Hi!

On Fri, Feb 24, 2006 at 11:37:08AM +0100, Daniel Struck wrote:
> "*Kernel-Guard:* It is a sort of rootkit that prevents anyone, including
> root, from loading or unloading modules...."
>
> Is it wise to run this "kernel-guard"
> (http://www.informatik.uni-freiburg.de/~alsbiha/code.htm)?
>
> Amir Alsbih, who found out how to write a rootkit for the 2.6 series of
> the Linux kernel, now proposes a module which uses the same method to
> prevent any other module from loading into memory.

The latest version of hardened-sources has a GrSecurity option for this:

---cut---
Runtime module disabling (GRKERNSEC_MODSTOP) [N/y/?] (NEW) ?

If you say Y here, you will be able to disable the ability to (un)load
modules at runtime. This feature is useful if you need the ability
to load kernel modules at boot time, but do not want to allow an
attacker to load a rootkit kernel module into the system, or to remove
a loaded kernel module important to system functioning. You should
enable the /dev/mem protection feature as well, since rootkits can be
inserted into the kernel via other methods than kernel modules. Since
an untrusted module could still be loaded by modifying init scripts and
rebooting the system, it is also recommended that you enable the RBAC
system. If you enable this option, a sysctl option with name
"disable_modules" will be created. Setting this option to "1" disables
module loading. After this option is set, no further writes to it are
allowed until the system is rebooted.
---cut---

-- 
WBR, Alex.
--
gentoo-hardened@g.o mailing list
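An added example, not part of this thread or of grsecurity itself, showing how a late boot script would use the write-once "disable_modules" sysctl the help text describes: load the modules the box needs, then lock, then confirm the lock took. It assumes the sysctl lives at kernel.grsecurity.disable_modules (grsecurity) and also checks mainline's kernel.modules_disabled; SYSROOT is a constructed override so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original thread). Locks runtime module
# (un)loading after boot-time modules are in, as GRKERNSEC_MODSTOP describes.
# SYSROOT defaults to /proc/sys; overriding it lets the functions be run
# against a scratch directory without root or a grsecurity kernel (assumption).
SYSROOT="${SYSROOT:-/proc/sys}"

# Print the path of whichever module-lock sysctl this kernel offers:
# grsecurity's kernel.grsecurity.disable_modules (this thread) or, on
# mainline kernels, kernel.modules_disabled. Returns 1 if neither exists.
modlock_path() {
    for p in "$SYSROOT/kernel/grsecurity/disable_modules" \
             "$SYSROOT/kernel/modules_disabled"; do
        [ -e "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Print the current lock state ("0" or "1"); "unsupported" if no sysctl exists.
modlock_state() {
    p=$(modlock_path) || { echo unsupported; return 1; }
    tr -d '[:space:]' < "$p"
}

# Engage the lock. The kernel accepts exactly one write of "1"; any later
# write (including an attempt to set it back to "0") is refused until reboot,
# so re-read the file afterwards to confirm the lock actually took effect.
modlock_engage() {
    p=$(modlock_path) || { echo "no module-lock sysctl on this kernel" >&2; return 2; }
    if [ "$(modlock_state)" = 1 ]; then
        echo "modules already locked via $p"; return 0
    fi
    echo 1 > "$p" || { echo "write to $p refused" >&2; return 1; }
    [ "$(modlock_state)" = 1 ] || { echo "lock not confirmed" >&2; return 1; }
    echo "module (un)loading disabled until reboot via $p"
}

# Typical use from a late boot script (e.g. Gentoo's /etc/conf.d/local.start):
# load everything the system must have first, then lock.
boot_lock_modules() {
    for m in "$@"; do
        modprobe "$m" || return 1   # module names are supplied by the caller
    done
    modlock_engage
}
```

Because the sysctl is write-once, run boot_lock_modules only after every init script that legitimately loads modules has finished; the help text's point about init-script tampering still applies, which is why it pairs this with RBAC.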