Message-ID: <458AD8C2.9010406@lanl.gov>
Date: Thu, 21 Dec 2006 19:47:00 -0000
From: Nathan DeBardeleben
To: "systemtap@sources.redhat.com"
Subject: SystemTap / kprobes to watch for other probes?

Something I was wondering about is whether it would be possible to write a SystemTap script that watched for other kprobes to be inserted and to log them somehow. I'm a bit concerned about the security implications of having kprobes turned on in the kernel and the fact that if someone were able to insert a probe they could basically hide themselves by hiding their module in the module list and doing assorted other nefarious things.
If there was a way to write a probe that was always inserted which just logged when another probe was inserted, I thought that might be a neat thing.

Any thoughts on this?

-- 
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------