There are two ways to defend your system against LKM attacks: proactive defense and reactive defense. The detection work can be simple and painless, or difficult and tiresome, depending on the approach taken.
The advantage of proactive defense is that it prevents damage to the system in the first place. One such strategy is getting there first, that is, loading an LKM designed to protect the system from other malicious LKMs. A second strategy is to remove capabilities from the kernel itself. For example, you can remove the capability to load kernel modules entirely. Note, however, that there are rootkits which might work even in this case: some of them tamper with /dev/kmem (kernel memory) directly to make themselves undetectable.
Debian GNU/Linux provides only a few packages for mounting a proactive defense:
lcap - A user friendly interface to remove capabilities (kernel-based access control) in the kernel, making the system more secure. For example, executing

lcap CAP_SYS_MODULE

will remove the module loading capability (even for the root user).
There is some (old) information on capabilities in Jon Corbet's section on LWN, http://lwn.net/1999/1202/kernel.php3 (dated December 1999).
If your GNU/Linux system really does not need that many kernel features, you may want to disable loadable module support during kernel configuration. To disable loadable module support, just set CONFIG_MODULES=n during the configure stage of building your kernel, or in the .config file. This will prevent LKM root-kits, but you lose this powerful feature of the Linux kernel. Also, module support is sometimes required, and disabling loadable modules may overload the kernel.
The advantage of passive defense is that it does not overload system resources. It works by comparing the system against a list taken from a known clean system, System.map. Of course, passive defense can only notify the administrator after the system has been compromised.
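The comparison described above, as an added example that is not part of the manual: a POSIX shell function that diffs a trusted System.map saved from a clean system against the kernel's current symbol table (on a live system you would pass /proc/kallsyms, whose first three fields have the same layout, as the second file). Both input files below are constructed samples; the symbol names and addresses are illustrative, not taken from any real kernel.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual. Assumes a trusted
# System.map was saved at install time and that the second file is the
# symbol table of the running kernel (System.map or /proc/kallsyms).
export LC_ALL=C
WORK=$(mktemp -d)
KNOWN_MAP="$WORK/System.map.known"
CURRENT_MAP="$WORK/kallsyms.current"

# Constructed sample: trusted System.map from the clean system.
cat > "$KNOWN_MAP" <<'EOF'
c0100000 T startup_32
c0106500 T sys_call_table
c0120a10 T sys_getdents
c0120b40 T sys_open
c0130000 t do_execve
EOF

# Constructed sample: current symbol table, in which two syscall handlers
# now resolve to different addresses and an extra text symbol has appeared.
cat > "$CURRENT_MAP" <<'EOF'
c0100000 T startup_32
c0106500 T sys_call_table
d0801200 T sys_getdents
d0801340 T sys_open
c0130000 t do_execve
d0800100 t cleanup_module
EOF

# Report text symbols (type T/t) whose address differs between the two
# files, and symbols present in only one of them. One finding per line:
#   CHANGED name known_addr current_addr | ONLY_IN_KNOWN name | ONLY_IN_CURRENT name
compare_symbol_maps() {
    known="$1"; current="$2"
    awk '$2 ~ /^[Tt]$/ {print $3, $1}' "$known"   | sort > "$WORK/known.norm"
    awk '$2 ~ /^[Tt]$/ {print $3, $1}' "$current" | sort > "$WORK/current.norm"
    join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$WORK/known.norm" "$WORK/current.norm" |
    awk '$2 == "MISSING" {print "ONLY_IN_CURRENT", $1; next}
         $3 == "MISSING" {print "ONLY_IN_KNOWN", $1; next}
         $2 != $3        {print "CHANGED", $1, $2, $3}'
}

# Number of findings; 0 means the current table still matches the trusted map.
symbol_findings() {
    compare_symbol_maps "$1" "$2" | wc -l | tr -d ' '
}

compare_symbol_maps "$KNOWN_MAP" "$CURRENT_MAP"
```

Symbols that moved from the static kernel text into a different address range are exactly what a passive check is looking for; a clean system should produce no output.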
Detection of some root-kits in Debian can be accomplished with the chkrootkit package. The chkrootkit program (http://www.chkrootkit.org) checks for signs of several known root-kits on the target system, but is not a definitive test.