* syslog insmod please!
From: Andrew Daviel @ 2001-04-06  0:57 UTC (permalink / raw)
  To: linux-kernel


Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.

I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seems one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright).  Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.

On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca



* Re: syslog insmod please!
From: Ion Badulescu @ 2001-04-06  1:46 UTC (permalink / raw)
  To: Andrew Daviel; +Cc: linux-kernel

On Thu, 5 Apr 2001 17:57:48 -0700 (PDT), Andrew Daviel <andrew@andrew.triumf.ca> wrote:

> Is there a good reason why insmod should not call syslog() to log
> any module that gets installed ? 

Simple: you'll have quite a bit of a problem if you are trying to insmod
the module with support for AF_UNIX sockets. :-)

Ion

-- 
  It is better to keep your mouth shut and be thought a fool,
            than to open it and remove all doubt.


* Re: syslog insmod please!
From: Andreas Dilger @ 2001-04-06  4:42 UTC (permalink / raw)
  To: Ion Badulescu; +Cc: Andrew Daviel, linux-kernel

Ion writes:
> Andrew Daviel <andrew@andrew.triumf.ca> wrote:
> > Is there a good reason why insmod should not call syslog() to log
> > any module that gets installed ? 
> 
> Simple: you'll have quite a bit of a problem if you are trying to insmod
> the module with support for AF_UNIX sockets. :-)

Why do it from user space?  Simply add a printk() to sys_init_module() or
similar.  Granted, this will only help until the lusers install a patched
sysklog before installing a backdoor module, but so would the user-space
solution.  At least the kernel message will stay in kernel memory until
it is flushed out with more messages (which itself might be detectable).

Cheers, Andreas
-- 
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert


* Re: syslog insmod please!
From: Ion Badulescu @ 2001-04-06  4:51 UTC (permalink / raw)
  To: Andreas Dilger; +Cc: Andrew Daviel, linux-kernel

On Thu, 5 Apr 2001, Andreas Dilger wrote:

> Why do it from user space?  Simply add a printk() to sys_init_module() or
> similar.  

Agreed, but at that point the solution has absolutely nothing to do with 
insmod anymore. :-)

Besides, as you said, I don't really see the point. It certainly doesn't 
help with logging the actions of an attacker, and on the other hand kmod 
already logs its own actions.

Ion

-- 
  It is better to keep your mouth shut and be thought a fool,
            than to open it and remove all doubt.



* Re: syslog insmod please!
From: Mr. James W. Laferriere @ 2001-04-06 11:36 UTC (permalink / raw)
  To: Ion Badulescu; +Cc: Andreas Dilger, Andrew Daviel, linux-kernel


	Hello Ion ,

On Thu, 5 Apr 2001, Ion Badulescu wrote:
> On Thu, 5 Apr 2001, Andreas Dilger wrote:
> > Why do it from user space?  Simply add a printk() to sys_init_module() or
> > similar.
> Agreed, but at that point the solution has absolutely nothing to do with
> insmod anymore. :-)

> Besides, as you said, I don't really see the point. It certainly doesn't
> help with logging the actions of an attacker, and on the other hand kmod
> already logs its own actions.
	Not the problem being discussed ,  This is a user now root &
	having gained root is now attempting to from the command line
	to load a module .  How do we get this event recorded ?  kmod
	only works when the user calls for the service & then it loads
	it .  Tia ,  JimL
       +----------------------------------------------------------------+
       | James   W.   Laferriere | System  Techniques | Give me VMS     |
       | Network        Engineer | 25416      22nd So |  Give me Linux  |
       | babydr@baby-dragons.com | DesMoines WA 98198 |   only  on  AXP |
       +----------------------------------------------------------------+



* Re: syslog insmod please!
From: David Woodhouse @ 2001-04-06 11:53 UTC (permalink / raw)
  To: Andrew Daviel; +Cc: linux-kernel


andrew@andrew.triumf.ca said:
>  Is there a good reason why insmod should not call syslog() to log any
> module that gets installed ? I know things like bttv get very verbose
> in the module itself, and I tried patching insmod to log the first
> argument and it seemed to work for me.

Consider "insmod unix.o".

I'm not wonderfully impressed with the way that you can't load the FPU 
emulation module on ARM at the moment without having some form of FPU 
emulation in your kernel already, either :)

--
dwmw2




* Re: syslog insmod please!
From: Philip Blundell @ 2001-04-06 12:50 UTC (permalink / raw)
  To: David Woodhouse; +Cc: linux-kernel

>I'm not wonderfully impressed with the way that you can't load the FPU 
>emulation module on ARM at the moment without having some form of FPU 
>emulation in your kernel already, either :)

Floating point on ARM is indeed something of a crock, but that particular case
used to work -- can you tell where it's going wrong?  See entry-armv.S, 
about line 680, for the very bad hack that was supposed to facilitate this 
kind of thing.

p.



* Re: syslog insmod please!
From: Wichert Akkerman @ 2001-04-06 14:03 UTC (permalink / raw)
  To: linux-kernel

In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
>	Not the problem being discussed ,  This is a user now root &
>	having gained root is now attempting to from the command line
>	to load a module .  How do we get this event recorded ?

Recent versions of modutils (2.4.3 and later iirc) log that info
in /var/log/ksymoops

Wichert.


-- 
   ________________________________________________________________
 / Generally uninteresting signature - ignore at your convenience  \
| wichert@cistron.nl                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



* Re: syslog insmod please!
From: Mr. James W. Laferriere @ 2001-04-06 14:43 UTC (permalink / raw)
  To: Wichert Akkerman; +Cc: linux-kernel


	Hello Wichert ,

On 6 Apr 2001, Wichert Akkerman wrote:
> In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> >	Not the problem being discussed ,  This is a user now root &
> >	having gained root is now attempting to from the command line
> >	to load a module .  How do we get this event recorded ?
> Recent versions of modutils (2.4.3 and later iirc) log that info
> in /var/log/ksymoops
	Thank you .  Does anyone know why this information is being put
	into /var/log/ksymoops ?  If anything I'd have used a different
	filename .  Tia ,  JimL

       +----------------------------------------------------------------+
       | James   W.   Laferriere | System  Techniques | Give me VMS     |
       | Network        Engineer | 25416      22nd So |  Give me Linux  |
       | babydr@baby-dragons.com | DesMoines WA 98198 |   only  on  AXP |
       +----------------------------------------------------------------+



* Re: syslog insmod please!
From: Artur Frysiak @ 2001-04-06 14:54 UTC (permalink / raw)
  To: linux-kernel

On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> 
> 	Hello Wichert ,
> 
> On 6 Apr 2001, Wichert Akkerman wrote:
> > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> > >	Not the problem being discussed ,  This is a user now root &
> > >	having gained root is now attempting to from the command line
> > >	to load a module .  How do we get this event recorded ?
> > Recent versions of modutils (2.4.3 and later iirc) log that info
> > in /var/log/ksymoops

But r00tkit may have own version of insmod.

Regards
-- 
Artur Frysiak
Click and Buy Sp. z o.o.
tel. (071) 327-95-00 wew. 67
tel. GSM (0606) 506-414


* Re: syslog insmod please!
From: Mr. James W. Laferriere @ 2001-04-06 15:08 UTC (permalink / raw)
  To: Artur Frysiak; +Cc: linux-kernel

	Hello Wichert ,
On Fri, 6 Apr 2001, Artur Frysiak wrote:
> On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> > On 6 Apr 2001, Wichert Akkerman wrote:
> > > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > > Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> > > >	Not the problem being discussed ,  This is a user now root &
> > > >	having gained root is now attempting to from the command line
> > > >	to load a module .  How do we get this event recorded ?
> > > Recent versions of modutils (2.4.3 and later iirc) log that info
> > > in /var/log/ksymoops

> But r00tkit may have own version of insmod.
	OK ,  There are no special features accorded to /var/log/ksymoops
	than to any other file .  Unless otherwise configured .
	Am I that mistaken ?  I hope not .  Tia ,  JimL

       +----------------------------------------------------------------+
       | James   W.   Laferriere | System  Techniques | Give me VMS     |
       | Network        Engineer | 25416      22nd So |  Give me Linux  |
       | babydr@baby-dragons.com | DesMoines WA 98198 |   only  on  AXP |
       +----------------------------------------------------------------+



* Re: syslog insmod please!
From: Andrew Daviel @ 2001-04-06 17:52 UTC (permalink / raw)
  To: linux-kernel

On Fri, 6 Apr 2001, various people (Ion, David, James) wrote:
>Recent versions of modutils .. log to .. /var/log/ksymoops
>kmod only works when the user calls for the service ..
>consider unix.o

I'm still using 2.2 kernel where unix.o isn't a module and
/var/log/ksymoops doesn't exist, so I suppose that my original suggestion
would work there, no ?

In the usual game of catchup I guess that if RedHat issued a patch to
insmod for RH6 then indeed insmod would be included in r+ootkits.
Currently lr+k4,5 etc. can be detected by tripwire or my rkdet since they
change ls, ps & netstat, but k+nark can't. I haven't seen it in a r+ootkit
yet but it's only a matter of time.

I presume /var/log/ksymoops is local only (unless you take steps to copy
it remotely) ?

rkdet works on the basis of "I don't care how you got in, but
you mess with /bin/ps and I'll panic the firewall". (of course, if
an intruder finds it running under an identifiable name they can kill it)
I'd like to extend this to LKM based cloaking schemes.
I'd looked at LIDS in the past but don't want to patch the kernel.
Besides, I'm not sure whether LIDS module locking allows lkm to run
to load "good" modules like iso9660 on demand.
Loading modules is OK; I can use an unpredictable name to hide it from
scripts & kids.

Again, is there any way to detect a module such as k+nark if someone has
edited it out of the module list (by moving the "next" pointer) ?


("r*kit" mungled to foil search engines - maybe)
-- 
Andrew Daviel, TRIUMF, Canada
security@triumf.ca
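One defensive answer to the question above (a module edited out of the module list by moving its "next" pointer) is a cross-view check: compare what /proc/modules reports with views that are built from other kernel data. The script below is an added example, not code from anyone in this thread; it goes beyond the 2.2/2.4 kernels discussed here by assuming a modern Linux kernel with sysfs (/sys/module), and the sample inputs are constructed.

```python
"""Cross-view check for a kernel module unlinked from the module list.
Added example, not code from the thread; assumes a modern Linux kernel with
sysfs (/sys/module), which the 2.2/2.4 kernels discussed here did not have."""
import os

def parse_proc_modules(text):
    """Map module name -> set of names in its 'used by' column.
    Line format: name size refcount users state address; 'users' is a
    comma-separated list with a trailing comma, or '-' when empty."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mods[fields[0]] = {u for u in fields[3].split(",") if u and u != "-"}
    return mods

def find_hidden_modules(proc_text, sysfs_loaded):
    """Return sorted (name, [evidence...]) for names another view knows but
    /proc/modules omits. Empty is not proof of a clean system: a rootkit can
    also delete its sysfs entry and avoid holding references on other modules."""
    listed = parse_proc_modules(proc_text)
    findings = {}
    # View 1: a sysfs directory for a loaded module with no /proc/modules line.
    for name in sorted(sysfs_loaded):
        if name not in listed:
            findings.setdefault(name, []).append("in /sys/module, absent from /proc/modules")
    # View 2: 'used by' columns come from per-module reference records, so a
    # hidden module that imports symbols from another still shows up as a user.
    for name, users in sorted(listed.items()):
        for u in sorted(users):
            if u not in listed:
                findings.setdefault(u, []).append("listed as a user of %s, no own line" % name)
    return sorted(findings.items())

def read_live_views():
    """Collect both views from the running system (Linux with /proc and /sys)."""
    with open("/proc/modules") as f:
        proc_text = f.read()
    # Only loaded modules carry a 'refcnt' attribute; built-in code with
    # parameters also gets a /sys/module directory and must not be flagged.
    base = "/sys/module"
    loaded = {d for d in os.listdir(base) if os.path.exists(os.path.join(base, d, "refcnt"))}
    return proc_text, loaded

# Constructed sample: 'hidden_mod' was unlinked from the module list but still
# has a sysfs directory and still holds a reference on nf_conntrack.
SAMPLE_PROC_MODULES = """\
ext4 700000 2 - Live 0xffffffffc0a00000
crc16 16384 1 ext4, Live 0xffffffffc0900000
nf_conntrack 200000 1 hidden_mod, Live 0xffffffffc0800000
"""
SAMPLE_SYSFS_LOADED = {"ext4", "crc16", "nf_conntrack", "hidden_mod"}
```

On a live host, `find_hidden_modules(*read_live_views())` runs the same two checks against the real /proc/modules and /sys/module; on the constructed sample it flags `hidden_mod` on both counts.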



* Re: syslog insmod please!
From: Russell King @ 2001-04-07  8:28 UTC (permalink / raw)
  To: Philip Blundell; +Cc: David Woodhouse, linux-kernel

On Fri, Apr 06, 2001 at 01:50:29PM +0100, Philip Blundell wrote:
> Floating point on ARM is indeed something of a crock, but that particular case
> used to work -- can you tell where it's going wrong?  See entry-armv.S, 
> about line 680, for the very bad hack that was supposed to facilitate this 
> kind of thing.

I've already discussed this issue with David on irc, and I resolved it a
few kernel versions ago (read my 2.4 release notes on the web site).

--
Russell King (rmk@arm.linux.org.uk)                The developer of ARM Linux
             http://www.arm.linux.org.uk/personal/aboutme.html


