[ale] Monolithic vs Modularised Kernels

Michael H. Warfield mhw at wittsend.com
Wed Jul 9 23:56:27 EDT 2003 

On Wed, Jul 09, 2003 at 11:31:17PM -0400, Byron A Jeff wrote:

> > The Client that I am doing for is finally pushing Linux into the
> > enterprise. Amazing how chap11 can actually help promote better and much
> > more superior technologies ;-). I am feverishly replacing a lot of the
> > servers with Linux (Redhat) that use to the run the piece of sh!%$^%$ NT ,
> > but using a vanilla kernel with the grsecurity patch. Some examples are,
> > Samba for the PDC, WINS, Print Server, and even the  production database
> > running Sybase (HP-UX) will soon be on Linux. My question is whether to
> > build a Monolithic or Modularised Kernel. Read several arguments on
> > google, but wanted to see your views. Thanks.

> Monolithic kernels are hardware to maintain. Any changes require a kernel
                         ^^^^^^^^
	They're both hardware to maintain (backwards English - do it with a
lilt - sort of a sing song...)  But I assume you mean harder.  :->

> recompile, and a subsequent reboot to install the new kernel. Also there are
> no guarantees that a newly compiled kernel will boot.

	Rules:

	1) Always maintain a fall back kernel you know will clean the FS.

	2) Always maintain the last known working kernel (which may be #1)

	3) Enable Magic Sys-Req so you can reboot even if damn near all
else fails (I've used Magic Sys-Req over a serial line and recovered
remote boxes miles away).

	I currently have two or three 2.5 kernels I know work plus a known
GOOD 2.4 custom kernel and a 2.4 stock RedHat kernel to get my ass out of
the hole I just dug for myself.  That's on my laptop.  My workstations
are a bit different, my servers a bit different more, and my remote boxen -
very different...  But all follow the above three rules.  ESPECIALLY
those remote colo servers.

> As long as you turn off kernel module autoloading, the risk of exposure is
> both small and total.  ...

	Huh???  That last sentence did not parse.  ...  "is both small
and total"?  Uhhh...  Total what???  The words were English but the meaning
escapes me.  IAC...  Turning off kernel module autoloading may help some.
But not much...  The paths that it autoloads from are restricted and if
they can modify that, they have you by the shorts already...

>	...	If an unauthorized user can load a module, you already 
> have much bigger problems than the fact that they can load a module.

	Even if they can't, they can.  Some rootkits include the ability
to load their kernel stuff through kmem.  Even if modules are totally
disabled, they can patch the kernel if they can access kmem.  Game over.

> My general rule of thumb is to compile into the kernel only what is required
> to boot the system and have everything else as modules.

	I'm usually somewhere in-between everything in the monolithic block
and everything in modules...  If it results in an initrd to boot, I am NOT
a happy camper (which is "what is required to boot the system") but some
things are reasonable to put in a kernel if you are already customizing it.

> BAJ

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

 PGP signature

More information about the Ale mailing list