On 13 Feb 2002 03:35 PM, Anthony DeRobertis wrote:

> > But if the machine is restarted, those changes either do not
> > persist (same kernel) or are quite obvious (modified kernel
> > overwrites the old one, etc). On the other hand, having a
> > hostile module inserted into the kernel not only allows
> > persistence, it is much harder to detect with IDS tools.
>
> Huh? How is that any different? Assuming you reboot off clean
> media to check for security issues (of course you do), loading a
> module automatically will show as a change in some file on the
> file system.

Hmm, this is true. At this point, I was going on the advice I've been given and what I've read in documentation and such, so my rationale may indeed be flawed. I have not, knock on wood, had a box compromised in any way, so I have no practical experience in that regard. Whether that's the result of my security efforts, or just pure luck, who knows.

> > Linux has an abundance of malicious LKMs, ready for anyone
> > to download and implement, so I see this as a primary method
> > to potentially exploit my system. YMMV.
>
> There are the same for systems without modules, unfortunately.
> I've seen it published on the web. No URL; sorry. Maybe Google
> can find it.

Yeah, I've heard tidbits on them, but I don't know anything substantial about it. I should probably make that "further reading".

> > I'm not saying this is the answer to every possible scenario.
> > There are a number of other items to tick off the "security
> > checklist", such as read-only media. When added up, they make
> > it a lot harder for the casual skript kiddie to come along and
> > wreak havoc -- and hopefully less-than-determined blackhats --
> > but I don't for a minute think I'm impenetrable.
>
> Here, we agree completely.

And I never meant to debate whether any given method could be overridden, although it seems to have turned into that. I should know better.... the stock answer to the original BIND problem would be "chroot jail", which itself can supposedly be broken out of. I was just trying to give the original inquirer some ideas to implement, out of a vast potential. I'm no authority on Linux, much less this topic, so I tried to qualify many of those points in my original message. Sorry if there was any confusion; I'm always up for (constructive) criticism when I'm wrong.

Jeff Bonner
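An offline check of the kind DeRobertis describes, as an added example that is not part of the thread: hash the suspect file system (mounted from a boot off clean media) against a baseline taken when the box was known good, and report any new or changed module-autoload file. The autoload paths and the sample tree are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile

# Files that decide which modules load at boot (assumption: paths as on a
# 2.4-era Linux system; adjust for the distribution being audited).
AUTOLOAD_FILES = {"etc/modules", "etc/modules.conf"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return hashes

def audit(root, baseline):
    """Compare the mounted suspect tree against the clean-media baseline.
    A new or changed autoload file is the on-disk trace an auto-loaded
    hostile module must leave, so it is reported separately."""
    now = snapshot(root)
    added = sorted(set(now) - set(baseline))
    missing = sorted(set(baseline) - set(now))
    modified = sorted(r for r in now if r in baseline and now[r] != baseline[r])
    autoload = sorted(r for r in added + modified if r in AUTOLOAD_FILES)
    return {"added": added, "missing": missing, "modified": modified, "autoload": autoload}

def demo():
    """Constructed scenario: baseline a clean tree, then simulate a module
    object being dropped into lib/modules and wired into /etc/modules."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
    write("etc/modules", "lp\n")
    write("etc/modules.conf", "alias eth0 3c59x\n")
    write("lib/modules/2.4.17/misc/lp.o", "clean-module-bytes")
    baseline = snapshot(root)
    write("etc/modules", "lp\nrogue\n")                      # autoload entry added
    write("lib/modules/2.4.17/misc/rogue.o", "rogue-bytes")  # new module file
    return audit(root, baseline)
```

Running `demo()` reports `etc/modules` under both `modified` and `autoload`, and the dropped `rogue.o` under `added`.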