From: Hal Flynn (firstname.lastname@example.org)
Date: Wed, 5 Mar 2003 16:06:13 -0700 (MST)
To: firstname.lastname@example.org
A friend and I were having a discussion a few weeks ago concerning
loadable kernel modules and Solaris. Basically, we were in agreement that
preventing the loading of malicious kernel modules was merely a step that,
while not offering total security, was an excellent means of preventing
kernel back doors as they're commonly used.

I've been thinking it over more in the last few weeks, and I've reached a
point at which I'm curious as to what other people responsible for the
security of Solaris systems are doing to prevent, or at least limit, the
ability of users to load modules on a system.

Obviously, when an attacker compromises administrative access, the game is
essentially over. Theoretically, the attacker can patch the running
kernel, creating a situation in which detection of compromise would at
the very least be difficult. However, I think we're still in the arms
race leading up to that, and for now the concern is the LKM.

So, my question is: what are you doing to prevent the loading of kernel
modules? Any clever tricks? Hacks?

-- 
"....You guys are the Marine's doctors; There's no better in the business
than a Navy Corpsman...."
-- Lieutenant General Lewis B. "Chesty" Puller, U.S.M.C.