Vulnerability Development mailing list archives

Re: Positive uses for rootkits

From: Renee Teunissen <Renee () wittenburg10c nl>
Date: Mon, 26 Mar 2001 10:14:31 +0200

So that's why I think it's better to build a minimal, static kernel
without modules support. And once your kernel is OK and running, remove
the .config file from your kernel source tree. If someone does get in and
tries to make a new kernel (with modules support) he cannot simply grab
the old configfile and add modules support to it.
If he can make a kernel, at least he will have to configure it right to
make it behave the same like the static kernel.
I say this because it is not the first time I made a kernel and found out
that it was not bootable because of a tiny misconfiguration :)
Comments on this strategy are welcome.


Well, can anyone tell me why you are building your kernel on a machine
that is hooked on the net?  My "firewall" linux box does not have a
compiler nor kernel sources (and headers) installed.
And why should you?
In my opinion systems that are connected to the outside world or
with a high risk should not have a compiler, compiler-tooling and
source packages installed. And if possible build your apps and tools
with a defensive compiler, like the gcc with stackguard patches
_or_ build your apps so that you machine runs only our own build
apps. There is a patch available to sign executables and prevents
the kernel to run non-signed or wrongly-signed programs.
In the "old days" I use to swap several variables in the elf-exe-format,
just to prevent others to build apps for my machine. This has
-ofcourse- a big impact on the work one has to do build a system
like this. You could do the same for LKM-structures.. or add a "Crc"
check in the modules and modutils.

Anyway, stripping your systems has something and will make things a
lot more difficult for attackers to install backdoors using root-kits.

The thing I read from booting of a CDROM is also a good choice, I think,
this will prevent people from booting from unwanted kernels.

Gr,
Renee


PTS Software bv,
Soerenseweg 61,
7314JE Apeldoorn,
The Netherlands.
phone +31-55-5363200
web: http://www.pts.nl (work), http://www.wittenburg10c.nl (home)
email: mailto:renee () pts nl (work), mailto:renee () wittenburg10c nl (home)

Current thread:

Re: Positive uses for rootkits, (continued)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
  - Re: Positive uses for rootkits Dick Visser (Mar 25)
    - Re: Positive uses for rootkits Ron DuFresne (Mar 25)
    - Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
    - Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
    - Re: Positive uses for rootkits -> off-topic: booting tricks. ze Snark (Mar 28)
    - Re: Positive uses for rootkits The Attitude Adjuster (Mar 25)
    - Re: Positive uses for rootkits Ben Ford (Mar 28)
    - Re: Positive uses for rootkits Big Woz (Mar 28)
    - Re: Positive uses for rootkits Renee Teunissen (Mar 26)
    - Re: Positive uses for rootkits Dick Visser (Mar 26)
    - The use of immunix Renee Teunissen (Mar 26)
    - Re: Positive uses for rootkits Ben Ford (Mar 27)
    - Re: Positive uses for rootkits Martin 'Goran' Moravec (Mar 28)
    - Re: Positive uses for rootkits Kev (Mar 28)
    - Re: Positive uses for rootkits Ryan Permeh (Mar 29)
    - Kernel-level security (was Re: Positive uses for rootkits) Craig Boston (Mar 29)
    - Re: Positive uses for rootkits Gregor Binder (Mar 29)
- Re: Positive uses for rootkits Bosschert, B. (is-ks) (Mar 23)
  - ICQ exploit Geo. (Mar 28)

(Thread continues...)