Date: Mon, 10 Sep 2001 09:55:57 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: freebsd-security@freebsd.org
Subject: Kernel-loadable Rootkits Summary Attempt
Message-ID: <Pine.BSF.4.21.0109100902310.428-100000@lhotse.zaraska.dhs.org>
Hello everyone,

This is an attempt to summarize the discussion regarding this topic. Credits go to respectable posters. All comments welcome.

ATTACK: Trojan module insertion
IMPACT: Backdooring the system
DETECTION: tripwire if attacker left the binary, kldstat if module is not stealth; may be undetectable
COUNTERMEASURE: Set securelevel to 1 (via sysctl and in rc.conf) or higher, which prevents module insertion

ATTACK: Putting trojan version of legitimate module under /modules
IMPACT: Trojan module will be loaded when system reboots
DETECTION: tripwire
COUNTERMEASURE: chmod schg /modules/* and set securelevel >= 1, which prevents modification of files under /modules

ATTACK: Modifying /etc/rc* scripts
IMPACT: Possibility of lowering the securelevel and/or inserting trojan module at boot time
DETECTION: tripwire
COUNTERMEASURE: chmod schg /etc/rc* and set securelevel >= 1

PROBLEM: There's no possibility of lowering the securelevel without console access. In order to make any modification to protected /etc/rc* files or modules you must boot single-user or use ddb built into the kernel to modify a kernel variable named 'securelevel'.

Regards,
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
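The three countermeasures in the summary (securelevel >= 1, schg on /modules/* and /etc/rc*, an eye on kldstat) can be audited with a short script. This is an added example, not part of the thread; it assumes the FreeBSD 4.x /modules layout, the flag column of `ls -lo` and the `kldstat` output format, and its check functions take command output as text so they can be exercised on the constructed samples included.

```shell
#!/bin/sh
# Added audit script (not from the thread): verify the summary's countermeasures.
# Assumes FreeBSD's `ls -lo` flag column, `kldstat` output format and /modules.
# Check functions take command output as text, so they also run on samples.

REQUIRED_SECURELEVEL=1    # the summary recommends securelevel >= 1

# securelevel_ok LEVEL: succeed when LEVEL is at least REQUIRED_SECURELEVEL
securelevel_ok() {
    [ "$1" -ge "$REQUIRED_SECURELEVEL" ] 2>/dev/null
}

# immutable_ok "LS_LO_OUTPUT": succeed when every file line carries schg
# (`ls -lo` prints file flags in column 5; "-" means no flags set)
immutable_ok() {
    printf '%s\n' "$1" | awk 'NF >= 10 && $5 !~ /schg/ { bad = 1 } END { exit bad }'
}

# unexpected_modules "KLDSTAT_OUTPUT" "ALLOWLIST": print loaded modules that are
# not in the space-separated allowlist; fail if any were printed. As the summary
# notes, a module that hides itself from kldstat will not appear here at all.
unexpected_modules() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($NF in ok) { print $NF; bad = 1 }
        END { exit bad }'
}

# Constructed samples in the formats the real commands emit.
SAMPLE_LS_GOOD='-r-xr-xr-x  1 root  wheel  schg  20480 Sep 10  2001 /modules/linux.ko
-r--r--r--  1 root  wheel  schg   4096 Sep 10  2001 /etc/rc'
SAMPLE_LS_BAD='-r-xr-xr-x  1 root  wheel  schg  20480 Sep 10  2001 /modules/linux.ko
-r--r--r--  1 root  wheel  -      4096 Sep 10  2001 /etc/rc.local'
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 1f8a2c   kernel
 2    1 0xc1a3b000 4000     extra.ko'

# audit: run the live checks on a FreeBSD host and report what is missing.
audit() {
    securelevel_ok "$(sysctl -n kern.securelevel)" || echo "securelevel is below $REQUIRED_SECURELEVEL"
    immutable_ok "$(ls -lo /modules/* /etc/rc*)" || echo "some /modules or /etc/rc* files lack schg"
    unexpected_modules "$(kldstat)" "kernel" || echo "modules above are not in the allowlist"
}

case "$(uname -s)" in FreeBSD) audit ;; esac
```

Because securelevel cannot be lowered without console access, a failing check on a running host is itself a finding: either the level was never raised at boot or the rc scripts that raise it were changed.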