Date: Sat, 8 Sep 2001 20:47:34 -0500 From: D J Hawkey Jr <hawkeyd@visi.com> To: Giorgos Keramidas <charon@labs.gr> Cc: Alexander Langer <alex@big.endian.de>, deepak@ai.net, freebsd-security@freebsd.org Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908204734.A80568@sheol.localdomain> In-Reply-To: <20010909003011.B6949@hades.hell.gr>; from charon@labs.gr on Sun, Sep 09, 2001 at 12:30:11AM %2B0300 References: <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de> <20010909003011.B6949@hades.hell.gr>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sep 09, at 12:30 AM, Giorgos Keramidas wrote:
>
> From: Alexander Langer <alex@big.endian.de>
> Subject: Re: Kernel-loadable Root Kits
> Date: Sat, Sep 08, 2001 at 08:39:35PM +0200
>
> > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> >
> > > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > > altogether, it should be a build-time option, and it should have nothing
> > > to over-ride this.
> > > Or am I still being too simplistic? I haven't been using KLD- or LKM-
> >
> > You'd have to remove the whole kld code then, including all
> > linker_file stuff.
> >
> > And, given that, you can still use /dev/mem to manipulate the kernel.
>
> Simple fix to all this is: sysctl kern.securelevel=1.
>
> The manpage (and the code of both kldload() syscall and
> linker_load_file()) explains it clearly:
>
> % man 8 init
>
> 1 Secure mode - the system immutable and system append-only flags may
> not be turned off; disks for mounted filesystems, /dev/mem, and
> /dev/kmem may not be opened for writing; kernel modules (see
> kld(4)) may not be loaded or unloaded.
>
> So, on securelevels >=1 neither modules can be loaded, nor /dev/mem
> and /dev/kmem tampered with.
>
> Guys, this has a simple and elegant solution. Raise your securelevel,
> if you are worried so much. You don't have to do some special
> kernel-hacker magic.
As I wrote to someone else "off line", there are instances where
securelevel cannot be used. An X server is the most documented instance.
At >1, log rotation (and/or other O_CREAT open()s) may well be broken.
Maybe at =1 too? I haven't messed with securelevel (no spare box |-( ),
so I have no experience; I'm just going by the man page. Does "system
append-only flags may not be turned off" at >=1 prevent file creation?
Having said that, I'm certainly not demeaning or bemoaning securelevel's
usefulness and power.
> -giorgos
Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908204734.A80568>