| 1 |
Hi! |
| 2 |
|
| 3 |
On Fri, Feb 24, 2006 at 11:37:08AM +0100, Daniel Struck wrote: |
| 4 |
> "*Kernel-Guard:* It is a sort of rootkit, that prevent anyone include |
| 5 |
> the root from loading or unloading modules...." |
| 6 |
> |
| 7 |
> Is it wise to run this "kernel-guard" |
| 8 |
> (http://www.informatik.uni-freiburg.de/~alsbiha/code.htm)? |
| 9 |
> |
| 10 |
> Amir Alsbih, who found out how to write a rootkit for the 2.6 series of |
| 11 |
> the Linux kernel, now proposes a module, which uses the same method to |
| 12 |
> prevent any other module to load into memory. |
| 13 |
|
| 14 |
Last version of hardened-sources has GrSecurity option for this: |
| 15 |
|
| 16 |
---cut--- |
| 17 |
Runtime module disabling (GRKERNSEC_MODSTOP) [N/y/?] (NEW) ? |
| 18 |
|
| 19 |
If you say Y here, you will be able to disable the ability to (un)load |
| 20 |
modules at runtime. This feature is useful if you need the ability |
| 21 |
to load kernel modules at boot time, but do not want to allow an |
| 22 |
attacker to load a rootkit kernel module into the system, or to remove |
| 23 |
a loaded kernel module important to system functioning. You should |
| 24 |
enable the /dev/mem protection feature as well, since rootkits can be |
| 25 |
inserted into the kernel via other methods than kernel modules. Since |
| 26 |
an untrusted module could still be loaded by modifying init scripts and |
| 27 |
rebooting the system, it is also recommended that you enable the RBAC |
| 28 |
system. If you enable this option, a sysctl option with name |
| 29 |
"disable_modules" will be created. Setting this option to "1" disables |
| 30 |
module loading. After this option is set, no further writes to it are |
| 31 |
allowed until the system is rebooted. |
| 32 |
---cut--- |
| 33 |
|
| 34 |
-- |
| 35 |
WBR, Alex. |
| 36 |
-- |
| 37 |
gentoo-hardened@g.o mailing list |
Archives