Malicious modules are fairly simple to detect, particularly in freebsd.
While the modules themselves can be hidden, their actions are more easily
detectable. Logging module loading is 'ok', but there are better
approaches, I think.

On Thu, 21 Jun 2001, roland kwitt wrote:

>
>
>
> hi folks,
>
> i recently read an artice about lkm coding
> and i know from my own experience that lkms
> can do a lot of good work but can also
> be a malicious thing! so i coded i little
> lkm that logs all modules beeing loaded!
> generally modules like the sbive! emulator
> log messages to klogd but the ordinary
> cracker certainly wont place a log entry
> in your log file so that you would notice
> something going on! Since with kernel version
> 2.2.x it is not that difficult to hide modules
> from the modules list this lkm i think is a
> good aproach to strenghten the security of
> a system. i will also add a feature that
> a mail is sent to the admin if somebody
> loads a modules into the kernel. But
> the good admin wont need it because
> he has a monolithic kernel without module
> support but for machines running a kernel
> with modules support this little program
> is a good thing a believe. please
> mail me if you wanna try it out!!
> i would be pleased to get replys!
>
>
> sniper
> sniperf1lesystem.net
>
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]