Disabling kernel module loading improve security ?


Disabling kernel module loading improve security ?

Postby evilangel » Sat May 24, 2008 3:24 am

Hi all,

I am wondering of Linux modules.
Would compiling in static in the kernel all my modules and then blocking module loading in my kernel improve security of my host ?

Thanks
evilangel

Re: Disabling kernel module loading improve security ?

Postby cormander » Sat May 24, 2008 4:19 am

Yes, but only when combined with the options to disable privileged IO and writes to KMEM. I might be missing another that needs to be enabled ... it's 2am :) Have a look at the help files for those options, it'll give you the full details.

Disabling LKM (Loadable Kernel Modules) is one way to prevent the insertion of a kernel rootkit - but there are other ways to do it (via ioctl and /dev/kmem and mmap) so turning this feature on is pretty useless w/o turning on the others. With all these respective options enabled, inserting a kernel-level rootkit at runtime is impossible, thus greatly increasing security.

If you enable this feature I would suggest that you also enable the SYSCTL feature ... and write to /proc/sys/kernel/grsecurity/disable_modules on boot. This way your kernel will still accept modules from your mkinitrd file at boot time, which means switching hardware does not require recompiling your kernel, and it will disallow insertion of any other module after boot time.

You *could* build in all your modules and not use a mkinitrd at all, and that would be a little bit of additional security; but using the RBAC system will prevent someone from replacing your mkinitrd with malicious kernel modules, and I would only recommend removing your mkinitrd from the boot process if you really know what you are doing.

Hope this answers your question.
cormander

Re: Disabling kernel module loading improve security ?

Postby evilangel » Sun May 25, 2008 8:51 am

Hey,

Ok I think here is something I missed.
In my understanding, disabling LKM means that I can't load ANY modules and so I have to compile everything static.

But in your previous post, I had the feeling that I can disable LKM (and the few things linked to it) and keep my initrd.

Is that possible? Am I able to use an initrd when I disable LKM?

Thanks
evilangel

Re: Disabling kernel module loading improve security ?

Postby cormander » Sun May 25, 2008 12:37 pm

Keep the core kernel LKM enabled. There is a grsecurity option to disable loading of kernel modules, and when combined with the grsecurity option to enable grsecurity SYSCTL options, it lets you load modules (like from your initrd) until you run this command:

Code:
echo 1 > /proc/sys/kernel/grsecurity/disable_modules


Once you run it, no more modules will be allowed to be loaded. This is useful because you may not want to have to compile all modules static into your kernel, but once they're all loaded at boot time, you don't want an attacker loading anything more. So in your /etc/rc.local (or whatever file your distribution uses to execute commands after your machine boots) put the above command, and from that point on (until the next reboot) modules can't be loaded.
cormander

Re: Disabling kernel module loading improve security ?

Postby evilangel » Sun May 25, 2008 12:47 pm

Great :)
I thought it was a kernel either with or without modules.
This feature is quite comfortable to use, then.

Thanks a lot Cormander for all these explanations
evilangel

Re: Disabling kernel module loading improve security ?

Postby specs » Mon May 26, 2008 1:34 pm

cormander wrote:
Keep the core kernel LKM enabled. There is a grsecurity option to disable loading of kernel modules, and when combined with the grsecurity option to enable grsecurity SYSCTL options, it lets you load modules (like from your initrd) until you run this command:

Code:
echo 1 > /proc/sys/kernel/grsecurity/disable_modules

Please use sysctl instead.
Using /proc to change kernel settings is not something you should be recommending.

Instead you might recommend not using /proc at all, if no programs break. (Why would you even want to mount /proc on a secure system?)
Code:
sysctl -w kernel.grsecurity.disable_modules=1
specs
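The rc.local step cormander describes, using the sysctl -w form specs recommends, as an added example that is not code from this thread or from grsecurity itself. It refuses to lock until the modules the initrd was expected to load are present, and verifies the sysctl afterwards; PROC_ROOT is an assumption added so the functions can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not code from the thread: lock kernel module loading from
# /etc/rc.local once the initrd has loaded everything the host needs.
# PROC_ROOT is an assumption added here so the functions can be exercised
# against a constructed /proc tree; on a real system it stays /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# 0 if every module named in "$@" appears in /proc/modules, 1 otherwise.
# Locking before a needed driver is in would leave the host without it.
modules_loaded() {
    for m in "$@"; do
        grep -q "^$m " "$PROC_ROOT/modules" || return 1
    done
    return 0
}

# 0 when kernel.grsecurity.disable_modules reads 1; 1 when it reads
# anything else or the file is absent (no grsecurity sysctl support).
module_loading_locked() {
    f="$PROC_ROOT/sys/kernel/grsecurity/disable_modules"
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then
        return 0
    fi
    return 1
}

# Set the sysctl, preferring sysctl(8) as the last post recommends; the
# direct /proc write is only the fallback (and the path used when testing).
lock_module_loading() {
    if [ "$PROC_ROOT" = /proc ] && command -v sysctl >/dev/null 2>&1; then
        sysctl -w kernel.grsecurity.disable_modules=1 >/dev/null || return 1
    else
        echo 1 > "$PROC_ROOT/sys/kernel/grsecurity/disable_modules" || return 1
    fi
    module_loading_locked
}

# rc.local entry point: lock_after_boot ext4 e1000 ... (modules the initrd
# must already have loaded). Refuses to lock if any of them is missing.
lock_after_boot() {
    if ! modules_loaded "$@"; then
        echo "required module not loaded; leaving module loading enabled" >&2
        return 1
    fi
    lock_module_loading && echo "kernel module loading disabled until reboot"
}
```

Call lock_after_boot with the module names your initrd loads as the last line of rc.local; the privileged I/O and /dev/kmem options from the first reply still have to be set at kernel build time.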
