bytedance / Elkeid

Elkeid is an open source solution that can meet the security requirements of various workloads such as hosts, containers and K8s, and serverless. It is derived from ByteDance's internal best practices.
https://elkeid.bytedance.com

insmod: ERROR: could not insert module hids_driver.ko: Invalid parameters #16

Closed shen771 closed 3 years ago

shen771 commented 3 years ago

I tested on another machine and still hit the insmod: ERROR: could not insert module hids_driver.ko: Invalid parameters problem.

root@st-arch-sec-tool-1 (17:24:02) LKM # uname -a
Linux st-arch-sec-tool-1 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

root@st-arch-sec-tool-1 (17:24:02) LKM # yum install kernel-devel    // installs version 3.10.0-1160.15.2.el7

root@st-arch-sec-tool-1 (17:24:02) LKM # cd /lib/modules/3.10.0-514.el7.x86_64/
root@st-arch-sec-tool-1 (17:24:02) 3.10.0-514.el7.x86_64 # ln -s /usr/src/kernels/3.10.0-1160.15.2.el7.x86_64/ ./build    // create the symlink

root@st-arch-sec-tool-1 (17:23:30) LKM # make clean && make
make -C /lib/modules/3.10.0-514.el7.x86_64/build M=/tmp/AgentSmith-HIDS-main/driver/LKM clean
make[1]: Entering directory `/usr/src/kernels/3.10.0-1160.15.2.el7.x86_64'
/tmp/AgentSmith-HIDS-main/driver/LKM/Makefile:23:
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1160.15.2.el7.x86_64'
make -C /lib/modules/3.10.0-514.el7.x86_64/build M=/tmp/AgentSmith-HIDS-main/driver/LKM modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1160.15.2.el7.x86_64'
/tmp/AgentSmith-HIDS-main/driver/LKM/Makefile:23:
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/init.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/kprobe.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/trace.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/smith_hook.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/anti_rootkit.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/filter.o
  CC [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/src/util.o
  LD [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/hids_driver.o
  Building modules, stage 2.
/tmp/AgentSmith-HIDS-main/driver/LKM/Makefile:23:
  MODPOST 1 modules
  CC      /tmp/AgentSmith-HIDS-main/driver/LKM/hids_driver.mod.o
  LD [M]  /tmp/AgentSmith-HIDS-main/driver/LKM/hids_driver.ko
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1160.15.2.el7.x86_64'

root@st-arch-sec-tool-1 (17:24:02) LKM # dmesg    // showing the recent part of the log; I trimmed the irrelevant lines
[18652677.623901] device veth57b0d02 left promiscuous mode
[18652677.623912] docker0: port 1(veth57b0d02) entered disabled state
[22480499.183461] hids_driver: loading out-of-tree module taints kernel.
[22480499.183654] hids_driver: module verification failed: signature and/or required key missing - tainting kernel
[22480499.183864] hids_driver: Unknown symbol __check_object_size (err 0)
[22480499.183961] hids_driver: Unknown symbol x86_indirect_thunk_rax (err 0)
[22480499.183973] hids_driver: Unknown symbol x86_indirect_thunk_rdx (err 0)
[22480499.183987] hids_driver: Unknown symbol page_offset_base (err 0)
[22480499.183997] hids_driver: disagrees about version of symbol dentry_path_raw
[22480499.183998] hids_driver: Unknown symbol dentry_path_raw (err -22)
[22480499.184064] hids_driver: Unknown symbol _raw_qspin_lock (err 0)
[22480499.184073] hids_driver: disagrees about version of symbol d_path
[22480499.184074] hids_driver: Unknown symbol d_path (err -22)

root@st-arch-sec-tool-1 (17:35:19) LKM # cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 60
model name      : Intel Core Processor (Haswell, no TSX)
stepping        : 1
microcode       : 0x1
cpu MHz         : 2095.072
cache size      : 16384 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm arat fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt
bogomips        : 4190.14
clflush size    : 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

(processors 1, 2 and 3: identical output, with processor, physical id, apicid and initial apicid set to 1, 2 and 3 respectively)

EBWi11 commented 3 years ago

https://elixir.bootlin.com/linux/v3.10/source/fs/dcache.c#L2704

EBWi11 commented 3 years ago

uname -a Linux st-arch-sec-tool-1 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

yum install kernel-devel    // installs version 3.10.0-1160.15.2.el7

make[1]: Entering directory /usr/src/kernels/3.10.0-1160.15.2.el7.x86_64' /tmp/AgentSmith-HIDS-

Check here whether the kernel headers are mismatched.

shen771 commented 3 years ago

For 3.10.0-514, yum -y install kernel-devel-$(uname -r) could not find a matching devel package, which is why I installed 3.10.0-1160.

EBWi11 commented 3 years ago

@shen771 They have to match. You can either upgrade your CentOS, or find the 514 headers and install them: https://buildlogs.centos.org/c7.1611.01/kernel/20161117160457/3.10.0-514.el7.x86_64/
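A pre-flight check for the mismatch EBWi11 points at, added here as an example and not code from the Elkeid or AgentSmith-HIDS project: the release strings, `hids_driver.ko` and the `kernel-devel-$(uname -r)` package name come from the thread, the helper function names and the modules-root parameter are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Elkeid/AgentSmith-HIDS project code): pre-flight checks
# that the kernel-devel build tree and the built hids_driver.ko match the
# running kernel. With CONFIG_MODVERSIONS the kernel compares per-symbol CRCs,
# so a .ko built against 3.10.0-1160 headers is rejected by a 3.10.0-514
# kernel with "disagrees about version of symbol ..." and insmod's EINVAL.

# First field of a vermagic string as printed by `modinfo -F vermagic x.ko`,
# e.g. "3.10.0-1160.15.2.el7.x86_64 SMP mod_unload modversions".
vermagic_release() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# 0 when the module's vermagic release equals the running kernel release ($2).
vermagic_matches() {
    [ "$(vermagic_release "$1")" = "$2" ]
}

# Release string a build tree ($1, e.g. /lib/modules/<rel>/build) was
# generated for, read from its include/generated/utsrelease.h.
build_tree_release() {
    sed -n 's/^#define UTS_RELEASE "\([^"]*\)".*/\1/p' \
        "$1/include/generated/utsrelease.h"
}

# 0 when the tree under <root>/<release>/build was generated for <release>.
# $1: release (uname -r); $2: modules root, default /lib/modules (assumed
# parameter so the check can be exercised against a constructed tree).
build_tree_matches() {
    root=${2:-/lib/modules}
    tree="$root/$1/build"
    if [ ! -r "$tree/include/generated/utsrelease.h" ]; then
        echo "no build tree for $1: install kernel-devel-$1" >&2
        return 2
    fi
    [ "$(build_tree_release "$tree")" = "$1" ]
}

# Run on the host before `make` and again before `insmod`; $1 is the built .ko.
check_running_kernel() {
    rel=$(uname -r)
    build_tree_matches "$rel" || return 1
    if [ -n "$1" ]; then
        vermagic_matches "$(modinfo -F vermagic "$1")" "$rel" || return 1
    fi
    echo "build tree and module match running kernel $rel"
}
```

On the machine in this thread, `check_running_kernel` fails at the first step because `/lib/modules/3.10.0-514.el7.x86_64/build` points at the 3.10.0-1160 tree.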

EBWi11 commented 3 years ago

We will release prebuilt ko files for the common kernels later, ready to use out of the box.