From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: malware-list@lists.printk.net
Subject: Re: TALPA - a threat model? well sorta.
Date: Wed, 13 Aug 2008 22:25:49 -0400

7v5w7go9ub0o wrote:

> 4. Again, my hope for libmalware.so/dazuko is a realtime
> integrity-management link.
>
> HTH
>
> p.s. The question has developed: should this monitor root activities?
> IMHO, the answer is a definite YES! We are most vulnerable during
> software updating; AntiMalware signatures may stop the compilation or
> installation of a Trojan - by root.

I just noticed a separate discussion about integrity-checking LKMs and LSMs.

Obviously, a libmalware.so- or Dazuko-based integrity-checker would block a kernel from loading in a Trojaned LKM - noting that the MD5 had changed, and asking you to block, temporarily allow, or permanently allow the changed module.

Another security benefit of your pursuit.

HTH
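As an added illustration (not code from the post, Dazuko or libmalware.so), this hypothetical Python checker implements the baseline comparison and the block / temporarily allow / permanently allow decision the post describes for a changed module; it hashes module bytes with SHA-256 instead of MD5, and the module images, path and baseline are constructed sample data, not real .ko files.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple

class Verdict(Enum):
    UNCHANGED = "unchanged"        # digest matches the recorded baseline
    BLOCK = "block"                # changed module, load refused
    ALLOW_ONCE = "allow-once"      # changed module, tolerated for this session only
    ALLOW_ALWAYS = "allow-always"  # changed module, becomes the new baseline

def module_digest(data: bytes) -> str:
    # SHA-256 instead of the MD5 named in the post: MD5 collisions are practical today.
    return hashlib.sha256(data).hexdigest()

class ModuleIntegrityChecker:
    """Hypothetical checker holding a baseline of known-good digests per module path."""

    def __init__(self, baseline: Dict[str, str]) -> None:
        self.baseline = dict(baseline)
        self.session_allowed: Set[Tuple[str, str]] = set()

    def check(self, path: str, data: bytes,
              decide: Callable[[str, Optional[str], str], Verdict]) -> Verdict:
        # `decide` stands in for the interactive prompt (block / allow once /
        # allow permanently); it is consulted only when the digest differs.
        digest = module_digest(data)
        if self.baseline.get(path) == digest:
            return Verdict.UNCHANGED
        if (path, digest) in self.session_allowed:
            return Verdict.ALLOW_ONCE
        verdict = decide(path, self.baseline.get(path), digest)
        if verdict is Verdict.ALLOW_ALWAYS:
            self.baseline[path] = digest  # the changed module is the new known-good
        elif verdict is Verdict.ALLOW_ONCE:
            self.session_allowed.add((path, digest))
        return verdict

# Constructed sample data: a fake module image and a tampered copy (not real .ko files).
GOOD_KO = b"\x7fELF constructed good module image"
BAD_KO = GOOD_KO + b" /* constructed tampering */"
MODULE_PATH = "/lib/modules/example/demo.ko"  # placeholder path
BASELINE = {MODULE_PATH: module_digest(GOOD_KO)}

if __name__ == "__main__":
    checker = ModuleIntegrityChecker(BASELINE)
    refuse = lambda path, old, new: Verdict.BLOCK  # administrator answers "block"
    print(checker.check(MODULE_PATH, GOOD_KO, refuse))  # Verdict.UNCHANGED
    print(checker.check(MODULE_PATH, BAD_KO, refuse))   # Verdict.BLOCK
```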