From: Jens Rehsack
Organization: LiWing IT-Services
Date: Tue, 28 May 2002 15:17:55 +0200
To: Rafter Man
Cc: questions@freebsd.org
Subject: Re: Kernel modules
Message-ID: <3CF38383.1732BF6C@liwing.de>
References: <20020528131208.6026.qmail@linuxmail.org>

1st: reply to all, so that the list can read your answers.

Rafter Man wrote:
>
> ----- Original Message -----
> From: Jens Rehsack
>
> > Rafter Man wrote:
> > >
> > > Hi FreeBSD'ers
> > >
> > > From a security point of view, I am not so happy about kernel modules being loaded dynamically.
> >
> > AFAIK linux has many kernel components which are available as modules only, too.
> > As in linux, you can tell freebsd which kernel modules it has to build (and which not).
>
> Ok, so I can load the modules and then set the securelevel, so no more can be loaded?

read http://www.freeBSD.org/handbook/securing-freebsd.html

But this may not be useful. Be sure about the consequences of doing that. You can never set a securelevel back. Maybe jails may be more useful if you expect being hacked, because root of jail != root of machine.

> > > I know you can change the securelevel, so this can't be done, but my question is: In the
> > > future, will all kernel modules also be available through a static kernel?
> >
> > ??? Some things don't make sense in a static kernel. Another point is uptime,
> > it's (as far as the interface keeps) more easy to reload a kernel module than the kernel :-),
> > and if uptime is important (f.e. 99.999% per year) it's more secure having kernel modules.
>
> Ok, but it is because I don't want a cracker loading modules like linux support for his exploit
> or bpf for his sniffers.

So (do not compile them and protect /modules) or (set kern.securelevel=1). But remember: you cannot turn this back. A good local firewall (see http://www.ipfilter.org/) may be recommended, or starting your daemons in a jail with a public ip address and the machine with a private one. It is much more difficult hacking a machine with a private ip address, and nearly impossible to do it from a jail. And it's impossible to load a kernel module within a jail (AFAIK).

Jens

> br
> rafter
> --
> Get your free email from www.linuxmail.org
>
> Powered by Outblaze

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/
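The securelevel advice in the thread (raise kern.securelevel so kldload is refused, and avoid having modules such as linux.ko loaded that nobody needs) as an added audit helper. This is example code, not from the thread or from FreeBSD; it assumes a host where `sysctl -n kern.securelevel` and `kldstat` exist, and runs here on constructed sample output rather than a live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host against the securelevel/kld advice.
# On FreeBSD the inputs would come from `sysctl -n kern.securelevel` and `kldstat`;
# the sample below is constructed so the script runs and tests anywhere.

# securelevel_blocks_kld LEVEL -> "yes" if kernel modules can no longer be loaded or
# unloaded at this level (securelevel >= 1), "no" otherwise, "unknown" if not an integer.
securelevel_blocks_kld() {
    case "$1" in
        ''|*[!0-9-]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -ge 1 ]; then echo yes; else echo no; fi
}

# kld_names KLDSTAT_OUTPUT -> one loaded module name per line (the kernel itself included)
kld_names() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $NF }'
}

# kld_audit LEVEL KLDSTAT_OUTPUT -> one line per finding; returns 0 when the host matches
# the thread's advice (securelevel set, no linux.ko loaded), 1 otherwise.
kld_audit() {
    level="$1"; out="$2"; rc=0
    if [ "$(securelevel_blocks_kld "$level")" != yes ]; then
        echo "WARN kern.securelevel=$level: kldload still allowed (set kern_securelevel=\"1\" and kern_securelevel_enable=\"YES\" in rc.conf)"
        rc=1
    fi
    for m in $(kld_names "$out"); do
        case "$m" in
            kernel)   ;;
            linux.ko) echo "WARN $m loaded: Linux binary compatibility is available to every local process"; rc=1 ;;
            *)        echo "INFO $m loaded" ;;
        esac
    done
    return $rc
}

# Constructed kldstat output in the FreeBSD 4.x layout, not captured from a real host.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 2d9a18   kernel
 2    1 0xc0e7c000 13000    linux.ko'

# On a live FreeBSD host, run instead:
# kld_audit "$(sysctl -n kern.securelevel)" "$(kldstat)"
```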