There are two approaches to defending your system against LKM root-kits, a proactive defense and a reactive defense. The detection work can be simple and painless, or difficult and tiring, depending on the approach taken.
The advantage of a proactive defense is that it prevents damage to the system in the first place. One such strategy is getting there first, that is, loading an LKM designed to protect the system from other malicious LKMs. A second strategy is to remove capabilities from the kernel itself; for example, you can remove the capability to load kernel modules entirely. Note, however, that some rootkits might work even in this case: there are some that tamper with /dev/kmem (kernel memory) directly to make themselves undetectable.
Debian GNU/Linux has a few packages that can be used to mount a proactive defense:
lcap - A user-friendly interface to remove capabilities (kernel-based access control) from the kernel, making the system more secure. For example, executing

    lcap CAP_SYS_MODULE

will remove module loading capabilities (even for the root user).
There is some (old) information on capabilities in Jon Corbet's kernel section on LWN, http://lwn.net/1999/1202/kernel.php3 (dated December 1999).
If you don't really need many kernel features on your GNU/Linux system, you may want to disable loadable module support during kernel configuration. To disable loadable module support, just set CONFIG_MODULES=n during the configuration stage of building your kernel, or in the .config file. This will prevent LKM root-kits, but you lose this powerful feature of the Linux kernel. Also, disabling loadable modules can sometimes overload the kernel (every driver you need must then be built in), making loadable module support necessary.
The advantage of a reactive defense is that it does not overload system resources. It works by comparing the system call table with a known clean copy in a disk file, System.map. Of course, a reactive defense will only notify the system administrator after the system has already been compromised.
Detection of some root-kits in Debian can be accomplished with the chkrootkit package. The chkrootkit program (http://www.chkrootkit.org) checks for signs of several known root-kits on the target system, but is not a definitive test.