This repository has been archived by the owner on Feb 22, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
Block incoming modules and log emergency alerts in case of trying to insert a new module or removing an existing one
License
CERN-CERT/dresden
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
+----------------------------+
+ dresden +
+----------------------------+
Product name: dresden
Date: Jul 9 2012
Version: 1.0
Vendor: CERN
Author: Panos Sakkos while at Computer Security Team
CST Email: cert-sec@cern.ch
Author Email: <panos.sakkos@cern.ch>
License: GPLv3
+-------+
|License|
+-------+
Copyright 2012 CERN. This software is distributed under the terms of the GNU General Public
Licence version 3 (GPL Version 3), copied verbatim in the file COPYING. In applying this licence,
CERN does not waive the privileges and immunities granted to it by virtue of its status as an
Intergovernmental Organization or submit itself to any jurisdiction.
+-----------+
|Description|
+-----------+
dresden is a kernel module that will log emergency messages for every attempt of inserting or removing a kernel module.
Also, it will block the insertion of every kernel module, by replacing the init functio of the (wannabe) incoming module
with a function crafted for failure. After deploying dresden, you will not be able to remove it. It will delete itself from
the list of the loaded kernel modules.
+--------------------------+
|Supported kernel versions |
+--------------------------+
2.6.18 up to 3.4.9
+--------------------------+
|Format of the log messages|
+--------------------------+
Jul 9 13:36:05 kmod-testing kernel: dresden: Kernel module insertion blocker and action notifier by CERN Security Team
Jul 9 13:36:05 kmod-testing kernel: dresden: [+] Future loading of kernel modules will be prevented
Jul 9 13:36:05 kmod-testing kernel: dresden: [+] Emergency messages will be logged in case of trying to load or unload a module
Jul 9 13:36:05 kmod-testing kernel: dresden: [+] You are not able to remove this module
Trying to insert a module:
[root@kmod-testing netlog]# insmod ./netlog.ko
Message from syslogd@kmod-testing at Jul 9 13:36:52 ...
kernel:dresden: event: MODULE_STATE_COMING name: netlog init: 0xffffffffa0038000 size of init (text + data) 0x137e core: 0xffffffffa07c7000 size of core (text + data) 0x20037a8
Message from syslogd@kmod-testing at Jul 9 13:36:52 ...
kernel:dresden: New module is th name netlog. Its functionality will be disabled
Message from syslogd@kmod-testing at Jul 9 13:36:52 ...
kernel:dresden: event: MODULE_STATE_GOING name: netlog core: 0xffffffffa07c7000 size of core (text + data) 0x20037a8
insmod: error inserting './netlog.ko': -1 Operation not permitted
[root@kmod-testing netlog]#
Jul 9 13:36:52 kmod-testing kernel: dresden: event: MODULE_STATE_COMING name: netlog init: 0xffffffffa0038000 size of init (text + data) 0x137e core: 0xffffffffa07c7000 size of core (text + data) 0x20037a8
Jul 9 13:36:52 kmod-testing kernel: dresden: New module is th name netlog. Its functionality will be disabled
Jul 9 13:36:52 kmod-testing kernel: Module insertion blocked by CERN's dresden
Jul 9 13:36:52 kmod-testing kernel: dresden: event: MODULE_STATE_GOING name: netlog core: 0xffffffffa07c7000 size of core (text + data) 0x20037a8
+--------------+
|How to compile|
+--------------+
In the src directory run:
make
Then run:
insmod ./dresden.ko
You cannot remove dresden after insertion.
+----------+
|References|
+----------+
Linux Source Code:
http://www.kernel.org/
Scientific Linux CERN
http://linux.web.cern.ch/linux/
Harry Dresden:
http://en.wikipedia.org/wiki/Harry_Dresden
About
Block incoming modules and log emergency alerts in case of trying to insert a new module or removing an existing one
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published