If the module loading code isn't present, and the get kernel symbols routine
isn't present, it's a much bigger hassle to try and load 'evil' modules as
commonly found in root kits... things like setting back the system clock for
a particular process, implementing a magic signal to kill to set a process's
UID to root, etc, etc. If you don't have the appropriate stuff configured
in 2.2, possibly they can't even run 'linsniffer' without putting a new kernel
in, but with modules, no problem.
The easiest thing to do becomes to try and work out from dmesg what the kernel
options are and to build a kernel with modules so that their root kit will
work... then try and reboot without the sysadmin getting suspicious... not
easy.
So, modules make things easier for someone who's broken into your system.
Sure, once they get root, most things are simple, but why make them even
simpler? Make them have to trojan ps et al the traditional way (and miss
pstree, as always, so you can find their processes anyway :-). If they have
modules, they can hide their process at a kernel level, and ps and all other
utilities would be tricked.
David.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
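The cross-view idea above (a kernel-level rootkit hides PIDs from ps, while a direct walk of /proc, which is what pstree reads, still shows them), as an added example that is not part of David's post or the kernel tree. It assumes a Linux /proc layout and a ps that accepts `-e -o pid=`; the `modules_disabled` sysctl it consults is a later addition than the 2.2 kernels discussed.

```shell
#!/bin/sh
# Added example, not from the original post: report whether this kernel will
# load modules, and list PIDs visible in /proc that ps does not report.

# Return 0 if this kernel can load modules, 1 if it cannot.
module_loading_possible() {
    # /proc/modules only exists on kernels built with module support.
    [ -e /proc/modules ] || return 1
    # Assumption: kernel.modules_disabled is newer than the 2.2 kernels under
    # discussion; when present and set to 1, further loads are refused.
    if [ -r /proc/sys/kernel/modules_disabled ] &&
       [ "$(cat /proc/sys/kernel/modules_disabled)" = "1" ]; then
        return 1
    fi
    return 0
}

# Print every PID in the first newline-separated list that is absent from
# the second. $1 = PIDs seen in /proc, $2 = PIDs reported by ps.
pids_missing_from() {
    proc_pids=$1
    ps_pids=" $(printf '%s' "$2" | tr '\n' ' ') "
    for p in $proc_pids; do
        case "$ps_pids" in
            *" $p "*) ;;                 # ps reports it, nothing to flag
            *) printf '%s\n' "$p" ;;     # in /proc but hidden from ps
        esac
    done
}

# Live views. Short-lived processes can legitimately appear in only one
# snapshot, so treat a hit as something to re-check, not proof by itself.
proc_view() { for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done; }
ps_view() { ps -e -o pid= | tr -d ' '; }

cross_view_check() {
    if module_loading_possible; then
        echo "kernel accepts modules: yes"
    else
        echo "kernel accepts modules: no"
    fi
    echo "PIDs present in /proc but missing from ps:"
    pids_missing_from "$(proc_view)" "$(ps_view)"
}

if [ -d /proc/1 ]; then cross_view_check; fi
```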