Date: Sat, 8 Sep 2001 05:52:27 -0500 (CDT)
From: hawkeyd@visi.com (D J Hawkey Jr)
To: deepak@ai.net, freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <200109081052.f88AqRG30016@sheol.localdomain>
In-Reply-To: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net>
References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net>
In article <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net>, deepak@ai.net writes:

> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

If you're dealing with a "fixed purpose" server, the kernel may not need any KLD. On two of my servers, only blank_saver.ko is loaded, and that could be eliminated too, by not using a screensaver.

> Thought process --
>
> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?
>
> Scenario:
>
> System is violated,
> Root kit is installed,
> Root kit [binaries] are deleted from the machine.
>
> Solution:
>
> Reboot machine

Rebooting won't necessarily fix anything. IIRC, one Linux rootkit replaces a module with the backdoor. If the kernel needed that module once, it'll need it again.

> How does one DETECT that the root kit is there in the first place to know to
> reboot it?

Tripwire.

> Thanks,
> Deepak Jain
> AiNET

Hope this helps,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"