RE: Disabling module loading with a module?

allbery@kf8nh.apk.net
Tue, 17 Aug 1999 17:42:57 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David Hinds: "Re: scsi_reset requirement questions"
Previous message: Paul Slootman: "Re: jiffies and co"

On 17 Aug, Jones D (ISaCS) wrote:
+-----
| > On Tue, 17 Aug 1999, Jones D (ISaCS) wrote:
| > > Sorry, I fail to see the connection between kernel modules and
| > > trusted networks.
| > Kernel modules can hide evidence of a crack, thus allowing crackers to
| > penetrate further into the network.
|
| Care to explain to me how ?
| Maybe I'm missing something here..
+--->8

It's not uncommon on Solaris: hacked machines usually have a "psmod"
module loaded which prevents certain processes from being visible in
/proc, and hence in ps.

I have to agree with Frank on this one, because you can never have 100%
certainty of keeping undesirables out --- so it makes sense to devote
effort to detection (and countermeasures against anti-detection
mechanisms) as well as on keeping them out in the first place.

-- brandon s. allbery os/2,linux,solaris,perl allbery@kf8nh.apk.net system administrator kthkrb,heimdal,gnome,rt allbery@ece.cmu.edu carnegie mellon / electrical and computer engineering kf8nh We are Linux. Resistance is an indication that you missed the point.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: David Hinds: "Re: scsi_reset requirement questions"
Previous message: Paul Slootman: "Re: jiffies and co"