
[cobalt-security] Security tip o' the month



Grab 'lcap', a program which allows you to set kernel parameters on the
fly, from:

http://owned.lab6.com/~gossi/RaQ-security/files/lcap-0.0.3-2.i386.rpm

Install it, then add "/sbin/lcap CAP_SYS_MODULE" to the bottom of
/etc/rc.d/rc.local and reboot the RaQ.  Or, if you are cautious about it
not working properly, try manually running the command first to check that it
works ok.

Basically, that stops loadable kernel modules from being inserted into the
kernel once the command is run (i.e. at boot).  So if somebody breaks in and
tries to load up something like adore, knark (or one of the other various
Linux Kernel Module rootkits) they won't be able to, without forcefully
removing lcap (which requires removing the line from rc.local and
rebooting the RaQ, which is easily noticeable).

Combine it with something like Tripwire to monitor system files for
changes and you have a reliable method of detecting dodgy system activity.

Gossi.
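The check Gossi suggests ("try manually running the command first to check that it works ok"), written out as an added example; this script is not part of the original post and is not code from lcap or from the RaQ. It assumes, as lcap 0.0.x did on 2.2/2.4-era kernels, that the capability bounding set is exposed in /proc/sys/kernel/cap-bound as a signed decimal bitmask, that CAP_SYS_MODULE is capability number 16, and that the default value (every capability allowed) is -1; the rc.local path and the helper names are the script's own.

```sh
#!/bin/sh
# Added example, not from the original post: confirm that "lcap CAP_SYS_MODULE"
# really removed module loading from the kernel capability bounding set.
#
# Assumptions (not stated on the page):
#  - lcap 0.0.x updates /proc/sys/kernel/cap-bound, a signed 32-bit bitmask
#    where bit N corresponds to capability number N.
#  - CAP_SYS_MODULE is capability 16; the default bounding set is -1 (all bits).
#  - Kernels from 2.6.31 on expose kernel.modules_disabled instead, which the
#    live check falls back to.

CAP_SYS_MODULE=16
RC_LOCAL=/etc/rc.d/rc.local

# cap_bit_set VALUE BIT: true when capability BIT is still in bounding set VALUE.
# Arithmetic right shift keeps this correct for the negative (signed) values
# the kernel prints, e.g. -1 or -65537.
cap_bit_set() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# module_loading_blocked VALUE: true when CAP_SYS_MODULE has been dropped.
module_loading_blocked() {
    ! cap_bit_set "$1" "$CAP_SYS_MODULE"
}

# expected_cap_bound: the value cap-bound should show after "lcap CAP_SYS_MODULE"
# has run against the default bounding set of -1.
expected_cap_bound() {
    echo $(( -1 & ~(1 << CAP_SYS_MODULE) ))
}

# rc_local_has_lcap FILE: true when FILE runs lcap against CAP_SYS_MODULE on a
# line that is not commented out, so the drop will survive a reboot.
rc_local_has_lcap() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '/sbin/lcap[[:space:]].*CAP_SYS_MODULE'
}

# check_live_system: read the real kernel state and report. Exit 0 when module
# loading is blocked, 1 when it is not, 2 when neither interface exists.
check_live_system() {
    if [ -r /proc/sys/kernel/cap-bound ]; then
        val=$(cat /proc/sys/kernel/cap-bound)
        if module_loading_blocked "$val"; then
            echo "cap-bound=$val: CAP_SYS_MODULE dropped, module loading blocked"
        else
            echo "cap-bound=$val: CAP_SYS_MODULE still present, lcap has NOT taken effect"
            return 1
        fi
    elif [ -r /proc/sys/kernel/modules_disabled ]; then
        # Newer kernels: no cap-bound sysctl; "kernel.modules_disabled=1" is the
        # equivalent one-way switch (assumption: 2.6.31+ kernels only).
        if [ "$(cat /proc/sys/kernel/modules_disabled)" = "1" ]; then
            echo "modules_disabled=1: module loading blocked"
        else
            echo "modules_disabled=0: module loading still allowed"
            return 1
        fi
    else
        echo "no cap-bound or modules_disabled sysctl: cannot tell"
        return 2
    fi
    if [ -r "$RC_LOCAL" ] && rc_local_has_lcap "$RC_LOCAL"; then
        echo "$RC_LOCAL re-applies lcap at boot"
    else
        echo "warning: $RC_LOCAL does not run lcap, the drop will not survive a reboot"
    fi
}

# Run the live check only when invoked as "sh lcap-check.sh --check".
if [ "${1:-}" = "--check" ]; then
    check_live_system
fi
```

Run it as `sh lcap-check.sh --check` once after typing the lcap command by hand and again after the reboot; the cap-bound value should read -65537 in both cases, and the rc.local warning tells you whether the drop is persistent. If the first run reports that CAP_SYS_MODULE is still present, lcap did not do anything on that kernel and the rc.local line is not protecting you.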