LKM support (Was: Re: possible compromise or just misreading logs)

• Previous message: jan.muenther_at_nruns.com: "Re: possible compromise or just misreading logs"
• In reply to: Steve Francis: "Re: possible compromise or just misreading logs"
• Next in thread: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Reply: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Reply: Crist J. Clark: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 8 Dec 2003 12:37:15 -0500
To: freebsd-security@freebsd.org

Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use to verify just that
> purpose and no more, its great, and it (or something like it, like AIDE)
> is essential.

On that note, is there any way to disable LKM support in FreeBSD? Or is
that what NO_MODULES does?
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: jan.muenther_at_nruns.com: "Re: possible compromise or just misreading logs"
• In reply to: Steve Francis: "Re: possible compromise or just misreading logs"
• Next in thread: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Reply: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Reply: Crist J. Clark: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Kernel-loadable Root Kits ... But activity in /tmp is normal and will be ignored by tripwire, ... >> appropriate lock in kernel code but I don't know if it's possible. ... >> and compare MD5 checksums. ... from;)) some time ago there were proprietary device drivers (sound cards, ... (FreeBSD-Security) Re: [Full-disclosure] Microsoft GhostBuster Opinions ... this is not just like tripwire. ... >>and reporting false data to tripwire then tripwire can run along merrily ... This is why booting to a trusted kernel ... (Full-Disclosure) Crashes on machines running tripwire ... tripwire includes some kind of kernel module that it uses when it is ... If indeed tripwire is what is "tripping up" this system, ... Kernel panic: Aiee, killing interrupt handler! ... (RedHat) Re: [Full-disclosure] Microsoft GhostBuster Opinions ... On Thu, 17 Mar 2005, Dave King wrote: ... > a known good kernel could yeild incorrect results if the kernel has been ... A similar result can be had using tripwire on the system ... failing system that reboots or blue screens every few weeks rather then ... (Full-Disclosure) Re: LKM support (Was: Re: possible compromise or just misreading logs) ... >> there is no way tripwire can be assured it is verifying the binary it ... >> asks the kernel for information about. ... If you get a root compromise so that a KLM can be ... I think tripwire makes it very ... (FreeBSD-Security)