RE: Stock vs Compiled Kernel

From: captgoodnight captgoodnight <captgoodnight@hotmail.com>
Date: Wed Jan 04 2006 - 18:28:04 AKST

What I do here is snag a copy of the current .config from /proc (kernel
option...) and diff it against a copy of the one used during compile time.
The script I use is encrypted with shc, for obscurity. The check is nightly,
and everything better be where expected and equal up with md5.... One could
go farther with this and do offline or this or that.... A module diff is
done too, what's loaded and changed...Then there's Tripwire...and remote
logging...

There's always lids and selinux and...

The whole module vuln is fairly easy to detect, and what steps taken by the
baddie to align himself with such opportunity better raise many a red flag,
if not, admin or higher ups are doing a poor job :) One of the hardest
things to get around is the lastlog options in login and sshd, mixed with
tripwire monitoring and remote syslog...or, basha :)

2 cents,
eddie
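
The nightly check described above, written out as an added example (not eddie's shc-wrapped script, which is not on the page). It assumes a baseline config and module list saved at compile time plus an md5 list of those baseline files; the live inputs on a real box would be `zcat /proc/config.gz` and `lsmod`, replaced here by constructed sample files so it runs anywhere.

```sh
# Added example: compare the running kernel's config and loaded modules with a
# compile-time baseline. Sample data below is constructed; on a live system use
# `zcat /proc/config.gz` (needs CONFIG_IKCONFIG_PROC) and `lsmod` instead.
tmp=$(mktemp -d)
# --- constructed sample data (stands in for the baseline dir and live system) ---
cat > "$tmp/base.config" <<'EOF'
# saved from the build tree at compile time
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_IKCONFIG_PROC=y
EOF
cat > "$tmp/live.config" <<'EOF'
# sample of what zcat /proc/config.gz returns
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_IKCONFIG_PROC=y
EOF
printf 'ext3\ne1000\n' > "$tmp/base.modules"
printf 'Module  Size  Used by\next3 100 1\ne1000 200 0\nunknown_mod 50 0\n' > "$tmp/live.modules"
md5sum "$tmp/base.config" "$tmp/base.modules" > "$tmp/baseline.md5"

# The baseline itself must be trusted: fail if any baseline file no longer matches its md5.
verify_baseline() { md5sum -c --status "$1"; }

# Compare CONFIG_ lines only, so header/comment changes don't alarm; print drift, return 1 on any.
check_config() {
    grep '^CONFIG_' "$1" | sort > "$tmp/base.cfg"
    grep '^CONFIG_' "$2" | sort > "$tmp/live.cfg"
    diff "$tmp/base.cfg" "$tmp/live.cfg" > "$tmp/cfg.diff" && return 0
    echo "kernel config drift:"; cat "$tmp/cfg.diff"; return 1
}

# Report modules loaded now (first lsmod column, header skipped) that are not in the baseline.
check_modules() {
    sort -u "$1" > "$tmp/base.mods"
    awk 'NR > 1 { print $1 }' "$2" | sort -u > "$tmp/live.mods"
    unexpected=$(comm -13 "$tmp/base.mods" "$tmp/live.mods")
    [ -z "$unexpected" ] && return 0
    echo "unexpected loaded modules:"; echo "$unexpected"; return 1
}

# Run all checks; the return value is the number of failed checks (0 = clean).
nightly_check() {
    failures=0
    verify_baseline "$tmp/baseline.md5" || { echo "baseline files altered"; failures=$((failures + 1)); }
    check_config "$tmp/base.config" "$tmp/live.config" || failures=$((failures + 1))
    check_modules "$tmp/base.modules" "$tmp/live.modules" || failures=$((failures + 1))
    return $failures
}
nightly_check; echo "failed checks: $?"
```

With the sample data the config matches but one module not in the baseline is loaded, so the run reports one failed check; in practice the output would go to remote syslog rather than the terminal.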

>From: jsw <jsw@wadell.org>
>To: aklug@aklug.org
>Subject: Stock vs Compiled Kernel
>Date: Wed, 04 Jan 2006 17:41:29 -0900
>
>Responding to Jamie's question, as I see it, having loadable modules in
>the kernel is a vulnerability, albeit a small one. If the box were rooted,
>services, etc could be added by loading a module. If loadable modules
>are not enabled, this can't happen.
>
>Just my $.02
>
>Jim

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Jan 4 18:28:28 2006

This archive was generated by hypermail 2.1.8 : Wed Jan 04 2006 - 18:28:28 AKST