From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 20:01:47 2003
Date: Mon, 8 Dec 2003 20:01:43 -0800
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Message-ID: <20031209040143.GA45736@blossom.cjclark.org>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com> <20031208164804.GA92121@ergo.nruns.com> <3FD4B58B.9020308@expertcity.com> <20031208173715.GH82104@sentex.net>
In-Reply-To: <20031208173715.GH82104@sentex.net>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: LKM support (Was: Re: possible compromise or just misreading logs)
List-Id: Security issues [members-only posting]

On Mon, Dec 08, 2003 at 12:37:15PM -0500, Damian Gerow wrote:
> Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> > And just adding my voice to the "tripwire is good to run, but not a
> > panacea" argument - if a machine gets a KLM loaded in a compromise,
> > there is no way tripwire can be assured it is verifying the binary it
> > asks the kernel for information about. Nothing to stop the compromised
> > kernel returning the original binary for all requests, except for those
> > needed to do Evil. If you get a root compromise so that a KLM can be
> > loaded, all bets are off. Short of that, I think tripwire makes it very
> > very hard to change files on a system w/o being detected. As long as
> > that is all the faith you put in tripwire, and use to verify just that
> > purpose and no more, it's great, and it (or something like it, like AIDE)
> > is essential.
>
> On that note, is there any way to disable LKM support in FreeBSD? Or is
> that what NO_MODULES does?

No, it doesn't. I have some really, really old patches that do this.
Check the URL in the .sig. Let me know if they no longer work.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |       cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |      cjc@freebsd.org
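The thread's practical takeaway is that a file-integrity checker cannot be trusted once an unexpected kernel module is loaded, and that NO_MODULES does not stop loading. The script below is an added example, not code from this thread or from the FreeBSD project: it audits the loaded-module list against a saved baseline and reports whether the running securelevel still permits kldload. It assumes two FreeBSD facts: kldstat(8) prints a header line followed by one module per line with the name in the fifth column, and kern.securelevel at 1 or higher refuses kldload/kldunload. The kldstat output it runs on is constructed inline so the script can be exercised anywhere; on a real host you would feed it `kldstat` and `sysctl -n kern.securelevel`.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): audit the set
# of loaded kernel modules against a baseline and check the securelevel.
# Assumed FreeBSD behaviour: kldstat prints "Id Refs Address Size Name"
# then one module per line; kern.securelevel >= 1 refuses kldload/kldunload.

# Constructed sample output in kldstat's layout: the baseline taken right
# after install, and a later snapshot in which an extra module has appeared.
BASELINE='Id Refs Address    Size     Name
 1    4 0xc0400000 5c3b20   kernel
 2    1 0xc09c4000 5a0a4    acpi.ko'
CURRENT='Id Refs Address    Size     Name
 1    5 0xc0400000 5c3b20   kernel
 2    1 0xc09c4000 5a0a4    acpi.ko
 3    1 0xc1a2b000 4000     unexpected.ko'

# Reduce kldstat output on stdin to a sorted list of module names,
# skipping the header line.
module_names() {
    awk 'NR > 1 { print $5 }' | sort
}

# compare_modules BASELINE_TEXT CURRENT_TEXT
# Prints "+name" for modules not in the baseline and "-name" for baseline
# modules that are gone.  Returns 0 when the two sets match, 1 on drift.
compare_modules() {
    b=$(mktemp) || return 2
    c=$(mktemp) || return 2
    printf '%s\n' "$1" | module_names > "$b"
    printf '%s\n' "$2" | module_names > "$c"
    added=$(comm -13 "$b" "$c")     # only in current
    removed=$(comm -23 "$b" "$c")   # only in baseline
    rm -f "$b" "$c"
    [ -n "$added" ] && printf '+%s\n' $added
    [ -n "$removed" ] && printf -- '-%s\n' $removed
    [ -z "$added" ] && [ -z "$removed" ]
}

# securelevel_blocks_kld LEVEL
# Returns 0 when the given kern.securelevel value refuses module loading.
securelevel_blocks_kld() {
    [ "$1" -ge 1 ]
}

# Stand-alone run over the constructed data.
if compare_modules "$BASELINE" "$CURRENT"; then
    echo "module set matches baseline"
else
    echo "module set drifted from baseline; integrity checker results are suspect"
fi
for lvl in 0 1; do
    if securelevel_blocks_kld "$lvl"; then
        echo "securelevel $lvl: kldload refused"
    else
        echo "securelevel $lvl: modules can still be loaded"
    fi
done
```

A baseline captured by the same host after compromise is worthless, so store it off-box (or on read-only media) together with the integrity database the thread discusses; the point of the securelevel check is that a level below 1 means the kernel itself, and therefore anything the checker reads through it, can still be changed underneath you.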