This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: SystemTap / kprobes to watch for other probes?
- From: "James Dickens" <jamesd dot wi at gmail dot com>
- To: "Nathan DeBardeleben" <ndebard at lanl dot gov>
- Cc: "systemtap at sources dot redhat dot com" <systemtap at sources dot redhat dot com>
- Date: Thu, 21 Dec 2006 16:27:24 -0600
- Subject: Re: SystemTap / kprobes to watch for other probes?
- References: <458AD8C2.9010406@lanl.gov>
On 12/21/06, Nathan DeBardeleben <ndebard@lanl.gov> wrote:
Something I was wondering about is whether it would be possible to write
a SystemTap script that watched for other kprobes to be inserted and to
log them somehow. I'm a bit concerned about the security implications
of having kprobes turned on in the kernel and the fact that if someone
were able to insert a probe they could basically hide themselves by
hiding their module in the module list and doing assorted other
nefarious things. If there was a way to write a probe that was always
inserted, which just logged when another probe was inserted, I thought
that might be a neat thing.
Any thoughts on this?
Sorry, as with all security issues on Linux and Unix boxes, once the
user has root the game is over: you could monitor all you like, but
the bad guy can remove your monitoring module, remove the log
files, or pick any other method to break into the system.
James Dickens
uadmin.blogspot.com
--
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------
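A sketch of the always-inserted watcher Nathan asks about, added here as an example and not code from either poster. It assumes a kernel on which register_kprobe() and unregister_kprobe() are themselves probeable (on the 2.6-era kernels of this thread they were marked __kprobes and could not be) and a SystemTap with the symname() tapset function.

```systemtap
#!/usr/bin/stap
# Added example: audit trail of kprobe registration and removal.
# Assumes register_kprobe()/unregister_kprobe() are not on the kprobe
# blacklist of this kernel and that symname() exists in the tapsets.

# Report on return rather than entry: when the caller supplied
# symbol_name instead of addr, $p->addr is only filled in inside
# register_kprobe(). Only successful registrations are logged.
probe kernel.function("register_kprobe").return {
  if ($return == 0) {
    printf("%s pid=%d comm=%s registered kprobe at %p (%s)\n",
           ctime(gettimeofday_s()), pid(), execname(),
           $p->addr, symname($p->addr))
    # The kernel stack shows which module issued the registration.
    print_backtrace()
  }
}

probe kernel.function("unregister_kprobe") {
  printf("%s pid=%d comm=%s unregistered kprobe at %p (%s)\n",
         ctime(gettimeofday_s()), pid(), execname(),
         $p->addr, symname($p->addr))
}

probe begin { printf("kprobe watcher armed\n") }
```

Since, as James points out, root can unload the watcher or delete local logs, stream its output to a remote sink rather than a file on the same box.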