Subject: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

Hi all,

After some thinking (nothing serious) I came up with the idea of printing a
KERN_INFO after a module got loaded, why? Think about this, some guy
inserts a LKM rootkit, obviously that module (think adore or knark)
doesn't say anything when it gets loaded. In these cases it is useful to have
this feature, another example can be simply knowing the order of a group of
pre-requisite modules when you load something using modprobe(8).

Before doing this I searched the web, read some docs and asked on
#kernelnewbies, it seems there's no standard way to log the insertion of a
module.

I'm not sure if this is the right way to do this, I'm just adding a printk
after the module gets initialized, perhaps it must be done somewhere else,
comments/flames are welcome.

This is pretty useful, at least for me 8) (the printk, not the flames)

Best Regards

PS: Oops, I forgot, this applies happily against 2.4.18 and 2.5.21

diff -Nrua linux/kernel/module.c linux-info/kernel/module.c
--- linux/kernel/module.c Sat Jun 15 01:00:24 2002
+++ linux-info/kernel/module.c Sat Jun 15 01:02:37 2002
@@ -560,6 +560,7 @@

/* And set it running. */
mod->flags = (mod->flags | MOD_RUNNING) & ~MOD_INITIALIZING;
+ printk(KERN_INFO "module: %s loaded\n", mod->name);
error = 0;
goto err0;
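
Review bot: the printk sits after MOD_INITIALIZING is cleared and MOD_RUNNING is set, so a line is written only for loads that reach this point and only once the module has already been set running; a load that fails earlier leaves no trace. For an audit record, consider also logging the attempt before this point, and print more than mod->name (for example the module's address as a second field), since a name by itself says little about what was loaded.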

--
Robinson Maureira Castillo
Asesor DAI
INACAP


2002-06-15 08:38:06

by Zwane Mwaikambo

Subject: Re: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

On Sat, 15 Jun 2002, Robinson Maureira Castillo wrote:

> diff -Nrua linux/kernel/module.c linux-info/kernel/module.c
> --- linux/kernel/module.c Sat Jun 15 01:00:24 2002
> +++ linux-info/kernel/module.c Sat Jun 15 01:02:37 2002
> @@ -560,6 +560,7 @@
>
> /* And set it running. */
> mod->flags = (mod->flags | MOD_RUNNING) & ~MOD_INITIALIZING;
> + printk(KERN_INFO "module: %s loaded\n", mod->name);
> error = 0;
> goto err0;
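
Review bot: the single added line logs at KERN_INFO and the patch has no matching line on the unload path, so the log records loads only, and only where that level is kept. If load order and later auditing are the goals named in the description, add the corresponding unload message and document the "module: %s loaded" format so log tooling can rely on it.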

And when this gets to mainline, what stops your hacker from removing the
printk from displaying? The way I see it, if the person is loading modules
you're screwed beyond help.

Regards,
Zwane Mwaikambo

--
http://function.linuxpower.ca


Subject: Re: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

On Sat, 15 Jun 2002, Zwane Mwaikambo wrote:
>
> And when this gets to mainline, what stops your hacker from removing the
> printk from displaying? The way I see it, if the person is loading modules
> you're screwed beyond help.
>

That's why I was asking for a better place to put this printk, maybe the
correct one is just _before_ the module registers its "features", you can
always check `dmesg` for a list of loaded modules, but again, if I put the
printk before the module correctly registers I can get some fake "loaded"
messages, from modules that did not complete the registration. I'll review
more carefully the loading process, perhaps adding the module address, or
even its path, I'll give it a look after giving class today, I'm already
late 8-)

Best regards.
--
Robinson Maureira Castillo
Asesor DAI
INACAP

2002-06-15 22:41:58

by Oliver Xymoron

Subject: Re: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

On Sat, 15 Jun 2002, Robinson Maureira Castillo wrote:

> On Sat, 15 Jun 2002, Zwane Mwaikambo wrote:
> >
> > And when this gets to mainline, what stops your hacker from removing the
> > printk from displaying? The way I see it, if the person is loading modules
> > you're screwed beyond help.
> >
>
> That's why I was asking for a better place to put this printk,

The better place is before the attacker gets root access. After that, all
bets are off.

--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."

2002-06-16 02:09:54

by Horst von Brand

Subject: Re: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

Robinson Maureira Castillo <[email protected]> said:
> After some thinking (nothing serious) I came up with the idea of printing a
> KERN_INFO after a module got loaded, why? Think about this, some guy
> inserts a LKM rootkit, obviously that module (think adore or knark)
> doesn't say anything when it gets loaded. In these cases it is useful to have
> this feature, another example can be simply knowing the order of a group of
> pre-requisite modules when you load something using modprobe(8).

If the cracker gets to the stage where they can insert modules at will, you
can't believe anything the machine does or says anymore.
--
Horst von Brand [email protected]
Casilla 9G, Vin~a del Mar, Chile +56 32 672616

2002-06-16 06:24:19

by Keith Owens

Subject: Re: [RFC][TRIVIAL] Print a KERN_INFO after a module gets loaded

On Sat, 15 Jun 2002 01:27:31 -0400 (CLT),
Robinson Maureira Castillo <[email protected]> wrote:
>After some thinking (nothing serious) I came up with the idea of printing a
>KERN_INFO after a module got loaded, why? Think about this, some guy
>inserts a LKM rootkit, obviously that module (think adore or knark)
>doesn't say anything when it gets loaded.

Pointless. The user already has root, any logging can be compromised.

>another example can be simply knowing the order of a group of
>pre-requisite modules when you load something using modprobe(8).

man insmod, see /var/log/ksymoops.
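
An added example, not part of the thread or of the kernel tree: a small checker for the two uses named in the first message, assuming the patch's "module: %s loaded" line reaches a syslog file and that a /proc/modules snapshot is available. The sample log lines, host name and the module name demo_mod are constructed; as the replies point out, neither source can be trusted if both are read on a host where someone already loads modules at will.

```python
import re

# Message format taken from the patch's printk: "module: %s loaded".
LOADED = re.compile(r"module: (\S+) loaded$")

# Constructed sample input (not captured from a real machine).
SAMPLE_LOG = [
    "Jun 15 01:10:02 host kernel: module: 8390 loaded",
    "Jun 15 01:10:02 host kernel: module: ne2k-pci loaded",
    "Jun 15 01:10:05 host kernel: eth0: link up",
    "Jun 15 01:12:40 host kernel: module: demo_mod loaded",
]
SAMPLE_PROC = (
    "ne2k-pci 5248 1\n"
    "8390 6672 0 [ne2k-pci]\n"
    "vfat 9468 1 (autoclean)\n"
)


def logged_loads(log_lines):
    """Module names in the order their 'loaded' message appears."""
    order = []
    for line in log_lines:
        match = LOADED.search(line.rstrip())
        if match:
            order.append(match.group(1))
    return order


def listed_modules(proc_modules_text):
    """The first column of each /proc/modules line is the module name."""
    return [ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()]


def compare(log_lines, proc_modules_text):
    """Reconstruct load order and report disagreements between the two views."""
    logged = logged_loads(log_lines)
    listed = set(listed_modules(proc_modules_text))
    return {
        # The modprobe(8) prerequisite-order use case.
        "load_order": logged,
        # Loaded before logging began, or the message never reached the log.
        "listed_not_logged": sorted(listed - set(logged)),
        # Unloaded since (the patch logs no unload) or no longer in the list.
        "logged_not_listed": sorted(set(logged) - listed),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_LOG, SAMPLE_PROC).items():
        print(key, value)
```
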