[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: from / to /usr/: a summary

On Mon, Dec 26, 2011 at 11:38:10AM +0100, Iustin Pop wrote:
> On Sun, Dec 25, 2011 at 12:08:57PM +0000, Philipp Kern wrote:
> > On 2011-12-25, Stephan Seitz <stse+debian@fsing.rootsland.net> wrote:
> > > All admins I know have at least some servers with custom kernels (in the
> > > past it was said, to build your firewall/server kernels without module
> > > support, so that no rootkit module could be loaded).
> > No longer needed.  See /proc/sys/kernel/modules_disabled.
> That's not equivalent - an attacker that can load modules can also
> remove the init script that sets this variable to 1 and reboot the
> machine.
> For proper safeguarding you still want no module support in the kernel
> at all.

Sorry, but what kind of argumentation is that?  If the admin doesn't notice
reboots and/or file tampering, I could just replace the kernel with my modified
one and reboot.  Now of course you could increase your paranoia and boot the
kernel from an immutable disc.  But then I'd just load all relevant modules in
the initramfs and set modules_disabled there instead of doing custom built
kernels just to get rid of modules.

Kind regards
Philipp Kern

Attachment: signature.asc
Description: Digital signature

Reply to: