This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: SystemTap / kprobes to watch for other probes?


On 12/21/06, Nathan DeBardeleben <ndebard@lanl.gov> wrote:
Something I was wondering about is whether it would be possible to write
a SystemTap script that watched for other kprobes to be inserted and to
log them somehow.  I'm a bit concerned about the security implications
of having kprobes turned on in the kernel and the fact that if someone
were able to insert a probe they could basically hide themselves by
hiding their module in the module list and doing assorted other
nefarious things.  If there was a way to write a probe that was always
inserted which just logged when another probe was inserted I thought
that might be a neat thing.

Any thoughts on this?

Sorry, as with all security issues on Linux and Unix boxes, once the
user has root the game is over. You could monitor all you like, but
the bad guy can remove your monitoring module, or remove the log
files, or pick any other method to break into the system.

James Dickens
uadmin.blogspot.com


--
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------
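The "probe that is always inserted and logs when another probe is inserted" that Nathan describes can be sketched as a SystemTap script. The script below is an added example written for this archive page, not code from either poster or from the SystemTap project. It assumes the running kernel allows probes on register_kprobe(), register_kretprobe() and unregister_kprobe() (on kernels of the thread's era these functions were themselves marked __kprobes and therefore blacklisted, in which case stap refuses the probe point), that kernel debuginfo is installed so the struct kprobe fields can be read, and that the syscall tapset provides the init_module/finit_module aliases used as a fallback for plain module loads. The `?` suffix marks probe points the script can live without.

```systemtap
#! /usr/bin/env stap
# kprobe_watch.stp (added example, hypothetical name): log who registers or
# removes kprobes, and which modules get loaded, with the registering
# process and the kernel-side caller of register_kprobe().

# Resolve the target of a struct kprobe* to a printable string: the symbol
# name when one was supplied, otherwise the resolved raw address.
function kp_target:string(kp:long) {
    sym = @cast(kp, "kprobe", "kernel")->symbol_name
    if (sym != 0)
        return kernel_string2(sym, "<unreadable symbol_name>")
    addr = @cast(kp, "kprobe", "kernel")->addr
    return sprintf("%s (0x%x)", symname(addr), addr)
}

# One log line per event; COMM/PID identify the user-space process whose
# module init is registering the probe (insmod, modprobe, staprun, ...),
# CALLER is the in-kernel function that called into the kprobes API.
function emit(event:string, target:string, extra:string) {
    printf("%s %-18s pid=%d comm=%s target=%s %s\n",
           ctime(gettimeofday_s()), event, pid(), execname(), target, extra)
}

probe begin {
    printf("kprobe_watch: started, watching kprobe registration and module loads\n")
}

# Every plain kprobe registration. $p is the struct kprobe* argument.
probe kernel.function("register_kprobe") ? {
    emit("register_kprobe", kp_target($p), "caller=" . caller())
}

# Return probes embed a struct kprobe as their first member, 'kp'.
probe kernel.function("register_kretprobe") ? {
    emit("register_kretprobe", kp_target(&$rp->kp), "caller=" . caller())
}

# Removal is just as interesting: an intruder tearing down someone else's
# monitoring probes shows up here.
probe kernel.function("unregister_kprobe") ? {
    emit("unregister_kprobe", kp_target($p), "caller=" . caller())
}

# Fallback that works even where the kprobes API itself is unprobeable:
# record every module load request, since kprobes arrive inside modules.
# 'name' and 'argstr' are set by the syscall tapset for each alias.
probe syscall.init_module ?, syscall.finit_module ? {
    emit(name, "-", "args=" . argstr)
}

probe end {
    printf("kprobe_watch: stopped\n")
}
```

Run it as root with `stap -v kprobe_watch.stp`, and pipe or `-o` the output somewhere a local root cannot quietly edit, for example `stap kprobe_watch.stp | logger -t kprobe-watch` with syslog forwarding to another host; that is the practical answer to James's objection that the log files can simply be removed, though it does not stop root from unloading the stap module itself, so the disappearance of the "kprobe_watch" stream is itself the signal to alert on. Expect staprun's own registrations for this script, and for any other stap session, to appear in the log; the comm and caller columns make them easy to separate from an unexpected insmod.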



