Typical consultant rubbish. Yes, LKMs can hide rooted systems, but the
system has already been broken into by then. You must be root to load
a module or copy a module to /lib/modules, depmod ignores modules that
are not owned by root. IOW, if somebody can load a module then they
already own your system!
Fingerprinting modules is a hardy perennial. It cannot be done in user
space (how do you fingerprint the loader, libc, insmod etc.?), it can
only be done in kernel. No kernel code exists to do that, although LSM
may be getting there. The stumbling block is - who creates the
fingerprint? Answer - root. You are trying to identify the difference
between a valid root user and a malicious root user, both of whom have
exactly the same privileges. It does not work!
LSM with its fine grained security model might help in this area, but
don't hold your breath. LSM has not been accepted into the kernel yet.
>As a result every machine has a 100% monolithic kernel
There are techniques for getting the same effect as LKMs even when the
kernel is not compiled with modules. Phrack had a series of articles
on this subject. Turning off modules increases the effort of hiding
the break in by 5-10%, it does not make the system any more secure.
Remember, if somebody can load a module then they have already broken
in.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/