RE: chkrootkit and LKM?

From: Andrew Ruef (jabberwockyat_private)
Date: Thu Jun 19 2003 - 20:34:59 PDT


    Actually the best way to do that is to turn off module support within
    the kernel and then use some device (the grsecurity kernel patches and
    the StJude LKM both have these) to close down things like access to
    /dev/kmem, /dev/ports, privileged I/O, and so on. This closes down other
    avenues for code to be loaded into the kernel.
    
    A. Ruef
    
    -----Original Message-----
    From: Tim Greer [mailto:chatmasterat_private] 
    Sent: Wednesday, June 18, 2003 12:22 PM
    To: Rob Shein; 'Janus N. Tøndering'; incidentsat_private
    Subject: Re: chkrootkit and LKM?
    
    
    
    > ----- Original Message -----
    > From: "Rob Shein" <shotenat_private>
    > To: "'Tim Greer'" <chatmasterat_private>; "'Janus N. Tøndering'" <janusat_private>; <incidentsat_private>
    > Sent: Wednesday, June 18, 2003 12:47 AM
    > Subject: RE: chkrootkit and LKM?
    >
    
    > This won't help if it's an LKM...LKM stands for "Linux Kernel Module,"
    
    For some reason, I just saw 'chrootroot' and not LKM; hence my response.
    Anyway, I always recommend people not compile in loadable module support
    if they want a more secure kernel and to avoid this type of problem in the
    future.
    --
    Regards,
    Tim Greer  chatmasterat_private
    Server administration, security, programming, consulting.
    
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
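
Added example (not part of the original messages): a shell check for the build-time half of the advice above, reading a kernel config on stdin and flagging module support and the raw memory and port devices if they are still compiled in. The CONFIG_* symbol names are mainline Linux Kconfig options and the two sample configs are constructed; neither comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a kernel build config on stdin and
# reports which in-kernel code-loading avenues are still compiled in.
# Symbol names are mainline Linux Kconfig options (assumed; the posts name none).
# Typical input: /boot/config-$(uname -r), or zcat /proc/config.gz.

enabled() {  # enabled SYMBOL: true if SYMBOL=y or SYMBOL=m appears in $cfg
    printf '%s\n' "$cfg" | grep -Eq "^$1=[ym]\$"
}

audit_kconfig() {  # prints one line per check; returns 0 only if all pass
    cfg=$(cat)
    rc=0
    # Module loader, /dev/kmem and /dev/port should not be built at all.
    for sym in CONFIG_MODULES CONFIG_DEVKMEM CONFIG_DEVPORT; do
        if enabled "$sym"; then
            echo "FAIL $sym is enabled"; rc=1
        else
            echo "ok   $sym is disabled"
        fi
    done
    # /dev/mem is tolerated only when STRICT_DEVMEM restricts what it maps.
    if enabled CONFIG_DEVMEM && ! enabled CONFIG_STRICT_DEVMEM; then
        echo "FAIL CONFIG_DEVMEM without CONFIG_STRICT_DEVMEM"; rc=1
    else
        echo "ok   CONFIG_DEVMEM is absent or restricted"
    fi
    return "$rc"
}

sample_weak_config() {      # constructed sample: every avenue left open
    printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_DEVMEM=y' \
        '# CONFIG_STRICT_DEVMEM is not set' 'CONFIG_DEVKMEM=y' 'CONFIG_DEVPORT=y'
}

sample_hardened_config() {  # constructed sample: avenues closed
    printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_DEVMEM=y' \
        'CONFIG_STRICT_DEVMEM=y' '# CONFIG_DEVKMEM is not set' \
        '# CONFIG_DEVPORT is not set'
}

# Demo run on the constructed weak sample (four FAIL lines expected).
sample_weak_config | audit_kconfig || true
```

A clean result here covers only what was compiled in; the run-time restrictions mentioned in the reply (grsecurity, StJude) are outside what a build config can show.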
    
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 21 2003 - 11:44:02 PDT