Defending against Kernel-Level RootKits
- Don't let the attacker gain root in the first place
- Apply all relevant security patches
- Disable all unneeded services and ports
- Harden the operating system
- Look for traces of kernel-level RootKits
  - E.g. an activated sniffer: check for the presence of the PROMISC flag in ifconfig
- Install chkrootkit (ftp.pangeia.com/pub/seg/pac)
- Install a host-based IDS
- Build Linux kernels that don't accept loadable kernel modules (LKM)
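The PROMISC check from the slide, as an added shell example (not part of the original slides): it tests the IFF_PROMISC bit (0x100) in the interface flags the kernel exports under /sys/class/net/<if>/flags, and also parses the flag list that "ip link show" prints, since ifconfig is absent on many modern systems. The sample "ip link" output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Report interfaces whose kernel flags include PROMISC (a sniffer trace).
# IFF_PROMISC is bit 0x100 of the flags word in /sys/class/net/<if>/flags
# and appears as "PROMISC" in the <...> list printed by "ip link show".

# flags_has_promisc HEXFLAGS -> exit status 0 when the IFF_PROMISC bit is set
# ($1 is the hex word read from /sys/class/net/<if>/flags, e.g. 0x1103)
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_from_ip_link: read "ip link show" output on stdin and print the
# name of every interface whose flag list contains PROMISC.
# Lines look like: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
promisc_from_ip_link() {
    awk -F'[: ]+' '$3 ~ /[<,]PROMISC[,>]/ { print $2 }'
}

# scan_sysfs: walk /sys/class/net on the live host and print interfaces
# with the PROMISC bit set (prints nothing when sysfs is unavailable).
scan_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if flags_has_promisc "$flags"; then
            printf '%s\n' "$(basename "$(dirname "$f")")"
        fi
    done
    return 0
}

# Constructed sample of "ip link show" output (not captured from a real host).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# Usage when run directly: check the constructed sample, then the live host.
printf 'sample interfaces in promiscuous mode: '
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_from_ip_link | tr '\n' ' '
echo
printf 'live interfaces in promiscuous mode: '
scan_sysfs | tr '\n' ' '
echo
```

Both views come from the running kernel, so a kernel-level rootkit that hooks the relevant code paths can hide the flag; treat a clean result as one data point and compare it with the host-based IDS and chkrootkit output the slide also recommends, or with a check made from outside the host.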