From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Date: Mon, 10 Sep 2001 09:55:57 +0200 (CEST)
Subject: Kernel-loadable Rootkits Summary Attempt

Hello everyone,

This is an attempt to summarize the discussion regarding this topic. Credits go to respectable posters. All comments welcome.

ATTACK: Trojan module insertion
IMPACT: Backdooring the system
DETECTION: tripwire if attacker left the binary, kldstat if module is not stealth; may be undetectable
COUNTERMEASURE: Set securelevel to 1 (via sysctl and in rc.conf) or higher, which prevents module insertion

ATTACK: Putting trojan version of legitimate module under /modules
IMPACT: Trojan module will be loaded when system reboots
DETECTION: tripwire
COUNTERMEASURE: chmod schg /modules/* and set securelevel >= 1, which prevents modification of files under /modules

ATTACK: Modifying /etc/rc* scripts
IMPACT: Possibility of lowering the securelevel and/or inserting trojan module at boot time
DETECTION: tripwire
COUNTERMEASURE: chmod schg /etc/rc* and set securelevel >= 1

PROBLEM: There's no possibility of lowering the securelevel without console access.
In order to make any modification to protected /etc/rc* files or modules you must boot single-user or use ddb built into the kernel to modify a kernel variable named 'securelevel'.

Regards,
Kris
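The following audit script is an added example and is not part of Kris's summary or of FreeBSD itself. It checks the three countermeasures above together: that kern.securelevel is at least 1, and that every file under /modules and every /etc/rc* file carries the schg (system immutable) flag, which on FreeBSD is set with chflags(1). The inputs are constructed sample strings (a securelevel value and `ls -lo` style lines with the flags in the fifth column) so it runs anywhere; on a real host you would feed it the output of `sysctl -n kern.securelevel` and `ls -lo /modules/* /etc/rc*` instead. The rc.conf variable names kern_securelevel_enable and kern_securelevel are the ones used by the FreeBSD rc scripts of that era.

```shell
#!/bin/sh
# Added example: audit the securelevel and schg countermeasures.
# Sample data below is constructed, not captured from a real host.

# securelevel_ok LEVEL: succeed when LEVEL is an integer >= 1.
# At securelevel >= 1 kldload/kldunload are refused and schg cannot be cleared.
securelevel_ok() {
    case "$1" in
        ''|*[!0-9-]*) return 1 ;;   # empty or not an integer
    esac
    [ "$1" -ge 1 ]
}

# schg_missing LS_LO_OUTPUT: print every file from `ls -lo` output whose
# flags column (field 5; "-" when no flags are set) does not contain schg.
# Lines such as "total 12" have too few fields and are skipped.
schg_missing() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[-dl]/ && NF >= 9 {
            n = split($5, f, ",")
            found = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") found = 1
            if (!found) print $NF
        }'
}

# audit LEVEL LS_LO_OUTPUT: print findings; succeed only when nothing is wrong.
audit() {
    rc=0
    if ! securelevel_ok "$1"; then
        echo "FINDING: kern.securelevel is '$1': modules can be loaded and schg can be cleared"
        rc=1
    fi
    missing=$(schg_missing "$2")
    if [ -n "$missing" ]; then
        for f in $missing; do
            echo "FINDING: $f lacks schg (fix: chflags schg $f)"
        done
        rc=1
    fi
    return $rc
}

# rc_conf_lines LEVEL: the /etc/rc.conf settings that raise securelevel at boot.
rc_conf_lines() {
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="%s"\n' "$1"
}

# Constructed sample: securelevel still 0 and one rc script left mutable.
SAMPLE_LEVEL=0
SAMPLE_LS='total 12
-r--r--r--  1 root  wheel  schg  4352 Sep 10 09:55 /etc/rc
-r--r--r--  1 root  wheel  schg  1213 Sep 10 09:55 /etc/rc.conf
-rw-r--r--  1 root  wheel  -      312 Sep 10 09:55 /etc/rc.local
-r--r--r--  1 root  wheel  schg  8192 Sep 10 09:55 /modules/if_tun.ko'

if audit "$SAMPLE_LEVEL" "$SAMPLE_LS"; then
    echo "audit: OK"
else
    echo "audit: findings above; to raise securelevel at boot add to /etc/rc.conf:"
    rc_conf_lines 1
fi
```

Run against the sample it reports /etc/rc.local as mutable and securelevel 0 as too low; with securelevel 1 and all files flagged schg the audit succeeds. Note that the check only tells you the flags are set now: an attacker who already has root at securelevel 0 could clear them, which is why the securelevel check comes first.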