From: "H. Peter Anvin"
To: linux-kernel@vger.kernel.org
Subject: Re: One for the Security Guru's
Date: 23 Oct 2002 12:46:22 -0700
Organization: Transmeta Corporation, Santa Clara CA
X-Mailing-List: linux-kernel@vger.kernel.org
Disclaimer: Not speaking for Transmeta in any way, shape, or form.
Copyright: Copyright 2002 H. Peter Anvin - All Rights Reserved

Followup to: By author: David Lang, in newsgroup: linux.dev.kernel

> yes someone who has root can get the effect of modules by patching
> /dev/kmem directly so eliminating module support does not eliminate all
> risk.
>
> it does however eliminate the use of the rootkits that use kernel modules.
>
> you need to decide if the advantages of using modules are worth it for
> your situation.

One thing about all of this that matters is the following: It's not about how secure your system is. It's about how smart/well equipped/patient the attacker needs to be *once they have already broken into your system*.

I recently had one of my machines broken into, but the service in question was not running as root, and the attacker wasn't able to find any privilege-escalation bugs on my system. I found a whole collection of attempted security violations in a directory in /tmp, and a daemon (called "bind" -- not "named") had been installed to get access to my system again. Needless to say, I cleaned that stuff up, and also got a close look at the rootkit.

Since my machine hadn't succumbed to the rootkit, it seems the attacker had simply moved on. Most of these kinds of attacks are actually automated these days, unless you're a high-value site for them.

The kernel module, and/or replacing common user tools like ps, are usually about trying to hide the existence of whatever intrusion-installed software there is. It really helps more on "springboard" sites than on sites that are the genuine attack targets.

-hpa
-- 
at work, in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
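A practical check for the hiding technique discussed above (a trojaned ps or a kernel module hiding a process, plus a backdoor daemon with an innocent-looking name living under /tmp), as an added example that is not part of the original message and not hpa's code: take several independent views of the process table (listing /proc, the ps binary, and kill(pid, 0) probing, all assumed to be available on a Linux host), report the PIDs on which the views disagree, and flag processes whose executable sits in a world-writable directory, was deleted after exec, or does not match the task name. The SAMPLE_* PID sets and process entries are constructed for illustration, not captured from a real machine.

```python
"""Cross-view process check for a Linux host suspected of carrying a rootkit.

Added example, not code from the original LKML message. A rootkit that
replaces ps, or hooks the kernel's directory listing of /proc from a module,
hides a process from one view of the process table; it rarely hides it from
every view at once. Disagreement between views is the indicator.
"""
import os
import subprocess
from typing import Dict, Iterable, List, Set, Tuple

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def proc_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs as seen by listing /proc (the view an honest ps uses)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def probe_pids(max_pid: int = 32768) -> Set[int]:
    """PIDs as seen by kill(pid, 0), which never touches /proc.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def parse_ps(output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` (one PID per line)."""
    return {int(tok) for tok in output.split() if tok.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs as reported by the ps binary, the view a userland rootkit trojans."""
    run = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True)
    return parse_ps(run.stdout)


def cross_view(views: Dict[str, Set[int]]) -> Dict[int, List[str]]:
    """Return {pid: [names of views that omit it]} for every PID that some
    view lists and some other view omits. Processes starting or exiting
    between snapshots also land here, so rerun before trusting a hit."""
    union: Set[int] = set().union(*views.values())
    result: Dict[int, List[str]] = {}
    for pid in sorted(union):
        missing = [name for name, pids in views.items() if pid not in pids]
        if missing:
            result[pid] = missing
    return result


def read_entries(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """(pid, comm, exe) from /proc/PID/comm and readlink(/proc/PID/exe).
    exe is empty for kernel threads and, when not root, other users' tasks."""
    entries: List[Tuple[int, str, str]] = []
    for pid in sorted(proc_pids(proc_root)):
        base = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # exited meanwhile
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        entries.append((pid, comm, exe))
    return entries


def suspicious(entries: Iterable[Tuple[int, str, str]]) -> Dict[int, List[str]]:
    """Flag processes whose executable location or name is out of place.
    comm is the kernel's task name (basename of the exec'd file, cut to 15
    chars, changeable via prctl(PR_SET_NAME)), so the name check is a weak
    signal; the path checks are strong ones."""
    flagged: Dict[int, List[str]] = {}
    for pid, comm, exe in entries:
        reasons: List[str] = []
        path = exe
        if exe.endswith(" (deleted)"):
            reasons.append("executable deleted since exec")
            path = exe[: -len(" (deleted)")]
        if path.startswith(SUSPECT_DIRS):
            reasons.append("executable under a world-writable temp directory")
        base = os.path.basename(path)
        if base and comm and not (base.startswith(comm) or comm.startswith(base)):
            reasons.append(f"task name {comm!r} does not match binary {base!r}")
        if reasons:
            flagged[pid] = reasons
    return flagged


# Constructed sample data (not from a real system).
SAMPLE_VIEWS = {
    "proc": {1, 742, 1983, 2044, 3100},
    "ps": {1, 742, 2044, 3100},          # trojaned ps drops the backdoor
    "probe": {1, 742, 1983, 2044, 3100},
}
SAMPLE_ENTRIES = [
    (1, "init", "/sbin/init"),
    (742, "named", "/usr/sbin/named"),
    (1983, "bind", "/tmp/.x/bind"),              # backdoor calling itself "bind"
    (2044, "sshd", "/usr/sbin/sshd (deleted)"),  # binary replaced on disk after start
    (3100, "named", "/tmp/.x/bind"),             # renamed itself to look like BIND
]

if __name__ == "__main__":
    print("sample cross-view:", cross_view(SAMPLE_VIEWS))
    print("sample suspicious:", suspicious(SAMPLE_ENTRIES))
    if os.path.isdir("/proc"):  # live check, Linux only
        live = {"proc": proc_pids(), "ps": ps_pids(), "probe": probe_pids()}
        print("live cross-view:", cross_view(live))
        print("live suspicious:", suspicious(read_entries()))
```

A module that hooks both the /proc directory listing and the kill() path defeats this check, which is the point of the message: module support does not change whether the box can be rooted, only how well equipped the attacker has to be to stay hidden afterwards. Run the live check from a known-clean static binary copied onto the host, since the installed python and ps may themselves be replaced.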