Re: syslog insmod please!

2001-04-07 Thread Russell King

On Fri, Apr 06, 2001 at 01:50:29PM +0100, Philip Blundell wrote:
> Floating point on ARM is indeed something of a crock, but that particular case
> used to work -- can you tell where it's going wrong?  See entry-armv.S, 
> about line 680, for the very bad hack that was supposed to facilitate this 
> kind of thing.

I've already discussed this issue with David on irc, and I resolved it a
few kernel versions ago (read my 2.4 release notes on the web site).

--
Russell King ([EMAIL PROTECTED])        The developer of ARM Linux
 http://www.arm.linux.org.uk/personal/aboutme.html

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



Re: syslog insmod please!

2001-04-06 Thread Andrew Daviel

On Fri, 6 Apr 2001, various people (Ion, David, James) wrote:
>Recent versions of modutils .. log to .. /var/log/ksymoops
>kmod only works when the user calles for the service ..
>consider unix.o

I'm still using 2.2 kernel where unix.o isn't a module and
/var/log/ksymoops doesn't exist, so I suppose that my original suggestion
would work there, no ?

In the usual game of catchup I guess that if RedHat issued a patch to
insmod for RH6 then indeed insmod would be included in r+ootkits.
Currently lr+k4,5 etc. can be detected by tripwire or my rkdet since they
change ls, ps & netstat, but k+nark can't. I haven't seen it in a r+ootkit
yet but it's only a matter of time.

I presume /var/log/ksymoops is local only (unless you take steps to copy
it remotely) ?

rkdet works on the basis of "I don't care how you got in, but
you mess with /bin/ps and I'll panic the firewall". (of course, if
an intruder finds it running under an identifiable name they can kill it)
I'd like to extend this to LKM based cloaking schemes.
I'd looked at LIDS in the past but don't want to patch the kernel.
Besides, I'm not sure whether LIDS module locking allows lkm to run
to load "good" modules like iso9660 on demand.
Loading modules is OK; I can use an unpredictable name to hide it from
scripts & kids.

Again, is there any way to detect a module such as k+nark if someone has
edited it out of the module list (by moving the "next" pointer) ?


("r*kit" mungled to foil search engines - maybe)
-- 
Andrew Daviel, TRIUMF, Canada
[EMAIL PROTECTED]



Re: syslog insmod please!

2001-04-06 Thread Mr. James W. Laferriere

Hello Wichert ,
On Fri, 6 Apr 2001, Artur Frysiak wrote:
> On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> > On 6 Apr 2001, Wichert Akkerman wrote:
> > > In article <[EMAIL PROTECTED]>,
> > > Mr. James W. Laferriere <[EMAIL PROTECTED]> wrote:
> > > > Not the problem being discussed ,  This is a user now root &
> > > > having gained root is now attempting to from the command line
> > > > to load a module .  How do we get this event recorded ?
> > > Recent versions of modutils (2.4.3 and later iirc) log that info
> > > in /var/log/ksymoops

> But r00tkit may have own version of insmod.
OK ,  There are no special features accorded to /var/log/ksymoops
than to any other file .  Unless otherwise configured .
Am I that mistaken ?  I hope not .  Tia ,  JimL

   +-------------------------+--------------------+-----------------+
   | James   W.   Laferriere | System  Techniques | Give me VMS     |
   | Network Engineer        | 25416  22nd So     | Give me Linux   |
   | [EMAIL PROTECTED]       | Des Moines WA 98198|   only  on  AXP |
   +-------------------------+--------------------+-----------------+



Re: syslog insmod please!

2001-04-06 Thread Artur Frysiak

On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> 
>   Hello Wichert ,
> 
> On 6 Apr 2001, Wichert Akkerman wrote:
> > In article <[EMAIL PROTECTED]>,
> > Mr. James W. Laferriere <[EMAIL PROTECTED]> wrote:
> > >   Not the problem being discussed ,  This is a user now root &
> > >   having gained root is now attempting to from the command line
> > >   to load a module .  How do we get this event recorded ?
> > Recent versions of modutils (2.4.3 and later iirc) log that info
> > in /var/log/ksymoops

But r00tkit may have own version of insmod.

Regards
-- 
Artur Frysiak
Click and Buy Sp. z o.o.
tel. (071) 327-95-00 wew. 67
tel. GSM (0606) 506-414



Re: syslog insmod please!

2001-04-06 Thread Mr. James W. Laferriere


Hello Wichert ,

On 6 Apr 2001, Wichert Akkerman wrote:
> In article <[EMAIL PROTECTED]>,
> Mr. James W. Laferriere <[EMAIL PROTECTED]> wrote:
> > Not the problem being discussed ,  This is a user now root &
> > having gained root is now attempting to from the command line
> > to load a module .  How do we get this event recorded ?
> Recent versions of modutils (2.4.3 and later iirc) log that info
> in /var/log/ksymoops
Thank you .  Does anyone know why this information is being put
into /var/log/ksymoops ?  If anything I'd have used a different
filename .  Tia ,  JimL

   +-------------------------+--------------------+-----------------+
   | James   W.   Laferriere | System  Techniques | Give me VMS     |
   | Network Engineer        | 25416  22nd So     | Give me Linux   |
   | [EMAIL PROTECTED]       | Des Moines WA 98198|   only  on  AXP |
   +-------------------------+--------------------+-----------------+



Re: syslog insmod please!

2001-04-06 Thread Wichert Akkerman

In article <[EMAIL PROTECTED]>,
Mr. James W. Laferriere <[EMAIL PROTECTED]> wrote:
>   Not the problem being discussed ,  This is a user now root &
>   having gained root is now attempting to from the command line
>   to load a module .  How do we get this event recorded ?

Recent versions of modutils (2.4.3 and later iirc) log that info
in /var/log/ksymoops

Wichert.


-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: syslog insmod please!

2001-04-06 Thread Philip Blundell

>I'm not wonderfully impressed with the way that you can't load the FPU 
>emulation module on ARM at the moment without having some form of FPU 
>emulation in your kernel already, either :)

Floating point on ARM is indeed something of a crock, but that particular case
used to work -- can you tell where it's going wrong?  See entry-armv.S, 
about line 680, for the very bad hack that was supposed to facilitate this 
kind of thing.

p.



Re: syslog insmod please!

2001-04-06 Thread David Woodhouse


[EMAIL PROTECTED] said:
>  Is there a good reason why insmod should not call syslog() to log any
> module that gets installed ? I know things like bttv get very verbose
> in the module itself, and I tried patching insmod to log the first
> argument and it seemed to work for me.

Consider "insmod unix.o".

I'm not wonderfully impressed with the way that you can't load the FPU 
emulation module on ARM at the moment without having some form of FPU 
emulation in your kernel already, either :)

--
dwmw2




Re: syslog insmod please!

2001-04-06 Thread Mr. James W. Laferriere


Hello Ion ,

On Thu, 5 Apr 2001, Ion Badulescu wrote:
> On Thu, 5 Apr 2001, Andreas Dilger wrote:
> > Why do it from user space?  Simply add a printk() to sys_init_module() or
> > similar.
> Agreed, but at that point the solution has absolutely nothing to do with
> insmod anymore. :-)

> Besides, as you said, I don't really see the point. It certainly doesn't
> help with logging the actions of an attacker, and on the other hand kmod
> already logs its own actions.
Not the problem being discussed ,  This is a user now root &
having gained root is now attempting to from the command line
to load a module .  How do we get this event recorded ?  kmod
only works when the user calls for the service & then it loads
it .  Tia ,  JimL
   +-------------------------+--------------------+-----------------+
   | James   W.   Laferriere | System  Techniques | Give me VMS     |
   | Network Engineer        | 25416  22nd So     | Give me Linux   |
   | [EMAIL PROTECTED]       | Des Moines WA 98198|   only  on  AXP |
   +-------------------------+--------------------+-----------------+



Re: syslog insmod please!

2001-04-05 Thread Ion Badulescu

On Thu, 5 Apr 2001, Andreas Dilger wrote:

> Why do it from user space?  Simply add a printk() to sys_init_module() or
> similar.  

Agreed, but at that point the solution has absolutely nothing to do with 
insmod anymore. :-)

Besides, as you said, I don't really see the point. It certainly doesn't 
help with logging the actions of an attacker, and on the other hand kmod 
already logs its own actions.

Ion

-- 
  It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.



Re: syslog insmod please!

2001-04-05 Thread Andreas Dilger

Ion writes:
> Andrew Daviel <[EMAIL PROTECTED]> wrote:
> > Is there a good reason why insmod should not call syslog() to log
> > any module that gets installed ? 
> 
> Simple: you'll have quite a bit of a problem if you are trying to insmod
> the module with support for AF_UNIX sockets. :-)

Why do it from user space?  Simply add a printk() to sys_init_module() or
similar.  Granted, this will only help until the lusers install a patched
sysklog before installing a backdoor module, but so would the user-space
solution.  At least the kernel message will stay in kernel memory until
it is flushed out with more messages (which itself might be detectable).

Cheers, Andreas
-- 
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/   -- Dogbert



Re: syslog insmod please!

2001-04-05 Thread Ion Badulescu

On Thu, 5 Apr 2001 17:57:48 -0700 (PDT), Andrew Daviel <[EMAIL PROTECTED]> wrote:

> Is there a good reason why insmod should not call syslog() to log
> any module that gets installed ? 

Simple: you'll have quite a bit of a problem if you are trying to insmod
the module with support for AF_UNIX sockets. :-)

Ion

-- 
  It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.
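Ion's objection above (syslog(3) reaches syslogd over a datagram socket on /dev/log, so an insmod that logs that way cannot record the load of unix.o itself) and Andreas's alternative (put the record in the kernel log, where it sits in the ring buffer until newer messages push it out) can both be accommodated from user space on kernels that expose /dev/kmsg. The following is an added example, not code from modutils or from anyone in the thread: it writes the event to /dev/kmsg first, which needs no socket at all, and additionally to syslog when a probe shows the AF_UNIX family is usable. /dev/kmsg is an assumption (present from 2.6 on, absent in the 2.2 and 2.4 kernels discussed here), and the "insmod:" tag and message wording are illustrative.

```c
/* Record a module-load event without depending on AF_UNIX.
 * Added example; not from modutils or from the thread. Assumes a kernel
 * that exposes /dev/kmsg (2.6 and later; the 2.2/2.4 kernels under
 * discussion do not have it) and runs as root, as insmod does. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

enum { CHAN_KMSG = 1, CHAN_SYSLOG = 2 };

/* syslog(3) talks to syslogd over a datagram socket on /dev/log. If the
 * AF_UNIX family itself is missing (the "insmod unix.o" case), socket()
 * fails with EAFNOSUPPORT; openlog()/syslog() would then drop the message
 * without reporting anything. Returns 1 if usable, 0 if the family is
 * absent, -1 on any other socket() failure. */
int af_unix_available(void)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno == EAFNOSUPPORT ? 0 : -1;
    close(fd);
    return 1;
}

/* Build the /dev/kmsg record: a "<prio>" prefix (facility*8 + level, here
 * LOG_USER|LOG_NOTICE = 13) followed by one line of text. Returns the
 * record length, or -1 if it does not fit in `size` bytes. */
int format_kmsg_record(char *buf, size_t size, const char *module, uid_t uid)
{
    int n = snprintf(buf, size, "<%d>insmod: loading module %s (uid %u)\n",
                     LOG_USER | LOG_NOTICE, module, (unsigned)uid);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Write the event to the kernel ring buffer and, when AF_UNIX works, to
 * syslog as well. Returns a bitmask of the channels that accepted it. */
int log_module_load(const char *module)
{
    int channels = 0;
    char rec[256];
    int len = format_kmsg_record(rec, sizeof rec, module, getuid());
    if (len > 0) {
        int fd = open("/dev/kmsg", O_WRONLY | O_CLOEXEC);
        if (fd >= 0) {
            if (write(fd, rec, (size_t)len) == len)
                channels |= CHAN_KMSG;
            close(fd);
        }
    }
    if (af_unix_available() == 1) {
        openlog("insmod", LOG_PID, LOG_USER);
        syslog(LOG_NOTICE, "loading module %s (uid %u)", module, (unsigned)getuid());
        closelog();
        channels |= CHAN_SYSLOG;
    }
    return channels;
}

/* The record produced for the constructed sample "unix.o" loaded by uid 0. */
const char *demo_unix_record(void)
{
    static char buf[128];
    return format_kmsg_record(buf, sizeof buf, "unix.o", 0) > 0 ? buf : "";
}

int main(int argc, char **argv)
{
    const char *module = argc > 1 ? argv[1] : "unix.o";
    int got = log_module_load(module);
    printf("%s: kernel log %s, syslog %s\n", module,
           got & CHAN_KMSG ? "written" : "unavailable",
           got & CHAN_SYSLOG ? "written" : "skipped (no AF_UNIX)");
    return got ? 0 : 1;
}
```

Run as root, `./logload unix.o` leaves a line in dmesg even when /dev/log is unreachable; the syslog call is skipped rather than silently lost because the socket() probe fails with EAFNOSUPPORT when the family is absent, whereas openlog() and syslog() themselves say nothing. None of this survives an attacker replacing the insmod binary, which is the point Artur makes elsewhere in the thread about a rootkit shipping its own insmod; only a record made inside the kernel, as Andreas proposes, is independent of the binary that requested the load.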



syslog insmod please!

2001-04-05 Thread Andrew Daviel


Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.

I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seems one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright).  Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.

On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
[EMAIL PROTECTED]

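Andrew's question about detecting a module that modhide has unlinked from the kernel's module list (asked again in his 6 April message) gets one practical answer on later kernels: the list that /proc/modules walks and the sysfs tree under /sys/module are maintained separately, so a module that only unlinks itself from the list keeps its /sys/module/<name> directory. The program below, an added example that is not from the thread or from any rootkit scanner, reads both and reports names present in sysfs but absent from /proc/modules. It assumes a sysfs-era kernel (2.6 or later; the 2.2 and 2.4 kernels discussed have neither /sys/module nor the initstate attribute used here to tell loaded modules from the parameter-only entries that built-in code also gets), and the sample input naming a module "knark" is constructed, not captured from a host.

```c
/* Cross-check /proc/modules against /sys/module. A module that unlinks
 * itself from the kernel's module list (the modhide trick) disappears from
 * /proc/modules, but its /sys/module/<name> directory is a separate kernel
 * object that a hiding module has to remove on its own. Added example, not
 * from the thread or any rootkit scanner; assumes a sysfs-era kernel (2.6
 * and later), which the 2.2/2.4 kernels under discussion do not have. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODNAME_LEN 64

/* Non-zero if `name` is the first field of some line of the /proc/modules
 * text in `procmod`. The name must be followed by a space, so "unix" does
 * not match a line for "unix_diag". */
static int listed_in_proc_modules(const char *procmod, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = procmod; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > n && strncmp(p, name, n) == 0 && p[n] == ' ')
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Copy into `hidden` (at most `max` entries) every name in `sysnames` that
 * /proc/modules does not list. Returns how many were found. */
size_t find_hidden_modules(const char *procmod, const char *const *sysnames,
                           size_t count, char hidden[][MODNAME_LEN], size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < count && found < max; i++) {
        if (listed_in_proc_modules(procmod, sysnames[i]))
            continue;
        snprintf(hidden[found], MODNAME_LEN, "%s", sysnames[i]);
        found++;
    }
    return found;
}

/* Constructed sample, not captured from a real host: two listed modules
 * and a sysfs entry ("knark") that has no /proc/modules line. */
static const char sample_procmod[] =
    "ext4 712704 2 - Live 0xffffffffc0a00000\n"
    "unix 98304 1 - Live 0xffffffffc0900000\n";
static const char *const sample_sysnames[] = { "ext4", "knark", "unix" };

/* Runs the check on the constructed sample; returns the first hidden name
 * or "" if none. */
const char *demo_first_hidden(void)
{
    static char hidden[4][MODNAME_LEN];
    size_t n = find_hidden_modules(sample_procmod, sample_sysnames, 3, hidden, 4);
    return n ? hidden[0] : "";
}

int main(void)
{
    static char procmod[1 << 16];
    FILE *f = fopen("/proc/modules", "r");
    if (!f) { perror("/proc/modules"); return 1; }
    procmod[fread(procmod, 1, sizeof procmod - 1, f)] = '\0';
    fclose(f);

    /* Keep only /sys/module entries that carry an initstate attribute:
     * loaded modules have one, the parameter-only entries that built-in
     * code also gets under /sys/module do not. */
    const char *names[1024];
    size_t count = 0;
    DIR *d = opendir("/sys/module");
    if (!d) { perror("/sys/module"); return 1; }
    for (struct dirent *e; (e = readdir(d)) && count < 1024; ) {
        char path[300];
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/sys/module/%s/initstate", e->d_name);
        FILE *s = fopen(path, "r");
        if (!s) continue;
        fclose(s);
        names[count++] = strdup(e->d_name);
    }
    closedir(d);

    char hidden[64][MODNAME_LEN];
    size_t n = find_hidden_modules(procmod, names, count, hidden, 64);
    for (size_t i = 0; i < n; i++)
        printf("%s: in /sys/module but not in /proc/modules\n", hidden[i]);
    printf("%zu loaded module(s) checked, %zu hidden candidate(s)\n", count, n);
    for (size_t i = 0; i < count; i++) free((char *)names[i]);
    return n ? 2 : 0;
}
```

Compile with `cc -o hiddenmod hiddenmod.c` and run as root; a non-zero exit means a candidate was found. The check only catches a module that forgot about sysfs: one that also deletes its kobject, or hooks the reads of /proc and /sys, passes it, which is why Andrew's other idea, examining kernel memory from outside the running kernel's own view of itself, remains the stronger test.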

