On Sun, 7 May 2000, Ron Van Dam wrote:
> Well, my thought was if you are running syslog on another box you would have
> somewhat of a tamperproof system. For instance, an intruder compromises root,
> loads a kernel module to hide his/her activities. If modules are logged
> there's one more piece of evidence that the system has been compromised.
> Right now (under 2.2 kernels) I do not see any logs when I load (or remove)
> modules.
>
In case anyone else wants module loading/unloading logging, here is the
patch against 2.3.99-pre7-6:
--- module.c.old Mon May 8 15:32:06 2000
+++ module.c Mon May 8 15:45:30 2000
@@ -337,6 +337,8 @@
/* And set it running. */
mod->flags = (mod->flags | MOD_RUNNING) & ~MOD_INITIALIZING;
error = 0;
+ /* Inform syslog that we are inserting a module */
+ printk(KERN_INFO "Inserted module %s.\n", mod->name);
goto err0;
err3:
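Review bot: the printk added after `error = 0;` records only `mod->name`, so the log line says a module was inserted but not by whom, which is the detail an audit trail on a remote syslog host needs most. Consider adding the caller's identity, for example `current->pid` and `current->uid`, to the message. Note also that the message sits after the flags are set to MOD_RUNNING and only on the success path: attempts that leave through the `err` labels produce no log entry, and the module is already marked running by the time the line is emitted. If the goal is evidence of tampering, logging the attempt earlier, and logging failures as well, would be more robust.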
@@ -831,9 +833,9 @@
continue;
p->next = mod->next;
}
-
+ /* Tell syslog that we are freeing the module */
+ printk(KERN_INFO "Deleted module %s.\n", mod->name);
/* And free the memory. */
-
module_unmap(mod);
}
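Review bot: the printk before `module_unmap(mod);` passes `mod->name` to `%s` verbatim, and the same applies to the "Inserted module" message in the first hunk; if the name can contain newlines or other control characters, a crafted name could make the log entry misleading, so it is worth restricting or escaping the name before it is logged. Placing the message before `module_unmap(mod)` is correct, since the name must be read while the module memory is still mapped. As a style point, the hunk also removes two blank lines unrelated to the change; keep the blank line after the closing brace of the loop and put the new comment and printk below it, so the patch contains only the functional addition.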
-- Piotr Wilkin pwilkin@astercity.net