Date:      Mon, 8 Dec 2003 20:01:43 -0800
From:      "Crist J. Clark" <cristjc@comcast.net>
To:        freebsd-security@freebsd.org
Subject:   Re: LKM support (Was: Re: possible compromise or just misreading logs)
Message-ID:  <20031209040143.GA45736@blossom.cjclark.org>
In-Reply-To: <20031208173715.GH82104@sentex.net>
References:  <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com> <20031208164804.GA92121@ergo.nruns.com> <3FD4B58B.9020308@expertcity.com> <20031208173715.GH82104@sentex.net>
On Mon, Dec 08, 2003 at 12:37:15PM -0500, Damian Gerow wrote:
> Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> > And just adding my voice to the "tripwire is good to run, but not a 
> > panacea" argument - if a machine gets a KLM loaded in a compromise, 
> > there is no way tripwire can be assured it is verifying the binary it 
> > asks the kernel for information about. Nothing to stop the compromised 
> > kernel returning the original binary for all requests, except for those 
> > needed to do Evil.  If you get a root compromise so that a KLM can be 
> > loaded, all bets are off. Short of that, I think tripwire makes it very 
> > very hard to change files on a system w/o being detected. As long as 
> > that is all the faith you put in tripwire, and use to verify just that 
> > purpose and no more, it's great, and it (or something like it, like AIDE) 
> > is essential.
> 
> On that note, is there any way to disable LKM support in FreeBSD?  Or is
> that what NO_MODULES does?

No, it doesn't. I have some really, really old patches that do
this. Check the URL in the .sig. Let me know if they no longer work.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org