CSA 5.1, overlapping exceptions and the infamous Rootkit Lockdown Module

Jun 7th, 2007

Just looking for opinions and observations from the field:

By default, the rule placed in the Rootkit Lockdown Module has the following attributes:

- Priority Deny

- Acting as client or server

- Any TCP & UDP services

- Communicating with "@(remote)" host addresses

A similar rule (though not the same, I know this, please don't point this out) in the Personal Firewall rule module has these attributes:

- Deny

- Acting as server

- Any TCP & UDP services

- Communicating with any addresses

There are a couple of other restrictive modules/rules that aren't disabled that, when enabled, would provide the same protection that the Rootkit Lockdown Module would provide. Any opinions or experiences that anyone would like to share on whether or not you've taken the Rootkit Lockdown Module out of test mode, added exceptions, possibly unattached other rule modules that were doing the same thing, etc.?

As well, does anyone have any further definition on the "@remote" addresses variable? Please be specific if you post a reply.

tsteger1 Thu, 06/07/2007 - 12:42

I took the rootkit lockdown module out of test mode after making exceptions for the events that were triggering it and it seems to be working OK.

Since the rootkit is dynamic, I'm going to leave it on unless it causes problems or there are events I can't make exceptions for.

I have the Personal Firewall module enabled and I made a couple of exceptions for it since it is on all the time.

I don't want any host acting as a server at any time unless there is a valid reason.

I deploy all hosts in test mode until tuned.

We are pretty standardized as far as machine hardware and settings go since we use all one brand and disk images to deploy. That makes for fewer surprises.



astroman Fri, 06/15/2007 - 07:25

Tom -->

Did you change the NAC rule in the Rootkit Lockdown Module from a Priority Deny to a Deny and add exceptions, or did you clone and add app classes to the NAC rule?

tsteger1 Fri, 06/15/2007 - 10:36

No, I created a 'set as trusted rootkit rule' in the system hardening module and left the NAC rule alone.

Since it's only triggered by the 'set as untrusted' rule, I would not modify it.

