Date:      Sat, 8 Sep 2001 16:21:29 +0200
From:      "Sansonetti Laurent" <lorenzo@linuxbe.org>
To:        <deepak@ai.net>
Cc:        <freebsd-hackers@freebsd.org>
Subject:   Re: Kernel-loadable Root Kits
Message-ID:  <002f01c13871$8dc2d360$0201a8c0@teledisnet.be>
References:  <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak@ai.net>

Hello,

> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

Yes, by hacking kldload(2).  You can also switch the secure level using
sysctl.

> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?

1) scan the sysent table and check syscall pointers (generally, rootkits
intercept syscalls)
2) scan the tail queue called 'modules' (note, many rootkits erase their
entry in MOD_LOAD)

Hope this helps,

--
Sansonetti Laurent - http://lrz.linuxbe.org
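The first check suggested in the reply above (walk the sysent table and look at where each syscall pointer goes) can be demonstrated outside the kernel. The C program below is an added example, not code from the poster or from FreeBSD: it models sysent as a small array of handler addresses and applies two tests to each entry, a comparison against a baseline recorded before the system was exposed, and a check that the handler lies inside the static kernel text range (a hooked entry normally points into a loaded module's memory instead). The struct name, the kernel text bounds, the table contents and the "redirected" address are all constructed placeholders; a real check would read the live sysent[] and the kernel's text segment bounds from the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the relevant field of FreeBSD's struct sysent (constructed). */
struct sysent_entry {
    const char *name;
    uintptr_t   sy_call;   /* address of the handler for this syscall number */
};

/* Hypothetical bounds of the static kernel text segment (constructed values). */
#define KTEXT_START 0xc0100000UL
#define KTEXT_END   0xc0400000UL

/* Verdict bits for one entry. */
enum {
    SYSENT_OK                = 0,
    SYSENT_OUTSIDE_TEXT      = 1,   /* handler is not in the static kernel image */
    SYSENT_BASELINE_MISMATCH = 2    /* handler differs from the recorded baseline */
};

/* Check one entry; base may be NULL when no baseline is available. */
int check_entry(const struct sysent_entry *cur, const struct sysent_entry *base)
{
    int verdict = SYSENT_OK;
    if (cur->sy_call < KTEXT_START || cur->sy_call >= KTEXT_END)
        verdict |= SYSENT_OUTSIDE_TEXT;
    if (base != NULL && cur->sy_call != base->sy_call)
        verdict |= SYSENT_BASELINE_MISMATCH;
    return verdict;
}

/* Scan n entries, store per-entry verdicts, return how many were flagged. */
size_t scan_sysent(const struct sysent_entry *cur, const struct sysent_entry *base,
                   size_t n, int *verdicts)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        verdicts[i] = check_entry(&cur[i], base ? &base[i] : NULL);
        if (verdicts[i] != SYSENT_OK)
            flagged++;
    }
    return flagged;
}

/* Constructed sample tables: a baseline captured from a clean kernel, and the
 * current table in which one handler has been redirected into module memory. */
#define NSYS 5
static const struct sysent_entry baseline[NSYS] = {
    { "read",          0xc0120000UL },
    { "write",         0xc0120400UL },
    { "open",          0xc0121000UL },
    { "getdirentries", 0xc0130000UL },
    { "kldstat",       0xc0180000UL },
};
static const struct sysent_entry current_tbl[NSYS] = {
    { "read",          0xc0120000UL },
    { "write",         0xc0120400UL },
    { "open",          0xc0121000UL },
    { "getdirentries", 0xc1a00000UL },   /* constructed: now points outside text */
    { "kldstat",       0xc0180000UL },
};

/* Helpers exposing the sample result so it can be checked without parsing output. */
size_t demo_flagged_count(void)
{
    int verdicts[NSYS];
    return scan_sysent(current_tbl, baseline, NSYS, verdicts);
}

int demo_verdict(size_t idx)
{
    int verdicts[NSYS];
    scan_sysent(current_tbl, baseline, NSYS, verdicts);
    return idx < NSYS ? verdicts[idx] : -1;
}

int main(void)
{
    int verdicts[NSYS];
    size_t flagged = scan_sysent(current_tbl, baseline, NSYS, verdicts);
    for (size_t i = 0; i < NSYS; i++) {
        if (verdicts[i] == SYSENT_OK)
            continue;
        printf("syscall %-14s -> 0x%lx%s%s\n", current_tbl[i].name,
               (unsigned long)current_tbl[i].sy_call,
               (verdicts[i] & SYSENT_OUTSIDE_TEXT) ? " [outside kernel text]" : "",
               (verdicts[i] & SYSENT_BASELINE_MISMATCH) ? " [differs from baseline]" : "");
    }
    printf("%zu of %d entries flagged\n", flagged, NSYS);
    return flagged ? 1 : 0;
}
```

The range check is the more useful of the two tests in practice, because it needs no baseline: a baseline recorded after the machine was compromised simply records the hooks as normal. It is also why the second suggestion in the reply (scanning the module list) is weak on its own, as the poster notes: an entry that unlinks itself from the module queue still leaves its handler addresses sitting outside the kernel text.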


