Re: Kernel-loadable Root Kits

From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 09/09/01


Date: Sun, 9 Sep 2001 06:07:18 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>

On Sep 09, at 10:05 AM, Krzysztof Zaraska wrote:
>
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> >
> > On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
> > >
> > > But activity in /tmp is normal and will be ignored by tripwire, right?
> >
> > Tripwire's policy file can reflect nearly any level of Admin paranoia.
>
> Ever seen an admin that would observe changes in /tmp on a daily basis?

No, but I could see one getting interested in /tmp if events led him or
her there. Actually, I rather thought the /tmp thang an example; my reply
was therefore in a more generic vein.

> > > Or, something LIDS-like.
> >
> > You're the second to mention LIDS. I know so little about it as to
> > refrain from comment (like, why should I let that stop me now?). Based
> > on another's description, it strikes me as rather over-engineered, but
> > that's an ignorant opinion. Maybe it has to be.
>
> Well. I heard about it once, went to their site, read the docs and ran
> away ;). Seriously, it seemed to offer interesting features but all the
> complications scared me off.
>
> > RedHat does seem more dependent on LKMs than FreeBSD and KLDs, at least
> > out-of-the-box, so perhaps the modules are more of a security issue?
>
> This is due to the way the Linux bootloader works. The compressed kernel image
> must fit within the first 640K of memory, so that imposes a limit on the
> kernel size. Since they want plug-and-play they must have all the existing
> drivers (save maybe video cards and the like) built. But taking into
> account the kernel size limit they must be built as modules. FreeBSD also
> has lots of drivers in the GENERIC kernel (for a similar reason) but
> this system does not seem to have this kind of limitation.
>
> IIRC there are some Linux drivers that _must_ be built as modules for some
> reason (PPP-related stuff, I guess).
>
> I hope this discussion won't end up with advocacy of FreeBSD's superiority
> to Linux in the area of kernel modules.

Not by my hand. Not in public, anyway. ;-,

> BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
> module?

Dunno. I haven't needed to run a Linux app under FreeBSD yet, so I don't
even enable compatibility.

SeeYa,
Dave

-- 
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

