On 13 Jan 2002, Florian Weimer wrote:
> Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:
>
> > On Fri, 11 Jan 2002, Ricardo B wrote:
> > > Isn't there a way to turn module loading off (a way that can't be changed
> > > back - without rebooting) ?
> >
> > None that cannot be undone if you're root in a non-ACL kernel. It gets hard
> > if the kernel has no module support at all, but not impossible.
>
Hmm, am I right in assuming that all (current) non-LKM rootkits use write access on /dev/kmem (/dev/mem)? In any case, patching the kernel so that there's no write access would be a good idea. Does anybody know of programs that need to write to /dev/kmem? There are some (mostly video drivers) that write there I think, but most should only be reading (like videoboard grabbers).

Another solution could be to randomize (or at least pick a non-standard) GFP_KERNEL, as (in the article) there is no algorithm (yet) to find that value. I'd rather have the box kernel-panic. (Well, not *every* day of course ;-)

Dries
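As an added example (not part of the thread), a POSIX sh audit of the kernel build config for exactly the restriction Dries asks for: no writable /dev/kmem and a /dev/mem that cannot reach system RAM. The Kconfig symbols CONFIG_DEVKKMEM, CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM are the real upstream options that later kernels grew for this; the config snippets fed to it are constructed.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# devmem_audit reads kernel config text on stdin (the format of
# /boot/config-* and /proc/config.gz), prints one finding per line and
# returns 0 only when /dev/kmem is absent and /dev/mem is restricted.
devmem_audit() {
    cfg=$(cat)
    rc=0
    # /dev/kmem gives direct read/write access to kernel virtual memory.
    # Best outcome: not built at all (CONFIG_DEVKMEM unset; the device was
    # removed upstream in 5.13).
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_DEVKMEM=y$'; then
        echo "FAIL CONFIG_DEVKMEM=y: /dev/kmem present, kernel memory writable by root"
        rc=1
    else
        echo "OK   CONFIG_DEVKMEM unset: no /dev/kmem"
    fi
    # STRICT_DEVMEM limits /dev/mem to non-RAM ranges (device BARs etc.),
    # so kernel text and data cannot be patched through it.
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_STRICT_DEVMEM=y$'; then
        echo "OK   CONFIG_STRICT_DEVMEM=y: /dev/mem cannot reach system RAM"
    else
        echo "FAIL CONFIG_STRICT_DEVMEM unset: /dev/mem reaches all physical RAM"
        rc=1
    fi
    # IO_STRICT_DEVMEM additionally blocks MMIO ranges a driver has claimed;
    # advisory only, so it does not change the return code.
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_IO_STRICT_DEVMEM=y$'; then
        echo "OK   CONFIG_IO_STRICT_DEVMEM=y: driver-claimed MMIO blocked"
    else
        echo "WARN CONFIG_IO_STRICT_DEVMEM unset: driver-claimed MMIO still reachable"
    fi
    return $rc
}

# Audit the running kernel from whichever config source is available.
devmem_audit_running() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | devmem_audit
    elif [ -r "/boot/config-$(uname -r)" ]; then
        devmem_audit < "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 2
    fi
}
```

Run `devmem_audit_running` on a host to see the findings; a non-zero return means root still has a write path into kernel memory through a device node.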