Kernel-loadable Root Kits

From: Deepak Jain (deepak@ai.net)
Date: 09/08/01

From: "Deepak Jain" <deepak@ai.net>
To: <freebsd-security@freebsd.org>, "freebsd-hackers@FreeBSD.ORG" <freebsd-hackers@freebsd.org>
Date: Sat, 8 Sep 2001 05:43:41 -0400

Short question:

Is there a way to prevent the kernel from allowing loadable modules?

Thought process --

---
With the advent of the kernel-loadable root kit, intrusion detection has
gotten a bit more complicated. Is there a _simple_ solution to detecting the
presence of a kernel-based root kit once it is running?
Scenario:
  System is violated,
  Root kit is installed,
  Root kit [binaries] are deleted from the machine.
Solution:
  Reboot machine
How does one DETECT that the root kit is there in the first place to know to
reboot it?
Thanks,
Deepak Jain
AiNET
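Added example, not part of the original post: two defender-side checks for the two questions above, written for FreeBSD's kld(4) tooling. The first tests whether kern.securelevel is at least 1, the level at which security(7) forbids loading or unloading kernel modules (set via kern_securelevel_enable and kern_securelevel in rc.conf); the second diffs kldstat(8) output against a baseline taken before compromise. The kldstat samples and the module name example_suspect.ko are constructed; a kernel rootkit that hooks kldstat can hide its module, so the baseline diff only catches modules that are not hidden, while securelevel is the preventive control.

```shell
#!/bin/sh
# Added example (not from the original post). Defender-side checks for
# FreeBSD loadable kernel modules. Inputs are passed as arguments so the
# functions can be exercised offline on constructed data.

securelevel_blocks_kld() {
    # $1: kern.securelevel value; defaults to the live sysctl(8) value,
    # or -1 if it cannot be read. Returns 0 when kldload/kldunload are
    # refused by the kernel (securelevel >= 1 per security(7)).
    level=${1:-$(sysctl -n kern.securelevel 2>/dev/null || echo -1)}
    [ "$level" -ge 1 ]
}

kld_module_names() {
    # Reads kldstat(8) output on stdin, skips the header row and prints
    # the Name column (last field), sorted so comm(1) can compare lists.
    awk 'NR > 1 { print $NF }' | sort
}

kld_added_since_baseline() {
    # $1: file with baseline kldstat output captured at install time
    # $2: file with current kldstat output
    # Prints module names present now but absent from the baseline.
    tmpb=$(mktemp) && tmpc=$(mktemp) || return 1
    kld_module_names < "$1" > "$tmpb"
    kld_module_names < "$2" > "$tmpc"
    comm -13 "$tmpb" "$tmpc"
    rm -f "$tmpb" "$tmpc"
}

# Constructed sample kldstat output: a baseline, and a later snapshot in
# which one extra module (a made-up name) has appeared.
BASELINE_KLDSTAT='Id Refs Address    Size     Name
 1    4 0xc0100000 1c2c5c   kernel
 2    1 0xc0f12000 6000     linprocfs.ko
 3    1 0xc0f18000 2000     accf_http.ko'
CURRENT_KLDSTAT='Id Refs Address    Size     Name
 1    5 0xc0100000 1c2c5c   kernel
 2    1 0xc0f12000 6000     linprocfs.ko
 3    1 0xc0f18000 2000     accf_http.ko
 4    1 0xc0f1b000 3000     example_suspect.ko'

# On a real host: "kldstat > /var/db/kld.baseline" right after install,
# then periodically "kldstat > /tmp/kld.now" and
# "kld_added_since_baseline /var/db/kld.baseline /tmp/kld.now".
if securelevel_blocks_kld; then
    echo "securelevel forbids module load/unload"
else
    echo "securelevel does not forbid module load/unload"
fi
```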