[Triumf-linux-managers] kernel vulnerability
Andrew Daviel
advax at triumf.ca
Mon Aug 17 13:10:05 PDT 2009
On Mon, 17 Aug 2009, Konstantin Olchanski wrote:
> On Sun, Aug 16, 2009 at 03:26:28PM -0700, Andrew Daviel wrote:
> This line of thinking eventually leads to the conclusion that
> "security is not important because bad guys do not exist".
Someone wrote "the only secure computer is one that is turned off,
encased in cement, and dropped in the ocean". Others wrote "not even
then".
At any given point there are hundreds of known vulnerabilities in
operating systems and applications. It's logistically impossible to close
them all. Chances are, if someone targets a particular user and computer
and tries really hard, they can get in with a combination of attacks.
If you have a vulnerable service, especially as root, you can get in in
one go, automatically - so that's a greater risk. Or if there is a huge
pool of users running a homogeneous privileged application on a homogeneous
O/S, so that sending out email and infecting websites will net a large number of
machines you can recruit for a botnet. Right now, that does not seem to
be the case for Linux. Though anyone who says Linux/Mac/BSD is totally
secure and there can never be a Linux/Mac virus is an idiot.
>
>> # service bluetooth stop ; chkconfig bluetooth off
>
> Denice tells me that this does not prevent autoloading of "bad" kernel
> modules.
True. It just seems like a good idea, in addition to zapping
modules.conf, not as a replacement. Turning off unwanted services is in
general a good idea - the problem is figuring out which are unwanted and which are required by
some new OS feature.
> Can this be accidentally defeated by the existence of some other
> /etc/modules.d/ file that happens to have
> a line "install pppox /bin/do-something-else" overwriting
> the /bin/true command?
I don't know. Care to try?
(I tested pppox, but sctp can't easily be removed if installed with
modprobe, even if ip6tables is stopped)
> Do we need to "grep pppox /etc/modules.d" to make sure?
Maybe. RedHat would have said if that was the case for RHEL.
Though the only lines I have seen are things like "don't install x;
install y" and call modprobe recursively to install y, not insmod. E.g.
install usbmouse /sbin/modprobe --first-time --ignore-install usbmouse \
&& { /sbin/modprobe hid; /bin/true; }
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
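The "grep pppox to make sure" check discussed above, written out as a small audit script. This is an added example, not part of the original thread or of any distribution's tooling: it builds a constructed modprobe-style configuration directory with a deliberate conflicting "install" line, then reports for each module whether the only install lines point at /bin/true ("blocked"), whether some other install line exists and needs investigation ("overridden"), or whether there is none ("absent"). On a real host, point CONF_DIR at the real configuration directory (e.g. /etc/modprobe.d/) instead of the sample.

```shell
#!/bin/sh
# Audit modprobe configuration for modules that were disabled with
# "install <module> /bin/true", and flag any other install line for the
# same module that could defeat that block.

# Print every "install <mod> ..." line found in the files under $1.
# Never fails (empty output when nothing matches), so it is safe under set -e.
install_lines_for() {
    dir=$1; mod=$2
    grep -h -E "^[[:space:]]*install[[:space:]]+${mod}([[:space:]]|$)" \
        "$dir"/* 2>/dev/null || true
}

# Classify module $2 under directory $1:
#   absent     - no install line at all
#   blocked    - every install line runs /bin/true
#   overridden - at least one install line runs something else
module_block_status() {
    dir=$1; mod=$2
    lines=$(install_lines_for "$dir" "$mod")
    if [ -z "$lines" ]; then
        echo absent
    elif printf '%s\n' "$lines" | grep -q -v -E '/bin/true[[:space:]]*$'; then
        echo overridden
    else
        echo blocked
    fi
}

# Constructed sample configuration (hypothetical file names): the intended
# block for pppox and sctp, plus a second file that re-enables pppox.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'install pppox /bin/true\ninstall sctp /bin/true\n' > "$d/block-sock.conf"
    printf '# some other package\ninstall pppox /bin/do-something-else\n' > "$d/other.conf"
    echo "$d"
}

# Demonstration run over the constructed sample, not a real host.
CONF_DIR=$(make_sample_dir)
for m in pppox sctp usbmouse; do
    printf '%s: %s\n' "$m" "$(module_block_status "$CONF_DIR" "$m")"
done
rm -rf "$CONF_DIR"
```

Expected output of the demonstration: pppox: overridden, sctp: blocked, usbmouse: absent.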