public inbox for systemtap@sourceware.org
From: "James Dickens" <jamesd.wi@gmail.com>
To: "Nathan DeBardeleben" <ndebard@lanl.gov>
Cc: "systemtap@sources.redhat.com" <systemtap@sources.redhat.com>
Subject: Re: SystemTap / kprobes to watch for other probes?
Date: Fri, 22 Dec 2006 10:36:00 -0000
Message-ID: <cd09bdd10612211427r380066ddtcc07c8c78e7b41e0@mail.gmail.com>
In-Reply-To: <458AD8C2.9010406@lanl.gov>

On 12/21/06, Nathan DeBardeleben <ndebard@lanl.gov> wrote:
> Something I was wondering about is whether it would be possible to write
> a SystemTap script that watched for other kprobes to be inserted and to
> log them somehow.  I'm a bit concerned about the security implications
> of having kprobes turned on in the kernel and the fact that if someone
> were able to insert a probe they could basically hide themselves by
> hiding their module in the module list and doing assorted other
> nefarious things.  If there was a way to write a probe that was always
> inserted which just logged when another probe was inserted I thought
> that might be a neat thing.
>
> Any thoughts on this?
>
Sorry, as with all security issues on Linux and Unix boxes, once the
user has root the game is over; you could monitor all you like, but
the bad guy can remove your monitoring module, or remove the log
files, or pick any other method to break into the system.

James Dickens
uadmin.blogspot.com


> --
> -- Nathan
> Correspondence
> ---------------------------------------------------------------------
> Nathan DeBardeleben, Ph.D.
> Los Alamos National Laboratory
> Parallel Tools Team
> High Performance Computing Environments
> phone: 505-667-3428
> email: ndebard@lanl.gov
> ---------------------------------------------------------------------
>
>
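For readers who want to see what the probe Nathan describes would look like, here is an added example written for this archive page; it is not code from either poster and not part of the SystemTap project. It hooks the kernel's register_kprobe() and unregister_kprobe() entry points and logs who is registering probes on what. It assumes a kernel with debuginfo available (so the `$p` argument, a `struct kprobe *`, can be dereferenced) and that `symname()`, `caller_addr()`, `execname()` and the other tapset functions behave as documented in the SystemTap tapset reference.

```systemtap
#! /usr/bin/env stap
# Added example (not from the thread): audit kprobe registrations.
# Assumes kernel debuginfo so that $p (struct kprobe *) resolves.

# Every kprobe, including the ones SystemTap itself installs,
# passes through register_kprobe(), so this sees new instrumentation
# from any loaded module.
probe kernel.function("register_kprobe")
{
    # $p->addr is the instruction being probed; symname() maps it
    # back to the nearest kernel symbol. caller_addr() identifies
    # which code path (core kernel or a module) asked for the probe.
    printf("%s register_kprobe pid=%d comm=%s target=%s (0x%x) caller=%s\n",
           ctime(gettimeofday_s()), pid(), execname(),
           symname($p->addr), $p->addr, symname(caller_addr()))
}

# Log the return value as well, so failed registrations
# (for example a refused address) are distinguishable from
# successful ones.
probe kernel.function("register_kprobe").return
{
    if ($return != 0)
        printf("%s register_kprobe FAILED rc=%d pid=%d comm=%s\n",
               ctime(gettimeofday_s()), $return, pid(), execname())
}

# Removal of probes is just as interesting for an auditor: an
# instrumented function suddenly losing its probe is worth a look.
probe kernel.function("unregister_kprobe")
{
    printf("%s unregister_kprobe pid=%d comm=%s target=%s caller=%s\n",
           ctime(gettimeofday_s()), pid(), execname(),
           symname($p->addr), symname(caller_addr()))
}
```

Run it directly with `stap watch_kprobes.stp`, or build it once with `stap -p4 -m kprobe_watch watch_kprobes.stp` and load the resulting module with `staprun kprobe_watch.ko` so it can be started from an init script as the "always inserted" probe Nathan asks about. The first lines it prints will be the stap process registering this script's own probes, which is a useful sanity check. James's point still stands: the watcher is itself a loadable module, so anyone who already has root can unload it or edit the log. Treat the output as an audit trail to ship off the box, not as a control that prevents anything.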

Thread overview:
2006-12-21 19:47 Nathan DeBardeleben
2006-12-22 10:36 ` James Dickens [this message]
2006-12-21 23:56 Stone, Joshua I