
Re: single module compile



Message quoted from Shango Oluwa <debw@wenzani.worldonline.co.uk>:

> José,
> 
> I appreciate your advice, but I don't get your meaning completely...
> (a semantics problem)
> 
> Do you mean that drivers should be compiled _into_ the kernel (statically)
> or as modules (dynamic)? So, what practice are you suggesting and what are
> the benefits (more or less)?
> 

   The practice of compiling statically _into_ the kernel, and disabling the
module-loading feature of the Linux kernel, won't allow loading of certain
rootkits that work as modules.

   These rootkits can work without being detected: as they are part of the
kernel, they have all the privileges and can do everything.

   As mentioned by Bernd, the practice of disabling loadable modules alone
won't secure the box by itself, but it aids in reducing risk, especially when
combined with a properly configured Intrusion Detection System (IDS) like
integrit (apt-get install integrit), and remote logging to a dedicated machine
(man syslog), as mentioned in a previous message.

   As a side note, I've found that USB pendrives with a read-only switch work
wonderfully as integrity database containers: when the database needs to be
updated, it's just a matter of flipping the switch while updating/rotating the
record files. Although there's always a window of time in which the integrity
databases are writeable, it can be reduced by scripting this update process and
having quick fingers.

   Properly configured IDSs won't secure a box either; they'll merely inform you
that everything is OK, or otherwise, in case the box has been compromised.




José
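As an added example (not part of José's mail, nor code from the integrit project), the following POSIX shell functions cover two points raised above: checking whether a kernel was built with loadable-module support, and confining the writable window of the integrity database kept on the pendrive to one scripted rotation. The kernel config path, the /proc/modules layout, the database file name integrit.cdb and the remount calls are assumptions; with a hardware read-only switch the remount lines are simply replaced by flipping the switch immediately before and after the call.

```shell
#!/bin/sh
# Added example: module-support check plus a scripted, short-as-possible
# writable window for an integrity database on removable media.
# Assumptions (not from the mail): kernel config at /boot/config-$(uname -r),
# database file name integrit.cdb, and "mount -o remount" for the
# read-only/read-write switch when the medium has no hardware switch.
set -u

DB_NAME=${DB_NAME:-integrit.cdb}   # assumed file name on the pendrive

# modules_enabled CONFIGFILE
# 0 if the config enables loadable modules (CONFIG_MODULES=y),
# 1 if it is "not set" (statically built kernel), 2 if unreadable.
# Live usage: modules_enabled /boot/config-$(uname -r)
modules_enabled() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    grep -q '^CONFIG_MODULES=y' "$cfg"
}

# modules_loaded_count [PROCFILE]
# Prints the number of entries in /proc/modules (one module per line).
# A kernel without module support has no such file, so 0 is printed.
modules_loaded_count() {
    f=${1:-/proc/modules}
    [ -r "$f" ] || { echo 0; return; }
    grep -c . "$f"
}

# Only remount when DIR really is a mount point; a plain directory
# (as used when testing offline) is left alone.
db_dir_is_mounted() {
    command -v mountpoint >/dev/null 2>&1 && mountpoint -q "$1"
}

# update_integrity_db MOUNTPOINT NEWDB
# NEWDB is the freshly generated database (e.g. what "integrit -u" wrote).
# The medium is writable only between the two remounts: the previous
# database is kept as $DB_NAME.old, the new one is copied to a temp name,
# verified with cmp, renamed into place, then the medium goes read-only
# again. Returns non-zero if the copy did not verify or the remount failed.
update_integrity_db() {
    mnt=$1; newdb=$2
    [ -d "$mnt" ] && [ -s "$newdb" ] || return 1
    if db_dir_is_mounted "$mnt"; then
        mount -o remount,rw "$mnt" || return 1
    fi
    start=$(date +%s)
    [ -f "$mnt/$DB_NAME" ] && mv "$mnt/$DB_NAME" "$mnt/$DB_NAME.old"
    rc=1
    if cp "$newdb" "$mnt/$DB_NAME.tmp" && cmp -s "$newdb" "$mnt/$DB_NAME.tmp"; then
        mv "$mnt/$DB_NAME.tmp" "$mnt/$DB_NAME" && rc=0
    fi
    sync
    if db_dir_is_mounted "$mnt"; then
        mount -o remount,ro "$mnt" || rc=1
    fi
    echo "writable window: $(( $(date +%s) - start )) s" >&2
    return $rc
}

# db_is_read_only MOUNTPOINT
# 0 if a write attempt on the medium fails (the state you want between
# updates); 1 if the write succeeded, in which case the probe is removed.
db_is_read_only() {
    if touch "$1/.rwprobe" 2>/dev/null; then
        rm -f "$1/.rwprobe"
        return 1
    fi
    return 0
}
```

After each update, run `db_is_read_only` on the mount point as the last step, and treat a success from it as the only acceptable end state; a writable database container defeats the point of the pendrive.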
