[GLLUG] monolithic kernel (debian 3.0) and ethernet devices

djf2 djf2@danu.ili.net
Thu, 21 Mar 2002 14:30:17 -0500 (EST)


On Thu, 21 Mar 2002, Matt Graham wrote:

> On Thursday 21 March 2002 11:54, you wrote:
> > So for security reasons I've compiled my IPSec enabled (freeswan) and
> > Masquerading enabled kernel monolithically
> 
> I've never understood why people would do that.  It doesn't provide any 
> security benefits that I can see, since you have to be root anyway to 
> load a module.  If a malicious attacker gets root on your machine, 
> you're screwed whether or not the attacker loads a new module.  
> 

     I know at least one reason that people do it is because a rogue
module can make it awfully hard to tell if you've been rooted.  It's a
matter of damage control after a compromise: some of those rogue modules
can hide files, logins, netstat info, and provide a backdoor for people to
get back into your system without creating an account.  I can't remember
for certain, but I do seem to recall that at least one older module
exploit didn't require the attacker to be root.  Also, there have been
several exploits that will allow an attacker to overwrite arbitrary files.
With an exploit like that it'd be fairly trivial to figure out which
module a system loads and really simple to cause a reboot.  The attacker
wouldn't have had root before that, but he would after it.


--
"Is that sound you're hearing the trumpeting of St. Peter's angels
 or the screams of Memnoch's tortured souls?"
Don Flynn        djf2@ili.net                   Sayge@IRC
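
A worked check for the situation Don describes, added here as an example and
not part of the original post or of any tool mentioned in it: a C program that
cross-checks the kernel's own module list (/proc/modules, which is what lsmod
reads) against the per-module directories under /sys/module. A module that
unlinks itself from the module list to stay out of lsmod has not necessarily
removed its sysfs directory, so the two views disagree and the diff names it.
Two assumptions, since neither comes from the post: /sys/module and its
per-module initstate files are a 2.6+ interface that the 2.4 kernels shipped
with Debian 3.0 do not have, and the /proc/modules text and sysfs entries in
the block are constructed samples (the "hidden_mod" name is made up for the
demonstration).

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_NAME 64
#define MAX_MODULES 512

/* One /sys/module entry: loadable modules carry an "initstate" file, built-in
 * code that merely exports parameters does not. */
struct sysmod { char name[MAX_NAME]; int loadable; };

/* Parse /proc/modules text into names. Only the first field of each line is
 * used, so the 2.4 and 2.6+ line formats both work. Returns the count. */
int parse_proc_modules(const char *text, char names[][MAX_NAME], int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *end = strchr(p, '\n');
        size_t linelen = end ? (size_t)(end - p) : strlen(p), namelen = 0;
        while (namelen < linelen && p[namelen] != ' ' && p[namelen] != '\t')
            namelen++;
        if (namelen > 0 && namelen < MAX_NAME) {
            memcpy(names[n], p, namelen);
            names[n][namelen] = '\0';
            n++;
        }
        if (!end) break;
        p = end + 1;
    }
    return n;
}

/* Cross-view diff: a loadable module that sysfs shows but the kernel's own
 * module list lacks has unlinked itself (the usual LKM rootkit trick).
 * Returns how many were found and copies their names into hidden[]. */
int find_hidden(const char *proc_text, const struct sysmod *sys, int nsys,
                char hidden[][MAX_NAME], int max)
{
    char names[MAX_MODULES][MAX_NAME];
    int n = parse_proc_modules(proc_text, names, MAX_MODULES), found = 0;
    for (int i = 0; i < nsys && found < max; i++) {
        int seen = 0;
        if (!sys[i].loadable) continue;         /* built-in: never listed */
        for (int j = 0; j < n && !seen; j++)
            seen = strcmp(sys[i].name, names[j]) == 0;
        if (!seen) {
            strncpy(hidden[found], sys[i].name, MAX_NAME - 1);
            hidden[found][MAX_NAME - 1] = '\0';
            found++;
        }
    }
    return found;
}

/* Constructed sample views, not captured from a real host. The sysfs view
 * carries one loadable module, "hidden_mod", that /proc/modules lacks. */
const char SAMPLE_PROC_MODULES[] =
    "ipsec 167936 1 - Live 0xffffffffc0a00000\n"
    "ip_tables 28672 1 iptable_nat, Live 0xffffffffc0900000\n"
    "iptable_nat 16384 0 - Live 0xffffffffc0800000\n";
const struct sysmod SAMPLE_SYSFS[] = {
    {"ipsec", 1}, {"ip_tables", 1}, {"iptable_nat", 1},
    {"printk", 0},      /* built-in: parameters only, no initstate file */
    {"hidden_mod", 1},  /* made-up rootkit module, absent from /proc/modules */
};
const int SAMPLE_SYSFS_COUNT = sizeof SAMPLE_SYSFS / sizeof SAMPLE_SYSFS[0];

/* Live scan of the running Linux host. Returns -1 when /proc/modules is
 * missing, which is how a kernel built without module support looks: there
 * is no module list for a rootkit to hide in, and nothing here to check. */
int scan_live_system(char hidden[][MAX_NAME], int max)
{
    static char text[1 << 16];                  /* truncates huge lists */
    struct sysmod sys[MAX_MODULES];
    struct dirent *e;
    int nsys = 0;
    FILE *f = fopen("/proc/modules", "r");
    if (!f) return -1;
    text[fread(text, 1, sizeof text - 1, f)] = '\0';
    fclose(f);
    DIR *d = opendir("/sys/module");
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && nsys < MAX_MODULES) {
        char path[MAX_NAME + 32];
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/sys/module/%.63s/initstate", e->d_name);
        strncpy(sys[nsys].name, e->d_name, MAX_NAME - 1);
        sys[nsys].name[MAX_NAME - 1] = '\0';
        sys[nsys].loadable = access(path, F_OK) == 0;
        nsys++;
    }
    closedir(d);
    return find_hidden(text, sys, nsys, hidden, max);
}

int main(void)
{
    char hidden[MAX_MODULES][MAX_NAME];
    int n = find_hidden(SAMPLE_PROC_MODULES, SAMPLE_SYSFS, SAMPLE_SYSFS_COUNT,
                        hidden, MAX_MODULES);
    printf("sample: %d hidden module(s)%s%s\n", n, n ? ": " : "", n ? hidden[0] : "");
    n = scan_live_system(hidden, MAX_MODULES);
    if (n < 0) printf("live scan skipped: no /proc/modules or /sys/module\n");
    else printf("live: %d loadable module(s) missing from /proc/modules\n", n);
    return 0;
}
```

Run it as root on a live host. A kernel built without module support has no
/proc/modules at all, and the program reports that as nothing to check rather
than as a clean result, which is the property the monolithic build is meant
to give. Treat a discrepancy as the signal and a clean diff as weak evidence:
a careful rootkit deletes its sysfs entry as well, so this should be one of
several independent views of the box (for instance a memory or disk image
examined offline) rather than the only one.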