From: hawkeyd@visi.com (D J Hawkey Jr)
To: deepak@ai.net, freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Date: Sat, 8 Sep 2001 05:52:27 -0500 (CDT)
Message-Id: <200109081052.f88AqRG30016@sheol.localdomain>
Reply-To: hawkeyd@visi.com
Organization: if (!FIFO) if (!LIFO) break;
X-Original-Newsgroups: sol.lists.freebsd.hackers,sol.lists.freebsd.security

In article , deepak@ai.net writes:
>
> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

If you're dealing with a "fixed purpose" server, the kernel may not need
any KLD. On two of my servers, only blank_saver.ko is loaded, and that
could be eliminated too, by not using a screensaver.

> Thought process --
>
> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?
>
> Scenario:
>
> System is violated,
> Root kit is installed,
> Root kit [binaries] are deleted from the machine.
>
> Solution:
>
> Reboot machine

Rebooting won't necessarily fix anything. IIRC, one Linux rootkit replaces
a module with the backdoor. If the kernel needed that module once, it'll
need it again.

> How does one DETECT that the root kit is there in the first place to know to
> reboot it?

Tripwire.

> Thanks,
> Deepak Jain
> AiNET

Hope this helps,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
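The Tripwire answer above, and the point that a rootkit can outlive a reboot by sitting in a module the kernel reloads, come down to one check: does each kernel module file still hash to what it hashed to when the box was clean? The script below is an added example, not code from the thread or from Tripwire; it records one SHA-256 per `.ko` file and reports modules that were modified, added or removed since the baseline was taken. The function names, the baseline format and the `/boot/kernel` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread: a minimal Tripwire-style
# baseline for a kernel module directory, so a module that has been swapped
# for a backdoored copy (the reboot-survival case above) shows up as MODIFIED.
# make_baseline/check_baseline are names chosen here; the directory is an
# assumption (/boot/kernel on a modern FreeBSD box).

# digest FILE -> hex SHA-256 of FILE, using whichever tool the host provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# make_baseline DIR -> one "path<TAB>sha256" line per *.ko file, sorted by path.
make_baseline() {
    find "$1" -type f -name '*.ko' | LC_ALL=C sort | while read -r f; do
        printf '%s\t%s\n' "$f" "$(digest "$f")"
    done
}

# check_baseline DIR BASELINE -> prints "MODIFIED|ADDED|REMOVED path" per
# discrepancy; returns 0 when DIR still matches BASELINE, 1 otherwise.
check_baseline() {
    cur=${TMPDIR:-/tmp}/kmod-check.$$ rc=0
    make_baseline "$1" > "$cur"
    awk -F'\t' -v basefile="$2" '
        BEGIN { bad = 0 }
        FILENAME == basefile { base[$1] = $2; next }   # baseline records
        {                                               # current records
            seen[$1] = 1
            if (!($1 in base))       { print "ADDED " $1;    bad = 1 }
            else if (base[$1] != $2) { print "MODIFIED " $1; bad = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad
        }' "$2" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Typical use (paths assumed; keep the baseline somewhere the host cannot write):
#   make_baseline /boot/kernel > /mnt/readonly/kmod.baseline
#   check_baseline /boot/kernel /mnt/readonly/kmod.baseline
```

A kernel-resident rootkit can misreport what is on disk to every userland tool, including this one, so the comparison is only trustworthy when run from a clean boot medium against a baseline kept read-only.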