Why not? If someone finds a way to defeat a module, doesn't it help if they can't be sure the module is what is actually running in the first place? And if the blackhats already are doing it (which I'll look into, in case this proposal is torpedoed) then we aren't really providing any extra power to the bad guys.

BTW: Is there a way other than the one mentioned in Phrack so long ago? I can see perhaps by changing the inode_ops on /proc/modules to hijack it, but haven't seen that idea mentioned or tested it myself. If it's easy like that, then no biggie. If it is only done through tweaking registers, that's a mess.

-Titus

On Thu, 14 Jun 2001, Greg KH wrote:

> On Thu, Jun 14, 2001 at 03:36:21PM -0700, Titus D. Winters wrote:
> > Can I get a feel for the idea of having a hook that will govern letting a
> > module be detected? I can imagine there are some security modules (mine
> > for example) that would rather not broadcast their existence via someone
> > running lsmod. I think I know where to add it already.
>
> That's for the "l33t 15m" security module :)
> I don't think that it is needed, or wanted in a normal module.
>
> See some kernel module root kits for where to put that bit of code if
> you're interested.
>
> thanks,
>
> greg k-h