Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <8452bbcd-8840-9b26-20c8-080540a8f9cf@gmail.com>
Date: Sun, 21 Jun 2020 11:26:35 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: rootkit detection

On 21/06/2020 00:23, Solar Designer wrote:
> 
> FWIW, here's my tentative proposal from a few months ago for replacing
> lkrg.block_modules, which we ended up not doing yet:
> 
> ---
> modules_enforce 0 no enforcement, 1 log only, 2 block loading, 3 block loading and unloading, 4 also lock this setting itself
> (lkrg.modules_enforce=4 will be same as kernel.modules_disabled=1, except it'd also have LKRG's logging)
> ---
> 
> Do you like this?

Yes, this looks good to me.

> For now, we're going to document lkrg.block_modules as follows:
> 
> ---
> - lkrg.block_modules (0)
>   Whether or not to block further loading of kernel modules.  Allowed values
>   are 0 (no) and 1 (yes).
> 
>   This feature is meant primarily to prevent unintended user-triggered (or
>   attacker-triggered) auto-loading of maybe-vulnerable modules provided in a
>   distribution after all intended modules have already been loaded.  This
>   feature is not effective (nor is meant to be) against attackers who already
>   have root privileges and try to load a module explicitly (they could simply
>   flip this setting or even unload LKRG first).
> ---
> 

I would also add here some info on the kernel.modules_disabled option, to point 
users in the right direction when they look for a mechanism to completely lock 
the module loading feature.




Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.