I’ve been experimenting with a way to eliminate LD_PRELOAD (and other similar variables). We can create a library that checks if any dangerous variables have been set and then force it to exit if they are. This would be globally preloaded via /etc/ld.so.preload so the check is executed at the start of all applications.
https://paste.debian.net/hidden/f3a9db80/
Compile this with:
gcc rootkit-detect.c -shared -fpic -Wl,-init,init -o rootkit-detect.so
And append the following line to /etc/ld.so.preload:
/usr/lib/rootkit-detect.so
I’ve tested this and it does work. I think it should be included in Whonix as it does eliminate a large vector for user space rootkits. It does hurt debugging a bit but the protection can easily be disabled by root.
Edit: Actually, I forgot about ld-system-preload-disable, which would bypass this. Maybe there’s another way to preload this library?
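As an added illustration of the mechanism the post describes (this is not the poster's code, which lives behind the paste link), here is a minimal guard library: a constructor that runs before main() in every process that loads it via /etc/ld.so.preload, scans the environment for loader variables that inject code, and aborts the process if one is set. The variable list and the exit status are assumptions; the check itself is split into a pure function so it can be tested against a constructed environment array.

```c
/* Added example, not the original post's code. Builds as a shared library:
 *   gcc -shared -fPIC -o rootkit-detect.so rootkit-detect.c
 * A constructor attribute replaces the -Wl,-init trick from the post. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Loader variables that change which code runs inside a process.
 * Assumed list. LD_LIBRARY_PATH is deliberately left out: legitimate
 * software sets it routinely, so blocking it would mostly break things. */
static const char *const dangerous_vars[] = {
    "LD_PRELOAD",
    "LD_AUDIT",
    NULL,
};

/* Return the name of the first dangerous variable present in envp
 * (a NULL-terminated "NAME=value" array like environ), or NULL if none
 * is set. The match requires the '=' so "LD_PRELOAD_FOO" is not a hit,
 * and an empty value ("LD_PRELOAD=") still counts as set. */
const char *find_dangerous_var(char *const *envp)
{
    for (const char *const *d = dangerous_vars; *d; d++) {
        size_t n = strlen(*d);
        for (char *const *e = envp; *e; e++) {
            if (strncmp(*e, *d, n) == 0 && (*e)[n] == '=')
                return *d;
        }
    }
    return NULL;
}

/* Runs at library load time, i.e. before main() of the host program. */
__attribute__((constructor))
static void preload_guard_init(void)
{
    const char *hit = find_dangerous_var(environ);
    if (hit) {
        /* Use write(2), not stdio: we are very early in process start-up. */
        static const char msg[] = "preload guard: refusing to run with ";
        write(STDERR_FILENO, msg, sizeof msg - 1);
        write(STDERR_FILENO, hit, strlen(hit));
        write(STDERR_FILENO, " set\n", 5);
        _exit(127); /* assumed exit status; no atexit handlers, no flush */
    }
}
```

Two practical notes: a guard in /etc/ld.so.preload only protects processes that go through the dynamic loader, so static binaries and anything started with loader options that skip the system preload file are outside its reach (the bypass the edit mentions), and an attacker who already has root can simply remove the line from the file. It raises the bar for unprivileged userspace rootkits; it is not a substitute for integrity checking of the loader and its configuration.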