Subject: Re: Limiting kernel modules
From: David Cermak (davidPROG.CZ)
Date: Thu Nov 02 2000 - 16:25:34 CST


Have a look at http://medusa.fornax.sk/ - it's a project called "Medusa DS9
Security System". I think it's the most useful kernel patch - LIDS functions
could be defined in 20 lines of a Medusa configuration file :-)

On Thu, 2 Nov 2000, Richard DeYoung wrote:

> No, you're not on dope. And yes, it is true that root can re-configure the
> immutable bit on a file, if it's only been modified using the 'chattr'
> command. I said that I hoped that my previous post got you closer to your
> objective, not that it was a final solution.
>
> If you want totally granular control over system parms and files, then I
> believe you're headed in the right direction with LIDS.
>
> Hope this helps,
> Rick DeYoung
>
> > I've been looking into restricting the loading of kernel modules, but not
> > completely preventing them. Historically, for 'secure' systems I compile
> > the kernel statically and turn off loadable modules, but for my Linux
> > based Firewall-1 systems, this is not an option.
> >
> > I'm considering using LIDS to make the FW1 kernel module file r/o so even
> > root can't change it, but I still can't find a way to limit this to be the
> > *only* kernel module to load.
> >
> > Anyone have any ideas/thoughts on how to accomplish this?

%NetDave% David Cermak [ dn.cz ]
Arachne Labs | security consultant
Internet solutions | mob: +420-603-559990
http://arachne.cz/ | wrk: +420-2-33358050
         .forward: |/bin/false
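The original poster wants the firewall module to be the *only* module loaded. Enforcing that is what LIDS or Medusa DS9 are being suggested for above; the script below is an added example, not part of the thread or of either project, that does the complementary check a practitioner would want alongside such a policy: it reads a /proc/modules listing and reports every loaded module that is not on an allowlist. The module names (`fw`, `dummy_rootkit`) and the sample listing are constructed for illustration, and `ALLOWED` is an assumed variable you set to your own firewall module's name.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the loaded kernel modules
# against an allowlist so that the one expected module is the *only* one loaded.

# Allowlist of module names that may be loaded. "fw" is an assumed,
# constructed name standing in for the real firewall module; adjust it.
ALLOWED="fw"

# Constructed sample in /proc/modules format (name, size, refcount, deps, ...).
# Only the first field (the module name) is used, so minor differences in the
# trailing fields between kernel versions do not matter.
SAMPLE_MODULES='fw 1245184 2 - Live 0xffffffffc0200000
dummy_rootkit 16384 0 - Live 0xffffffffc0100000
'

# check_modules LISTING
#   Print, one per line, every module in LISTING that is not in $ALLOWED.
#   Returns 0 when only allowed modules are loaded, 1 otherwise.
check_modules() {
    unexpected=""
    for name in $(printf '%s\n' "$1" | awk '{print $1}'); do
        ok=0
        for a in $ALLOWED; do
            [ "$name" = "$a" ] && ok=1
        done
        [ "$ok" -eq 0 ] && unexpected="${unexpected}${name} "
    done
    [ -z "$unexpected" ] && return 0
    printf '%s\n' $unexpected
    return 1
}

# audit_live
#   Run the same check against the real /proc/modules on a Linux host.
#   Returns 2 if /proc/modules is not readable (non-Linux or restricted /proc).
audit_live() {
    [ -r /proc/modules ] || { echo "no readable /proc/modules" >&2; return 2; }
    check_modules "$(cat /proc/modules)"
}

# Demonstration on the constructed sample: reports dummy_rootkit, exit status 1.
check_modules "$SAMPLE_MODULES" || echo "unexpected module(s) loaded"
```

This only detects; a root user who can still run insmod can load and then unload a module between two runs, which is exactly the gap the LIDS/Medusa suggestions above address by taking the capability away from root. On kernels from 2.6.31 onward (well after this thread), the equivalent without a third-party patch is to load the required module at boot and then set `kernel.modules_disabled=1` via sysctl, a one-way switch that refuses further module loading until reboot; the audit above then confirms that the set of modules sealed in is the intended one.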