LKM support (Was: Re: possible compromise or just misreading logs)
Crist J. Clark
cristjc at comcast.net
Mon Dec 8 20:01:47 PST 2003
On Mon, Dec 08, 2003 at 12:37:15PM -0500, Damian Gerow wrote:
> Thus spake Steve Francis (steve at expertcity.com) [08/12/03 12:30]:
> > And just adding my voice to the "tripwire is good to run, but not a
> > panacea" argument - if a machine gets a KLM loaded in a compromise,
> > there is no way tripwire can be assured it is verifying the binary it
> > asks the kernel for information about. Nothing to stop the compromised
> > kernel returning the original binary for all requests, except for those
> > needed to do Evil. If you get a root compromise so that a KLM can be
> > loaded, all bets are off. Short of that, I think tripwire makes it very
> > very hard to change files on a system w/o being detected. As long as
> > that is all the faith you put in tripwire, and use it to verify just that
> > purpose and no more, it's great, and it (or something like it, like AIDE)
> > is essential.
>
> On that note, is there any way to disable LKM support in FreeBSD? Or is
> that what NO_MODULES does?
No, it doesn't. I have some really, really old patches that do
this. Check the URL in the .sig. Let me know if they no longer work.
--
Crist J. Clark                     | cjclark at alum.mit.edu
                                   | cjclark at jhu.edu
http://people.freebsd.org/~cjc/    | cjc at freebsd.org
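One defender-side check this thread points at, written here as an added example that is not part of any message in the thread and not Crist Clark's patches: a POSIX shell script that flags kernel modules present in current kldstat(8) output but absent from a saved baseline, and reports whether kern.securelevel is at least 1, the level at which FreeBSD refuses to load or unload kernel modules. The kldstat lines, the module names and the function names are constructed for the demonstration; on a real host you would feed the functions the output of `kldstat` and `sysctl -n kern.securelevel`.

```shell
#!/bin/sh
# Added example (not from the thread): baseline comparison of loaded kernel
# modules plus a securelevel check. All sample data below is constructed.

# Constructed kldstat(8) output saved at install time (the baseline).
BASELINE='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f0b0f0  kernel
 2    1 0xffffffff82310000 3a8c     acpi.ko'

# Constructed "current" output with one extra module loaded since the baseline.
CURRENT="$BASELINE
 3    1 0xffffffff82320000 2110     unknown_example.ko"

# Read kldstat output on stdin, emit the Name column (5th field), one per
# line, sorted and de-duplicated; the header line is skipped.
module_names() {
    awk 'NR > 1 { print $5 }' | sort -u
}

# unexpected_modules BASELINE_TEXT CURRENT_TEXT
# Prints modules found in CURRENT_TEXT but not in BASELINE_TEXT.
# Returns 0 when nothing unexpected is loaded, 1 otherwise.
unexpected_modules() {
    baseline_names=$(printf '%s\n' "$1" | module_names)
    extra=""
    for m in $(printf '%s\n' "$2" | module_names); do
        # -x: whole-line match, so "acpi.ko" does not match "acpi.ko.old"
        if ! printf '%s\n' "$baseline_names" | grep -qx "$m"; then
            extra="$extra $m"
        fi
    done
    extra=${extra# }
    [ -n "$extra" ] && printf '%s\n' "$extra"
    [ -z "$extra" ]
}

# securelevel_blocks_kld LEVEL
# Returns 0 when the given kern.securelevel value (1 or higher) makes the
# kernel refuse kld load/unload, 1 when modules can still be loaded.
securelevel_blocks_kld() {
    [ "$1" -ge 1 ]
}

# Demonstration run on the constructed inputs.
if extra=$(unexpected_modules "$BASELINE" "$CURRENT"); then
    echo "no modules beyond the baseline"
else
    echo "modules loaded that are not in the baseline: $extra"
fi
securelevel_blocks_kld 0 || echo "securelevel 0: kernel modules can still be loaded"
```

The same caveat Steve raises for tripwire applies here: kldstat output comes from the running kernel, so a kernel that has already been modified can answer with whatever module list it likes. The baseline comparison is a cheap way to notice an unexpected module on a machine that has not been compromised yet; the securelevel check is what actually stops a module from being loaded once the system is up.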