From: D J Hawkey Jr (hawkeyd@visi.com)
Date: Sat Sep 08 2001 - 05:52:27 CDT


    In article <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.netns.sol.net>,
            deepak@ai.net writes:
    >
    > Short question:
    >
    > Is there a way to prevent the kernel from allowing loadable modules?

    If you're dealing with a "fixed purpose" server, the kernel may not
    need any KLD. On two of my servers, only blank_saver.ko is loaded,
    and that could be eliminated too, by not using a screensaver.

    > Thought process --
    >
    > With the advent of the kernel-loadable root kit, intrusion detection has
    > gotten a bit more complicated. Is there a _simple_ solution to detecting the
    > presence of a kernel-based root kit once it is running?
    >
    > Scenario:
    >
    > System is violated,
    > Root kit is installed,
    > Root kit [binaries] are deleted from the machine.
    >
    > Solution:
    >
    > Reboot machine

    Rebooting won't necessarily fix anything. IIRC, one Linux rootkit
    replaces a module with the backdoor. If the kernel needed that module
    once, it'll need it again.

    > How does one DETECT that the root kit is there in the first place to know to
    > reboot it?

    Tripwire.

    > Thanks,
    > Deepak Jain
    > AiNET

    Hope this helps,
    Dave

    -- 

    Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?"
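The two questions in this exchange, keeping modules from being loaded at all and noticing when the loaded set no longer matches what the box should have, as an added example that is not code from either poster. It is written for FreeBSD but reads its input from stdin or arguments rather than from live kldstat(8)/sysctl(8) output, so the kldstat listing below is constructed, the baseline-file layout (one module name per line) is an assumption of this example, and the only system fact relied on is that the kernel refuses kldload(8)/kldunload(8) at kern.securelevel 1 and above, as documented in init(8).

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks:
# a Tripwire-style comparison of the loaded KLD set against a baseline,
# and a test of whether the running securelevel already locks modules.

# Constructed kldstat(8) listing (not captured from a real host). The layout
# follows kldstat's header, Id Refs Address Size Name, so the module name
# is the fifth column.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 2b4e68   kernel
 2    1 0xc03b6000 3c24     blank_saver.ko
 3    1 0xc0820000 1a38     unexpected.ko'

# Print the module names from a kldstat listing on stdin, one per line,
# sorted so they can be compared with comm(1).
kld_names() {
    awk 'NR > 1 { print $5 }' | sort
}

# Compare the kldstat listing on stdin with a baseline file of expected
# module names (one per line, written once from a known-good boot).
# Prints "+name" for a module that is loaded but absent from the baseline
# and "-name" for a baseline module that is no longer loaded. Returns 0
# when the sets match, 1 when they differ, 2 on a setup failure.
check_klds() {
    baseline="$1"
    [ -r "$baseline" ] || return 2
    cur=$(mktemp) || return 2
    kld_names > "$cur"
    # comm -13: names only in the current listing (the second file)
    added=$(sort "$baseline" | comm -13 - "$cur")
    # comm -23: names only in the baseline (the first file)
    removed=$(sort "$baseline" | comm -23 - "$cur")
    rm -f "$cur"
    status=0
    for m in $added;   do echo "+$m"; status=1; done
    for m in $removed; do echo "-$m"; status=1; done
    return $status
}

# Succeeds when the given kern.securelevel value means the kernel will
# refuse kldload(8)/kldunload(8): FreeBSD locks modules at securelevel 1
# and above (init(8)). Takes the value as an argument so it can be tested
# off-box; live use: modules_locked "$(sysctl -n kern.securelevel)"
modules_locked() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# Stand-alone demo on the constructed listing with a baseline that does
# not contain unexpected.ko, so the check reports "+unexpected.ko".
demo() {
    b=$(mktemp) || return 2
    printf 'kernel\nblank_saver.ko\n' > "$b"
    if printf '%s\n' "$SAMPLE_KLDSTAT" | check_klds "$b"; then
        echo "loaded modules match the baseline"
    else
        echo "loaded modules differ from the baseline (see +/- lines above)"
    fi
    rm -f "$b"
    if modules_locked 1; then
        echo "securelevel 1: kldload would be refused"
    fi
}
demo
```

On a live host the baseline is written once from a boot you trust (`kldstat | awk 'NR>1{print $5}' > /var/db/kld.baseline`, path assumed) and the check is run from cron with `kldstat | check_klds /var/db/kld.baseline`. Two caveats follow directly from Dave's points: a module that has been replaced in place keeps its name, so this set comparison must be paired with file-integrity checking of the module files themselves (the Tripwire answer above), and any check that asks the kernel about itself can be lied to once the kernel is compromised, which is why raising securelevel so that loading is refused in the first place (rc.conf `kern_securelevel_enable="YES"` and `kern_securelevel="1"`; it cannot be lowered again without a reboot) is the stronger control for a fixed-purpose server.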