Bugtraq mailing list archives
Re: BoS: amodload.tar.gz - dynamic SunOS modules
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Thu, 20 Jun 1996 19:47:31 -0400
amodload is a quick 'hack' that demonstrates how trivial it is to load certain modules or patches into the kernel.
(Unless, of course, you've shut off LKM access with my /dev/security hack. :-)
So for today, the best defense is really to take pro-active action and prevent intruders from gaining access to your network. This can be done with a combination of firewalls and having a continuous security assessment program in place where you scan your network for vulnerabilities and correct. You can test your own machine with a scanner from www.iss.net.
I trust Christopher Klaus will forgive me for being a bit suspicious when I notice that his recommended "best defense" just happens to be what his company is selling.
With writeable CDROM drives around $700, has anybody considered setting up their system [...] and then backing the disk to WCDROM?
As someone else pointed out, all that does is speed up recovery; it doesn't harden the system against attacks any. What _will_ help is to make your boot disk physically read-only. I have tried this with SunOS 4.1.x and NetBSD (with NFS-mounted root, not a real disk that's write protected, but the issues are the same). The latter is relatively easy; the former is much harder but I think would be doable with a couple of binary patches to programs like mount that pigheadedly insist on writing into /etc.
I've often wanted to set systems up this way, not because it hardens the system any with respect to initial compromise but because it hardens it a lot with respect to leaving trojans and other backdoors lying around. (I haven't actually put such a scheme into production; the two machines that I feel are reasonably secure at present are so largely because they simply do not offer any network services, and I consider them physically secure.)
der Mouse
mouse () collatz mcrcim mcgill edu