Hello,
> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?
Yes, by hacking kldload(2). You can also switch the secure level using
sysctl.
> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?
1) scan the sysent table and check syscall pointers (generally, rootkits
intercept syscalls)
2) scan the tail queue called 'modules' (note, many rootkits erase their
entry in MOD_LOAD)
Hope this helps,
--
Sansonetti Laurent - http://lrz.linuxbe.org
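The two checks suggested in the reply, as an added worked example that is not part of the original post: compare each handler pointer in a snapshot of the sysent table against the kernel symbol table and the kernel text range, and diff two views of the loaded-module list so a module that unlinked its own entry stands out. Everything here is constructed: the symbol addresses, text range, syscall entries and the module name `rk.ko` are made up for illustration. On a real FreeBSD host the snapshot would come from kernel memory (for instance via `kvm_nlist(3)` and `kvm_read(3)`) and the expected addresses from the kernel's symbol table; those steps are assumed and not shown.

```python
"""Detection logic for a hooked sysent table and a self-hiding module.

All data is constructed for the example; the acquisition of a live sysent
snapshot and symbol table from a FreeBSD kernel is assumed, not implemented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SysentEntry:
    number: int    # syscall number
    name: str      # symbol of the handler that should be installed
    sy_call: int   # handler address observed in the live table


@dataclass(frozen=True)
class Finding:
    number: int
    name: str
    reason: str


def check_sysent(entries, symbols, text_start, text_end):
    """Return one Finding per sysent entry whose handler pointer is suspicious.

    Two independent tests: the pointer must fall inside the kernel text
    segment (a hook living in module memory fails this), and it must equal
    the address of the expected handler symbol (a redirect inside the kernel
    image fails this).
    """
    findings = []
    for e in entries:
        expected = symbols.get(e.name)
        if expected is None:
            findings.append(Finding(e.number, e.name,
                                    "no symbol for expected handler"))
            continue
        if not (text_start <= e.sy_call < text_end):
            findings.append(Finding(e.number, e.name,
                                    f"handler 0x{e.sy_call:x} lies outside kernel text"))
        elif e.sy_call != expected:
            findings.append(Finding(e.number, e.name,
                                    f"handler 0x{e.sy_call:x} != symbol 0x{expected:x}"))
    return findings


def hidden_modules(linker_files, module_queue):
    """Return module names present in one view but not the other.

    linker_files is the list kldstat(8) would report; module_queue is what a
    walk of the kernel's 'modules' tail queue yields. A module that erased
    only one of its entries during MOD_LOAD shows up in exactly one view.
    """
    return sorted(set(linker_files) ^ set(module_queue))


# Constructed symbol table and text range (fictional addresses).
KERNEL_SYMBOLS = {
    "sys_open": 0xC0301000,
    "sys_getdirentries": 0xC0302000,
    "sys_kldload": 0xC0303000,
}
KERNEL_TEXT = (0xC0100000, 0xC0400000)

# Constructed live snapshot: getdirentries points into module memory,
# kldload points at an unexpected address inside the kernel image.
LIVE_SYSENT = [
    SysentEntry(5, "sys_open", 0xC0301000),
    SysentEntry(196, "sys_getdirentries", 0xC1F00120),
    SysentEntry(304, "sys_kldload", 0xC0303040),
]

# Constructed module views; "rk.ko" is a made-up name for the example.
LINKER_FILES = ["kernel", "if_em.ko", "rk.ko"]
MODULE_QUEUE = ["kernel", "if_em.ko"]


def run_example():
    """Run both checks on the constructed data and return the results."""
    findings = check_sysent(LIVE_SYSENT, KERNEL_SYMBOLS, *KERNEL_TEXT)
    hidden = hidden_modules(LINKER_FILES, MODULE_QUEUE)
    return findings, hidden


if __name__ == "__main__":
    found, hidden = run_example()
    for f in found:
        print(f"syscall {f.number} ({f.name}): {f.reason}")
    print("modules present in only one view:", hidden)
```

The text-range test catches the common case where the hook lives in a loaded module's memory even when the symbol table is unavailable; the symbol comparison catches the subtler case of a redirect to another address inside the kernel image.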