| 1 |
On Sun, Mar 29, 2009 at 08:43, Alex Efros |
| 2 |
<powerman@××××××××××××××××××.com> wrote: |
| 3 |
> On servers I build kernel without module support. But on workstation it's |
| 4 |
> impossible to avoid using kernel modules: vmware-modules, nvidia-drivers... |
| 5 |
<snip> |
| 6 |
> |
| 7 |
> Is it have sense to patch /etc/vmware/init.d/vmware this way on hardened |
| 8 |
> systems in vmware ebuild by default? |
| 9 |
|
| 10 |
Opinion: module load prevention, like TPE, is an edge case of |
| 11 |
hardening - it has its place but its utility is sufficiently narrow |
| 12 |
that the majority of hardened users I know of don't use it. If you're |
| 13 |
that tightly controlled, you should be vetting the packages |
| 14 |
individually anyway, and should be able to add the patching as an |
| 15 |
acceptance-testing test. Controlling root (via a MAC or otherwise) |
| 16 |
may be a more tenable approach. |
| 17 |
|
| 18 |
FWIW, maintaining a local overlay repository is rather trivial and may |
| 19 |
be an option you want to pursue if you want to just maintain your own |
| 20 |
init scripts in a packaged form. If you do it well enough and in a |
| 21 |
reasonable manner that doesn't overly interfere with other uses for |
| 22 |
the package, you can probably submit it upstream and get it accepted. |
Archives