Many kernel level rootkits can be effectively squashed at attack time by enabling the kernel command line option module.sig_enforce.
http://lxr.free-electrons.com/source/Documentation/kernel-parameters.txt?v=4.8
module.sig_enforce
[KNL] When CONFIG_MODULE_SIG is set, this means that
modules without (valid) signatures will fail to load.
Note that if CONFIG_MODULE_SIG_FORCE is set, that
is always true, so this option does nothing.
In order to take advantage of this properly you'd ideally want a 'vanilla' kernel that's only using modules that come from the main repository for the system, though. The upshot of doing this is that you only allow kernel modules to be loaded which are signed by the trusted repository you originally got your kernel from.
With regard to detection and/or prevention of userspace rootkits, rpm -V can help surface some anomalies out of the box, but if the SSL libraries have been tampered with this is still possible to outdo.
Ultimately, these types of security checks are fruitless, though. If you are interested in maintaining some degree of tamper resistance for your systems you need to alter your mindset about how security works.
You need to define what the system should do and not what the system should not do.
Often this is either difficult to enumerate in terms of time or unknown to the system administrator, which is the crux of the problem.
However, once you know what the system should do you can define security policies in things like SELinux (a whole massive subject on its own, but turning it on is a great start). SELinux these days has pretty good policies which have gone a long way towards defining what a typical Linux system should do already.
A future step (if you are really, really seriously paranoid) is to buy hardware which contains TPM chips and set up servers to be fully tamper resistant via the IMA facilities being merged into the kernel.
This relies on a physically tamper-resistant chip which provides crypto-services to the kernel, through which you can cryptographically sign specific files and binaries in order to make this truly tamper resistant (the kernel can refuse to execute code that isn't signed in this way).
Most of this is so fresh and new that it's not really distro ready, unfortunately, but it's good to know of its existence for when it does become ready.
https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
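The module.sig_enforce and SELinux points above, turned into a small posture check. This is an added example and not part of the original answer: the parsers take their input as arguments so they can be exercised offline against constructed strings, and the `--live` mode reads the real /proc/cmdline, /boot/config-$(uname -r), /sys/module/module/parameters/sig_enforce and /etc/selinux/config on the box it runs on. The kernel's own rule from the documentation quoted above is encoded in `module_signing_verdict`: CONFIG_MODULE_SIG_FORCE enforces unconditionally, CONFIG_MODULE_SIG alone needs module.sig_enforce on the command line.

```shell
#!/bin/sh
# Added example (not from the original answer): report whether this box
# refuses unsigned kernel modules and whether SELinux is configured to enforce.

# sig_enforce_on_cmdline CMDLINE -> prints 1 if the kernel command line
# requests module.sig_enforce (bare flag or =1/=y/=Y), else 0.
sig_enforce_on_cmdline() {
    for tok in $1; do
        case "$tok" in
            module.sig_enforce|module.sig_enforce=1|module.sig_enforce=[yY])
                echo 1; return 0 ;;
        esac
    done
    echo 0
}

# module_sig_mode CONFIG_FILE -> "force" if CONFIG_MODULE_SIG_FORCE=y
# (enforcement is unconditional and the cmdline flag is a no-op), "sig" if
# only CONFIG_MODULE_SIG=y (enforcement needs module.sig_enforce), else "none".
module_sig_mode() {
    if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"; then
        echo force
    elif grep -qx 'CONFIG_MODULE_SIG=y' "$1"; then
        echo sig
    else
        echo none
    fi
}

# module_signing_verdict SIG_MODE CMDLINE_FLAG -> "enforced" or "not-enforced"
module_signing_verdict() {
    case "$1:$2" in
        force:*|sig:1) echo enforced ;;
        *)             echo not-enforced ;;
    esac
}

# selinux_mode_from_config CONFIG_FILE -> the SELINUX= value from
# /etc/selinux/config (enforcing/permissive/disabled), or "unset".
selinux_mode_from_config() {
    [ -r "$1" ] || { echo unset; return 0; }
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# Live check against the running system (reading /boot/config-* needs root
# on many distros).
posture_check_live() {
    cfg=/boot/config-$(uname -r)
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    mode=$(module_sig_mode "$cfg")
    flag=$(sig_enforce_on_cmdline "$(cat /proc/cmdline)")
    echo "module signing: $(module_signing_verdict "$mode" "$flag") (config=$mode cmdline=$flag)"
    # Runtime view of the same parameter, exported when CONFIG_MODULE_SIG=y;
    # Y means unsigned modules are being refused right now.
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        echo "sysfs sig_enforce: $(cat /sys/module/module/parameters/sig_enforce)"
    fi
    echo "selinux config: $(selinux_mode_from_config /etc/selinux/config)"
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux runtime: $(getenforce)"
    fi
    return 0
}

if [ "${1:-}" = "--live" ]; then
    posture_check_live
fi
```

Run it as `sh posture.sh --live` on the host. A config of `sig` with cmdline flag `0` is the common distro default and means an attacker who gets root can still insmod an unsigned module; fix it by adding module.sig_enforce=1 to the bootloader's kernel command line, which only helps if every module you actually need is signed by the key built into that kernel.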
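The rpm -V suggestion above, made usable as a triage filter. This is an added example, not code from the original answer: `rpm -Va` prints a nine-character flag string per changed file (S size, M mode, 5 digest, D device, L link target, U owner, G group, T mtime, P capabilities; `.` means unchanged and `?` means rpm could not test that attribute), an optional attribute marker (`c` config, `d` doc, and so on) and the path, with deleted files reported as `missing`. The filter keeps content and ownership changes to non-config files, separates config edits, and drops mtime-only noise. The sample output embedded in the block is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): triage `rpm -Va` output so
# that tampered binaries stand out from routine config edits and mtime noise.

# triage_rpm_verify: reads rpm -V output on stdin and prints one finding per
# line: TAMPER for a non-config file whose content or metadata changed,
# CONFIG for a changed config file (usually legitimate, still worth a look),
# MISSING for deleted files, UNVERIFIED where rpm could not test a file.
# Lines showing only mtime (T) or device (D) differences are dropped as noise.
triage_rpm_verify() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        case "$rest" in
            "c "*|"d "*|"g "*|"l "*|"r "*) attr=${rest%% *}; path=${rest#* } ;;
            *)                              attr=""; path=$rest ;;
        esac
        case "$flags" in
            missing)       echo "MISSING $path" ;;
            *\?*)          echo "UNVERIFIED $path" ;;
            *[SM5LUGP]*)
                if [ "$attr" = c ]; then
                    echo "CONFIG $path"
                else
                    echo "TAMPER $path"
                fi ;;
        esac
    done
}

# Constructed sample of rpm -Va output (not from a real host).
SAMPLE='S.5....T.    /usr/bin/ls
.......T.    /usr/bin/cat
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
missing      /usr/lib64/libssl.so.1.1
.....UG..    /usr/sbin/useradd
??????...    /usr/bin/sudo'

demo_triage() {
    printf '%s\n' "$SAMPLE" | triage_rpm_verify
}

# Live use: run as root and pipe rpm -Va through the filter. As the answer
# notes, rpm and the libraries it links against live on the same box, so a
# tampered crypto library or rpmlib can make this report lie; treat it as a
# cheap first pass, not as proof of integrity.
if [ "${1:-}" = "--live" ]; then
    rpm -Va 2>/dev/null | triage_rpm_verify
fi
```

`sh triage.sh --live` on a host gives the filtered list; running `demo_triage` after sourcing the file shows the expected classification of the constructed sample. The `/usr/bin/sudo` line illustrates what you get when rpm is run unprivileged against a setuid binary: rpm reports `?` rather than a verdict, so an unreadable file is never silently counted as clean.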