From owner-freebsd-security Sat Sep 8 18:47:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id 7E66D37B405 for ; Sat, 8 Sep 2001 18:47:36 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id 64D622DDBC0; Sat, 8 Sep 2001 20:47:35 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f891lYA80717; Sat, 8 Sep 2001 20:47:34 -0500 (CDT) (envelope-from hawkeyd) Date: Sat, 8 Sep 2001 20:47:34 -0500 From: D J Hawkey Jr To: Giorgos Keramidas Cc: Alexander Langer , deepak@ai.net, freebsd-security@freebsd.org Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908204734.A80568@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de> <20010909003011.B6949@hades.hell.gr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010909003011.B6949@hades.hell.gr>; from charon@labs.gr on Sun, Sep 09, 2001 at 12:30:11AM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sep 09, at 12:30 AM, Giorgos Keramidas wrote: > > From: Alexander Langer > Subject: Re: Kernel-loadable Root Kits > Date: Sat, Sep 08, 2001 at 08:39:35PM +0200 > > > Thus spake D J Hawkey Jr (hawkeyd@visi.com): > > > > > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading > > > altogether, it should be a build-time option, and it should have nothing > > > to over-ride this. > > > Or am I still being too simplistic? I haven't been using KLD- or LKM- > > > > You'd have to remove the whole kld code then, including all > > linker_file stuff. > > > > And, given that, you can still use /dev/mem to manipulate the kernel. > > Simple fix to all this is: sysctl kern.securelevel=1. > > The manpage (and the code of both kldload() syscall and > linker_load_file()) explains it clearly: > > % man 8 init > > 1 Secure mode - the system immutable and system append-only flags may > not be turned off; disks for mounted filesystems, /dev/mem, and > /dev/kmem may not be opened for writing; kernel modules (see > kld(4)) may not be loaded or unloaded. > > So, on securelevels >=1 neither modules can be loaded, nor /dev/mem > and /dev/kmem tampered with. > > Guys, this has a simple and elegant solution. Raise your securelevel, > if you are worried so much. You don't have to do some special > kernel-hacker magic. As I wrote to someone else "off line", there are instances where securelevel cannot be used. An X server is the most documented instance. At >1, log rotation (and/or other O_CREAT open()s) may well be broken. Maybe at =1 too? I haven't messed with securelevel (no spare box |-( ), so I have no experience; I'm just going by the man page. Does "system append-only flags may not be turned off" at >=1 prevent file creation? Having said that, I'm certainly not demeaning or bemoaning securelevel's usefulness and power. > -giorgos Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message