Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

CSA 5.1, overlapping exceptions and the infamous Rootkit Lockdown Module

Just looking for opinions and observations from the field:

By default, the rule placed in the Rootkit Lockdown Module, has the following attributes:

- Priority Deny

- Acting as client or server

- Any TCP & UDP services

- Communicating with "@(remote)" host addresses

A similar rule (though not the same, I know this, please don't point this out) in the Personal Firewall rule module, has these attributes:

- Deny

- Acting as server

- Any TCP & UDP services

- Communicating with any addresses

There are a couple of other restrictive modules/rules that aren't disabled that when enabled would provide the same protection that the Rootkit Lockdown Module would provide. Any opinions or experiences that anyone would like to share on whether or not you've taken the Rootkit Lockdown Module out of test mode, added exceptions, possibly unattached other rule modules that were doing the same thing, etc.

As well, does anyone have any further definition on the "@remote" addresses variable? Please be specific if you post a reply.

3 REPLIES
Blue

Re: CSA 5.1, overlapping exceptions and the infamous Rootkit Loc

I took the rootkit lockdown module out of test mode after making exceptions for the events that were triggering it and it seems to be working OK.

Since the rootkit is dynamic, I'm going to leave it on unless it causes problems or there are events I can't make exceptions for.

A have the Personal Firewall module enabled and I made a couple of exceptions for it since it is on all the time.

I don't want any host acting as a server at any time unless there is a valid reason.

I deploy all hosts in test mode until tuned.

We are pretty standardized as far as machine hardware and settings go since we use all one brand and disk images to deploy. That makes for less surprises.

HTH..

Tom

Community Member

Re: CSA 5.1, overlapping exceptions and the infamous Rootkit Loc

Tom -->

Did you change the NAC rule in the Rootkit Lockdown Module from a Priority Deny to a Deny and add exceptions, or did you clone and add app classes to the NAC rule?

Blue

Re: CSA 5.1, overlapping exceptions and the infamous Rootkit Loc

No, I created a 'set as trusted rootkit rule' in the system hardening module and left the NAC rule alone.

Since it's only triggered by the 'set as untrusted' rule, I would not modify it.

108
Views
0
Helpful
3
Replies
CreatePlease to create content