Checking for kernel module rootkits

Section heading:

[Kernel]

Entries:

KernelCheckActive = true/false — 'true' to switch on, 'false' to switch off.

KernelCheckInterval = seconds — Interval between checks.

KernelCheckIDT = true/false — Check the Interrupt Descriptor Table (default true).

SeverityKernel = severity — Severity for events.

KernelSystemCall = address — The address of system_call (grep system_call System.map)

KernelSyscallTable = address — The address of sys_call_table (grep ' sys_call_table' System.map)

KernelProcRoot = address — The address of proc_root (grep ' proc_root$' System.map)

KernelProcRootIops = address — The address of proc_root_inode_operations (grep proc_root_inode_operations System.map)

KernelProcRootLookup = address — The address of proc_root_lookup (grep proc_root_lookup System.map)
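The five address entries above all come from the same place, the System.map of the kernel that is actually running (normally /boot/System.map-$(uname -r)), and a typo or a hit on the wrong symbol silently configures a bogus address. The script below is an added example, not part of the Samhain manual or the Samhain sources: it looks each symbol up with an anchored pattern that rejects near-misses (the leading space keeps ' sys_call_table' from matching ia32_sys_call_table; the trailing $ keeps proc_root from matching proc_root_inode_operations or proc_root_fs; anchoring system_call likewise excludes symbols such as system_call_fastpath that an unanchored grep would also return), refuses to continue if a symbol is missing or ambiguous, and prints a complete [Kernel] section. The interval and severity values, the 0x prefix on the addresses, and the System.map excerpt it writes for its own demo (made-up addresses in a 2.4-style i386 layout) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the Samhain manual or project: generate the
# [Kernel] section of samhainrc from the System.map of the running kernel.
# Assumptions: option names as listed in the manual; 0x-prefixed hex
# addresses; interval 300 s and severity 'crit' as placeholder values.

# sysmap_addr MAP PATTERN
# Print the address column of the single System.map line matching PATTERN.
# Return 1 if the symbol is absent or matches more than once, so that a
# wrong address can never reach the configuration unnoticed.
sysmap_addr() {
    _map=$1
    _pat=$2
    _matches=$(grep -E -- "$_pat" "$_map" || true)
    if [ -z "$_matches" ]; then
        echo "sysmap_addr: no symbol matches '$_pat' in $_map" >&2
        return 1
    fi
    _n=$(printf '%s\n' "$_matches" | wc -l | tr -d ' ')
    if [ "$_n" -ne 1 ]; then
        echo "sysmap_addr: '$_pat' is ambiguous in $_map ($_n matches)" >&2
        return 1
    fi
    printf '%s\n' "$_matches" | awk '{ print $1 }'
}

# gen_kernel_section MAP
# Print a complete [Kernel] section. Each pattern is anchored on the
# "address type symbol" layout of System.map: a single-letter type field
# followed by the exact symbol name, so sys_call_table does not match
# ia32_sys_call_table and proc_root does not match proc_root_lookup.
gen_kernel_section() {
    _map=$1
    _sc=$(sysmap_addr "$_map" ' [A-Za-z] system_call$') || return 1
    _sct=$(sysmap_addr "$_map" ' [A-Za-z] sys_call_table$') || return 1
    _pr=$(sysmap_addr "$_map" ' [A-Za-z] proc_root$') || return 1
    _pri=$(sysmap_addr "$_map" ' [A-Za-z] proc_root_inode_operations$') || return 1
    _prl=$(sysmap_addr "$_map" ' [A-Za-z] proc_root_lookup$') || return 1
    cat <<EOF
[Kernel]
KernelCheckActive = true
KernelCheckInterval = 300
KernelCheckIDT = true
SeverityKernel = crit
KernelSystemCall = 0x$_sc
KernelSyscallTable = 0x$_sct
KernelProcRoot = 0x$_pr
KernelProcRootIops = 0x$_pri
KernelProcRootLookup = 0x$_prl
EOF
}

# write_sample_map PATH
# Write a constructed System.map excerpt (made-up addresses, 2.4-style i386
# layout) so the example runs offline. It deliberately contains the
# near-miss symbols the anchored patterns must skip.
write_sample_map() {
    cat > "$1" <<'EOF'
c0106abc T system_call
c0106b20 T ret_from_sys_call
c0278bd0 D sys_call_table
c02a1000 D ia32_sys_call_table
c02b1e40 D proc_root
c02b1ea0 D proc_root_inode_operations
c02b1f00 D proc_root_fs
c0166c10 t proc_root_lookup
EOF
}

# Stand-alone demo on the constructed map. On a real host run instead:
#   gen_kernel_section /boot/System.map-$(uname -r)
_demo_map=$(mktemp) && write_sample_map "$_demo_map" && gen_kernel_section "$_demo_map"
rm -f "$_demo_map"
```

Run it against the System.map of the kernel that is booted, not against whatever map happens to be in /boot; the check compares live kernel memory with the configured addresses, so a map from another build gives meaningless comparisons. If any lookup fails, fix the pattern or confirm the symbol exists in that kernel rather than pasting an address from a different map.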