[Plug-security] Once cracked

Wes Bateman plug-security@lists.PLUG.phoenix.az.us
Mon, 10 Sep 2001 03:05:18 -0500 (CDT)


I don't think that loadable kernel modules are more problematic than
trojaned binaries, etc. from an "either way you're screwed" kinda
standpoint :)  It's just that an LKM can do things at a kernel level to
hide things from you - and it can be damn near impossible to detect while
running that same kernel.  If the kernel's not playing tricks on you, then
you can probably bring over trusted copies of and/or verify binaries,
libraries, etc.

That's my thinking on that anyway.

From a network security standpoint, I don't think you'll gain anything by
not allowing modules.  In other words, your daemon listening on port 53 is
just as vulnerable or just as secure.  It's the "after something bad has
happened" part that leads me to prefer not to allow modules.  It's just
another little layer of security, a small piece of a bigger whole (defense
in depth, ;-) ).  

One thing though, is that a custom compiled kernel (not the one out of the
box - but with or without modules) can be nice sometimes too.  Sometimes
the generic, pre-scripted buffer overflow attacks that are thrown at you
won't succeed against a slightly non-standard kernel and binaries.  This
is certainly security through obscurity and is only a minor hindrance to
throw in somebody's way.  I would never rely on such things, but every
little thing all adds up :)

YMMV, hehe

C ya,

Wes

> I suppose that if one were to compile a kernel without loadable modules,
> if it got rooted, someone could still install their own binaries and
> libraries anyway - it's a question of how secure any particular box
> needs to be and how easy it is to crack into. I know that the boxes that
> I've been setting up are at least a little more difficult than most
> windows boxes and many of the other linux boxes so I have contented
> myself there - worrying more about the exposed services -
> sendmail/apache/ftp.
> 
> Craig
> _______________________________________________
> Plug-security mailing list  -  Plug-security@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
> 

-- 
Wes Bateman, GCIA
Chief Security Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
wes@manisec.com
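The "bring over trusted copies and/or verify binaries, libraries, etc." step from the message above, as an added example that is not part of the original thread or any tool the poster mentions. It assumes a known-good tree (for instance mounted from install media or a clean backup) is available to build a hash manifest from, and that the check is run under a kernel you trust, since a kernel-level rootkit can hide or misreport files to any userland checker; the directory names and file contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped so an attacker cannot satisfy the check by pointing a
    link at an untouched copy elsewhere on disk."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root, manifest):
    """Compare a live tree against a manifest taken from a trusted copy.

    Returns sorted lists of files whose hash changed ('modified'), files the
    manifest lists but the live tree lacks ('missing'), and files present in the
    live tree that the trusted copy never had ('extra')."""
    live = build_manifest(root)
    modified = sorted(k for k in manifest if k in live and live[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in live)
    extra = sorted(k for k in live if k not in manifest)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Constructed scenario: a trusted tree and a 'live' copy in which one
    binary was replaced, one library removed and one unexpected file dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        live = Path(tmp) / "live"
        for base in (trusted, live):
            (base / "bin").mkdir(parents=True)
            (base / "lib").mkdir()
        # Constructed stand-ins for real binaries and libraries.
        originals = {
            "bin/ls": b"original ls",
            "bin/ps": b"original ps",
            "lib/libc.so": b"original libc",
        }
        for rel, data in originals.items():
            (trusted / rel).write_bytes(data)
            (live / rel).write_bytes(data)
        manifest = build_manifest(trusted)

        # Tamper with the live tree the way a trojaned-binary compromise would.
        (live / "bin/ps").write_bytes(b"replaced ps")   # modified
        (live / "lib/libc.so").unlink()                  # missing
        (live / "bin/.hidden").write_bytes(b"dropper")   # extra
        return verify_tree(live, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against a real system by building the manifest from the trusted copy once, storing it off-box, and calling `verify_tree` on the suspect tree; a clean result only means the files match, it says nothing about what a loaded module may be hiding from the process doing the reading.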