[GLLUG] monolithic kernel (debian 3.0) and ethernet devices

Ben Pfaff blp@cs.stanford.edu
21 Mar 2002 11:37:38 -0800


djf2 <djf2@danu.ili.net> writes:

> On Thu, 21 Mar 2002, Matt Graham wrote:
> 
> > On Thursday 21 March 2002 11:54, you wrote:
> > > So for security reasons I've compiled my IPSec enabled (freeswan) and
> > > Masquerading enabled kernel monolithically
> > 
> > I've never understood why people would do that.  It doesn't provide any 
> > security benefits that I can see, since you have to be root anyway to 
> > load a module.  If a malicious attacker gets root on your machine, 
> > you're screwed whether or not the attacker loads a new module.  
>    
>      I know at least one reason that people do it is because a rogue
> module can make it awfully hard to tell if you've been rooted.
> [...]

According to Alan Cox, IIRC, many rootkits now can modify the
kernel by hand with an included linker whether modules are
enabled or not, so that the "security" that this provides is
really just a false feeling.
-- 
"[I]n this era of constant innovation,
 it takes a special kind of person to look evolution in the eye
 and say "huh?"."
--Chris Hacking