
Bug#605090:



For those following along at home, I would suggest booting the grsec
enabled kernel once - then saving the output of `sudo lsmod` into a
file. Take every module you want (i.e. all of them) and put the list
into /etc/initramfs-tools/modules - then you'll need to run
`dpkg-reconfigure linux-image-4.3.0-1-grsec-amd64` to ensure that
those modules are in the initramfs at boot time.

This should allow you to disable all module loading and thus close a
rather serious vulnerability: the ability to load kernel modules if
you are root. If the attacker has to force you to reboot, it also
means that the attacker has to leave a trace behind... First reboot
and make sure that it works and if it does, then set the sysctl
'kernel.modules_disabled=1' in /etc/sysctl.d/grsec.conf to stop all
module loading after that sysctl is set. This is also probably a fine
time to have finished your grsec tuning and so you can also probably
set `kernel.grsecurity.grsec_lock=1` as well.

The above may not work for everyone - and you may want to trim the
/etc/initramfs-tools/modules file to be less than the full output of
`lsmod` - ykmmv...


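The lsmod-to-initramfs step described in the message above, as an added example that is not part of the original report: it turns `lsmod` output into the one-name-per-line format of /etc/initramfs-tools/modules, merges it without duplicating entries, and checks whether `kernel.modules_disabled` has actually taken effect. The helper names and the sample `lsmod` output are constructed for this example.

```shell
#!/bin/sh
# Build the /etc/initramfs-tools/modules list from `lsmod` output, then
# verify that module loading is really locked down after the sysctl.
# Added example: the file path, package name and sysctl come from the
# report; the function names and sample data are assumed/constructed.

# Convert lsmod output (read on stdin) to one module name per line:
# skip the header row, keep only the first column, de-duplicate.
lsmod_to_initramfs_list() {
    awk 'NR > 1 && NF >= 1 { print $1 }' | sort -u
}

# Merge a module list (stdin) into an existing initramfs-tools modules
# file ($1) without repeating names already present. Comment lines in
# the existing file are left untouched.
merge_into_modules_file() {
    target="$1"
    [ -f "$target" ] || : > "$target"
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        grep -qx "$mod" "$target" || printf '%s\n' "$mod" >> "$target"
    done
}

# True when the running kernel reports kernel.modules_disabled=1, i.e.
# the sysctl from /etc/sysctl.d/grsec.conf is in force after the reboot.
modules_disabled_active() {
    [ "$(sysctl -n kernel.modules_disabled 2>/dev/null)" = "1" ]
}

# Constructed sample lsmod output (not captured from a real machine).
SAMPLE_LSMOD='Module                  Size  Used by
ext4                  585728  1
mbcache                16384  1 ext4
jbd2                  106496  1 ext4
crc16                  16384  1 ext4
e1000e                249856  0
ptp                    20480  1 e1000e'

# Usage on a real host (as root, once, booted into the grsec kernel):
#   lsmod | lsmod_to_initramfs_list | merge_into_modules_file /etc/initramfs-tools/modules
#   dpkg-reconfigure linux-image-4.3.0-1-grsec-amd64
#   reboot, confirm everything works, then set kernel.modules_disabled=1
#   in /etc/sysctl.d/grsec.conf and confirm with: modules_disabled_active
```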