIDS-like.
> > 
> > You're the second to mention LIDS. I know so little about it as to
> > refrain from comment (like, why should I let that stop me now?). Based
> > on another's description, it strikes me as rather over-engineered, but
> > that's an ignorant opinion. Maybe it has to be.
> 
> Well. I heard about it once, went to their site, read the docs and ran
> away ;). Seriously, it seemed to offer interesting features but all the
> complications scared me off.
> 
> > RedHat does seem more dependent on LKMs than FreeBSD and KLDs, at least
> > out-of-the-box, so perhaps the modules are more of a security issue?
> 
> This is due to the way the Linux bootloader works. The compressed kernel
> image must fit within the first 640K of memory, so that imposes a limit
> on the kernel size. Since they want plug-and-play they must have all the
> existing drivers (save maybe video cards and the like) built. But taking
> into account the kernel size limit they must be built as modules. FreeBSD
> also has lots of drivers in the GENERIC kernel (for a similar reason) but
> this system does not seem to have this kind of limitation.
> 
> IIRC there are some Linux drivers that _must_ be built as modules for some
> reason (PPP-related stuff, I guess).
> 
> I hope this discussion won't end up with advocacy of FreeBSD's superiority
> to Linux in the area of kernel modules.

Not by my hand. Not in public, anyway. ;-)

> BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
> module?

Dunno. I haven't needed to run a Linux app under FreeBSD yet, so I don't
even enable compatibility.

SeeYa,
Dave

-- 
Windows: "Where do you want to go today?"
Linux:   "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
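The thread above raises two practical questions about kernel-loadable rootkits: whether a file-integrity tool such as Tripwire can catch the drop, and whether the loaded-module list itself is worth watching. The following script is an added example, not code from the list post or from the FreeBSD or Tripwire projects. It treats a saved kldstat(8) listing as a baseline (the same idea Tripwire applies to files) and reports any module name that appears in a later listing but not in the baseline; it also encodes the securelevel rule that kldload(8) is refused once kern.securelevel is raised to 1 or higher. The two kldstat listings and the module name unexpected.ko are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example: diff a baseline kldstat(8) listing against a current one.
# Both listings below are constructed sample data in kldstat's output format.

BASELINE='Id Refs Address    Size     Name
 1    3 0xc0100000 2f4b58   kernel
 2    1 0xc03f5000 4f7c     linux.ko'

CURRENT='Id Refs Address    Size     Name
 1    4 0xc0100000 2f4b58   kernel
 2    1 0xc03f5000 4f7c     linux.ko
 3    1 0xc0400000 1e3c     unexpected.ko'

# Print the module names (fifth column) of a kldstat listing, skipping the
# header line, one per line in sorted order.
kld_names() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $5 }' | sort
}

# Print the module names present in the current listing ($2) but absent from
# the baseline ($1). The Refs/Address columns are deliberately ignored: a
# reloaded module changes those, and only a new name is an alert here.
new_klds() {
    awk -v base="$(kld_names "$1")" -v cur="$(kld_names "$2")" '
        BEGIN {
            n = split(base, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1
            m = split(cur,  c, "\n"); for (i = 1; i <= m; i++) if (!seen[c[i]]) print c[i]
        }'
}

# Return success when the given kern.securelevel still permits kldload(8).
# FreeBSD refuses module loads once securelevel is 1 or greater, so a
# baseline is only meaningful on a host where this function returns true.
securelevel_allows_kldload() {
    [ "$1" -lt 1 ]
}

# Stand-alone usage: on a live FreeBSD host you would replace the two sample
# strings with "$(kldstat)" saved at install time and "$(kldstat)" now, and
# read the securelevel with "$(sysctl -n kern.securelevel)".
if [ -z "${UNDER_TEST:-}" ]; then
    echo "Modules not in baseline:"
    new_klds "$BASELINE" "$CURRENT"
    if securelevel_allows_kldload 0; then
        echo "securelevel 0: modules can still be loaded, keep checking"
    fi
fi
```

The baseline should be captured right after installation, stored off-host or in a Tripwire-monitored file, and compared on the same schedule as the file-integrity run; a rootkit that hides itself from kldstat will not show up here, which is why raising securelevel so that no module can be loaded at all is the stronger control on a machine that does not need late loading.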