From: "Henning P. Schmiedehausen" <hps@intermeta.de>
To: linux-kernel@vger.kernel.org
Subject: Re: One for the Security Guru's
Date: Wed, 23 Oct 2002 16:23:13 +0000 (UTC) [thread overview]
Message-ID: <ap6idh$1pj$1@forge.intermeta.de> (raw)
In-Reply-To: 20021023130251.GF25422@rdlg.net
"Robert L. Harris" <Robert.L.Harris@rdlg.net> writes:
> I'd like it from the guru's on exactly how bad a hole this really is
>and if there is a method in the kernel that will prevent such exploits.
>For example, if I disable CONFIG_MODVERSIONS is the kernel less likely
>to accept a module we didn't build? Are there plans to implement some
>form of finger printing on modules down the road?
You can get the same effect as a module with a kernel without any
modules support compiled. There are even root kits out there which do
exactly this.
If you want a little more security, don't run a vendor kernel
(sic!). Not because they're unsafe but because many rootkits have
binary modules for some well known kernels (2.4.9-34 or 2.4.18-3 come
to mind); clean up your systems (e.g. don't ever ever ever have a
compiler and a development kit on an internet connected system. If you
don't have a compiler, 80% of all root kits will not work or will
simply not be able to build the process hiding stuff because it comes
as C code). If you run 2.4.18-3-rerolled with MODVERSIONS off, lots of
the kiddie root kits break.
You can't get security by design. Ask the OpenBSD people who tried
this and failed.
You get security by installing your systems, administrating them
(which means looking at logfiles, unusual activities), keeping your
boxes up to date with vendor patches and by training your staff to be
security aware. Read lists like Bugtraq. Invest time (and money!) in
the security of the systems.
If some consultant sets up a box and slaps a "this is safe" label on
it, start being suspicious. I've seen more than my share of RedHat 5.x
and 6.x boxes which were installed like this and then they called me
12 months later because the "so secure" boxes have been rooted...
Regards
Henning
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de
Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de
D-91054 Buckenhof Fax.: 09131 / 50654-20
next prev parent reply other threads:[~2002-10-23 16:17 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-23 13:02 One for the Security Guru's Robert L. Harris
2002-10-23 13:13 ` John Jasen
2002-10-23 13:20 ` Keith Owens
2002-10-24 7:56 ` Greg KH
2002-10-23 13:45 ` Alan Cox
2002-10-23 13:59 ` Gilad Ben-ossef
2002-10-23 22:14 ` James Cleverdon
2002-10-23 22:17 ` James Stevenson
2002-10-23 22:39 ` James Cleverdon
2002-10-23 22:44 ` James Stevenson
2002-10-24 6:12 ` Gilad Ben-Yossef
2002-11-06 21:39 ` Florian Weimer
2002-10-23 14:57 ` Richard B. Johnson
2002-10-23 17:56 ` Gerhard Mack
2002-10-24 9:38 ` Henning P. Schmiedehausen
[not found] ` <ap8f36$8ge$1@dstl.gov.uk>
2002-10-24 10:01 ` Tony Gale
2002-10-24 16:13 ` Gerhard Mack
2002-10-24 16:39 ` Henning P. Schmiedehausen
2002-10-24 16:34 ` David Lang
2002-10-24 17:04 ` Gilad Ben-Yossef
2002-10-25 9:44 ` Henning Schmiedehausen
2002-10-25 20:52 ` H. Peter Anvin
2002-10-26 10:43 ` Henning P. Schmiedehausen
2002-10-27 10:17 ` Rogier Wolff
2002-10-28 7:47 ` Chris Wedgwood
2002-10-24 22:02 ` Danny Lepage
2002-10-25 9:40 ` Henning Schmiedehausen
2002-10-24 14:23 ` Gilad Ben-ossef
2002-10-25 4:09 ` Stephen Satchell
2002-10-25 13:47 ` Stephen Frost
2002-10-26 10:38 ` Rogier Wolff
2002-10-26 9:44 ` Rogier Wolff
2002-10-26 10:46 ` Henning P. Schmiedehausen
2002-10-23 16:23 ` Henning P. Schmiedehausen [this message]
2002-10-23 17:55 ` David Lang
2002-10-23 19:46 ` H. Peter Anvin
2002-10-23 22:15 ` James Stevenson
2002-10-24 9:47 ` Henning P. Schmiedehausen
2002-10-25 12:28 ` Daniel Egger
2002-10-25 15:22 ` Alex Riesen
2002-10-25 16:38 ` Stephen Satchell
2002-10-25 18:21 ` [OT] " J Sloan
2002-10-26 10:40 ` OT " Rogier Wolff
2002-10-24 10:11 ` Ville Herva
2002-10-24 11:09 ` Henning P. Schmiedehausen
2002-10-24 11:55 ` Alan Cox
2002-10-24 14:40 ` Henning P. Schmiedehausen
2002-10-24 15:36 ` Alan Cox
2002-10-24 16:46 ` Eric W. Biederman
2002-10-24 6:04 ` David Wagner
-- strict thread matches above, loose matches on Subject: below --
2002-10-23 21:49 Hank Leininger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ap6idh$1pj$1@forge.intermeta.de' \
--to=hps@intermeta.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).