From owner-freebsd-security Mon Oct 22 12:17:01 2001
Date: Mon, 22 Oct 2001 15:07:08 -0400 (EDT)
From: CS
To: The Psychotic Viper
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: KLD detectors
In-Reply-To: <20011022025913.G26647-100000@lucifer.fuzion.ath.cx>
Message-ID: <20011022150129.G60205-100000@bigpoop.foo.foo>

Hi,

Thanks for the info, I'll test it out on a few I've found (BSD versions of
adore).

I'm also interested in utilizing securelevels, but I'm still not 100% sure
that securelevel 1 will actually stop this, as there seem to be a number of
tools out there to bypass the securelevel restriction. For example:

http://www.s0ftpj.org/en/tools.html

Scroll down to "securelevel bypass":

http://www.s0ftpj.org/tools/securelvl.tgz

Also, I'm finding myself upgrading bits and pieces of the system more often
(telnetd, openssh, etc.) and I'm wavering on what exactly I should set the
"schg" flags on. Most of my machines are remote, and I also don't want to
revert to NT behaviour of "oh you patched, now you must reboot"...

Charles

On Mon, 22 Oct 2001, The Psychotic Viper wrote:

> Hi,
>
> On Mon, 22 Oct 2001, Andrew Johns wrote:
>
> > CS wrote:
> > >
> > > Hello,
> > >
> > > Does anyone know of a program for FreeBSD to look for "hidden" KLDs?
> > >
> > > I found this for linux:
> > >
> > > http://www.hsc.fr/ressources/breves/LKMrootkits.html
> > >
> > > But so far, nothing for FreeBSD.
> > >
> > > Thanks,
> > >
> > > CS
> > >
> >
> > I found this a while ago - have never looked into it myself -
> > just saved the URL for times like this.
> >
> > http://www.chkrootkit.org
> >
> > They have versions for most un*x's.
>
> Better yet, they're in the ports: /usr/ports/security/chkrootkit =) and I
> have no idea on how to check for them, but you could enable kernel secure
> levels (if the machine is not going to use X or any securelevelphobic
> software) which would limit the chance of being bitten by a stray module.
> Just it's not the all-curing fix, but it limits what you would need to
> look at/check to avoid such nasties.
>
> HTH,
> PsyV
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
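The thread above leaves two controls on the table without showing how to check them: the loaded-module list from kldstat(8) and the schg flag on binaries you keep patching, tied together by the securelevel rule in security(7) (at kern.securelevel >= 1 modules cannot be loaded or unloaded and schg cannot be cleared, and only init can lower the level, which is the reboot Charles wants to avoid). The script below is an added example written for this page, not code posted by anyone in the thread or shipped with chkrootkit. kldstat, sysctl and ls -lo are FreeBSD's real commands; the kldstat and ls -lo outputs embedded in it are constructed samples, not data from a real host, and the file names in them are placeholders.

```shell
#!/bin/sh
# kld_audit.sh -- added example, not code from the list thread.
# Baseline/diff helpers for the two controls discussed above: the loaded
# module list (kldstat(8)) and the schg flag on critical files (ls -lo),
# plus the securelevel rule that ties them together. kldstat, sysctl and
# ls -lo are FreeBSD commands; every sample output below is constructed
# for illustration and is not captured from a real system.

# Module names from kldstat output: column 5, header line skipped.
kld_names() {
    awk 'NR > 1 { print $5 }'
}

# Compare two kldstat outputs. Prints "+name" for modules present now but
# absent from the baseline and "-name" for the reverse, sorted.
kld_diff() {
    {
        printf '%s\n' "$1" | kld_names | sed 's/^/B /'
        printf '%s\n' "$2" | kld_names | sed 's/^/C /'
    } | awk '
        $1 == "B" { base[$2] = 1 }
        $1 == "C" { cur[$2] = 1 }
        END {
            for (m in cur)  if (!(m in base)) print "+" m
            for (m in base) if (!(m in cur))  print "-" m
        }' | sort
}

# From "ls -lo" output (flags in column 5, comma separated, "-" when none),
# print the files that do NOT carry schg, sorted. Feed it the listing of the
# files you expect to be immutable.
schg_missing() {
    printf '%s\n' "$1" | awk '
        {
            n = split($5, f, ",")
            has = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
            if (!has) print $NF
        }' | sort
}

# security(7): at kern.securelevel >= 1 modules cannot be loaded or unloaded
# and schg cannot be cleared; only init lowers the level, i.e. a reboot.
securelevel_locks_kld() {
    [ "$1" -ge 1 ]
}

# Can a file with the given flag string be replaced without a reboot?
# Yes if it is not schg, or if the host still runs at securelevel 0.
can_patch_without_reboot() {
    level=$1 flags=$2
    case ",$flags," in
        *,schg,*) [ "$level" -lt 1 ] ;;
        *)        return 0 ;;
    esac
}

# Constructed sample data (placeholder names, not from a real host).
BASELINE_KLD='Id Refs Address    Size     Name
 1    3 0xc0100000 2f2b88   kernel
 2    1 0xc0a33000 5ab8     linux.ko'
CURRENT_KLD='Id Refs Address    Size     Name
 1    4 0xc0100000 2f2b88   kernel
 2    1 0xc0a33000 5ab8     linux.ko
 3    1 0xc0a40000 1c28     suspect.ko'
LS_LO_SAMPLE='-r-xr-xr-x  1 root  wheel  schg        9876 Oct 22  2001 /bin/ls
-r-xr-xr-x  1 root  wheel  -          54321 Oct 22  2001 /usr/libexec/telnetd
-r-xr-xr-x  1 root  wheel  schg,sunlnk 4096 Oct 22  2001 /sbin/init'

# On a FreeBSD host report against live data; elsewhere use the samples.
if command -v kldstat >/dev/null 2>&1 && command -v sysctl >/dev/null 2>&1; then
    REPORT_KLD=$(kldstat)
    LEVEL=$(sysctl -n kern.securelevel)
else
    REPORT_KLD=$CURRENT_KLD
    LEVEL=1
fi

echo "module changes vs baseline:"
kld_diff "$BASELINE_KLD" "$REPORT_KLD"
echo "expected-immutable files missing schg:"
schg_missing "$LS_LO_SAMPLE"
if securelevel_locks_kld "$LEVEL"; then
    echo "securelevel $LEVEL: kldload and chflags noschg are blocked until reboot"
fi
```

Save the kldstat output of a freshly built machine as the baseline and run the diff from cron; the schg list is the set of files you will not be able to patch in place once kern_securelevel is raised in rc.conf, so it answers the "what should I flag" question directly. The caveat Charles raises still applies: a module that unlinks itself from the kernel's linker file list, or a securelevel bypass like the s0ftpj one, is invisible to kldstat and therefore to this diff, so treat it as a cheap tripwire, not as a detector for hidden KLDs.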