Re: Future Linux devel. Kernels

From: Jan-Benedict Glaw (jbglaw@lug-owl.de)
Date: Sun May 07 2000 - 13:49:36 EST


On Sun, May 07, 2000 at 02:13:40PM -0400, Ron Van Dam wrote:
> >> Security integrity checking ( log if the system was booted with a
> >> different kernel, log when kernel modules are loaded)
>
> >User space/bootloader/external hardware problem (how can a kernel that has
> >been tampered with audit itself? -- to be really sure you need external
> >tamperproof hardware)
>
> Well, my thought was if you are running syslog on another box you would have
> somewhat of a tamperproof system. For instance, an intruder compromises root
> and loads a kernel module to hide his/her activities. If modules are logged,
> there's one more piece of evidence that the system has been compromised.
> Right now (under 2.2 kernels) I do not see any logs when I load (or remove)
> modules.

You can simply log module loading by adding 2 or 3 LOC to
./kernel/kmod.c:exec_modprobe().

That's not the problem. The point is that an intruder wants to make himself
invisible. *If* he already is root, then he will simply kill sysklogd
before he loads that module...

> I'm thinking about including a unique ID in the kernel that is generated
> at compile time. All modules that are built must reference this ID. If I
> transfer a kernel module binary from a different system it would be refused.
> In order for me to build a new kernel module, I would have to build that
> module under my kernel. If the system doesn't have compiler tools, new
> modules can't be easily installed.

Unique IDs? We all love them...

Regards, JBG

-- 
Admit mistakes, show greatness: take back the spelling reform!!!
/* Jan-Benedict Glaw <jbglaw@lug-owl.de> -- +49-177-5601720 */
keyID=0x8399E1BB fingerprint=250D 3BCF 7127 0D8C A444 A961 1DBD 5E75 8399 E1BB
	...and on a topical note:	ILOVEYOU, Linux!
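A defender-side check for the remote-syslog arrangement discussed in this exchange, written as an added example and not code from the thread or the kernel: it parses lines collected from other hosts on a central loghost, lists kernel-module load/unload messages, and flags a host whose syslogd announced its own termination or whose periodic `-- MARK --` heartbeat stopped, which is what remains to be noticed when an intruder kills sysklogd before loading a module. The wording of the kernel's module-load message, the host names and the sample lines are constructed; only the `-- MARK --` heartbeat and the "exiting on signal" message are sysklogd's own.

```python
"""Offline check of a central syslog stream for kernel-module events and
for hosts whose syslog heartbeat stopped.  Added example; the module-load
message wording and the sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon dd HH:MM:SS host message" (the header carries no year).
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$')
# Assumed wording of a patched kernel's message; 2.2 kernels print nothing here.
MODULE_RE = re.compile(r'kernel: module (?P<action>load|unload) requested: (?P<name>\S+)')
MARK = '-- MARK --'          # sysklogd's periodic heartbeat (-m, 20 minutes by default)
STOP = 'exiting on signal'   # sysklogd's message on orderly termination (SIGTERM)


def parse_line(line, year=2000):
    """Return (timestamp, host, message) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
    return ts, m['host'], m['msg']


def analyze(lines, mark_interval_min=20, year=2000):
    """Return (module_events, findings) for a list of syslog lines.

    module_events: (ts, host, action, module) tuples in input order.
    findings: (host, reason) tuples.  A host is reported when its syslogd
    announced a shutdown, or when its MARK heartbeat has been missing for
    more than two intervals before the end of the captured window (covers
    the SIGKILL case, where no shutdown message is ever sent).
    """
    module_events, findings = [], []
    last_mark, window_end = {}, None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        window_end = ts if window_end is None or ts > window_end else window_end
        mm = MODULE_RE.search(msg)
        if mm:
            module_events.append((ts, host, mm['action'], mm['name']))
        if msg.endswith(MARK):
            last_mark[host] = ts
        if STOP in msg:
            findings.append((host, 'syslogd reported termination'))
    gap_limit = timedelta(minutes=2 * mark_interval_min)
    for host, ts in sorted(last_mark.items()):
        if window_end - ts > gap_limit:
            findings.append((host, f'no MARK since {ts:%H:%M}'))
    return module_events, findings


# Constructed sample: two hosts forward to one collector; db1 goes quiet at 13:32.
SAMPLE_LINES = [
    'May  7 13:00:00 web1 -- MARK --',
    'May  7 13:00:00 db1 -- MARK --',
    'May  7 13:05:12 web1 kernel: module load requested: nfs',
    'May  7 13:20:00 web1 -- MARK --',
    'May  7 13:20:00 db1 -- MARK --',
    'May  7 13:32:00 db1 syslogd: exiting on signal 15',
    'May  7 13:40:00 web1 -- MARK --',
    'May  7 14:00:00 web1 -- MARK --',
    'May  7 14:20:00 web1 kernel: module unload requested: nfs',
    'May  7 14:20:00 web1 -- MARK --',
]

if __name__ == '__main__':
    events, findings = analyze(SAMPLE_LINES)
    for ts, host, action, name in events:
        print(f'{ts:%b %d %H:%M:%S} {host}: module {action} {name}')
    for host, reason in findings:
        print(f'ALERT {host}: {reason}')
```

The interesting output is the absence: db1 never reports a module load, but the collector still records that its syslogd stopped and that its heartbeat went missing, which is the only trace the remote-syslog setup retains once the local daemon is gone.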

This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:21 EST