smkelly at rooster.creighton.edu
Sat Feb 12 00:25:38 GMT 2005
On Fri, Feb 11, 2005 at 03:35:42PM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 11 Feb 2005 13:35:12 EST, Wes Young said:
> > What (if you've seen it) has been your best ally against Hacker Defender
> > (and other comparable rootkits) that have all the goodies: self destruct,
> > password crackers etc...
> Stop running operating systems that allow so many different ways for
> Hacker Defender to get its claws into your system, and are so difficult to
> boot from a rescue disk that you can do clean-up from.
> (And yes, I *KNOW* that Linux systems are equally vulnerable to having
> kernel modules loaded that do cloaking and the like. The crucial distinction
> is that it's a lot easier to boot a Linux box from a Knoppix or other rescue
> CD and clean things up.)
In theory, you could design a Linux kernel module that would prevent any
further modules from being loaded through the standard system calls. Just
write a module that wraps around the create_module() and init_module()
system calls and returns EPERM or something. You'd still have the
possibility of somebody playing around with /dev/mem or /dev/kmem, but
there is a slim chance of that happening.
In FreeBSD, you can prevent kernel modules from being loaded by running in
securelevel 1. This also prevents write access to /dev/mem and /dev/kmem
for "live patching" attempts and other wackiness.
Sean M. Kelly
Assistant Unix Administrator/Programmer
Division of Information Technology
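The post above describes two defensive postures: a Linux kernel that refuses further module loads (with the caveat that /dev/mem and /dev/kmem remain a hole), and FreeBSD securelevel 1, which closes both. The following script is an added example, not code from the original post or from either project; it audits those postures on a modern system using the interfaces that exist today: the one-way sysctl kernel.modules_disabled (once set to 1 it cannot be cleared until reboot), the kernel lockdown LSM state exposed at /sys/kernel/security/lockdown, and the FreeBSD kern.securelevel sysctl. The `read` callable parameter and the sample values in the `__main__` block are assumptions made so the logic can be exercised against a constructed fake tree as well as a live host.

```python
"""Audit whether a running kernel still accepts new kernel modules.

Added example (not from the original mailing-list post).  It checks the
modern equivalents of the "refuse further modules" idea discussed on the
list: the one-way sysctl kernel.modules_disabled and the kernel lockdown
LSM on Linux, and kern.securelevel on FreeBSD.  Filesystem access goes
through an injectable ``read`` callable (an assumption of this example)
so the same logic runs against a constructed fake tree.
"""

MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"
LOCKDOWN = "/sys/kernel/security/lockdown"


def read_file(path):
    """Return the stripped contents of ``path`` or None if it is unreadable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def parse_lockdown(text):
    """Extract the active mode from the lockdown file format.

    The file reads like 'none [integrity] confidentiality'; the bracketed
    token is the mode currently in force.
    """
    for tok in text.split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    return None


def parse_securelevel(sysctl_line):
    """Parse a FreeBSD 'kern.securelevel: N' sysctl output line to an int."""
    key, _, value = sysctl_line.partition(":")
    if key.strip() != "kern.securelevel":
        raise ValueError("not a kern.securelevel line: %r" % sysctl_line)
    return int(value.strip())


def freebsd_module_loading_blocked(securelevel):
    """securelevel >= 1 refuses kldload/kldunload and raw writes to
    /dev/mem and /dev/kmem, which is the behaviour the post relies on."""
    return securelevel >= 1


def linux_module_loading_state(read=read_file):
    """Describe how far module loading is locked down on a Linux host.

    ``read`` maps a path to its contents (None when absent); the default
    reads the live /proc and /sys, a test can pass ``dict.get``.
    """
    modules_disabled = read(MODULES_DISABLED) == "1"
    lockdown_raw = read(LOCKDOWN)
    lockdown = parse_lockdown(lockdown_raw) if lockdown_raw else None
    # Lockdown in integrity or confidentiality mode rejects unsigned modules
    # and raw /dev/mem writes, but correctly signed modules still load, so it
    # is weaker than modules_disabled=1, which rejects every further module.
    unsigned_blocked = lockdown in ("integrity", "confidentiality")
    return {
        "modules_disabled": modules_disabled,
        "lockdown": lockdown,
        "new_modules_blocked": modules_disabled,
        "unsigned_modules_blocked": modules_disabled or unsigned_blocked,
    }


if __name__ == "__main__":
    # Live check on a Linux host, then a constructed FreeBSD sysctl line.
    print("linux:", linux_module_loading_state())
    level = parse_securelevel("kern.securelevel: 1")  # constructed sample
    print("freebsd securelevel %d blocks modules: %s"
          % (level, freebsd_module_loading_blocked(level)))
```

Run it as root or not, it only reads; the report distinguishes "no new modules at all" (modules_disabled=1, the closest match to the EPERM-returning wrapper the post sketches) from "only unsigned modules refused" (lockdown), since the latter still leaves an attacker who controls a signing key a way in.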