On Sun, Jun 17, 2001 at 01:21:45PM +0300, Juha Jäykkä wrote:
> > lcap CAP_SYS_MODULE CAP_SYS_RAWIO
> >
> > which will disable module loading entirely as well as access to
> > /dev/mem (which can be just as dangerous as a kernel module and would
> > bypass your signed module thing nicely).
>
> Which means: so long, X. I have a workstation and using X is,
> naturally, necessary (in fact, it is paramount since 3D rendering
> without Xfree4's opengl is horrible). Thus this option is out. How
> about compiling the kernel without module support in the first place?
> The problem of /dev/mem would remain, but if the kernel does not know
> about modules, is it a problem?
Compiling without module support would be mostly the same as just lcap CAP_SYS_MODULE; leaving /dev/mem open leaves you open regardless of how you stop module loading.

I suggest installing all security updates immediately when they arrive and a vigilant sysadmin. Those will keep your box uncompromised better than anything (except turning it off).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
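An added audit script, not part of the thread, that shows what each approach discussed above does and does not close: it decodes a capability bounding-set mask for CAP_SYS_MODULE (bit 16) and CAP_SYS_RAWIO (bit 17), the two capabilities the lcap line removes, and then reports the state of /dev/mem and of the kernel's module-loading switch. It assumes a Linux host with bash and reads the current bounding set from the modern /proc/self/status CapBnd field rather than the /proc/sys/kernel/cap-bound file that lcap used in 2001; the sample masks in the comments are constructed.

```bash
#!/bin/bash
# Capability numbers from the Linux capability list.
CAP_SYS_MODULE=16   # load/unload kernel modules
CAP_SYS_RAWIO=17    # raw I/O, including /dev/mem and /dev/kmem

# cap_present MASK BIT -> prints 1 if capability BIT is set in the hex MASK
# (e.g. a CapBnd value such as 000001ffffffffff), otherwise 0.
cap_present() {
    local mask="$1" bit="$2"
    if (( (0x$mask >> bit) & 1 )); then echo 1; else echo 0; fi
}

# bounding_set_report MASK -> one line per capability of interest,
# "<name> present" or "<name> dropped".  A box hardened with
# "lcap CAP_SYS_MODULE CAP_SYS_RAWIO" should show both as dropped.
bounding_set_report() {
    local mask="$1" name
    for name in CAP_SYS_MODULE CAP_SYS_RAWIO; do
        if [ "$(cap_present "$mask" "${!name}")" = 1 ]; then
            echo "$name present"
        else
            echo "$name dropped"
        fi
    done
}

# current_capbnd -> bounding-set mask of this process (empty if unavailable).
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null
}

# devmem_check -> whether /dev/mem exists and who may open it.  Even with
# module loading gone, a root-writable /dev/mem still gives kernel access,
# which is the point made in the reply above.
devmem_check() {
    if [ -e /dev/mem ]; then
        stat -c '/dev/mem mode %a owner %U:%G' /dev/mem 2>/dev/null || ls -l /dev/mem
    else
        echo "/dev/mem absent"
    fi
}

# modules_disabled_check -> the modern one-way sysctl that mirrors "compile
# without module support": once set to 1 it cannot be cleared until reboot.
modules_disabled_check() {
    local f=/proc/sys/kernel/modules_disabled
    [ -r "$f" ] && echo "kernel.modules_disabled = $(cat "$f")" || echo "kernel.modules_disabled unavailable"
}

bounding_set_report "$(current_capbnd)"; devmem_check; modules_disabled_check
```

With the full bounding set 000001ffffffffff both capabilities report present; with 000001fffffcffff (bits 16 and 17 cleared) both report dropped.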