On Sat, Sep 08, 2001 at 05:43:41AM -0400, Deepak Jain wrote:
Short question:
Is there a way to prevent the kernel from allowing loadable modules?
Run your system in securelevel 1 or higher.
See the init(8) manual page and the kern_securelevel_enable and
kern_securelevel variables in the
1) scan the sysent table and check syscall pointers (generally, rootkits
intercept syscalls)
This can get really hairy. To scan the syscall table, even if you
are 'root' and directly access /dev/mem you will have to use some
system calls to open(), read() and seek() into the /dev/mem
Hello,
1) scan the sysent table and check syscall pointers (generally, rootkits
intercept syscalls)
This can get really hairy. To scan the syscall table, even if you
are 'root' and directly access /dev/mem you will have to use some
system calls to open(), read() and seek() into the
From: Sansonetti Laurent [EMAIL PROTECTED]
Subject: Re: Kernel-loadable Root Kits
Date: Sat, Sep 08, 2001 at 04:21:29PM +0200
Hello,
Short question:
Is there a way to prevent the kernel from allowing loadable modules?
Yes, by hacking kldload(2). You can also switch the secure level
:Instead of worrying after the module has been loaded it's much safer
:to run the kernel in securelevel=1 when modules cannot be loaded
:without a reboot to single-user mode.
:
Not entirely true. They are called kernel bugs... Not the proper url for
this, but good enough:
Short question:
Is there a way to prevent the kernel from allowing loadable modules?
Thought process --
---
With the advent of the kernel-loadable root kit, intrusion detection has
gotten a bit more complicated. Is there a _simple_ solution to detecting the
presence of a kernel-based root
Hello,
Short question:
Is there a way to prevent the kernel from allowing loadable modules?
Yes, by hacking kldload(2). You can also switch the secure level using
sysctl.
With the advent of the kernel-loadable root kit, intrusion detection has
gotten a bit more complicated. Is there a