Subject: Re: new lkm stuff ?
To: Peter Svensson <petersv@df.lth.se>
From: Michael Graff <explorer@flame.org>
List: current-users
Date: 08/24/1996 14:15:08
Peter Svensson <petersv@df.lth.se> writes:

> The talk about an intruder being able to write to the root disk doesn't buy
> you much; if he can write to the root fs, he can just insert a new kernel and
> wait for a reboot.

Not if you set the correct immutable flags on the kernel file.  Then the
intruder would need console access to modify it.

> My sleep-deprived idea: load a list of allowed modules into the kernel at
> boot-time, and mark those modules as immutable. Afterwards, only modules from
> the "allowed list" can be loaded. Since the immutable flag is set, the
> modules should be as safe as the kernel itself (provided the securelevel is
> appropriately set, of course).

Right.

And, since currently the modules are in /usr/lkm (since it makes little
sense to put them in /lkm...  ld needs to run, and is a dynamic executable)
you could get away with making /usr and /usr/lkm and the contents of that
immutable.

You would have to go to single user to modify parts of /usr, but how often
would someone do that?

IMHO, it would be nice to have Yet Another Security Level (or a bitmask
even :) which would allow you to turn on and off security features
separately.  For example, I never want someone to be able to modify my
immutable flags, but assuming the kernel loader has secure files to load
it would be nice to have dynamic loading.

As many have pointed out, however, those who are security paranoid (like
I am on some machines, less on others) won't want to use dynamic loading
more than likely.

--Michael
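The approach above (keep the kernel and everything under /usr/lkm system-immutable, and rely on securelevel to stop the flags being cleared) only holds if every module file actually carries the flag. The following audit script is an added example, not code from the thread or from NetBSD; it assumes the BSD `ls -lo` layout in which the file flags appear in the fifth column (`schg`, `uchg`, or `-` for none) and the path is the last field. The listing it parses is a constructed sample, so the script runs offline; on a real system you would feed it the output of `ls -lo /netbsd /usr/lkm/*`.

```shell
#!/bin/sh
# Audit helper: find kernel and LKM files that are not system-immutable.
# Assumes `ls -lo` output, where field 5 is the BSD file-flags column.
# The listing below is a CONSTRUCTED sample, not output from a real host.

SAMPLE_LISTING='-r--r--r--  1 root  wheel  schg      2345678 Aug 24  1996 /netbsd
-r-xr-xr-x  1 root  wheel  schg        12345 Aug 24  1996 /usr/lkm/ipfilter.o
-r-xr-xr-x  1 root  wheel  -           23456 Aug 24  1996 /usr/lkm/procfs.o
-rwxr-xr-x  1 root  wheel  uchg        34567 Aug 24  1996 /usr/lkm/nfs.o'

# find_mutable LISTING
# Prints one path per line for every entry whose flags field lacks "schg".
# A user-immutable flag (uchg) is deliberately NOT accepted: root can clear
# it at any securelevel, so it gives no protection against an intruder
# who already has root.
find_mutable() {
    printf '%s\n' "$1" | awk '{
        flags = $5
        path  = $NF
        if (index(flags, "schg") == 0) print path
    }'
}

# count_mutable LISTING
# Number of entries that still need the schg flag; useful as a cron
# check that alerts when the count is non-zero.
count_mutable() {
    find_mutable "$1" | wc -l | tr -d ' '
}

# suggest_fix LISTING
# Prints (does not run) the chflags command for each offending file, so an
# administrator can review the list before going to single-user mode.
suggest_fix() {
    find_mutable "$1" | while IFS= read -r p; do
        printf 'chflags schg %s\n' "$p"
    done
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Files lacking schg:"
    find_mutable "$SAMPLE_LISTING"
    echo "Suggested remediation:"
    suggest_fix "$SAMPLE_LISTING"
fi
```

Run it with `--demo` to see the two sample files flagged. Because the flag check is string-based on the `ls` column, the script is read-only: it never modifies flags itself, which matters on a host where clearing or setting `schg` is only possible at a securelevel you would not want a cron job running at.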