How does an administrator know whether a system has been rooted? Older rootkits hide their presence by removing log entries and replacing binaries such as ls and ps so that the files and processes they install are not shown; newer rootkits modify the kernel itself by loading code through device drivers or loadable kernel modules, so that even an unmodified ls or ps reports only what the compromised kernel tells it. On most operating systems the only way to be alerted to such changes is to install and configure a file integrity program such as Tripwire and schedule regular comparisons of the live filesystem against its database of file checksums. On BSD systems, mtree(8) describes how to use that built-in utility to create a custom file integrity checking system: generate a specification containing a cryptographic digest of each file while the system is known-good, keep a copy of that specification off the machine, and periodically compare the live filesystem against it.

NetBSD takes this one step further with veriexec(4), a kernel feature that checks the fingerprint of an executable or file against a database held in kernel memory before the file is run or read. Unlike file integrity checkers that depend on a scheduled comparison, veriexec(4) notices a change at the moment a modified file is accessed, so the administrator is alerted immediately and, depending on the enforcement level, the modified file can be refused outright. The database is only as trustworthy as the system it was generated on, so generate it on a freshly installed system and load it early in boot. Traditionally, veriexecctl(8) loaded a signatures file that the administrator generated with a script. Starting in NetBSD 4.0, veriexecgen(8) generates the fingerprint database, which is then loaded into kernel memory with veriexecctl(8).
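The two workflows above, the scheduled checksum comparison built on mtree(8) or Tripwire and the veriexec(4) fingerprint database, share one core: walk a tree, record a digest per file, and later re-check. The following is an added example of that core, written by the editor and not taken from the page, NetBSD, or veriexecgen(8). The build and verify functions run on any POSIX system with a sha256 tool; the signatures-file layout (path, algorithm, hex fingerprint, flags) is the veriexec(4) format as I recall it, and the flag spellings and kern.veriexec.strict levels should be confirmed against the manual pages of your release. The mtree and kernel-load steps are NetBSD/BSD-only and are shown for completeness but not exercised.

```shell
#!/bin/sh
# Added example (editor's code, not from the page or from NetBSD):
# build a fingerprint database of files in the veriexec(4) signatures
# layout, re-verify it later, and (on NetBSD only) load it into the kernel.

# Print the SHA-256 hex digest of $1 using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then   # GNU coreutils
        sha256sum -- "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then    # BSD
        sha256 -q "$1"
    else
        echo "no sha256 tool found" >&2; return 1
    fi
}

# build_fingerprints TREE OUTFILE: one line per regular file,
# "path sha256 <hex> <flags>". Executables get DIRECT,FILE (may be run
# directly and are verified on open); everything else gets FILE only.
# Flag names are assumed from veriexec(4); check your release's manual.
# Paths containing whitespace would break the one-line format and are
# rejected rather than silently mangled.
build_fingerprints() {
    tree=$1; out=$2
    : > "$out"
    find "$tree" -type f | LC_ALL=C sort | while IFS= read -r f; do
        case $f in *[" 	"]*) echo "skipping (whitespace): $f" >&2; continue ;; esac
        if [ -x "$f" ]; then flags="DIRECT,FILE"; else flags="FILE"; fi
        printf '%s sha256 %s %s\n' "$f" "$(sha256_of "$f")" "$flags" >> "$out"
    done
}

# verify_fingerprints DBFILE: re-hash every listed file and report
# MODIFIED / MISSING entries. Returns 0 only if everything still matches.
# Like mtree -p against a saved spec, this is the scheduled-check half:
# a replaced ls or ps shows up as MODIFIED, a deleted log as MISSING.
# Files added after the baseline are invisible to this check; only a
# strict veriexec level can refuse to run something absent from the DB.
verify_fingerprints() {
    db=$1; bad=0
    while read -r path algo fp flags; do
        case $path in ''|'#'*) continue ;; esac
        if [ "$algo" != sha256 ]; then
            echo "UNSUPPORTED $path ($algo)"; bad=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(sha256_of "$path")" != "$fp" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$db"
    return $bad
}

# BSD only, not run here: the same baseline/compare cycle using mtree(8)
# itself. Keep the spec somewhere an intruder cannot rewrite it.
mtree_baseline() { mtree -c -K sha256digest -p "$1" > "$2"; }
mtree_check()    { mtree -p "$1" < "$2"; }

# NetBSD only, not run here: load the database into the kernel and set
# the enforcement level (0 learning/log only, 1 IDS, 2 IPS, 3 lockdown;
# see veriexec(4) for exactly what each level refuses).
load_into_kernel() {
    veriexecctl load "$1"
    sysctl -w kern.veriexec.strict="${2:-1}"
}

# Usage: sh fingerprints.sh build TREE DBFILE | verify DBFILE
case "${1:-}" in
    build)  build_fingerprints "$2" "$3" ;;
    verify) verify_fingerprints "$2" ;;
esac
```

Run `build` once on a known-good system, copy the database off the box, and run `verify` from cron; on NetBSD, feed the same file to veriexecctl(8) so the kernel enforces it at access time instead of waiting for the next scheduled run.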
