From: Sansonetti Laurent <[EMAIL PROTECTED]>
Subject: Re: Kernel-loadable Root Kits
Date: Sat, Sep 08, 2001 at 04:21:29PM +0200
> Hello,
>
> > Short question:
> >
> > Is there a way to prevent the kernel from allowing loadable modules?
>
> Yes, by hacking kldload(2). You can also switch the secure level using
> sysctl.
>
> > With the advent of the kernel-loadable root kit, intrusion
> > detection has gotten a bit more complicated. Is there a _simple_
> > solution to detecting the presence of a kernel-based root kit once
> > it is running?
>
> 1) scan the sysent table and check syscall pointers (generally, rootkits
> intercept syscalls)
This can get really "hairy". To scan the syscall table, even if you
are 'root' and directly access /dev/mem you will have to use some
system calls to open(), read() and seek() into the /dev/mem device.
But those syscalls might be the intercepted ones: ouch!
Instead of worrying after the module has been loaded, it's much safer
to run the kernel in securelevel>=1, where modules cannot be loaded
without a reboot to single-user mode.
-giorgos
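As an added example, not part of the thread above, here is a small sh audit script for the securelevel advice: it classifies a kern.securelevel value as locking out kld loading or not, extracts the boot-time setting from rc.conf-style text, and on a FreeBSD host reports both. The sample rc.conf text is constructed for illustration; the sysctl MIB and rc.conf variable names are FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): audit whether
# loadable kernel modules are locked out by securelevel. Assumes FreeBSD's
# sysctl(8) MIB kern.securelevel and the rc.conf knobs
# kern_securelevel_enable / kern_securelevel.

# Classify a securelevel value. At level >= 1 the kernel refuses kldload
# and writes to /dev/mem, /dev/kmem; -1 and 0 leave both open.
# Prints "open", "locked" or "invalid" (return 1 for non-numeric input).
kld_status() {
    case "$1" in
        -1|0) echo open ;;
        [1-9]|[1-9][0-9]) echo locked ;;
        *) echo invalid; return 1 ;;
    esac
}

# Read rc.conf-style text on stdin and print the securelevel that will be
# applied at boot, or "unset" when kern_securelevel_enable is not YES.
rc_securelevel() {
    tr -d "\"'" | awk -F= '
        /^[[:space:]]*kern_securelevel_enable=/ { enable = toupper($2) }
        /^[[:space:]]*kern_securelevel=/        { level = $2 }
        END { if (enable == "YES" && level != "") print level
              else print "unset" }'
}

# Constructed sample of an rc.conf that raises the level at boot.
SAMPLE_RC='kern_securelevel_enable="YES"
kern_securelevel="1"'

# Live check: running level now, plus what /etc/rc.conf will set at boot.
audit_securelevel() {
    running=$(sysctl -n kern.securelevel 2>/dev/null) || running=unknown
    echo "running securelevel: $running ($(kld_status "$running"))"
    if [ -r /etc/rc.conf ]; then
        echo "boot securelevel from rc.conf: $(rc_securelevel < /etc/rc.conf)"
    fi
}

# Only run the live audit on a FreeBSD host; elsewhere show the sample.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_securelevel
else
    echo "sample rc.conf boot securelevel: $(printf '%s\n' "$SAMPLE_RC" | rc_securelevel)"
fi
```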
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message