LKM support (Was: Re: possible compromise or just misreading logs)
Damian Gerow
damian at sentex.net
Mon Dec 8 09:37:39 PST 2003
Thus spake Steve Francis (steve at expertcity.com) [08/12/03 12:30]:
> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use to verify just that
> purpose and no more, it's great, and it (or something like it, like AIDE)
> is essential.
On that note, is there any way to disable LKM support in FreeBSD? Or is
that what NO_MODULES does?