06-07-2007 10:17 AM - edited 03-09-2019 06:08 PM
Just looking for opinions and observations from the field:
By default, the rule placed in the Rootkit Lockdown Module has the following attributes:
- Priority Deny
- Acting as client or server
- Any TCP & UDP services
- Communicating with "@(remote)" host addresses
A similar rule (though not the same, I know this, please don't point this out) in the Personal Firewall rule module has these attributes:
- Deny
- Acting as server
- Any TCP & UDP services
- Communicating with any addresses
There are a couple of other restrictive modules/rules that aren't disabled that, when enabled, would provide the same protection that the Rootkit Lockdown Module would provide. Any opinions or experiences that anyone would like to share on whether or not you've taken the Rootkit Lockdown Module out of test mode, added exceptions, possibly unattached other rule modules that were doing the same thing, etc.?
As well, does anyone have any further definition on the "@remote" addresses variable? Please be specific if you post a reply.
06-07-2007 12:42 PM
I took the rootkit lockdown module out of test mode after making exceptions for the events that were triggering it and it seems to be working OK.
Since the rootkit is dynamic, I'm going to leave it on unless it causes problems or there are events I can't make exceptions for.
I have the Personal Firewall module enabled and I made a couple of exceptions for it since it is on all the time.
I don't want any host acting as a server at any time unless there is a valid reason.
I deploy all hosts in test mode until tuned.
We are pretty standardized as far as machine hardware and settings go since we use all one brand and disk images to deploy. That makes for fewer surprises.
HTH.
Tom
06-15-2007 07:25 AM
Tom -->
Did you change the NAC rule in the Rootkit Lockdown Module from a Priority Deny to a Deny and add exceptions, or did you clone and add app classes to the NAC rule?
06-15-2007 10:36 AM
No, I created a 'set as trusted rootkit rule' in the system hardening module and left the NAC rule alone.
Since it's only triggered by the 'set as untrusted' rule, I would not modify it.
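The question above (changing the NAC rule from Priority Deny to Deny so that Allow exceptions can take effect) comes down to rule precedence. The following is an added example, not code from this thread or from the product: a small Python model in which Priority Deny outranks Allow, Allow outranks Deny, and an unmatched connection is allowed by default. That ordering, the rule and connection fields, and the "backup" app class are assumptions made for illustration.

```python
# Added example (not from the thread or from the product): a small model of how a
# Priority Deny rule differs from a plain Deny rule once Allow exceptions are added.
# The precedence modelled here (Priority Deny beats Allow, Allow beats Deny,
# default is allow) is an assumption for illustration, not the product's engine.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "priority_deny", "allow" or "deny"
    role: str            # "client", "server" or "any"
    apps: frozenset      # application classes the rule applies to; empty = all

@dataclass(frozen=True)
class Connection:
    app: str
    role: str            # "client" or "server"

def matches(rule, conn):
    role_ok = rule.role in ("any", conn.role)
    app_ok = not rule.apps or conn.app in rule.apps
    return role_ok and app_ok

def decide(rules, conn):
    """Return 'deny' or 'allow' for conn under the assumed precedence."""
    hits = [r for r in rules if matches(r, conn)]
    for action in ("priority_deny", "allow", "deny"):
        if any(r.action == action for r in hits):
            return "deny" if action.endswith("deny") else "allow"
    return "allow"   # no matching rule: default allow (assumed)

# Constructed rules mirroring the thread: a lockdown rule denying every app acting
# as client or server, plus an Allow exception for one (hypothetical) app class.
EXCEPTION = Rule("backup agent exception", "allow", "server", frozenset({"backup"}))
PRIORITY_LOCKDOWN = Rule("lockdown (Priority Deny)", "priority_deny", "any", frozenset())
PLAIN_LOCKDOWN = Rule("lockdown (Deny)", "deny", "any", frozenset())

BACKUP_LISTENER = Connection(app="backup", role="server")

def with_priority_deny():
    # The Allow exception matches, but Priority Deny still wins.
    return decide([PRIORITY_LOCKDOWN, EXCEPTION], BACKUP_LISTENER)   # 'deny'

def with_plain_deny():
    # With a plain Deny, the Allow exception now takes effect.
    return decide([PLAIN_LOCKDOWN, EXCEPTION], BACKUP_LISTENER)      # 'allow'

if __name__ == "__main__":
    print("Priority Deny + exception:", with_priority_deny())
    print("Deny + exception:", with_plain_deny())
```

The model shows why adding exceptions under a Priority Deny rule changes nothing, while the same exceptions work once the rule is a plain Deny, which is the trade-off behind the question.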