Specifications
CHAPTER 6 63
6.4.4 Rootkit Prevention
When the Integrity Checking is enabled, the product can prevent rootkits.
Hackers can use rootkits to gain access to the system and obtain
administrator-level access to the computer and the network.
Kernel module
verification
Protects the system against rootkits by
preventing unknown kernel modules from
loading.
When the kernel module verification is on, only
those kernel modules that are listed in the
known files list and which have not been
modified can be loaded.
If the kernel module verification is set to Report
only, the product sends an alert when an
unknown or modified kernel module is loaded
but does not prevent it from loading.
Write protect kernel
memory
Protects the /dev/kmem file against write
attempts. A running kernel cannot be directly
modified through the device.
If the write protection is set to Report only, the
product sends an alert when it detects a write
attempt to /dev/kmem file, but it does not
prevent the write operation.
Allowed kernel
module loaders
Specify programs that are allowed to load kernel
modules when the kernel module verification is
enabled.
By default, the list contains the most common
module loaders. If the Linux system you use
uses some other module loaders, add them to
the list. Type each entry on a new line, only one
entry per line.