Package: rkhunter
Version: 1.3.4-6
Severity: normal
Tags: patch
Certain security frameworks (e.g. grsecurity) prevent programs from reading /proc/kallsyms.
The file exists but it returns an error when you try to read from it. I end up receiving these emails every day:
From: Anacron <r...@localhost>
To: r...@localhost
Subject: Anacron job 'cron.daily' on localhost
/etc/cron.daily/rkhunter:
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
I have attached a patch which disables this check (as if /proc/kallsyms was missing) if the "file" is not readable.
Cheers,
Francois
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30.5-grsec (SMP w/2 CPU cores; PREEMPT)
Shell: /bin/sh linked to /bin/dash
Versions of packages rkhunter depends on:
ii binutils 2.19.51.20090805-1 The GNU assembler, linker and bina
ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
ii exim4 4.69-11 metapackage to ease Exim MTA (v4)
ii exim4-daemon-light [m 4.69-11 lightweight Exim MTA (v4) daemon
ii file 5.03-1 Determines file type using "magic"
ii net-tools 1.60-23 The NET-3 networking toolkit
ii perl 5.10.0-24 Larry Wall's Practical Extraction
Versions of packages rkhunter recommends:
ii curl 7.19.5-1 Get a file from an HTTP, HTTPS or
ii iproute 20090324-1 networking and traffic control too
ii lsof 4.81.dfsg.1-1 List open files
pn unhide <none> (no description available)
ii wget 1.11.4-4 retrieves files from the web
Versions of packages rkhunter suggests:
pn bsd-mailx <none> (no description available)
pn tripwire <none> (no description available)
-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true
--- /usr/bin/rkhunter 2009-07-29 05:01:56.000000000 +1200
+++ rkhunter 2009-08-18 14:31:47.000000000 +1200
@@ -12316,6 +12316,15 @@
elif [ -f "${RKHROOTDIR}/proc/kallsyms" ]; then
KSYMS_FILE="${RKHROOTDIR}/proc/kallsyms"
fi
+
+ #
+ # Check to make sure that the symbols are readable
+ # as certain security frameworks hide this.
+ #
+
+ if ! head -1 /proc/kallsyms > /dev/null 2>&1 ; then
+ KSYMS_FILE=""
+ fi
fi
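Review bot: the added test runs head -1 on a hardcoded /proc/kallsyms, while the context lines just above it set KSYMS_FILE to "${RKHROOTDIR}/proc/kallsyms", so with a non-empty RKHROOTDIR the probe reads a different file from the one the check will use, and it also clears KSYMS_FILE when the earlier branch of this if/elif selected some other file. Probing the selected file keeps the two consistent: if [ -n "${KSYMS_FILE}" ] && ! head -1 "${KSYMS_FILE}" > /dev/null 2>&1 ; then. Because clearing KSYMS_FILE makes the scan behave as if the symbols file were missing, it would also help to log that the file exists but could not be read, so that a skipped kernel-symbol check shows up in the scan output instead of passing silently.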