Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Renee Teunissen <Renee () wittenburg10c nl>
Date: Mon, 26 Mar 2001 10:14:31 +0200
> So that's why I think it's better to build a minimal, static kernel without module support. And once your kernel is OK and running, remove the .config file from your kernel source tree. If someone does get in and tries to make a new kernel (with module support), he cannot simply grab the old config file and add module support to it. If he can make a kernel, at least he will have to configure it right to make it behave the same as the static kernel. I say this because it is not the first time I made a kernel and found out that it was not bootable because of a tiny misconfiguration :) Comments on this strategy are welcome.
Well, can anyone tell me why you are building your kernel on a machine that is hooked on the net? My "firewall" Linux box does not have a compiler or kernel sources (and headers) installed. And why should you? In my opinion, systems that are connected to the outside world or that carry a high risk should not have a compiler, compiler tooling or source packages installed.

And if possible, build your apps and tools with a defensive compiler, like gcc with the StackGuard patches, _or_ build your apps so that your machine runs only your own built apps. There is a patch available that signs executables and prevents the kernel from running non-signed or wrongly-signed programs. In the "old days" I used to swap several variables in the ELF executable format, just to prevent others from building apps for my machine. This has, of course, a big impact on the work one has to do to build a system like this. You could do the same for LKM structures, or add a CRC check in the modules and modutils.

Anyway, stripping your systems has something to it and will make things a lot more difficult for attackers to install backdoors using rootkits. The thing I read about booting from a CDROM is also a good choice, I think; this will prevent people from booting unwanted kernels.

Gr, Renee

PTS Software bv, Soerenseweg 61, 7314JE Apeldoorn, The Netherlands.
phone +31-55-5363200
web: http://www.pts.nl (work), http://www.wittenburg10c.nl (home)
email: mailto:renee () pts nl (work), mailto:renee () wittenburg10c nl (home)
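The hardening properties argued for in this thread (a kernel that cannot load modules, no leftover kernel sources or .config, no compiler on the box) can be audited read-only. The script below is an added example, not code from the thread or from any of its authors. It assumes the Linux sysctl /proc/sys/kernel/modules_disabled (a 1 means the running kernel refuses further module loads; older kernels lack the file) and the common /boot/config-<release> location for the build configuration; the tool and directory names are the usual GNU ones. Every check takes a root prefix, so it can be pointed at a mounted image or chroot as well as at the live host.

```shell
#!/bin/sh
# Added example: audit a host for the hardening properties discussed in the
# thread. Not part of the original post. Assumptions: the modules_disabled
# sysctl and /boot/config-<release> are the interfaces consulted.

# modules_disabled: "1" means the running kernel refuses further module
# loads. A missing file is reported as unknown (old kernel or not Linux).
check_module_loading() {
    root=${1:-}
    f="$root/proc/sys/kernel/modules_disabled"
    if [ ! -r "$f" ]; then
        echo "module loading: unknown (no $f)"
        return 1
    fi
    if [ "$(cat "$f")" = "1" ]; then
        echo "module loading: disabled"
        return 0
    fi
    echo "module loading: ENABLED"
    return 1
}

# Static kernel: CONFIG_MODULES must not be set in the build config.
# $2 is the kernel release string used in the config file name.
check_static_kernel() {
    root=${1:-}
    cfg="$root/boot/config-$2"
    if [ ! -r "$cfg" ]; then
        echo "kernel config: none readable at $cfg"
        return 1
    fi
    if grep -q '^CONFIG_MODULES=y' "$cfg"; then
        echo "kernel config: built WITH module support"
        return 1
    fi
    echo "kernel config: built without module support"
    return 0
}

# No toolchain on the box: any of these binaries under the usual bin
# directories is a finding.
check_no_toolchain() {
    root=${1:-}
    found=0
    for tool in gcc cc g++ make ld as; do
        for dir in bin usr/bin usr/local/bin; do
            if [ -x "$root/$dir/$tool" ]; then
                echo "toolchain: $dir/$tool present"
                found=1
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "toolchain: none found"
    fi
    return "$found"
}

# No kernel sources, and in particular no leftover .config, under /usr/src.
check_no_kernel_sources() {
    root=${1:-}
    found=0
    for d in "$root"/usr/src/linux*; do
        if [ -d "$d" ]; then
            echo "kernel sources: $d present"
            found=1
            if [ -f "$d/.config" ]; then
                echo "kernel sources: $d/.config present"
            fi
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "kernel sources: none found"
    fi
    return "$found"
}

# Run all checks; the exit status is the number of failed checks (0 = clean).
audit_host() {
    root=${1:-}
    rel=${2:-$(uname -r)}
    failed=0
    check_module_loading "$root" || failed=$((failed + 1))
    check_static_kernel "$root" "$rel" || failed=$((failed + 1))
    check_no_toolchain "$root" || failed=$((failed + 1))
    check_no_kernel_sources "$root" || failed=$((failed + 1))
    return "$failed"
}

# Stand-alone use against the running host:
#   audit_host ""; echo "failed checks: $?"
```

A non-zero exit count is a prompt to look, not proof of compromise: a box built with module support may still have modules_disabled set at boot, and the sources check only covers /usr/src. The point of the audit is that each of the properties the thread recommends becomes something you can verify repeatedly rather than assume.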