From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.54) id 1FChY7-0005Sj-HK
	for garchives@archives.gentoo.org; Fri, 24 Feb 2006 18:20:15 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.5/8.13.5) with SMTP id k1OIIFd7022532;
	Fri, 24 Feb 2006 18:18:15 GMT
Received: from mta13.adelphia.net (mta13.mail.adelphia.net [68.168.78.44])
	by robin.gentoo.org (8.13.5/8.13.5) with ESMTP id k1OIIDir023560
	for ; Fri, 24 Feb 2006 18:18:14 GMT
Received: from homer.edgehp.net ([69.171.210.251])
	by mta13.adelphia.net (InterMail vM.6.01.05.02 201-2131-123-102-20050715)
	with ESMTP id <20060224181812.ECDC23930.mta13.adelphia.net@homer.edgehp.net>
	for ; Fri, 24 Feb 2006 13:18:12 -0500
Received: from [192.168.154.40] (anastasia.edgehp.net [192.168.154.40])
	by homer.edgehp.net (Postfix) with ESMTP id 571615A674
	for ; Fri, 24 Feb 2006 13:16:19 -0500 (EST)
Message-ID: <43FF4DFB.7020500@edgehp.net>
Date: Fri, 24 Feb 2006 13:18:35 -0500
From: Dale Pontius
User-Agent: Mail/News 1.5 (X11/20060211)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-hardened@gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] kernel-guard
References: <43FEE1D4.1000903@struck.lu> <20060224122635.GA285@home.power> <43FF10D7.5070307@struck.lu>
In-Reply-To: <43FF10D7.5070307@struck.lu>
X-Enigmail-Version: 0.93.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 802c1ffa-645f-47ae-9c8b-4c4758f9b121
X-Archives-Hash: 1a9c87d2c6e86f461aa3ae94f9391e7b

Daniel Struck wrote:
>> Last version of hardened-sources has GrSecurity option for this:
>>
>> ---cut---
>> Runtime module disabling (GRKERNSEC_MODSTOP) [N/y/?] (NEW) ?
>>
>
> Thanks, I didn't know grsecurity already includes this feature.
> Indeed I have already compiled this feature in the kernel but didn't
> know about the sysctl switch "/proc/sys/kernel/grsecurity/disable_modules".
>
Doesn't prevent rootkits, only raises the bar. From what I've read on
the kernel list, there are still ways to get code into a running kernel,
even with modules disabled. It's just harder

Dale Pontius
-- 
gentoo-hardened@gentoo.org mailing list
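
Added example, not part of the original message or of grsecurity: a shell check that reports whether the switch discussed in this thread has actually been flipped, since a kernel can have GRKERNSEC_MODSTOP compiled in and still accept modules until the sysctl is set. The function name `module_lock_state` and its optional root-directory argument are hypothetical, and the mainline `kernel.modules_disabled` sysctl it also reads is not mentioned in the thread.

```shell
#!/bin/sh
# Added example: report whether runtime module loading is locked.
# The optional first argument is a hypothetical override of /proc so the
# check can be run against a constructed directory tree.

module_lock_state() {
    root="${1:-/proc}"
    # grsecurity switch named in the thread (GRKERNSEC_MODSTOP + sysctl support)
    grsec="$root/sys/kernel/grsecurity/disable_modules"
    # mainline kernel equivalent (assumption: not part of the thread)
    mainline="$root/sys/kernel/modules_disabled"

    # /proc/modules only exists on kernels built with loadable module support.
    if [ ! -e "$root/modules" ]; then
        echo "no-module-support"
        return 0
    fi

    # Either switch reading 1 means module loading has been turned off.
    for f in "$grsec" "$mainline"; do
        if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
            echo "locked"
            return 0
        fi
    done

    # Switch exists but reads 0: feature compiled in, never enabled at boot.
    if [ -e "$grsec" ] || [ -e "$mainline" ]; then
        echo "unlocked-switch-available"
        return 1
    fi

    # Modules supported and no switch present at all.
    echo "unlocked-no-switch"
    return 1
}

# Usage on a live host: module_lock_state   (reads /proc, exit status 0 = locked)
```

A "locked" result only says that loading through the module interface is off; it makes no statement about other ways of getting code into a running kernel.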