From owner-freebsd-security  Sat Sep  8  5:25:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100])
	by hub.freebsd.org (Postfix) with ESMTP id 7A7E137B407
	for <freebsd-security@FreeBSD.ORG>; Sat,  8 Sep 2001 05:25:50 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193])
	by brea.mc.mpls.visi.com (Postfix) with ESMTP
	id 45D112DDBBF; Sat,  8 Sep 2001 07:25:49 -0500 (CDT)
Received: (from hawkeyd@localhost)
	by sheol.localdomain (8.11.1/8.11.1) id f88CPhn63017;
	Sat, 8 Sep 2001 07:25:43 -0500 (CDT)
	(envelope-from hawkeyd)
Date: Sat, 8 Sep 2001 07:25:42 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Alexander Langer <alex@big.endian.de>
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908072542.A57605@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net> <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010908141700.A53738@fump.kawo2.rwth-aachen.de>; from alex@big.endian.de on Sat, Sep 08, 2001 at 02:17:00PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sep 08, at 02:17 PM, Alexander Langer wrote:
> 
> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> 
> > If you're dealing with a "fixed purpose" server, the kernel may not
> > need any KLD. On two of my servers, only blank_saver.ko is loaded,
> > and that could be eliminated too, by not using a screensaver.
> 
> This still lets you load own kernel modules.

Not if you blow away the /modules directory (note that I haven't tried
this).

> And from what I've heard, there are also ways to load kernel modules
> if securelevel > 1, though I can't imagine, how.

Don't know.

> Alex

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message