Date: Tue, 28 May 2002 15:17:55 +0200
From: Jens Rehsack <rehsack@liwing.de>
To: Rafter Man <rafter@linuxmail.org>
Cc: questions@freebsd.org
Subject: Re: Kernel modules
Message-ID: <3CF38383.1732BF6C@liwing.de>
References: <20020528131208.6026.qmail@linuxmail.org>

1st: reply to all, so that the list can read your answers.

Rafter Man wrote:
>
> ----- Original Message -----
> From: Jens Rehsack <rehsack@liwing.de>
>
> > Rafter Man wrote:
> > >
> > > Hi FreeBSD'ers
> > >
> > > From a security point of view, I am not so happy about kernel modules being loaded dynamically.
> >
> > AFAIK linux has many kernel components which are available as module only, too.
> > As in linux you can tell freebsd which kernel modules it has to build (and which not).
>
> Ok, so I can load the modules and then set the securelevel, so no more can be loaded?

read http://www.freeBSD.org/handbook/securing-freebsd.html

But this may not be useful. Be sure about the consequences of doing that.
You never can set a securelevel back. Maybe jails may be more useful if you
expect being hacked, because root of jail != root of machine.

> > > I know you can change the securelevel, so this can't be done, but my question is: In the
> > > future, will all kernel modules also be available through a static kernel?
> > ??? Some things don't make sense in a static kernel. Another point is uptime,
> > it's (as far as the interface keeps) easier to reload a kernel module than the kernel :-),
> > and if uptime is important (f.e. 99.999% per year) it's more secure having kernel modules.
>
> Ok, but it is because I don't want a cracker loading modules like linux support for his exploit
> or bpf for his sniffers.

So (do not compile them and protect /modules) or (set kern.securelevel=1).
But remember: you cannot turn this back. A good local firewall (see
http://www.ipfilter.org/) may be recommended, or starting your daemons in a
jail with a public ip address and the machine with a private one. It is much
more difficult hacking a machine with a private ip address, and nearly
impossible to do it from jail.

And it's impossible to load a kernel module within a jail (AFAIK)

Jens

> br
> rafter
> --
> Get your free email from www.linuxmail.org
>
> Powered by Outblaze

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
e-Mail: <rehsack@liwing.de>
http://www.liwing.de/
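
The load-then-lock approach discussed in this thread can be checked with a small audit script. This is an added example, not part of the original message; the function names, the watch list and the sample `kldstat` output are constructed for illustration, and on a FreeBSD host the inputs would come from `sysctl -n kern.securelevel` and `kldstat`.

```shell
#!/bin/sh
# Added example: report whether kld loading is locked and which watched
# modules are already resident. All names below are hypothetical.

# Constructed kldstat-style sample (not captured from a real host).
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 2f6d1c   kernel
 2    1 0xc0c4a000 12000    linux.ko
 3    1 0xc0c5c000 4000     procfs.ko'

# Modules the thread is worried about; the list is an assumption.
WATCHLIST='linux bpf'

# Exit 0: loading blocked (securelevel >= 1). 1: still possible. 2: bad input.
modload_locked() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 2 ;;
    esac
    [ "$1" -ge 1 ]
}

# Reads kldstat output on stdin; prints watched modules that are loaded.
loaded_watched() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " ") }
        NR > 1 {                          # skip the header row
            name = $NF; sub(/\.ko$/, "", name)
            for (i = 1; i <= n; i++) if (name == w[i]) print name
        }'
}

# $1 = securelevel value, $2 = kldstat output
audit() {
    hits=$(printf '%s\n' "$2" | loaded_watched "$WATCHLIST" | tr '\n' ' ')
    rc=0; modload_locked "$1" || rc=$?
    case $rc in
        0) state=locked ;;
        1) state=open ;;
        *) state=unknown ;;
    esac
    printf 'kldload=%s watched_loaded=%s\n' "$state" "${hits% }"
}

# On FreeBSD: audit "$(sysctl -n kern.securelevel)" "$(kldstat)"
audit 1 "$SAMPLE_KLDSTAT"
audit -1 "$SAMPLE_KLDSTAT"
```

A watched module that shows up while the state is `locked` was loaded before the securelevel was raised, so it stays resident until the next reboot.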