| 1 |
On 11/18/2012 2:39 PM, Duncan wrote: |
| 2 |
> Peter Stuge posted on Sun, 18 Nov 2012 19:00:59 +0100 as excerpted: |
| 3 |
> |
| 4 |
>> Forget about the loader. Your knob is in a different configuration, |
| 5 |
>> specifically CONFIG_MODULES=n in the kernel. |
| 6 |
> |
| 7 |
> Just to note now that the specific topic has come up, yes, I am aware of |
| 8 |
> and have that kernel option set to disable module loading. I was simply |
| 9 |
> focusing on userland side, and thus didn't believe the kernel option |
| 10 |
> apropos to that specific discussion. Still, just having a module loading |
| 11 |
> userland on the system doesn't /increase/ security, and in fact, it |
| 12 |
> slightly decreases it, on a system where a deliberate choice has been |
| 13 |
> made to turn kernel module loading functionality off. |
| 14 |
|
| 15 |
Pointing out as a general statement, and not in response to anyone in |
| 16 |
particular, while I, too, am in the camp of minimalistic userlands, there is |
| 17 |
a kind of threshold one hits in this regard where keeping or removing |
| 18 |
something like a couple of module-loading utilities or systemd text files |
| 19 |
around really isn't going to increase or decrease your security /by that |
| 20 |
much/. </run-on-sentence> |
| 21 |
|
| 22 |
I mean, if someone gains unauthorized access to the userland and somehow |
| 23 |
uses these unused components to launch an attack, successful or not, well, |
| 24 |
then there's a LOT of bigger problems to worry about. The goal of security |
| 25 |
isn't to prevent someone from gaining unauthorized access to a system, it's |
| 26 |
to deter them or otherwise make the effort required more than the potential |
| 27 |
gain. |
| 28 |
|
| 29 |
Design network firewalls well, audit the user accounts and review logs |
| 30 |
periodically, enabled hardened options, use PaX/grsec/selinux, deploy an |
| 31 |
IDS/IPS and a SEIM, etc...there's a lot of other things one can do that will |
| 32 |
have a bigger ROI on security than gutting module-loading tools or systemd |
| 33 |
scripts off of a system. Do I like them there? Not really (unless I'm |
| 34 |
developing a kernel driver, then modules come in handy). But it is what it is. |
| 35 |
|
| 36 |
-- |
| 37 |
Joshua Kinard |
| 38 |
Gentoo/MIPS |
| 39 |
kumba@g.o |
| 40 |
4096R/D25D95E3 2011-03-28 |
| 41 |
|
| 42 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 43 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 44 |
|
| 45 |
--Emperor Turhan, Centauri Republic |
Archives