5.2 Trojan, RootKit and Sensitive Information

Attack
  - Trojan: /bin/login
  - Log clean: /var/log/
  - Password: /etc/shadow
  - Modules: insmod/rmmod Kernel Root Kit

Defense
  - File system protection
      - Implementation in VFS layer
      - MODE: Read Only, Append, Deny Access
  - Module operation
      - CAP_SYS_MODULE
      - Disable by default
  - Log:
      LIDS: insmod (dev 3:2 inode 84860) pid 21420 ppid 21414 uid/gid (0/0) on (ttyp) : violated CAP_SYS_MODULE
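Added example (not part of the original slides or of LIDS itself): a parser for the violation line shown under "Log", used to count denied module operations per program and parent process. The field layout is assumed from that single line; every sample line other than the first is constructed.

```python
import re
from collections import Counter

# Field layout assumed from the one log line shown on the slide.
LIDS_RE = re.compile(
    r"LIDS:\s+(?P<prog>\S+)\s+"
    r"\(dev\s+(?P<major>\d+):(?P<minor>\d+)\s+inode\s+(?P<inode>\d+)\)\s+"
    r"pid\s+(?P<pid>\d+)\s+ppid\s+(?P<ppid>\d+)\s+"
    r"uid/gid\s+\((?P<uid>\d+)/(?P<gid>\d+)\)\s+"
    r"on\s+\((?P<tty>[^)]*)\)\s*:\s*violated\s+(?P<cap>CAP_[A-Z_]+)"
)
INT_FIELDS = ("major", "minor", "inode", "pid", "ppid", "uid", "gid")


def parse_lids_line(line):
    """Return a dict of fields for a LIDS violation line, or None."""
    m = LIDS_RE.search(line)  # search() tolerates a syslog prefix
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def module_load_alerts(lines):
    """Yield records where a process was denied CAP_SYS_MODULE."""
    for line in lines:
        rec = parse_lids_line(line)
        if rec and rec["cap"] == "CAP_SYS_MODULE":
            rec["as_root"] = rec["uid"] == 0  # root was still refused
            yield rec


def summarize(lines):
    """Count denied module operations per (program, parent pid)."""
    return Counter((r["prog"], r["ppid"]) for r in module_load_alerts(lines))


# Constructed sample: the first line is the slide's; the rest are made up.
SAMPLE = [
    "LIDS: insmod (dev 3:2 inode 84860) pid 21420 ppid 21414 uid/gid (0/0) on (ttyp) : violated CAP_SYS_MODULE",
    "kernel: eth0: link up",
    "LIDS: rmmod (dev 3:2 inode 84861) pid 21433 ppid 21414 uid/gid (0/0) on (ttyp) : violated CAP_SYS_MODULE",
    "LIDS: insmod (dev 3:2 inode 84860) pid 21440 ppid 21414 uid/gid (0/0) on (ttyp) : violated CAP_SYS_MODULE",
]

if __name__ == "__main__":
    for (prog, ppid), count in summarize(SAMPLE).items():
        print(f"{count} denied {prog} call(s) from parent pid {ppid}")
```

Repeated denials from one parent pid with uid 0 mean a root shell is retrying module operations that the disabled capability keeps refusing.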