Author: foodog Date: Subject: Kernel w/o loadable mods, for security?
"John (EBo) David" wrote: >
> foodog wrote:
> >
> > I'm putting the finishing touches on a mail server. Once it's done,
> > I'll never get to touch it again unless the hardware catches fire (it
> > may get a day or two off next June).
> >
> > It's looking like a good idea to build a newer kernel to get really
> > happy reiserfs. I'm considering leaving out support for loadable
> > modules to make things inconvenient for the hypothetical cracker who may
> > try to homestead on it. Kmod rootkits are high on my nightmare list.
>
> homestead? I am not aware of this term in this context. Where can I
> read about the Kmod rootkits -- as if I needed more cause for wory...
By homestead I meant "move in and make themselves at home", use the box
for what they want instead of what I built it for. It seemed like the
right word at the time :-)
I haven't found any articles or papers discussing kernel module
rootkits, but I haven't been looking for very long. In a nutshell, it's
a LKM designed to hide information from the sysadmin or authorized
users. Since it resides in the kernel it's in an excellent position to
conceal files, processes, network connections, loaded modules... Here
are two brief blurbs from packetstorm for adore and knark, 2 such
rootkits:
> Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything. Changes: Added 64bit FS support, now fools protection modules as StMichael, and minor fixes. > Knark is a kernel based rootkit for Linux 2.2. Hides files in the filesystem, strings from /proc/net for netstat, processes, and program execution redirects for seamlessly bypassing tripwire / md5sum. Changes: Remote command execution.