On Sun, 11 Apr 2004, Noah Meyerhans wrote:
> On Sun, Apr 11, 2004 at 11:15:10AM +0200, LeVA wrote:
>> I always compile the latest stable 2.4 kernel with loadable modules
>> disabled, but I don't apply any kernel patches.
>> Is this "safe", or must I apply some security patch?
>
> None of the recent kernel-level vulnerabilities have required module
> support to be enabled. So no, it is not safe to run pre-2.4.25 kernels
> unless you manually apply backported fixes or use the kernels provided
> by the Debian security team.
It is probably also worth pointing out that disabling module loading does
*not* prevent people installing a kernel-mode patch (root kit) at all. It
does make it slightly harder to achieve, but at least a few of the root-kit
systems out there are happy doing a binary patch direct to the kernel,
ignoring the module loader completely.

The only situation I can see where disabling module loading will increase
real security is where a device driver, or other code built as a module,
has a root exploit available, or enables access to an exploit. A device
driver with a flaw could do this, as could allowing someone to load (say)
the SCTP protocol and bypass your firewall as a result.

Overall, though, disabling modules does not increase security more than a
trivial amount.

That said, I don't use modules or the module loader on most of my servers:
the added management complexity of building a custom kernel is lower, in my
experience, than the management complexity of dealing with module loading
issues, especially at boot time.

Daniel

--
Confidence comes not from always being right but from not fearing to be
wrong. -- Peter T. Mcintyre
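The practical advice in the thread is a version threshold: a 2.4 kernel older than 2.4.25 needs backported fixes or a vendor kernel regardless of module support. The following is an added example, not code from the thread or from Debian, that turns that threshold into a check a sysadmin can run against `uname -r` output. It assumes kernel release strings of the form "major.minor.patch" with an optional suffix such as "-1-686" or "-test3", which it strips; the threshold 2.4.25 is the one named above and can be overridden.

```shell
#!/bin/sh
# Added example: flag kernels older than the 2.4.25 threshold from the
# thread. Not part of the original post; assumes "a.b.c[-suffix]" releases.

# version_number RELEASE
#   Strip anything after the numeric "a.b.c" part and fold it into one
#   integer (a*1000000 + b*1000 + c) so versions compare with -lt/-ge.
version_number() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# kernel_needs_fixes RELEASE [THRESHOLD]
#   Succeeds (exit 0) when RELEASE is older than THRESHOLD (default 2.4.25),
#   i.e. when backported fixes or a security-team kernel are required.
kernel_needs_fixes() {
    rel=$1; thr=${2:-2.4.25}
    [ "$(version_number "$rel")" -lt "$(version_number "$thr")" ]
}

# report_kernel RELEASE
#   Human-readable verdict for one release string.
report_kernel() {
    if kernel_needs_fixes "$1"; then
        echo "$1: older than 2.4.25 - apply backported fixes or use a vendor security kernel"
    else
        echo "$1: at or beyond 2.4.25"
    fi
}

# Usage: ./kcheck.sh [RELEASE]; defaults to the running kernel.
report_kernel "${1:-$(uname -r)}"
```

Run it with no argument to check the running kernel, or pass a release string (for example from an inventory list) to check hosts offline. Module support is deliberately not inspected: as the message above explains, its presence or absence says nothing useful about whether the kernel itself is patched.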