From: Damian Gerow <damian@sentex.net>
To: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 12:37:15 -0500
Subject: LKM support (Was: Re: possible compromise or just misreading logs)
Message-ID: <20031208173715.GH82104@sentex.net>
In-Reply-To: <3FD4B58B.9020308@expertcity.com>

Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:

> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use it to verify just that
> purpose and no more, it's great, and it (or something like it, like AIDE)
> is essential.

On that note, is there any way to disable LKM support in FreeBSD? Or is
that what NO_MODULES does?
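The lockdown Damian is asking about, as an added example that is not part of the mailing-list post or of any FreeBSD tool: a POSIX sh audit that encodes the two relevant knobs (kern.securelevel, which at 1 or higher makes the kernel refuse kldload/kldunload until the next reboot, and the kern_securelevel_enable/kern_securelevel settings in /etc/rc.conf that apply a level at boot) and records that NO_MODULES in /etc/make.conf is a build-time option that only stops buildkernel from compiling modules. The function and variable names are this example's own, and the sysctl, rc.conf and kldstat text it is run against is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Audits whether a
# FreeBSD host can still load kernel modules at runtime. The checks take the
# text that the host's own tools print as arguments, so the logic can be run
# offline against the constructed samples below; on a real host feed it the
# output of `sysctl kern.securelevel`, `cat /etc/rc.conf` and `kldstat`.
#
# Facts the checks rely on:
#  - at kern.securelevel >= 1 the kernel refuses kldload(8)/kldunload(8);
#    root can raise the level at runtime but cannot lower it without a reboot
#  - kern_securelevel_enable/kern_securelevel in /etc/rc.conf set the level
#    at boot (defaults in /etc/defaults/rc.conf are NO and -1)
#  - NO_MODULES in /etc/make.conf is a build-time knob: it stops buildkernel
#    from compiling modules, it does not disable module loading in the kernel

# kld_loading_blocked SYSCTL_LINE
#   $1 is the line printed by `sysctl kern.securelevel`.
#   Returns 0 when the level blocks module loading, 1 when it does not,
#   2 when the input is not a securelevel line.
kld_loading_blocked() {
    level=$(printf '%s\n' "$1" |
        sed -n 's/^kern\.securelevel: *\(-\{0,1\}[0-9][0-9]*\)$/\1/p')
    [ -n "$level" ] || return 2
    [ "$level" -ge 1 ]
}

# rc_value KEY RC_CONF_TEXT
#   Prints the last assignment to KEY in rc.conf text, quotes stripped.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1 | tr -d '"'
}

# rc_conf_securelevel RC_CONF_TEXT
#   Prints the securelevel that rc.conf will apply at boot, or "none" when
#   kern_securelevel_enable is not YES. An unset kern_securelevel is reported
#   as -1, the value /etc/defaults/rc.conf supplies.
rc_conf_securelevel() {
    enable=$(rc_value kern_securelevel_enable "$1")
    level=$(rc_value kern_securelevel "$1")
    case "$enable" in
        [Yy][Ee][Ss]) printf '%s\n' "${level:--1}" ;;
        *)            printf 'none\n' ;;
    esac
}

# kld_names KLDSTAT_OUTPUT
#   Prints the loaded module names from `kldstat` output, one per line,
#   skipping the header row and the kernel itself. This list is produced by
#   the running kernel, exactly like the stat()/read() results tripwire
#   relies on, so once a hostile module is in it can omit itself: treat the
#   output as evidence only on a kernel you still trust.
kld_names() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 != "kernel" { print $5 }'
}

# kld_report SYSCTL_LINE RC_CONF_TEXT KLDSTAT_OUTPUT
#   One-line verdict suitable for a periodic(8) script or a hardening checklist.
kld_report() {
    if kld_loading_blocked "$1"; then
        printf 'runtime module loading blocked (%s)\n' "$1"
    else
        n=$(kld_names "$3" | wc -l | tr -d ' ')
        printf 'modules loadable now; %s loaded; boot securelevel: %s\n' \
            "$n" "$(rc_conf_securelevel "$2")"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSCTL_OPEN='kern.securelevel: -1'
SAMPLE_SYSCTL_LOCKED='kern.securelevel: 1'
SAMPLE_RC='hostname="host.example"
kern_securelevel_enable="YES"
kern_securelevel="1"'
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f11f28  kernel
 2    1 0xffffffff82312000 2ee8     intpm.ko
 3    1 0xffffffff82315000 1830     smbus.ko'

kld_report "$SAMPLE_SYSCTL_OPEN"   "$SAMPLE_RC" "$SAMPLE_KLDSTAT"
kld_report "$SAMPLE_SYSCTL_LOCKED" "$SAMPLE_RC" "$SAMPLE_KLDSTAT"
```

The useful property of securelevel for this threat model is that it is one-way: `sysctl kern.securelevel=1` takes effect immediately, and after that neither a later root shell nor a script can lower it or load a module until the box is rebooted into single-user mode, which is why the rc.conf setting matters as much as the live value. The caveat in kld_names is the same one Steve makes about tripwire: every one of these checks asks the kernel, so they establish that a trusted kernel is locked, not that an already-subverted one is clean.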