Re: One for the Security Guru's

["H. Peter Anvin" <hpa@zytor.com>]

Followup to:  <Pine.LNX.4.44.0210230954270.17668-100000@dlang.diginsite.com>
By author:    David Lang <david.lang@digitalinsight.com>
In newsgroup: linux.dev.kernel
>
> yes someone who has root can get the effect of modules by patching
> /dev/kmem directly so eliminating module support does not eliminate all
> risk.
> 
> it does however eliminate the use of the rootkits that use kernel modules.
> 
> you need to decide if the advantages of useing modules are worth it for
> your situation.
> 

One thing about all of this that matters is the following:

It's not about how secure your system is.

It's about how smart/well equipped/patient the attacker needs to be
*once they have already broken into your system*.

I recently had one of my machines broken into, but the service in
question was not running as root, and the attacker wasn't able to find
any privilege-escalation bugs on my system.  I found a whole
collection of attempted security violations in a directory in /tmp,
and a daemon (called "bind" -- not "named") had been installed to get
access to my system again.  Needless to say, I cleaned that stuff up,
and also got a close look at the rootkit.

Since my machine hadn't succumbed to the rootkit, it seems the
attacker had simply moved on.  Most of these kinds of attacks are
actually automated these days, unless you're a high-value site for
them.

The kernel module, and/or replacing common user tools like ps, are
usually about trying to hide the existence of whatever
intrusion-installed software there is.  It really helps more on
"springboard" site than sites that are the genuine attack targets.

	-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt	<amsp@zytor.com>