This paper is the practical assignment required to obtain the GIAC Unix Security Administrator (GCUX) certification (version 2.0), option 3. Why secure the kernel, the crown jewel of a Unix system? There are two main reasons this paper was developed: first, because the kernel is the most important and critical part of a modern Unix operating system; second, because almost all Linux hardening guides include no reference to securing the kernel, covering only other OS components (subsystems, daemons, filesystems). The paper's contents provide a general overview of rootkits, their main goals and their evolution. The specific technical details focus on kernel-level rootkits, describing their programming principles (mainly through Loadable Kernel Modules) and capabilities. Several defensive methods associated with these threats are covered in detail, providing the information required to detect them and protect the Linux kernel. Finally, the future Linux version 2.6 and its implications for rootkits are introduced. The paper is intended as an educational paper for Linux system administrators, providing the basic knowledge of how the Linux kernel can be subverted and the security countermeasures that can be applied to defend the system.
Raul is founder of DinoSec, where he performs advanced cybersecurity analysis services, security research, and technical training. For 20+ years, he has applied his expertise, innovating offensive and defensive solutions for organisations worldwide.