* syslog insmod please!
@ 2001-04-06 0:57 Andrew Daviel
2001-04-06 1:46 ` Ion Badulescu
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: Andrew Daviel @ 2001-04-06 0:57 UTC (permalink / raw)
To: linux-kernel
Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.
I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seemss one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright). Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.
On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 0:57 syslog insmod please! Andrew Daviel
@ 2001-04-06 1:46 ` Ion Badulescu
2001-04-06 4:42 ` Andreas Dilger
2001-04-06 11:53 ` David Woodhouse
2001-04-06 12:50 ` Philip Blundell
2 siblings, 1 reply; 13+ messages in thread
From: Ion Badulescu @ 2001-04-06 1:46 UTC (permalink / raw)
To: Andrew Daviel; +Cc: linux-kernel
On Thu, 5 Apr 2001 17:57:48 -0700 (PDT), Andrew Daviel <andrew@andrew.triumf.ca> wrote:
> Is there a good reason why insmod should not call syslog() to log
> any module that gets installed ?
Simple: you'll have quite a bit of a problem if you are trying to insmod
the module with support for AF_UNIX sockets. :-)
Ion
--
It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 1:46 ` Ion Badulescu
@ 2001-04-06 4:42 ` Andreas Dilger
2001-04-06 4:51 ` Ion Badulescu
0 siblings, 1 reply; 13+ messages in thread
From: Andreas Dilger @ 2001-04-06 4:42 UTC (permalink / raw)
To: Ion Badulescu; +Cc: Andrew Daviel, linux-kernel
Ion writes:
> Andrew Daviel <andrew@andrew.triumf.ca> wrote:
> > Is there a good reason why insmod should not call syslog() to log
> > any module that gets installed ?
>
> Simple: you'll have quite a bit of a problem if you are trying to insmod
> the module with support for AF_UNIX sockets. :-)
Why do it from user space? Simply add a printk() to sys_init_module() or
similar. Granted, this will only help until the lusers install a patched
sysklog before installing a backdoor module, but so would the user-space
solution. At least the kernel message will stay in kernel memory until
it is flushed out with more messages (which itself might be detectable).
Cheers, Andreas
--
Andreas Dilger \ "If a man ate a pound of pasta and a pound of antipasto,
\ would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/ -- Dogbert
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 4:42 ` Andreas Dilger
@ 2001-04-06 4:51 ` Ion Badulescu
2001-04-06 11:36 ` Mr. James W. Laferriere
0 siblings, 1 reply; 13+ messages in thread
From: Ion Badulescu @ 2001-04-06 4:51 UTC (permalink / raw)
To: Andreas Dilger; +Cc: Andrew Daviel, linux-kernel
On Thu, 5 Apr 2001, Andreas Dilger wrote:
> Why do it from user space? Simply add a printk() to sys_init_module() or
> similar.
Agreed, but at that point the solution has absolutely nothing to do with
insmod anymore. :-)
Besides, as you said, I don't really see the point. It certainly doesn't
help with logging the actions of an attacker, and on the other hand kmod
already logs its own actions.
Ion
--
It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 4:51 ` Ion Badulescu
@ 2001-04-06 11:36 ` Mr. James W. Laferriere
2001-04-06 14:03 ` Wichert Akkerman
2001-04-06 17:52 ` Andrew Daviel
0 siblings, 2 replies; 13+ messages in thread
From: Mr. James W. Laferriere @ 2001-04-06 11:36 UTC (permalink / raw)
To: Ion Badulescu; +Cc: Andreas Dilger, Andrew Daviel, linux-kernel
Hello Ion ,
On Thu, 5 Apr 2001, Ion Badulescu wrote:
> On Thu, 5 Apr 2001, Andreas Dilger wrote:
> > Why do it from user space? Simply add a printk() to sys_init_module() or
> > similar.
> Agreed, but at that point the solution has absolutely nothing to do with
> insmod anymore. :-)
> Besides, as you said, I don't really see the point. It certainly doesn't
> help with logging the actions of an attacker, and on the other hand kmod
> already logs its own actions.
