Hi!

On Fri, Feb 24, 2006 at 11:37:08AM +0100, Daniel Struck wrote:
> "*Kernel-Guard:* It is a sort of rootkit that prevents anyone, including
> root, from loading or unloading modules...."
> 
> Is it wise to run this "kernel-guard"
> (http://www.informatik.uni-freiburg.de/~alsbiha/code.htm)?
> 
> Amir Alsbih, who found out how to write a rootkit for the 2.6 series of
> the Linux kernel, now proposes a module which uses the same method to
> prevent any other module from loading into memory.

The latest version of hardened-sources has a GrSecurity option for this:

---cut---
  Runtime module disabling (GRKERNSEC_MODSTOP) [N/y/?] (NEW) ?

If you say Y here, you will be able to disable the ability to (un)load
modules at runtime.  This feature is useful if you need the ability
to load kernel modules at boot time, but do not want to allow an
attacker to load a rootkit kernel module into the system, or to remove
a loaded kernel module important to system functioning.  You should
enable the /dev/mem protection feature as well, since rootkits can be
inserted into the kernel via other methods than kernel modules.  Since
an untrusted module could still be loaded by modifying init scripts and
rebooting the system, it is also recommended that you enable the RBAC
system.  If you enable this option, a sysctl option with name
"disable_modules" will be created.  Setting this option to "1" disables
module loading.  After this option is set, no further writes to it are
allowed until the system is rebooted.
---cut---

-- 
                        WBR, Alex.
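An added example (not from the mail above and not grsecurity's own code) of how a late-boot script would apply the option and verify the one-way behaviour the help text describes. The full sysctl path under kernel.grsecurity is assumed from the grsecurity sysctl namespace; the mail only names the leaf "disable_modules". Module names passed to harden_at_boot are placeholders.

```shell
#!/bin/sh
# Added example. Path prefix is an assumption: the mail names only the
# sysctl leaf "disable_modules"; grsecurity knobs live under kernel.grsecurity.
MODSTOP="${MODSTOP:-/proc/sys/kernel/grsecurity/disable_modules}"

# Lock module (un)loading and verify the semantics from the Kconfig help:
# the value must read back as 1 and a second write must be refused.
# Returns 0 = locked and enforced,
#         1 = sysctl absent (kernel built without GRKERNSEC_MODSTOP),
#         2 = value set but the knob still accepts writes (not enforced).
lock_modules() {
    p="${1:-$MODSTOP}"
    [ -e "$p" ] || return 1
    printf '1\n' > "$p" 2>/dev/null || return 2
    [ "$(cat "$p")" = "1" ] || return 2
    # The help text says no further writes are allowed once set; a
    # successful attempt to write 0 means the lock is not enforced.
    if printf '0\n' > "$p" 2>/dev/null; then
        return 2
    fi
    [ "$(cat "$p")" = "1" ] || return 2
    return 0
}

# Typical use at the end of boot: load every module the system needs first
# (the help text notes the option is for systems that load modules at boot),
# then close the door. Module names are placeholders supplied by the caller.
harden_at_boot() {
    for m in "$@"; do
        modprobe "$m" || { echo "modprobe $m failed, not locking" >&2; return 1; }
    done
    lock_modules
}
```

Run harden_at_boot from a script that executes after module-loading services (for example a Gentoo local.d script); a return of 2 on a real system means the kernel did not refuse the second write and the protection should not be relied on.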