Subject: Re: Limiting kernel modules
From: Richard DeYoung (Richard.DeYoungBLUESTORM.COM)
Date: Thu Nov 02 2000 - 15:07:25 CST


No, you're not on dope. And yes, it is true that root can re-configure the
immutable bit on a file, if it's only been modified using the 'chattr'
command. I said that I hoped that my previous post got you closer to your
objective, not that it was a final solution.

If you want totally granular control over system parms and files, then I
believe you're headed in the right direction with LIDS.

Hope this helps,
Rick DeYoung

-----Original Message-----
From: Aaron D. Turner [mailto:aturneronesecure.com]
Sent: Thursday, November 02, 2000 3:52 PM
To: Richard_DeYoung/BUTLER%BUTLERbutler.com
Cc: FOCUS-LINUXSECURITYFOCUS.COM
Subject: Re: Limiting kernel modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe I'm on dope, but what prevents root from later on doing a:

chattr -i /etc/conf.modules

and then editing the file?

- --
Aaron D. Turner Security Architect, OneSecure http://www.onesecure.com/
aturneronesecure.com work: 408-992-8045 cell: 408-314-9874
pub 1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturneronesecure.com>
     Key fingerprint = F90C BFB4 4404 5504 295D 4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; a lack of signature indicates a forgery.

On Thu, 2 Nov 2000, Richard DeYoung wrote:

> Aaron,
> You may want to look at editing your /etc/conf.modules file,
> specifying where the modules can be loaded from with the
> 'path=/lib/modules/<your restricted dir goes here>' directive. Then
> you can use 'chattr' to set the immutable bit on the
> '/etc/conf.modules' file. This should at least get you closer to your
> objective.
>
> Hope it helps,
> Rick DeYoung
>
> -----Original Message-----
> From: Focus on Linux Mailing List
> [mailto:FOCUS-LINUXSECURITYFOCUS.COM]On Behalf Of Aaron D. Turner
> Sent: Wednesday, November 01, 2000 5:35 PM
> To: FOCUS-LINUXSECURITYFOCUS.COM
> Subject: Limiting kernel modules
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I've been looking into restricting the loading of kernel modules, but
> not completely preventing them. Historically, for 'secure' systems I
> compile the kernel statically and turn off loadable modules, but for my
> Linux based Firewall-1 systems, this is not an option.
>
> I'm considering using LIDS to make the FW1 kernel module file r/o so
> even root can't change it, but I still can't find a way to limit this
> to be the *only* kernel module to load.
>
> Anyone have any ideas/thoughts on how to accomplish this?
>
> - --
> Aaron D. Turner Security Architect, OneSecure http://www.onesecure.com/
> aturneronesecure.com work: 408-992-8045 cell: 408-314-9874
> pub 1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturneronesecure.com>
>      Key fingerprint = F90C BFB4 4404 5504 295D 4435 578B 1DD5 1B57 EB4D
> All emails by me are PGP signed; a lack of signature indicates a forgery.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: Public key 0x1B57EB4D at: http://www.keyserver.net/en/
> Filter: gpg4pine 4.1 (http://azzie.robotics.net)
>
> iEYEARECAAYFAjoAmqUACgkQV4sd1RtX603pgACfR0WCTvELQIJ1VNpeuqTbkFlB
> DtYAoJfghC1WnZA6QgrPcPh9VEFuFzrk
> =KjRC
> -----END PGP SIGNATURE-----
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Public key 0x1B57EB4D at: http://www.keyserver.net/en/
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iEYEARECAAYFAjoB0kQACgkQV4sd1RtX603AdQCeMG/o/fdQmitF6Gz9xNNyZdQy
Te4An0Dwz/rDidK060UY5nxbTk0x6csl
=piVC
-----END PGP SIGNATURE-----
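
Added example, not part of the thread: root can run 'chattr -i' because it holds CAP_LINUX_IMMUTABLE, so the immutable bit only binds root once that capability is out of the capability bounding set. The sketch below assumes a kernel that reports the set as CapBnd in /proc/self/status; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Capability numbers are from
# <linux/capability.h>; function names are hypothetical helpers.
CAP_LINUX_IMMUTABLE=9   # needed to set or clear the immutable flag
CAP_SYS_MODULE=16       # needed to load or unload kernel modules

# cap_in_mask HEXMASK BIT -> exit 0 if capability BIT is set in HEXMASK
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_immutable_flag "LSATTR_LINE" -> exit 0 if the flags field contains 'i'.
# Only the first field is inspected, so an 'i' in the path is ignored.
has_immutable_flag() {
    flags=${1%% *}
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# immutable_verdict "LSATTR_LINE" HEXMASK -> prints one of:
#   unset       the file is not immutable at all
#   reversible  flag is set, but root can still clear it with 'chattr -i'
#   enforced    flag is set and CAP_LINUX_IMMUTABLE is out of the bounding set
immutable_verdict() {
    has_immutable_flag "$1" || { echo unset; return; }
    if cap_in_mask "$2" "$CAP_LINUX_IMMUTABLE"; then
        echo reversible
    else
        echo enforced
    fi
}

# module_loading_verdict HEXMASK -> "allowed" or "blocked"
module_loading_verdict() {
    if cap_in_mask "$1" "$CAP_SYS_MODULE"; then echo allowed; else echo blocked; fi
}

# Live check: sh thisfile --live [FILE]   (FILE defaults to /etc/conf.modules)
if [ "${1:-}" = "--live" ]; then
    file=${2:-/etc/conf.modules}
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    echo "immutable bit on $file: $(immutable_verdict "$(lsattr -d "$file")" "$bnd")"
    echo "module loading: $(module_loading_verdict "$bnd")"
fi
```

A "reversible" verdict is the situation raised in the thread: the flag is set, yet root can remove it and edit the file.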