
Re: [cobalt-security] LCAP, was: Forensics on a hacked server



Hi pjm,

> However, LCAP has thrown errors from the start. Part of it is "kmod",
> which runs by a cron job every ten minutes. (It lives in /etc/cron.d/.)
> I got the following error: "rmmod: Operation not permitted." Every ten
> minutes. So I took it out of cron.

Yeah. That "kmod" script in /etc/cron.d/ is a dirty RedHat trick which the Sun 
Cobalt makers inherited. kmod unloads and reloads all kernel modules every 15 
minutes. If kernel modules have a memory leak, then using this "workaround" 
unclutters the memory. In theory.

You can run a RaQ or Qube without that kmod script and you specifically need 
to delete or to disable kmod if you want to use LCAP to disable the ability 
to load kernel modules once the box is up and running.

> Where can I find out more about what LCAP does? My Google searches turn
> up a lot of places to download the package but no documentation and a
> few 404s.

Yeah, the original download page vanished at one point or another. However, 
LCAP has been part of the Debian source tree for a while and can be obtained from 
there: 

http://packages.debian.org/stable/admin/lcap.html

> Second, can anyone help me figure out how to get it running again?

Best would be to grab the tarball of the latest version from the above-mentioned 
URL. The included documents contain all the information you might 
need.

Here is one example usage: If a system administrator wishes to disallow the 
loading of kernel modules, the following command line would be executed:

  lcap CAP_SYS_MODULE

-- 

With best regards,

Michael Stauber
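A small check script for the two conditions the reply describes (kmod cron job gone, CAP_SYS_MODULE out of the bounding set). This is an added example, not code from the thread or from the LCAP package; it assumes lcap edits the signed-decimal mask that 2.2/2.4 kernels expose in /proc/sys/kernel/cap-bound, and that the Cobalt cron job lives at /etc/cron.d/kmod (the exact filename is an assumption).

```shell
#!/bin/sh
# CAP_SYS_MODULE is capability number 16 (linux/capability.h).
CAP_SYS_MODULE=16

# cap_dropped MASK CAPNUM
# Succeeds when bit CAPNUM is clear in MASK. MASK is the signed decimal that
# 2.2/2.4 kernels expose in /proc/sys/kernel/cap-bound (the file lcap edits);
# the kernel default -257 means "every capability except CAP_SETPCAP (8)".
cap_dropped() {
    mask=$(( $1 & 4294967295 ))        # view the signed value as a 32-bit bitmask
    [ $(( (mask >> $2) & 1 )) -eq 0 ]
}

# lcap_precheck CAPBOUND_FILE CRON_FILE
# Both must hold: the kmod cron job is gone (otherwise its rmmod fails every
# run once modules are locked) and CAP_SYS_MODULE is out of the bounding set.
# Returns 0 only when both are true.
lcap_precheck() {
    cb_file=$1; cron_file=$2; status=0
    if [ -e "$cron_file" ]; then
        echo "WARN: $cron_file still present; rmmod will fail with 'Operation not permitted'"
        status=1
    fi
    if [ ! -r "$cb_file" ]; then
        echo "WARN: $cb_file not readable (only 2.2/2.4-era kernels expose it)"
        return 1
    fi
    if cap_dropped "$(cat "$cb_file")" "$CAP_SYS_MODULE"; then
        echo "OK: CAP_SYS_MODULE removed from the bounding set"
    else
        echo "WARN: modules still loadable; disable kmod, then run: lcap CAP_SYS_MODULE"
        status=1
    fi
    return $status
}

# Run against the live box with: sh this_script.sh --live   (path assumed)
if [ "${1:-}" = "--live" ]; then
    lcap_precheck /proc/sys/kernel/cap-bound /etc/cron.d/kmod
fi
```

Because lcap only clears bits, the value must be read back after boot, not just after running the command once.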