Linux security product with its own kernel module

juddy · 07-20-2021, 01:57 AM

Question for all Linux admins / Linux security guys out there –
Would you use a Linux security product that has it own kernel module?
Or do you consider products that use a kernel module as a big no – no?
Thoughts? Reasons?

syg00 · 07-20-2021, 03:10 AM

Depends if it really is a module. Linux has a framework specifically to accommodate this - read the kernel doco here

sundialsvcs · 07-20-2021, 08:09 PM

Tell us more about the specific product that you are now considering ...

Certainly, some systems – such as "plesk" – do use custom kernel modules.

jefro · 07-20-2021, 09:49 PM

If one had enough resources in this device then they probably ought to avoid LKM's.

"
Security
While loadable kernel modules are a convenient method of modifying the running kernel, this can be abused by attackers on a compromised system to prevent detection of their processes or files, allowing them to maintain control over the system. Many rootkits make use of LKMs in this way. Note that on most operating systems modules do not help privilege elevation in any way, as elevated privilege is required to load a LKM; they merely make it easier for the attacker to hide the break-in.[10]

Linux
Linux allows disabling module loading via sysctl option /proc/sys/kernel/modules_disabled.[11][12] An initramfs system may load specific modules needed for a machine at boot and then disable module loading. This makes the security very similar to a monolithic kernel. If an attacker can change the initramfs, they can change the kernel binary."
https://en.wikipedia.org/wiki/Loadab...ule#Advantages

syg00 · 07-20-2021, 11:37 PM

Don't confuse LSM with LKM.

jmccue · 07-23-2021, 10:17 AM

I am fine with using modules and I tend to prefer that. But I usually stick with whatever security that comes with the distros I use.