Date: Sat, 8 Mar 2003 00:18:22 +0100
From: Simon Barner
To: freebsd-questions@freebsd.org
Subject: Re: A question about kernel modules

> So optimal security would be to have every
> needed component compiled in, and turn off the ability to load any modules.
> I have no idea if this can be done or how in FreeBSD.

This is what securelevel(8) is about:

[...]
1     Secure mode - the system immutable and system append-only flags may
      not be turned off; disks for mounted file systems, /dev/mem, and
      /dev/kmem may not be opened for writing; kernel modules (see kld(4))
      may not be loaded or unloaded.
[...]

> http://packetstorm.decepticons.org/papers/unix/bsdkern.htm

Ah, interesting one! Thanks :-)

Simon
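
An added example, not part of the message above and not FreeBSD's own code: a POSIX sh audit of an rc.conf file for the `kern_securelevel_enable` and `kern_securelevel` knobs that set the securelevel at boot, reporting whether the level 1 restriction on kld loading quoted above would apply. The function names and the sample rc.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this rc.conf raise kern.securelevel to >= 1 at boot,
# the level at which kernel modules may not be loaded or unloaded?

# rc_value FILE VAR: print the last uncommented assignment of VAR.
# rc.conf is sourced as shell, so the last assignment wins.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# boot_securelevel FILE: print the level rc.conf requests, or -1 when the
# knob is disabled, unset or malformed (-1 is the rc.conf default).
boot_securelevel() {
    enable=$(rc_value "$1" kern_securelevel_enable)
    level=$(rc_value "$1" kern_securelevel)
    case "$enable" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo -1; return ;;
    esac
    case "$level" in
        ''|*[!0-9-]*) echo -1 ;;
        *) echo "$level" ;;
    esac
}

# kld_locked LEVEL: succeed when LEVEL blocks kld load/unload.
kld_locked() { [ "$1" -ge 1 ] 2>/dev/null; }

# audit_rc FILE: report the finding; non-zero status on failure.
audit_rc() {
    lvl=$(boot_securelevel "$1")
    if kld_locked "$lvl"; then
        echo "PASS: boot securelevel $lvl; kld load/unload blocked after boot"
    else
        echo "FAIL: boot securelevel $lvl; kernel modules can still be loaded"
        return 1
    fi
}

# Constructed sample rc.conf (not taken from the original message).
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname="demo.example.org"
kern_securelevel_enable="NO"
#kern_securelevel="3"
kern_securelevel_enable="YES"   # later assignment wins
kern_securelevel="1"
EOF
audit_rc "$sample"
```

On a running host, compare the audited value with the output of `sysctl -n kern.securelevel`, since the rc.conf setting only takes effect at the next boot.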