Subject: kern/15837: kern security feature suggestion
To: None <gnats-bugs@gnats.netbsd.org>
From: None <joe@laffeycomputer.com>
List: netbsd-bugs
Date: 03/08/2002 10:05:31
>Number:         15837
>Category:       kern
>Synopsis:       Kernel should log loading of all loadable modules
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 08 08:06:03 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Joe Laffey
>Release:        NetBSD 1.5.3
>Organization:
Laffey Computer Imaging
>Environment:
System: NetBSD moog.laffeycomputer.com 1.5.2 NetBSD 1.5.2 (BADASS) #2: Tue Sep 10 01:07:20 CDT 1935 joe@moog:/root/mysrc/src/sys/arch/mac68k/compile/BADASS mac68k

>Description:
It came to my attention that loadable kernel modules are not 
logged when they are loaded. I think that this could be a major risk when 
it comes to rootkits. Imagine a rootkit that loaded a kernel module that 
trapped a bunch of system calls. This module could intercept inode calls 
and all, making it virtually undetectable. If the initial loading were 
logged in gross detail (and the admin was smart enough to log everything 
to a second host or LPR) then there would be a trail to follow.

Since this is probably very easy to implement and could have some good 
benefits to help admins find rootkits I think it is a good idea.

>How-To-Repeat:
N/A
>Fix:
Have the kernel log loading of ALL kernel modules in explicit detail 
(size of module, name of module, inode, and anything else you can think 
of)

>Release-Note:
>Audit-Trail:
>Unformatted:
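As an added example (not part of this PR or of NetBSD's own code) of how the trail proposed above could be consumed on the second host the submitter mentions: a small Python checker that parses a hypothetical module-load syslog record carrying the module's name, size and inode, and flags loads that do not match a per-host baseline. The record format, host name, module name, sizes and paths are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical record format assumed for this example; NetBSD 1.5 emitted no such line.
LOAD_RE = re.compile(r"lkm: loaded module (?P<name>\S+) size=(?P<size>\d+) "
                     r"inode=(?P<ino>\d+) from (?P<path>\S+)")

@dataclass(frozen=True)
class ModuleLoad:
    host: str
    name: str
    size: int
    ino: int
    path: str

def parse_load_events(lines):
    """Extract module-load records from syslog lines as received on the loghost."""
    events = []
    for line in lines:
        m = LOAD_RE.search(line)
        if not m:
            continue  # unrelated syslog traffic
        host = line.split()[3]  # classic syslog layout: "Mon DD HH:MM:SS host prog: msg"
        events.append(ModuleLoad(host, m["name"], int(m["size"]), int(m["ino"]), m["path"]))
    return events

def audit_loads(events, baseline):
    """Compare each load against a per-host allowlist {host: {name: (size, path)}}.
    Returns (reason, event) pairs; an empty list means every load matched the baseline."""
    findings = []
    for ev in events:
        expected = baseline.get(ev.host, {}).get(ev.name)
        if expected is None:
            findings.append(("module not in baseline", ev))
        elif ev.size != expected[0]:
            findings.append(("size differs from baseline", ev))
        elif ev.path != expected[1]:
            findings.append(("loaded from unexpected path", ev))
    return findings

# Constructed sample: one expected load, unrelated noise, and a same-named module of a
# different size loaded from a scratch directory, which is what the logged trail would reveal.
SAMPLE_LOG = [
    "Mar  8 10:01:12 moog /netbsd: lkm: loaded module vfs_null size=8192 inode=4711 from /usr/lkm/vfs_null.o",
    "Mar  8 10:02:40 moog sshd[123]: Accepted publickey for joe",
    "Mar  8 03:14:15 moog /netbsd: lkm: loaded module vfs_null size=12288 inode=9001 from /tmp/vfs_null.o",
]
BASELINE = {"moog": {"vfs_null": (8192, "/usr/lkm/vfs_null.o")}}

def run_sample():
    return audit_loads(parse_load_events(SAMPLE_LOG), BASELINE)
```

The inode and size fields are what make the second load stand out even though it reuses a legitimate module name, which is the reason the PR asks for those details rather than just the name.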