From: Michele Andreoli (m.andreoli@tin.it)
Date: Sat Nov 11 2000 - 12:53:45 CET
I developed a kernel module (a simple case study) able to detect any
opened file and to write its name on the console and on the syslog
/var/log/messages.
It run in 2.2.5 version (insmod my.o), and, maybe, also higger,
if you force the loading under wrong version: insmod -f my.o.
The module replace the internal syscall open() with an hand-made one,
after that it call the real one.
It can easily modified to detect is a file is opened by PGP, for
example. Maybe, changing some other syscall, the module may be able
to write in the syslog also passwords, passphrases, or the plaintext
being cyphered.
Il will send on the list the spy.tgz archive (only 1215 Kb); you will
find also a script "comp" able to compile it.
This scope is to show how is insecure a multi-user system: the superuser
can load the module at startup!
Michele
-- "I'd like to conclude with a positive statement, but I can't remember any. Would two negative ones do?" -- Woody Allen
---------------------------------------------------------------------
To unsubscribe, e-mail: mulinux-unsubscribe@sunsite.auc.dk
For additional commands, e-mail: mulinux-help@sunsite.auc.dk
This archive was generated by hypermail 2.1.6 : Sat Feb 08 2003 - 15:27:16 CET