Title
#general
e

Eoin Miller

10/31/2019, 10:04 PM
Would it be a good idea to add
path
and maybe some signing information to the
kernel_modules
table? It looks like table currently is very similar to output from
lsmod
, but if we could also get some of the items from
modinfo
(like filename and signing info) then you could do things like
JOIN hash USING (path)
to get hashes of the modules to find unique ones and do hash lookups for known bad.
user@ubuntu:~$ lsmod | grep intel_rapl_perf
intel_rapl_perf        16384  0

user@ubuntu:~$ sudo modinfo intel_rapl_perf
filename:       /lib/modules/4.15.0-66-generic/kernel/arch/x86/events/intel/intel-rapl-perf.ko
license:        GPL
srcversion:     F7ACBF921FF58C3A9F81470
...
signat:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
theopolis

theopolis

10/31/2019, 10:25 PM
I think yes, iirc it was difficult to get this information from the APIs available.
e

Eoin Miller

10/31/2019, 11:36 PM
It looks like
modinfo
just searches
/lib/modules/
for the module name in question (after replacing all
_
with
-
and ignores the file extension) https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n187 https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n140
theopolis

theopolis

11/01/2019, 1:16 AM
How “correct” and “perfect” is that approach. Seems prone to error if at runtime I delete/modify one of those files.
1:16 AM
That means you are hashing the wrong content
e

Eoin Miller

11/01/2019, 2:28 PM
I think that could that be said about hashing any file on disk? I would think that attackers would want the module they dropped to stay there for persistence.
8:12 PM
maybe do the
on_disk
column as well?
theopolis

theopolis

11/05/2019, 12:41 AM
You could hack this together with a query, right? Knowing the kernel version and the common path structure?
12:43 AM
The on_disk is a little different, /prod provides a symlink/fd to the program that was executed and signals if the current path has the same inode (I may be getting some specific details incorrect), but it’s a high fidelity column that is strictly related to the pid