[2754] in bugtraq
Re: BoS: amodload.tar.gz - dynamic SunOS modules
daemon@ATHENA.MIT.EDU (der Mouse)
Thu Jun 20 21:11:31 1996
Date: Thu, 20 Jun 1996 19:47:31 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
>> amodload is a quick 'hack' that demonstrates how trivial it is to
>> load certain modules or patches into the kernel.
(Unless, of course, you've shut off LKM access with my /dev/security
hack. :-)
>> So for today, the best defense is really to take pro-active action
>> and prevent intruders from gaining access to your network. This can
>> be done with a combination of firewalls and having a continuous
>> security assessment program in place where you scan your network for
>> vulnerabilities and correct. You can test your own machine with a
>> scanner from www.iss.net.
I trust Christopher Klaus will forgive me for being a bit suspicious
when I notice that his recommended "best defense" just happens to be
what his company is selling.
> With writeable CDROM drives around $700, has anybody considered
> setting up their system [...] and then backing the disk to WCDROM?
As someone else pointed out, all that does is speed up recovery; it
doesn't harden the system against attacks any.
What _will_ help is to make your boot disk physically read-only. I
have tried this with SunOS 4.1.x and NetBSD (with NFS-mounted root, not
a real disk that's write protected, but the issues are the same). The
latter is relatively easy; the former is much harder but I think would
be doable with a couple of binary patches to programs like mount that
pigheadedly insist on writing into /etc. I've often wanted to set
systems up this way, not because it hardens the system any with respect
to initial compromise but because it hardens it a lot with respect to
leaving trojans and other backdoors lying around. (I haven't actually
put such a scheme into production; the two machines that I feel are
reasonably secure at present are so largely because they simply do not
offer any network services, and I consider them physically secure.)
der Mouse
mouse@collatz.mcrcim.mcgill.edu
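The read-only-root idea in the message above is easy to get wrong in practice: / is mounted ro, but some directory a backdoor would want (/var, /tmp, a leftover rw partition) is not, or a program such as mount still expects to write /etc/mtab. The following POSIX shell snippet is an added example, not part of der Mouse's post or of any of the systems it mentions. It parses a /proc/mounts-style table (device, mountpoint, type, options) to report which mountpoint a given path resolves to, whether that filesystem is read-only, and which filesystems remain writable, and it has a live write probe for a directory. The table in SAMPLE_MOUNTS is constructed for the example; the NFS root and the partition layout are assumptions.

```shell
#!/bin/sh
# Added example: audit a "read-only root" layout from a mount table.
# Constructed sample in /proc/mounts style (device mountpoint fstype options
# dump pass); the NFS root and ffs partitions are assumptions, not real hosts.
SAMPLE_MOUNTS='nfs-server:/export/root / nfs ro,vers=3,hard 0 0
/dev/sd0a /var ffs rw,nosuid 0 0
/dev/sd0d /tmp ffs rw,nosuid,nodev 0 0'

# mount_opts_for PATH [TABLE]: print the mount options of the filesystem that
# holds PATH. The longest matching mountpoint wins, so /var/log resolves to
# /var rather than /. TABLE defaults to SAMPLE_MOUNTS (on Linux you would pass
# "$(cat /proc/mounts)").
mount_opts_for() {
    p=$1
    table=${2:-$SAMPLE_MOUNTS}
    printf '%s\n' "$table" | awk -v p="$p" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_readonly_path PATH [TABLE]: succeed if PATH lives on a filesystem whose
# option list contains exactly "ro" (errors=remount-ro does not count).
is_readonly_path() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# writable_mounts [TABLE]: list every mountpoint mounted rw, one per line.
# These are the places where a trojan or backdoor could still be left behind.
writable_mounts() {
    printf '%s\n' "${1:-$SAMPLE_MOUNTS}" | awk '
        { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") { print $2; break } }'
}

# probe_writable DIR: real write test, succeeds if a file can be created in
# DIR. A ro root should make this fail for /etc even when running as root.
probe_writable() {
    f="$1/.ro-probe.$$"
    if ( : > "$f" ) 2>/dev/null; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# report: human-readable summary against the sample table.
report() {
    for d in /etc /var/log /tmp/x; do
        if is_readonly_path "$d"; then
            echo "$d: read-only (opts: $(mount_opts_for "$d"))"
        else
            echo "$d: WRITABLE (opts: $(mount_opts_for "$d"))"
        fi
    done
    echo "writable filesystems: $(writable_mounts | tr '\n' ' ')"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with `sh ro-audit.sh --report` to see the sample result; on a Linux box replace SAMPLE_MOUNTS with the contents of /proc/mounts. Note that the mount-table check and the write probe answer different questions: the table says what the kernel was asked to do, the probe says whether a write actually fails, which is what matters when mount(8) tries to update /etc/mtab on a read-only /.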