Not the problem being discussed , This is a user now root &
having gained root is now attempting to from the command line
to load a module . How do we get this event recorded ? kmod
only works when the user calles for the service & then it loads
it . Tia , JimL
+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| babydr@baby-dragons.com | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 11:36 ` Mr. James W. Laferriere
@ 2001-04-06 14:03 ` Wichert Akkerman
2001-04-06 14:43 ` Mr. James W. Laferriere
2001-04-06 17:52 ` Andrew Daviel
1 sibling, 1 reply; 13+ messages in thread
From: Wichert Akkerman @ 2001-04-06 14:03 UTC (permalink / raw)
To: linux-kernel
In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> Not the problem being discussed , This is a user now root &
> having gained root is now attempting to from the command line
> to load a module . How do we get this event recorded ?
Recent versions of modutils (2.4.3 and later iirc) log that info
in /var/log/ksymoops
Wichert.
--
________________________________________________________________
/ Generally uninteresting signature - ignore at your convenience \
| wichert@cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 14:03 ` Wichert Akkerman
@ 2001-04-06 14:43 ` Mr. James W. Laferriere
2001-04-06 14:54 ` Artur Frysiak
0 siblings, 1 reply; 13+ messages in thread
From: Mr. James W. Laferriere @ 2001-04-06 14:43 UTC (permalink / raw)
To: Wichert Akkerman; +Cc: linux-kernel
Hello Wichert ,
On 6 Apr 2001, Wichert Akkerman wrote:
> In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> > Not the problem being discussed , This is a user now root &
> > having gained root is now attempting to from the command line
> > to load a module . How do we get this event recorded ?
> Recent versions of modutils (2.4.3 and later iirc) log that info
> in /var/log/ksymoops
Thank you . Does anyone know why this information is being put
into /var/log/ksymoops ? If anything I'd have used a differant
filename . Tia , JimL
+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| babydr@baby-dragons.com | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: syslog insmod please!
2001-04-06 14:43 ` Mr. James W. Laferriere
@ 2001-04-06 14:54 ` Artur Frysiak
2001-04-06 15:08 ` Mr. James W. Laferriere
0 siblings, 1 reply; 13+ messages in thread
From: Artur Frysiak @ 2001-04-06 14:54 UTC (permalink / raw)
To: linux-kernel
On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
>
> Hello Wichert ,
>
> On 6 Apr 2001, Wichert Akkerman wrote:
> > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> > > Not the problem being discussed , This is a user now root &
> > > having gained root is now attempting to from the command line
> > > to load a module . How do we get this event recorded ?
> > Recent versions of modutils (2.4.3 and later iirc) log that info
> > in /var/log/ksymoops
But r00tkit may have own version of insmod.
Regards
--
Artur Frysiak
Click and Buy Sp. z o.o.
tel. (071) 327-95-00 wew. 67
tel. GSM (0606) 506-414
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 14:54 ` Artur Frysiak
@ 2001-04-06 15:08 ` Mr. James W. Laferriere
0 siblings, 0 replies; 13+ messages in thread
From: Mr. James W. Laferriere @ 2001-04-06 15:08 UTC (permalink / raw)
To: Artur Frysiak; +Cc: linux-kernel
Hello Wichert ,
On Fri, 6 Apr 2001, Artur Frysiak wrote:
> On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> > On 6 Apr 2001, Wichert Akkerman wrote:
> > > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > > Mr. James W. Laferriere <babydr@baby-dragons.com> wrote:
> > > > Not the problem being discussed , This is a user now root &
> > > > having gained root is now attempting to from the command line
> > > > to load a module . How do we get this event recorded ?
> > > Recent versions of modutils (2.4.3 and later iirc) log that info
> > > in /var/log/ksymoops
> But r00tkit may have own version of insmod.
OK , There are no special features accorded to /var/log/ksymoops
than to any other file . Unless otherwise configured .
Am I that mistaken ? I hope not . Tia , JimL
+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| babydr@baby-dragons.com | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 11:36 ` Mr. James W. Laferriere
2001-04-06 14:03 ` Wichert Akkerman
@ 2001-04-06 17:52 ` Andrew Daviel
1 sibling, 0 replies; 13+ messages in thread
From: Andrew Daviel @ 2001-04-06 17:52 UTC (permalink / raw)
To: linux-kernel
On Fri, 6 Apr 2001, various people (Ion, David, James) wrote:
>Recent versions of modutils .. log to .. /var/log/ksymoops
>kmod only works when the user calles for the service ..
>consider unix.o
I'm still using 2.2 kernel where unix.o isn't a module and
/var/log/ksymoops doesn't exist, so I suppose that my original suggestion
would work there, no ?
