modules

Christopher James Coleman ug97cjc at cs.bham.ac.uk
Wed Jan 7 02:56:35 PST 2004



On Wed, 7 Jan 2004, quinte wrote:
> > The argument for disabling loadble modules (using a monolithic
> > kernel) is that they make an easy, well-documented path for an
> > intruder who has broken root to install kernel modules that change
> > the behavior of the OS, to make a rootkit that conceals intrusions
> > or leaves backdoors or whatever, even in the face of audit apps that
> > the intruder didn't know about.
>
> mhh do u know lids? http://www.lids.org
> the linux intrusion detectino project. here u are able to deny even root
> from doing anything... this could be a solution (far far away)

All of the kernel modifications that support MAC (Mandatory Access
Controls) can deny root from any given action, this is the point behind
abandoning the traditional DAC (Discretionary Access Control) where root
undergoes no checking and can do anything.

.chris



More information about the hlfs-dev mailing list