On 11/18/2012 2:39 PM, Duncan wrote:
> Peter Stuge posted on Sun, 18 Nov 2012 19:00:59 +0100 as excerpted:
>
>> Forget about the loader. Your knob is in a different configuration,
>> specifically CONFIG_MODULES=n in the kernel.
>
> Just to note now that the specific topic has come up, yes, I am aware of
> and have that kernel option set to disable module loading. I was simply
> focusing on the userland side, and thus didn't believe the kernel option
> apropos to that specific discussion. Still, just having a module loading
> userland on the system doesn't /increase/ security, and in fact, it
> slightly decreases it, on a system where a deliberate choice has been
> made to turn kernel module loading functionality off.

Pointing out as a general statement, and not in response to anyone in
particular, while I, too, am in the camp of minimalistic userlands, there is
a kind of threshold one hits in this regard where keeping or removing
something like a couple of module-loading utilities or systemd text files
around really isn't going to increase or decrease your security /by that
much/. </run-on-sentence>

I mean, if someone gains unauthorized access to the userland and somehow
uses these unused components to launch an attack, successful or not, well,
then there's a LOT of bigger problems to worry about. The goal of security
isn't to prevent someone from gaining unauthorized access to a system, it's
to deter them or otherwise make the effort required more than the potential
gain.

Design network firewalls well, audit the user accounts and review logs
periodically, enable hardened options, use PaX/grsec/selinux, deploy an
IDS/IPS and a SIEM, etc... there's a lot of other things one can do that will
have a bigger ROI on security than gutting module-loading tools or systemd
scripts off of a system. Do I like them there? Not really (unless I'm
developing a kernel driver, then modules come in handy). But it is what it is.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
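The kernel-side controls the thread refers to (CONFIG_MODULES=n, as opposed to whatever loader sits in userland) can be audited directly. The following is an added example, not code from the thread or from Gentoo: it parses a constructed .config fragment for CONFIG_MODULES and, on a live host, reads /proc/config.gz and the kernel.modules_disabled sysctl, both assumed to be present and readable.

```python
# Added example (not from the thread): report whether a Linux kernel can load
# modules at all (CONFIG_MODULES=n) or has loading locked at runtime through
# kernel.modules_disabled=1. SAMPLE_CONFIG below is constructed; the /proc
# paths are standard kernel interfaces that may be absent on a given host.
import gzip
import re
SAMPLE_CONFIG = """# Automatically generated file; DO NOT EDIT.
CONFIG_LOCALVERSION=""
# CONFIG_MODULES is not set
CONFIG_MODULE_SIG=y
"""

def config_value(config_text, option):
    """'y'/'m'/string value, 'n' for '# OPTION is not set', None if absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if line == "# %s is not set" % option:
            return "n"
        m = re.match(r"%s=(.*)$" % re.escape(option), line)
        if m:
            return m.group(1).strip('"')
    return None

def running_kernel_config():
    """Running kernel's config via /proc/config.gz (needs CONFIG_IKCONFIG_PROC)."""
    try:
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    except OSError:
        return None

def modules_disabled_sysctl():
    """True if kernel.modules_disabled=1: a one-way runtime lock that refuses
    further loads even on a CONFIG_MODULES=y kernel. None if unreadable."""
    try:
        with open("/proc/sys/kernel/modules_disabled") as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def verdict(config_text, sysctl_locked):
    """Combine both controls; neither depends on a userland loader existing."""
    modules = config_value(config_text, "CONFIG_MODULES") if config_text else None
    if modules == "n":
        return "compiled out (CONFIG_MODULES=n)"
    if sysctl_locked:
        return "supported but locked (kernel.modules_disabled=1)"
    return "enabled" if modules == "y" else "undetermined (config not readable)"
```

On a live host, `verdict(running_kernel_config(), modules_disabled_sysctl())` gives the verdict for the running kernel; `verdict(SAMPLE_CONFIG, False)` exercises the constructed CONFIG_MODULES=n case.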