In the usual game of catchup I guess that if RedHat issued a patch to
insmod for RH6 then indeed insmod would be included in r+ootkits.
Currently lr+k4,5 etc. can be detected by tripwire or my rkdet since they
change ls, ps & netstat, but k+nark can't. I haven't seen it in a r+ootkit
yet but it's only a matter of time.
I presume /var/log/ksymoops is local only (unless you take steps to copy
it remotely) ?
rkdet works on the basis of "I don't care how you got in, but
you mess with /bin/ps and I'll panic the firewall". (of course, if
an intruder finds it running under an identifiable name they can kill it)
I'd like to extend this to LKM based cloaking schemes.
I'd looked at LIDS in the past but don't want to patch the kernel.
Besides, I'm not sure whether LIDS module locking allows lkm to run
to load "good" modules like iso9660 on demand.
Loading modules is OK; I can use an unpredictable name to hide it from
scripts & kids.
Again, is there any way to detect a module such as k+nark if someone has
edited it out of the module list (by moving the "next" pointer) ?
("r*kit" mungled to foil search engines - maybe)
--
Andrew Daviel, TRIUMF, Canada
security@triumf.ca
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 0:57 syslog insmod please! Andrew Daviel
2001-04-06 1:46 ` Ion Badulescu
@ 2001-04-06 11:53 ` David Woodhouse
2001-04-06 12:50 ` Philip Blundell
2 siblings, 0 replies; 13+ messages in thread
From: David Woodhouse @ 2001-04-06 11:53 UTC (permalink / raw)
To: Andrew Daviel; +Cc: linux-kernel
andrew@andrew.triumf.ca said:
> Is there a good reason why insmod should not call syslog() to log any
> module that gets installed ? I know things like bttv get very verbose
> in the module itself, and I tried patching insmod to log the first
> argument and it seemed to work for me.
Consider "insmod unix.o".
I'm not wonderfully impressed with the way that you can't load the FPU
emulation module on ARM at the moment without having some form of FPU
emulation in your kernel already, either :)
--
dwmw2
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 0:57 syslog insmod please! Andrew Daviel
2001-04-06 1:46 ` Ion Badulescu
2001-04-06 11:53 ` David Woodhouse
@ 2001-04-06 12:50 ` Philip Blundell
2001-04-07 8:28 ` Russell King
2 siblings, 1 reply; 13+ messages in thread
From: Philip Blundell @ 2001-04-06 12:50 UTC (permalink / raw)
To: David Woodhouse; +Cc: linux-kernel
>I'm not wonderfully impressed with the way that you can't load the FPU
>emulation module on ARM at the moment without having some form of FPU
>emulation in your kernel already, either :)
Floating point on ARM is indeed something of a crock, but that particular case
used to work -- can you tell where it's going wrong? See entry-armv.S,
about line 680, for the very bad hack that was supposed to facilitate this
kind of thing.
p.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: syslog insmod please!
2001-04-06 12:50 ` Philip Blundell
@ 2001-04-07 8:28 ` Russell King
0 siblings, 0 replies; 13+ messages in thread
From: Russell King @ 2001-04-07 8:28 UTC (permalink / raw)
To: Philip Blundell; +Cc: David Woodhouse, linux-kernel
On Fri, Apr 06, 2001 at 01:50:29PM +0100, Philip Blundell wrote:
> Floating point on ARM is indeed something of a crock, but that particular case
> used to work -- can you tell where it's going wrong? See entry-armv.S,
> about line 680, for the very bad hack that was supposed to facilitate this
> kind of thing.
I've already discussed this issue with David on irc, and I resolved it a
few kernel versions ago (read my 2.4 release notes on the web site).
--
Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2001-04-07 8:29 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2001-04-06 0:57 syslog insmod please! Andrew Daviel
2001-04-06 1:46 ` Ion Badulescu
2001-04-06 4:42 ` Andreas Dilger
2001-04-06 4:51 ` Ion Badulescu
2001-04-06 11:36 ` Mr. James W. Laferriere
2001-04-06 14:03 ` Wichert Akkerman
2001-04-06 14:43 ` Mr. James W. Laferriere
2001-04-06 14:54 ` Artur Frysiak
2001-04-06 15:08 ` Mr. James W. Laferriere
2001-04-06 17:52 ` Andrew Daviel
2001-04-06 11:53 ` David Woodhouse
2001-04-06 12:50 ` Philip Blundell
2001-04-07 8:28 ` Russell King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).