LFS Paper on Secure Servers
ken at kenmoffat.uklinux.net
Wed May 5 07:08:13 PDT 2004
On Wed, 5 May 2004, Tony Sequeira wrote:
> On Tue, 04 May 2004 23:48:50 -0500, Bruce Dubbs wrote:
> > Bob Morgan wrote:
> > >In a somewhat related thought, having
> > >a separate /boot partition, and commenting it out in /etc/fstab can
> > >help a tiny bit to keep the kernel contents away from an attacker
> > >(one can always mount it manually long enough to install a
> > >kernel if need be - also related to the issue of monolithic vs
> > >modular).
> > >
> > I had thought of that. The problem with that is that the klogd needs
> > to be able to read the System Map. I don't know if there is a way to
> > have it read from another location or not.
> That's interesting. I have been playing with Gentoo, and by default
> the /boot partition is not mounted automatically. I had a small
> discussion about this in one of their forums, and was about to bring up
> System.map, but then realised that I had no evidence that it was used
> at anything but boot time. I didn't realise that klogd needed access
> to it.
Anyone got any pointers to what klogd misses without access to
System.map? My firewall has had a separate, not-mounted, /boot for a
long while and I've not noticed any problems.
the first time as tragedy, the second time as farce