Delivered-To: freebsd-hackers@freebsd.org
From: "Sansonetti Laurent"
Subject: Re: Kernel-loadable Root Kits
Date: Sat, 8 Sep 2001 16:21:29 +0200
Sender: owner-freebsd-hackers@FreeBSD.ORG

Hello,

> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

Yes, by hacking kldload(2). You can also switch the secure level using sysctl.

> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?

1) scan the sysent table and check syscall pointers (generally, rootkits intercept syscalls)

2) scan the tail queue called 'modules' (note, many rootkits erase their entry in MOD_LOAD)

Hope this helps,
-- 
Sansonetti Laurent - http://lrz.linuxbe.org
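The sysent check from point 1 above, as an added user-space model in C (not code from the post or from FreeBSD): it flags any entry whose handler pointer differs from a trusted baseline snapshot or lies outside the kernel text range, which is where a handler planted in module memory ends up. The table, the baseline and the address ranges are all constructed values.

```c
/* Added example, not code from the list post: a user-space model of the
 * sysent check the reply describes. The table, the baseline snapshot and the
 * kernel text range are constructed; in the kernel they would be sysent[],
 * a snapshot taken at boot, and the kernel's own text segment. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The two fields of FreeBSD's struct sysent a checker cares about. */
struct sysent_entry {
    int sy_narg;        /* argument count */
    uintptr_t sy_call;  /* handler address, kept as an integer here */
};
/* Constructed kernel text range: legitimate handlers live inside it. */
#define KTEXT_START 0xc0100000UL
#define KTEXT_END   0xc0400000UL

/* Compare the live table with the trusted baseline and the text range.
 * Returns the number of suspect entries and writes their indices to out[]. */
size_t check_sysent(const struct sysent_entry *cur, const struct sysent_entry *base,
                    size_t n, size_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int swapped = cur[i].sy_call != base[i].sy_call;   /* pointer replaced */
        int outside = cur[i].sy_call < KTEXT_START || cur[i].sy_call >= KTEXT_END;
        if ((swapped || outside) && found < max)
            out[found++] = i;
    }
    return found;
}

/* Constructed sample: a five-entry baseline, and a live copy in which
 * entry 3 has been redirected to an address in module memory. */
#define N 5
static const struct sysent_entry baseline[N] = {
    {0, 0xc0101000UL}, {3, 0xc0102340UL}, {1, 0xc0103a00UL},
    {4, 0xc0104180UL}, {2, 0xc0105c00UL}
};

size_t demo_run(size_t *out)
{
    struct sysent_entry live[N];
    memcpy(live, baseline, sizeof live);
    live[3].sy_call = 0xc2a01000UL;   /* constructed: points outside KTEXT */
    return check_sysent(live, baseline, N, out, N);
}

size_t demo_count(void) { size_t idx[N]; return demo_run(idx); }
int demo_first_suspect(void) { size_t idx[N]; return demo_run(idx) ? (int)idx[0] : -1; }
```

A real checker would also re-run the scan periodically, since the baseline only helps if it was captured before any untrusted module was loaded.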