From owner-freebsd-security Fri Oct 5 11:25:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id ACF2C37B407 for ; Fri, 5 Oct 2001 11:25:46 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.136.241.Dial1.SanJose1.Level3.net [209.247.136.241]) by robin.mail.pas.earthlink.net (8.11.5/8.9.3) with ESMTP id f95IPi922163; Fri, 5 Oct 2001 11:25:44 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f95I0ZH00391; Fri, 5 Oct 2001 11:00:35 -0700 (PDT) (envelope-from cjc)
Date: Fri, 5 Oct 2001 11:00:35 -0700
From: "Crist J. Clark"
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005110034.A310@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011004023034.U8391@blossom.cjclark.org> <20011004173535.0A2DE3B19D@gemini.nersc.gov> <20011005100832.A547@shikima.mine.nu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011005100832.A547@shikima.mine.nu>; from rasputin@submonkey.net on Fri, Oct 05, 2001 at 10:08:32AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Oct 05, 2001 at 10:08:32AM +0100, Rasputin wrote:
> * Eli Dart [011004 19:30]:
> >
> > In reply to "Crist J. Clark" :
> >
> > [snip]
> >
> > > Have fun. Unless there is outpouring from people who love the idea,
> > > I'm not going to commit these to FreeBSD.
> >
> > Please consider this as part of an outpouring of support from people
> > who love the idea.
>
> "me too".
>
> Isn't this fairly common among the other BSDs as well?
>
> An alternative to securelevel is sometimes useful,
> and KLDs are a fairly well-known attack method against *BSD.
>
> I don't see any harm in adding it as an option - it doesn't have to
> (definitely shouldn't be) the default, of course.

The potential harm, and the reason I hesitated before doing it and still
hesitate to add it to the code base, is that it may give a false sense of
security. It blocks the kldload(2) syscall. That's it. This prevents
someone from using the convenient KLD interface to hook code into the
running kernel, it does not,

  - Stop someone from modifying the running kernel (through /dev/mem), or

  - Stop someone from putting a modified kernel (like one that allows
    KLDs, eep!) on your hard drive and rebooting the box.

Both of these can potentially be stopped by the proper use of
securelevel(8) (with all of its faults, it's still better). That's what
people who really want to lock down their box should be doing, not this.

But as I said originally, this may stop a script kiddie or two... until
someone with a clue writes them a script that loads the kernel
modifications via /dev/mem instead of kldload(8).
-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
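The mail contrasts three ways of getting code into a FreeBSD kernel (kldload, /dev/mem, a replaced kernel file) and points at securelevel(8) as the control that actually covers them. The script below is an added example written for this archive page; it is not code from the mail, from the kldload-blocking patch under discussion, or from FreeBSD itself. It encodes the securelevel semantics documented in init(8) (level >= 1 refuses module loads and write opens of /dev/mem and /dev/kmem; level >= 2 also refuses raw writes to any disk) as two small functions that take their inputs as arguments, plus a wrapper that feeds them live values from sysctl(8) and ls(1) when run on a FreeBSD host. The kernel path /boot/kernel/kernel and the ls -lo column layout are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD: report which
# of the three kernel-modification paths named in the thread a given
# securelevel closes. Semantics follow init(8)/securelevel(8):
#   level >= 1: kernel modules cannot be loaded or unloaded, and /dev/mem
#               and /dev/kmem cannot be opened for writing;
#   level >= 2: additionally, no disk may be opened for raw writing.
# The kldload-only sysctl the mail argues about is deliberately not modelled.

# securelevel_blocks LEVEL VECTOR
#   VECTOR is kldload, devmem or rawdisk. Prints "yes" if that path is
#   closed at LEVEL, "no" otherwise. Always exits 0 so callers can capture
#   the word under set -e.
securelevel_blocks() {
    level=$1
    vector=$2
    case "$vector" in
        kldload|devmem) needed=1 ;;
        rawdisk)        needed=2 ;;
        *) echo "unknown vector: $vector" >&2; echo no; return 0 ;;
    esac
    if [ "$level" -ge "$needed" ]; then
        echo yes
    else
        echo no
    fi
}

# kernel_file_protected LS_LO_LINE
#   Takes one line of `ls -lo` output for the kernel file. On FreeBSD the
#   file flags are the fifth column ("-" when none are set; assumption about
#   the column layout). Prints "yes" when schg is among them. Root can
#   overwrite a kernel file that lacks schg through the mounted file system
#   at any securelevel; with schg set, securelevel >= 1 keeps the flag from
#   being cleared, which is what closes the "modified kernel on disk" path.
kernel_file_protected() {
    # word-split the line; $5 is the comma-separated flags column
    set -- $1
    case ",$5," in
        *,schg,*) echo yes ;;
        *)        echo no ;;
    esac
}

# audit_kernel_lockdown [KERNEL_PATH]
#   Live check for a FreeBSD host: reads kern.securelevel via sysctl(8) and
#   the kernel file's flags via ls -lo, then prints one verdict per path.
#   Default path /boot/kernel/kernel is an assumption; pass another if needed.
audit_kernel_lockdown() {
    kernel=${1:-/boot/kernel/kernel}
    level=$(sysctl -n kern.securelevel) || return 1
    echo "kern.securelevel = $level"
    for v in kldload devmem rawdisk; do
        echo "  $v blocked: $(securelevel_blocks "$level" "$v")"
    done
    if [ -e "$kernel" ]; then
        echo "  $kernel has schg: $(kernel_file_protected "$(ls -lo "$kernel")")"
    fi
}

# Only run the live audit on FreeBSD; elsewhere the pure functions above
# can still be exercised with constructed inputs.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_kernel_lockdown "$@"
fi
```

A host that reports kern.securelevel = 0 gets "no" for all three paths regardless of whether kldload is disabled by other means, which is the false-sense-of-security point the mail makes; a host at level 1 with schg on the kernel file closes kldload, /dev/mem and the on-disk kernel swap, and level 2 additionally closes raw disk writes.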