Detecting Kernel rootkits

This option is currently supported only for Linux, kernel versions 2.2.x and 2.4.x, on ix86 machines.

What is a kernel rootkit?

A rootkit is a set of programs installed to "keep a backdoor open" after an intruder has obtained root access to a system. Usually such rootkits are very easy to install, and provide facilities to hide the intrusion (e.g. erase all traces from audit logs, install a modified 'ps' that will not list certain programs, etc.).

While "normal" rootkits can be detected with checksums on programs, as samhain does (the modified 'ps' would have a different checksum than the original one), this method can be subverted by rootkits that modify the kernel at runtime, either with a loadable kernel module (LKM), i.e. a module that is loaded into the kernel at runtime, or by writing to /dev/kmem (this allows one to 'patch' a kernel on the fly even if the kernel has no LKM support).

Kernel rootkits can modify the action of kernel syscalls. From a user's viewpoint, these syscalls are the lowest level of system functions, and provide the access to filesystems, network connections, and other goodies. By modifying kernel syscalls, kernel rootkits can hide files, directories, processes, or network connections without modifying any system binaries. Obviously, checksums are useless in this situation.

How can samhain detect them?

Syscalls are invoked by calling the corresponding C library function, which will trigger an int 0x80 interrupt to enter the kernel code. The kernel entry point (the system_call function) will then call the requested kernel syscall.

It is possible to compile into the samhain executable a map of all kernel syscall addresses, and of the syscall code itself. samhain will then check periodically (by reading from /dev/kmem) whether any of these addresses has changed, or whether the first 8 bytes of the syscall code itself have changed, thus indicating that the corresponding syscall has been clobbered by some other code. As of version 1.3.6, samhain also checks the integrity of the system_call() kernel function that is used to invoke syscalls.
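As an added illustration of the comparison described above (example code, not samhain's own), the following Python models the check: a System.map is parsed for the syscall addresses, a baseline of table entries and of the first 8 bytes of each function is recorded, and a later read of memory is compared against it. The System.map excerpt, the syscall numbers, the prologue bytes and the dict standing in for /dev/kmem are all constructed for the example.

```python
import struct

# Constructed excerpt in System.map format ("address type symbol"); not a real kernel's map.
SYSTEM_MAP = """c0106d70 T system_call
c012a5e0 T sys_getdents
c012d8b0 T sys_open
c02a4ea0 D sys_call_table
"""
# ix86 Linux 2.4 syscall numbers for the table entries checked; system_call is the int 0x80
# entry point, not a table slot, so only its code bytes are compared (nr None).
SYSCALL_NR = {"sys_open": 5, "sys_getdents": 141, "system_call": None}
PROLOGUE_LEN = 8  # samhain compares the first 8 bytes of each function

def parse_system_map(text):  # each line is "address type symbol"
    return {sym: int(addr, 16) for addr, _t, sym in (l.split() for l in text.split("\n") if l)}

def mem_read(mem, addr, n):  # mem: sparse {address: byte} dict standing in for /dev/kmem
    return bytes(mem.get(addr + i, 0) for i in range(n))
def mem_write(mem, addr, data):
    mem.update({addr + i: b for i, b in enumerate(data)})

def build_baseline(syms, mem):
    """What samhain compiles in: expected address and first code bytes of each checked function."""
    return {n: (syms[n], mem_read(mem, syms[n], PROLOGUE_LEN)) for n in SYSCALL_NR}

def check_kernel(baseline, syms, mem):
    """Re-read table slots and code from live memory; return findings (empty if unchanged)."""
    findings, table = [], syms["sys_call_table"]
    for name, (addr, code) in baseline.items():
        nr = SYSCALL_NR[name]
        if nr is not None:  # table slot: 4-byte little-endian pointer on ix86
            live = struct.unpack("<I", mem_read(mem, table + 4 * nr, 4))[0]
            if live != addr:
                findings.append(f"{name}: table entry 0x{addr:08x} -> 0x{live:08x}")
                continue
        if mem_read(mem, addr, PROLOGUE_LEN) != code:
            findings.append(f"{name}: first {PROLOGUE_LEN} code bytes changed")
    return findings

def demo():
    """Clean run, then the same check after two simulated (constructed) modifications."""
    syms, mem = parse_system_map(SYSTEM_MAP), {}
    for name, nr in SYSCALL_NR.items():
        if nr is not None:
            mem_write(mem, syms["sys_call_table"] + 4 * nr, struct.pack("<I", syms[name]))
        mem_write(mem, syms[name], b"\x55\x89\xe5\x83\xec\x08\x53\x56")  # constructed prologue
    baseline = build_baseline(syms, mem)
    clean = check_kernel(baseline, syms, mem)
    mem_write(mem, syms["sys_call_table"] + 4 * 141, struct.pack("<I", 0xD0812000))  # slot redirected
    mem_write(mem, syms["system_call"], b"\xE9\x00\x00\x00\x00\x90\x90\x90")          # code patched
    return clean, check_kernel(baseline, syms, mem)
```

The second pass reports the redirected sys_getdents table entry and the changed system_call bytes; a redirected slot is reported without also reading the code at the new address, since the address mismatch alone is already a finding.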

NOTE

If you use the option ./configure --enable-khide to use a kernel module to hide the presence of samhain, the first detected modification of the sys_getdents syscall will only cause a warning (rather than an error), as it is presumed to be caused by the samhain_hide LKM.

To use this facility, you need to compile with the option:

./configure --with-kcheck=/path/to/System.map

System.map is a file (sometimes with the kernel version appended to its name) that is generated when the kernel is compiled, and is usually installed in the same directory as your kernel (e.g. /boot), or in the root directory. To find it, you can use: locate System.map

Configuration

This facility is configured in the Kernel section of the configuration file.
  [Kernel]
  # activate (0 for switching off)
  KernelCheckActive=1
  # interval between checks (in seconds, default 300)
  KernelCheckInterval=20
  # this is the severity (see the section called Severity levels in the chapter called Configuration — Basic)
  SeverityKernel=crit