Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
3
Replies

CSA 5.1, overlapping exceptions and the infamous Rootkit Lockdown Module

astroman
Level 1
Level 1

‎06-07-2007 10:17 AM - edited ‎03-09-2019 06:08 PM

Just looking for opinions and observations from the field:

By default, the rule placed in the Rootkit Lockdown Module, has the following attributes:

- Priority Deny

- Acting as client or server

- Any TCP & UDP services

- Communicating with "@(remote)" host addresses

A similar rule (though not the same, I know this, please don't point this out) in the Personal Firewall rule module, has these attributes:

- Deny

- Acting as server

- Any TCP & UDP services

- Communicating with any addresses

There are a couple of other restrictive modules/rules that aren't disabled that when enabled would provide the same protection that the Rootkit Lockdown Module would provide. Any opinions or experiences that anyone would like to share on whether or not you've taken the Rootkit Lockdown Module out of test mode, added exceptions, possibly unattached other rule modules that were doing the same thing, etc.

As well, does anyone have any further definition on the "@remote" addresses variable? Please be specific if you post a reply.

Labels:
0 Helpful
3 Replies 3

tsteger1
Level 8
Level 8

‎06-07-2007 12:42 PM

I took the rootkit lockdown module out of test mode after making exceptions for the events that were triggering it and it seems to be working OK.

Since the rootkit is dynamic, I'm going to leave it on unless it causes problems or there are events I can't make exceptions for.

A have the Personal Firewall module enabled and I made a couple of exceptions for it since it is on all the time.

I don't want any host acting as a server at any time unless there is a valid reason.

I deploy all hosts in test mode until tuned.

We are pretty standardized as far as machine hardware and settings go since we use all one brand and disk images to deploy. That makes for less surprises.

HTH..

Tom

0 Helpful

astroman
Level 1
Level 1
In response to tsteger1

‎06-15-2007 07:25 AM

Tom -->

Did you change the NAC rule in the Rootkit Lockdown Module from a Priority Deny to a Deny and add exceptions, or did you clone and add app classes to the NAC rule?

0 Helpful

tsteger1
Level 8
Level 8
In response to astroman

‎06-15-2007 10:36 AM

No, I created a 'set as trusted rootkit rule' in the system hardening module and left the NAC rule alone.

Since it's only triggered by the 'set as untrusted' rule, I would not modify it.

0 Helpful
Customers Also Viewed These Support Documents