NetBSD Problem Report #15837

Received: (qmail 9198 invoked from network); 8 Mar 2002 16:05:40 -0000
Message-Id: <20020308160531.2A95431074@moog.laffeycomputer.com>
Date: Fri,  8 Mar 2002 10:05:31 -0600 (CST)
From: joe@laffeycomputer.com
Reply-To: joe@laffeycomputer.com
To: gnats-bugs@gnats.netbsd.org
Subject: kern security feature suggestion
X-Send-Pr-Version: 3.95

>Number:         15837
>Category:       kern
>Synopsis:       Kernel should log loading of all loadable modules
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          suspended
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 08 16:06:03 +0000 2002
>Closed-Date:    
>Last-Modified:  Fri May 05 05:24:02 +0000 2017
>Originator:     Joe Laffey
>Release:        NetBSD 1.5.3
>Organization:
Laffey Computer Imaging
>Environment:

System: NetBSD moog.laffeycomputer.com 1.5.2 NetBSD 1.5.2 (BADASS) #2: Tue Sep 10 01:07:20 CDT 1935 joe@moog:/root/mysrc/src/sys/arch/mac68k/compile/BADASS mac68k


>Description:
	It came to my attention that loadable kernel modules are not 
logged when they are loaded. I think that this could be a major risk when 
it comes to rootkits. Imagine a rootkit that loaded a kernel module that 
trapped a bunch of system calls. This module could intercept inode calls 
and all, making it virtually undetectable. If the initial loading were 
logged in gross detail (and the admin was smart enough to log everything 
to a second host or LPR) then there would be a trail to follow.

Since this is probably very easy to implement and could have some good 
benefits to help admins find rootkits I think it is a good idea.

>How-To-Repeat:
N/A
>Fix:
Have the kernel log loading of ALL kernel modules in explicit detail 
(size of module, name of module, inode, and anything else you can think 
of)
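
An added example, not part of this PR and not NetBSD's own code: the admin-side check that the report's trail would enable, run over kernel log lines of the kind the submitter asks for, as they would arrive on a second host. The log line format ("module loaded: name=... path=... size=..."), the module names, the paths and the use of /stand as the trusted module directory are all assumptions made for illustration; the PR does not show what the kernel actually prints, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the PR or NetBSD). Reads kernel log lines and
# reports module loads that are not on an administrator allowlist, or that
# came from outside the trusted module directory.
# ASSUMED log format for illustration only; the exact text the kernel
# emits is not shown in the PR.

# Constructed sample of what a loghost might receive from kern.* after a
# syslog.conf line such as:   kern.*    @loghost
sample_log() {
    cat <<'EOF'
Mar  8 10:05:31 moog /netbsd: module loaded: name=ffs path=/stand/mac68k/modules/ffs.kmod size=81920
Mar  8 10:05:31 moog /netbsd: module loaded: name=lfs path=/stand/mac68k/modules/lfs.kmod size=70656
Mar  8 10:07:02 moog sshd[1234]: Accepted publickey for joe from 192.0.2.10
Mar  8 10:09:45 moog /netbsd: module loaded: name=adore path=/tmp/.x/adore.kmod size=16384
EOF
}

# Print "name path size" for every module-load line read on stdin.
module_loads() {
    awk '/\/netbsd: module loaded: / {
        n = p = s = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) n = substr($i, 6);
            if ($i ~ /^path=/) p = substr($i, 6);
            if ($i ~ /^size=/) s = substr($i, 6);
        }
        if (n != "") print n, p, s
    }'
}

# $1: allowlist file with one expected module name per line.
# $2: trusted module directory (default /stand, an assumption).
# Reads module_loads output on stdin and prints one line per finding.
unexpected_loads() {
    allow="$1"
    trusted_dir="${2:-/stand}"
    while read -r name path size; do
        if ! grep -qx "$name" "$allow"; then
            echo "UNEXPECTED module $name from $path ($size bytes)"
        elif [ "${path#$trusted_dir/}" = "$path" ]; then
            echo "UNTRUSTED PATH for module $name: $path"
        fi
    done
}

# Usage against the constructed sample, allowing only ffs and lfs:
#   printf 'ffs\nlfs\n' > /tmp/modules.allow
#   sample_log | module_loads | unexpected_loads /tmp/modules.allow
```

The check only has value if the lines reach a host the rootkit cannot touch: a module that hooks the syscall table can also scrub a local /var/log/messages, which is why the report ties the proposal to logging on a second host.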

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->ad
Responsible-Changed-By: pooka@narn.netbsd.org
Responsible-Changed-When: Sat, 19 Jan 2008 22:20:16 +0200
Responsible-Changed-Why:
ad is working on the new module system


State-Changed-From-To: open->closed
State-Changed-By: ad@NetBSD.org
State-Changed-When: Thu, 06 Mar 2008 13:53:10 +0000
State-Changed-Why:
log() or printf() don't suffice here - this is a job for an audit facility
like BSM. On the basis that implementing such a facility is an obvious
project, I'm closing the PR.


From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: ad@NetBSD.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org,
	joe@laffeycomputer.com
Subject: Re: kern/15837 (Kernel should log loading of all loadable modules)
Date: Thu, 6 Mar 2008 17:03:54 +0000

 On Thu, Mar 06, 2008 at 01:53:10PM +0000, ad@NetBSD.org wrote:
  > Synopsis: Kernel should log loading of all loadable modules
  > 
  > State-Changed-From-To: open->closed
  > State-Changed-By: ad@NetBSD.org
  > State-Changed-When: Thu, 06 Mar 2008 13:53:10 +0000
  > State-Changed-Why:
  > log() or printf() don't suffice here - this is a job for an audit facility
  > like BSM. On the basis that implementing such a facility is an obvious
  > project, I'm closing the PR.

 Er, how about putting in a printf until such time as a good logging
 facility is available?

 -- 
 David A. Holland
 dholland@netbsd.org

Responsible-Changed-From-To: ad->dholland
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Mon, 31 May 2010 02:49:40 +0000
Responsible-Changed-Why:
ad is not interested in doing this


State-Changed-From-To: closed->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 31 May 2010 02:49:40 +0000
State-Changed-Why:
this should be done


Responsible-Changed-From-To: dholland->pgoyette
Responsible-Changed-By: pgoyette@NetBSD.org
Responsible-Changed-When: Mon, 14 Mar 2016 05:11:51 +0000
Responsible-Changed-Why:
I'll take a stab at it.


State-Changed-From-To: open->suspended
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Tue, 15 Mar 2016 03:26:09 +0000
State-Changed-Why:
Interim fix committed in src/sys/kern/kern_module_vfs.c rev 1.14

A more complete fix needs to wait until an appropriate audit facility
is available.


Responsible-Changed-From-To: pgoyette->kern-bug-people
Responsible-Changed-By: pgoyette@NetBSD.org
Responsible-Changed-When: Fri, 05 May 2017 05:24:02 +0000
Responsible-Changed-Why:
Back to category owner - I'm not going to get to this for a very long time.


>Unformatted:
