Date: Mon, 8 Dec 2003 12:37:15 -0500
From: Damian Gerow <damian@sentex.net>
To: freebsd-security@freebsd.org
Subject: LKM support (Was: Re: possible compromise or just misreading logs)
Message-ID: <20031208173715.GH82104@sentex.net>
In-Reply-To: <3FD4B58B.9020308@expertcity.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com> <20031208164804.GA92121@ergo.nruns.com> <3FD4B58B.9020308@expertcity.com>
Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:

> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use to verify just that
> purpose and no more, it's great, and it (or something like it, like AIDE)
> is essential.

On that note, is there any way to disable LKM support in FreeBSD? Or is that what NO_MODULES does?
