LKM support (Was: Re: possible compromise or just misreading logs)

From: Damian Gerow (damian_at_sentex.net)
Date: 12/08/03

Date: Mon, 8 Dec 2003 12:37:15 -0500
To: freebsd-security@freebsd.org


Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use to verify just that
> purpose and no more, it's great, and it (or something like it, like AIDE)
> is essential.

On that note, is there any way to disable LKM support in FreeBSD? Or is
that what NO_MODULES does?
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
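As an added example, not part of the thread and not FreeBSD project code: a small POSIX sh audit that checks the two things the message is circling around, whether the running kernel will still accept a module and whether anything is loaded that is not on a known baseline. It assumes the securelevel(7) semantics that kernel modules may not be loaded or unloaded once securelevel is 1 or higher, and the kldstat(8) column layout "Id Refs Address Size Name"; the kldstat output below is constructed so the script runs offline (on a live host you would pipe real `kldstat` output and `sysctl -n kern.securelevel` into the same functions). NO_MODULES is a build option in make.conf(5) that stops modules being built with the kernel; it does not by itself stop a running kernel from loading a module someone else supplies, which is why the check looks at securelevel rather than the build configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: FreeBSD securelevel(7)
# refuses kld load/unload at securelevel >= 1; kldstat(8) prints the module
# name in the fifth column after a header line. Sample data is constructed.

# securelevel_blocks_kld LEVEL -> exit 0 when module load/unload is refused.
securelevel_blocks_kld() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# Constructed kldstat(8) output standing in for `kldstat` on a live host.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f6c2e0  kernel
 2    1 0xffffffff82419000 5ae0     fdescfs.ko
 3    1 0xffffffff82420000 2a8c     notonbaseline.ko'

# unexpected_modules BASELINE -> prints the module names found in kldstat
# output read from stdin that are absent from the space-separated BASELINE.
unexpected_modules() {
    baseline=" $1 "
    awk 'NR > 1 { print $5 }' | while read -r name; do
        case "$baseline" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# kld_audit LEVEL BASELINE -> prints one line per finding; exit 0 only when
# securelevel blocks module loading and every loaded module is in BASELINE.
kld_audit() {
    level=$1
    baseline=$2
    findings=0
    if ! securelevel_blocks_kld "$level"; then
        printf 'securelevel=%s: kernel modules can still be loaded\n' "$level"
        findings=$((findings + 1))
    fi
    extra=$(printf '%s\n' "$SAMPLE_KLDSTAT" | unexpected_modules "$baseline")
    for m in $extra; do
        printf 'module not in baseline: %s\n' "$m"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Example run against the constructed data: a host at securelevel 0 with an
# unlisted module produces two findings and a non-zero exit status.
kld_audit 0 "kernel fdescfs.ko"
```

The baseline is deliberately a plain list of names rather than hashes: once the kernel itself is suspect, as the quoted message points out, nothing the host reports about its own modules can be trusted, so this check is a cheap first signal to compare against a record kept off the machine, not a verdict.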


