Commit aea0d354 authored by Axel Beckert

Add generic Diamorphine-based LKM detection

parent 563e7aa0
......@@ -10,7 +10,9 @@ How it works
------------
`ioc-local-check.pl` is the actual check which runs on the system
being checks.
being checks. It checks for known file IOCs and Linux kernel module
IOCs as well as for generic Diamorphine based kernel modules of
unknown name.
`ioc-remote-check.sh` copies `ioc-local-check.pl` to all to-be-checked
systems via scp, calls it, and removes it again. Currently only
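Review bot: the typo "being checks" from the removed line is carried over unchanged into the new line ("on the system being checks. It checks for known file IOCs ..."); since the line is being rewritten anyway, make it "being checked". Also "Diamorphine based kernel modules" reads better hyphenated as "Diamorphine-based", matching the commit title.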
......@@ -64,4 +66,7 @@ Requirements
* `getent`
* `awk` (`mawk` suffices, no `gawk` needed.)
* `hostname`
* `kill`
* `lsmod`
* `sort`
* `diff`
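Review bot: `kill` is listed as an external requirement, but the script only ever invokes it as `system('kill -63 $$')`, i.e. through `/bin/sh -c`, where `kill` is a shell builtin in every POSIX shell, so the actual dependency is on `/bin/sh` rather than on a `kill` binary; worth saying so here. The other three new entries (`lsmod`, `sort`, `diff`) are only needed for the new diff-based check, so a short note that they belong to `ioc-local-check.pl` on the checked host (not to the caller of `ioc-remote-check.sh`) would help people preparing target systems.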
......@@ -94,17 +94,33 @@ foreach my $glob (sort keys %ioc) {
}
}
# Check for the diamorphine Linux Kernel Module
# Check for the Diamorphine Linux Kernel Module
# (https://github.com/m0nad/Diamorphine)
# First check for known bad LKM names
# Perl's "kill(63, $$);" kills the script, so let's put a /bin/sh inbetween.
system('kill -63 $$');
my @lsmod = `lsmod`;
my @suspicious = grep /\b(diamorphine|scsi|iscsi|readaps)\b/, @lsmod;
foreach my $lkm (@suspicious) {
print "$hostname: SUSPICIOUS KERNEL MODULE: $lkm";
print "$hostname: KNOWN SUSPICIOUS KERNEL MODULE: $lkm";
$found++;
}
# Now do the same, just diff-based
system('kill -63 $$');
system("lsmod | sort > $0.$$.lsmod1");
system('kill -63 $$');
system("lsmod | sort > $0.$$.lsmod2");
my @diff = `diff $0.$$.lsmod1 $0.$$.lsmod2`;
unlink("$0.$$.lsmod1", "$0.$$.lsmod2");
foreach my $diffline (@diff) {
print "UNKNOWN SUSPICIOUS KERNEL MODULE: $diffline";
$found++ if $diffline =~ /^[<>]/;
}
# Summary
if ($verbose) {
if ($found == 0) {
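Review bot: the three `kill -63` toggles in this hunk (before the name grep, before `lsmod1`, before `lsmod2`) leave the module's visibility flipped when the script exits: signal 63 toggles Diamorphine's module visibility, and an odd number of toggles means a module that was hidden on entry is left visible, while a module that was already visible is hidden by the first toggle and missed by the known-name grep (the diff-based check still flags it, so nothing is lost, but the known-name message is then wrong). Sending a fourth `system('kill -63 $$');` after the diff restores the original state and keeps the check side-effect free. The comment about `kill(63, $$)` is also misleading: inside single quotes Perl does not interpolate `$$`, so the shell expands it to the PID of the short-lived `/bin/sh` child, which is exactly why the script survives when no hooking module is loaded (the real signal 63 terminates the shell, not the Perl process); reword the comment to say that. In the diff loop every line is printed, including `diff`'s `NaNN` hunk headers, and without the `$hostname:` prefix the other messages use; filter on `/^[<>]/` before printing (as the `$found++` line already does) and add the prefix. Finally, `$0.$$.lsmod1`/`lsmod2` are created at a predictable name next to the script path; capturing `lsmod` into two arrays in Perl and comparing them in-process (or at least using `File::Temp`) avoids the temp files and the `sort`/`diff` dependencies.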