From: "James Dickens"
To: "Nathan DeBardeleben"
Cc: "systemtap@sources.redhat.com"
Subject: Re: SystemTap / kprobes to watch for other probes?
Date: Fri, 22 Dec 2006 10:36:00 -0000
In-Reply-To: <458AD8C2.9010406@lanl.gov>
References: <458AD8C2.9010406@lanl.gov>
Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm
X-SW-Source: 2006-q4/txt/msg00749.txt.bz2

On 12/21/06, Nathan DeBardeleben wrote:
> Something I was wondering about is whether it would be possible to write
> a SystemTap script that watched for other kprobes to be inserted and to
> log them somehow. I'm a bit concerned about the security implications
> of having kprobes turned on in the kernel and the fact that if someone
> were able to insert a probe they could basically hide themselves by
> hiding their module in the module list and doing assorted other
> nefarious things. If there was a way to write a probe that was always
> inserted which just logged when another probe was inserted I thought
> that might be a neat thing.
>
> Any thoughts on this?
>

Sorry, as with all security issues on Linux and Unix boxes, once the user
has root the game is over. You could monitor all you like, but the bad guy
can remove your monitoring module, remove the log files, or pick any other
method to break into the system.

James Dickens
uadmin.blogspot.com

> --
> -- Nathan
> Correspondence
> ---------------------------------------------------------------------
> Nathan DeBardeleben, Ph.D.
> Los Alamos National Laboratory
> Parallel Tools Team
> High Performance Computing Environments
> phone: 505-667-3428
> email: ndebard@lanl.gov
> ---------------------------------------------------------------------
>
>
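[Editor's note: the watcher Nathan describes is straightforward to write, so
here is an added example of what it looks like. It is not code from this
thread, from Nathan, from James or from the SystemTap project. It hooks the
kprobes API itself: register_kprobe() and unregister_kprobe() in
kernel/kprobes.c, whose first parameter is `struct kprobe *p`, so `$p->addr`
is the address being probed. In the 2.6 kernels of the period jprobes and
kretprobes are registered through register_kprobe() as well, so they show up
too. Assumptions: kernel debuginfo is installed (SystemTap needs it for
kernel.function probes anyway), and symname() is available from the tapset,
which is true of later SystemTap releases but not necessarily of a 2006 one;
drop it and keep the %p if your tapset lacks it.]

```systemtap
#! /usr/bin/env stap
# Added example, not from the mailing-list thread: log every kprobe
# registration and removal by probing the kprobes API itself.
# Assumes kernel debuginfo so that $p (the `struct kprobe *` parameter of
# register_kprobe/unregister_kprobe) resolves, and a tapset with symname().
# Limits: the script cannot see its own first probe being armed (it is not
# active until register_kprobe has returned for it), it will log the rest of
# its own probes at startup, it covers only the kprobes API and not other
# ways of patching kernel text, and, as James says, root can unload it.

global pending   # tid -> address passed to register_kprobe, entry to return

probe kernel.function("register_kprobe")
{
    pending[tid()] = $p->addr
}

probe kernel.function("register_kprobe").return
{
    addr = pending[tid()]
    delete pending[tid()]
    # $return is 0 on success, -errno if the kernel refused the probe
    printf("%s register_kprobe by %s[%d] at %p (%s) -> %d\n",
           ctime(gettimeofday_s()), execname(), pid(),
           addr, symname(addr), $return)
}

probe kernel.function("unregister_kprobe")
{
    printf("%s unregister_kprobe by %s[%d] at %p (%s)\n",
           ctime(gettimeofday_s()), execname(), pid(),
           $p->addr, symname($p->addr))
}
```

Run it as root with `stap -v watch-kprobes.stp` and leave it running; loading
another stap script or a kprobes-based module in a second terminal produces
one line per probe with the registering process and the probed symbol. Logging
execname()/pid() matters: a legitimate registration comes from staprun or
insmod/modprobe, so anything else is worth a look. Note that this only
records the fact of a registration; a root attacker can still unload the
watcher first, exactly as the reply above says.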