From owner-freebsd-hackers Sat Sep 8 2:39:47 2001
From: "Deepak Jain"
To: "freebsd-hackers@FreeBSD.ORG"
Subject: Kernel-loadable Root Kits
Date: Sat, 8 Sep 2001 05:43:41 -0400
List-ID: freebsd-hackers

Short question: Is there a way to prevent the kernel from allowing loadable modules?

Thought process
---

With the advent of the kernel-loadable root kit, intrusion detection has gotten a bit more complicated. Is there a _simple_ solution to detecting the presence of a kernel-based root kit once it is running?

Scenario: System is violated, Root kit is installed, Root kit [binaries] are deleted from the machine.

Solution: Reboot machine

How does one DETECT that the root kit is there in the first place to know to reboot it?

Thanks,

Deepak Jain
AiNET

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
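The two questions in the post (keeping modules from being loaded, and noticing when an unexpected one is present) map onto two defensive checks that the FreeBSD securelevel mechanism and kldstat(8) make possible: at kern.securelevel 1 or higher the kernel refuses kldload/kldunload, and a baseline of the module list taken on a clean install can be diffed against the running system. The script below is an added example and is not part of the original message or a reply in the thread; it assumes the column layout of kldstat output and embeds constructed sample data (the module name example_unknown.ko and the addresses are made up) so that it runs offline.

```sh
#!/bin/sh
# Added example, not from the original post. Two defender-side checks:
#  1. is the securelevel high enough that kldload is refused?
#  2. does the loaded-module list differ from a known-good baseline?
# Assumes kldstat(8) prints a header row followed by "Id Refs Address Size Name"
# rows, and that kern.securelevel is readable with sysctl(8).

# Constructed sample of kldstat output, as it might look on a running system.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1    7 0xffffffff80200000 1f3b8a8  kernel
 2    1 0xffffffff82210000 3ba0     nullfs.ko
 3    1 0xffffffff82215000 2c18     example_unknown.ko'

# Constructed baseline of module names recorded right after installation,
# one name per line (on a real host, store this on read-only media).
BASELINE_MODULES='kernel
nullfs.ko'

# Print the module name (last column) of every kldstat row, skipping the header.
module_names() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $NF }'
}

# Print each currently loaded module that does not appear in the baseline.
# $1 = kldstat-formatted text, $2 = baseline names, one per line.
unexpected_modules() {
    module_names "$1" | while read -r name; do
        printf '%s\n' "$2" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Succeed when the securelevel value is 1 or more, i.e. module loading and
# unloading are refused until the next reboot.  Non-numeric input fails.
securelevel_ok() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# Live use on a FreeBSD host would replace the constructed inputs with:
#   unexpected_modules "$(kldstat)" "$(cat /var/db/kld.baseline)"
#   securelevel_ok "$(sysctl -n kern.securelevel)"
# To raise the level at every boot, /etc/rc.conf can carry
#   kern_securelevel_enable="YES"
#   kern_securelevel="1"
# Root can raise kern.securelevel at runtime but cannot lower it; only a reboot resets it.
```

The caveat that matters for the detection half of the question: a kernel-resident rootkit can unlink itself from the list that kldstat reads, so an empty diff is not proof of a clean kernel. The baseline comparison catches the straightforward cases and module drift from ordinary administration; the securelevel setting is the stronger control because it stops the load from happening at all once the system has finished booting.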