Date:      Mon, 22 Oct 2001 15:07:08 -0400 (EDT)
From:      CS <spork@fasttrackmonkey.com>
To:        The Psychotic Viper <psyv@sec-it.net>
Cc:        Andrew Johns <johnsa@kpi.com.au>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   Re: KLD detectors
Message-ID:  <20011022150129.G60205-100000@bigpoop.foo.foo>
In-Reply-To: <20011022025913.G26647-100000@lucifer.fuzion.ath.cx>

Hi,

Thanks for the info, I'll test it out on a few I've found (bsd versions of
adore).

I'm also interested in utilizing securelevels, but I'm still not 100% sure
that securelevel 1 will actually stop this, as there seem to be a number
of tools out there to bypass the securelevel restriction.  For example:

http://www.s0ftpj.org/en/tools.html

Scroll down to "securelevel bypass":
http://www.s0ftpj.org/tools/securelvl.tgz

Also, I'm finding myself upgrading bits and pieces of the system more
often (telnetd, openssh, etc.) and I'm wavering on what exactly I should
set the "schg" flags on.  Most of my machines are remote, and I also don't
want to revert to NT behaviour of "oh you patched, now you must reboot"...

Charles

On Mon, 22 Oct 2001, The Psychotic Viper wrote:

> Hi,
>
> On Mon, 22 Oct 2001, Andrew Johns wrote:
>
> > CS wrote:
> > >
> > > Hello,
> > >
> > > Does anyone know of a program for FreeBSD to look for "hidden" KLDs?
> > >
> > > I found this for linux:
> > >
> > > http://www.hsc.fr/ressources/breves/LKMrootkits.html
> > >
> > > But so far, nothing for FreeBSD.
> > >
> > > Thanks,
> > >
> > > CS
> > >
> >
> > I found this a while ago - have never looked into it myself -
> > just saved the URL for times like this.
> >
> > http://www.chkrootkit.org
> >
> > They have versions for most un*x's.
> better yet, they're in the ports (/usr/ports/security/chkrootkit) =) and I have no
> idea on how to check for them, but you could enable kernel secure levels
> (if the machine is not going to use X or any securelevelphobic software)
> which would limit the chance of being bitten by a stray module. Just, it's
> not the all-curing fix, but it limits what you would need to look at/check to
> avoid such nasties.
>
> HTH,
> PsyV
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
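An added example, not code from the thread: offline baseline checks for the three controls discussed above (modules not present after a clean boot, kern.securelevel, and schg flags on patched binaries). The kldstat, sysctl and ls -lo output embedded below is constructed sample text, assuming the FreeBSD 4.x column layout, so the script runs anywhere; on a real host the functions would read the live command output on stdin instead.

```shell
#!/bin/sh
# Added example (not from the thread). All sample input is constructed.

# Constructed baseline: module names seen after a clean boot.
BASELINE_KLD="kernel linux.ko snd_pcm.ko"

# Constructed kldstat output with one module that is not in the baseline.
SAMPLE_KLDSTAT="Id Refs Address    Size     Name
 1    5 0xc0100000 1f3f5c   kernel
 2    1 0xc0e3c000 c000     linux.ko
 3    1 0xc0f00000 2000     snd_pcm.ko
 4    1 0xc1000000 1000     unknown.ko"

# Constructed `sysctl kern.securelevel` output.
SAMPLE_SYSCTL="kern.securelevel: 1"

# Constructed `ls -lo` output: flags are column 5, '-' when none are set.
SAMPLE_LSLO="-r-xr-xr-x  1 root  wheel  schg 123456 Oct 22  2001 /usr/libexec/telnetd
-r-xr-xr-x  1 root  wheel  - 234567 Oct 22  2001 /usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  schg,sunlnk 345678 Oct 22  2001 /sbin/init"

# Print module names from kldstat output (stdin) that are not in the baseline.
new_modules() {
    awk -v base="$BASELINE_KLD" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        NR > 1 && !($5 in known) { print $5 }'
}

# Exit 0 when the reported securelevel is at least 1 (KLD load/unload refused).
securelevel_ok() {
    awk '$1 == "kern.securelevel:" { if ($2 + 0 >= 1) ok = 1 } END { exit !ok }'
}

# Print paths from ls -lo output (stdin) whose flag list does not include schg.
missing_schg() {
    awk '{ n = split($5, f, ","); has = 0
           for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
           if (!has) print $NF }'
}

# Stand-alone run over the constructed samples.
echo "Modules not in baseline:"; printf '%s\n' "$SAMPLE_KLDSTAT" | new_modules
printf '%s\n' "$SAMPLE_SYSCTL" | securelevel_ok && echo "securelevel >= 1"
echo "Files without schg:"; printf '%s\n' "$SAMPLE_LSLO" | missing_schg
```

A module missing from the baseline is only a prompt to look closer, since a rootkit that hides itself from kldstat will not show up here at all; the securelevel check is what prevents the load in the first place.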




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011022150129.G60205-100000>