tclahr / uac

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
https://tclahr.github.io/uac-docs
Apache License 2.0
782 stars 120 forks

An artifact does not work in kernel_tainted_state.yaml #262

Closed mnrkbys closed 3 months ago

mnrkbys commented 3 months ago

The following artifact in kernel_tainted_state.yaml does not work. It seems to be missing some options or other commands.

  -
    description: Display what modules are marked at tainting the kernel.
    supported_os: [linux]
    collector: command
    command: grep "(.*)" /proc/modules
    output_file: modules_tainting_the_kernel.txt
tclahr commented 3 months ago

That code returns modules tainting the kernel. Here is an example:

$ grep "(.*)" /proc/modules
taint_module 12288 0 - Live 0x0000000000000000 (POE)
tclahr commented 3 months ago

I have added an additional artifact to kernel_tainted_state.yaml:

-
    description: Display dmesg messages related to loaded modules tainting the kernel.
    supported_os: [linux]
    collector: command
    command: dmesg | grep -i taint
    output_file: modules_tainting_the_kernel_dmesg.txt

So here is all info collected by kernel_tainted_state.yaml:

# cat /proc/sys/kernel/tainted
12289

# dmesg | grep -i taint
[  592.445287] taint_module: loading out-of-tree module taints kernel.
[  592.445291] taint_module: module license 'Proprietary' taints kernel.
[  592.445292] Disabling lock debugging due to kernel taint
[  592.445294] taint_module: module verification failed: signature and/or required key missing - tainting kernel
[  592.445295] taint_module: module license taints kernel.
[  592.445727] Loading tainted module...

# grep "(.*)" /proc/modules
taint_module 12288 0 - Live 0x0000000000000000 (POE)
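One way to cross-check these three outputs on the analyst side, as an added example that is not part of UAC or of this thread: decode the /proc/sys/kernel/tainted bitmask and compare it with the per-module flag field that grep "(.*)" pulls out of /proc/modules. The sample input is constructed from the values shown above plus one ordinary in-tree module; the letter-to-bit table is the one in the kernel's tainted-kernels documentation.

```python
import re

# Taint letters by bit position, from the kernel's
# Documentation/admin-guide/tainted-kernels.rst (bit 0 = 'P', bit 18 = 'N').
# The three seen in this thread: P = proprietary module, O = out-of-tree
# module, E = unsigned module, i.e. the "(POE)" shown in /proc/modules.
TAINT_LETTERS = "PFSRMBUDAWCIOELKXTN"

# Constructed sample input reproducing the values from the thread, plus an
# ordinary in-tree module line that carries no taint field at all.
SAMPLE_TAINTED = "12289\n"
SAMPLE_MODULES = (
    "taint_module 12288 0 - Live 0x0000000000000000 (POE)\n"
    "ext4 987136 1 - Live 0x0000000000000000\n"
)


def decode_tainted(value):
    """Letters set in /proc/sys/kernel/tainted, lowest bit first."""
    return [letter for bit, letter in enumerate(TAINT_LETTERS) if value >> bit & 1]


# The flag field is the trailing "(...)"; a '+' or '-' inside it marks a module
# that is still coming or going and is not a taint flag.
_MOD_RE = re.compile(r"^(\S+)\s.*\(([A-Z+\-]+)\)\s*$")


def parse_proc_modules(text):
    """Module name -> set of taint letters, for the lines grep "(.*)" matches."""
    found = {}
    for line in text.splitlines():
        m = _MOD_RE.match(line)
        if m:
            found[m.group(1)] = set(m.group(2)) - {"+", "-"}
    return found


def unexplained_taint(tainted_text, modules_text):
    """Global taint letters that no currently loaded module accounts for.
    A non-empty result points at non-module causes (oops, warning, soft
    lockup) or at a tainting module that has since been unloaded."""
    global_flags = set(decode_tainted(int(tainted_text.strip())))
    module_flags = set().union(*parse_proc_modules(modules_text).values())
    return global_flags - module_flags


if __name__ == "__main__":
    print(decode_tainted(int(SAMPLE_TAINTED)))                # ['P', 'O', 'E']
    print(parse_proc_modules(SAMPLE_MODULES))                 # {'taint_module': {'P', 'O', 'E'}}
    print(unexplained_taint(SAMPLE_TAINTED, SAMPLE_MODULES))  # set()
```

Taint bits are sticky for the life of the kernel, so if taint_module had been removed with rmmod before collection, /proc/modules would no longer show it while the tainted mask still reads 12289; that is exactly the gap the dmesg artifact fills.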
tclahr commented 3 months ago

Simple testing code that taints the kernel when loaded:

taint_module.c

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>

static int __init taint_module_init(void) {
    printk(KERN_INFO "Loading tainted module...\n");

    // Simulate tainting the kernel with a proprietary license
    add_taint(TAINT_PROPRIETARY_MODULE, LOCKDEP_STILL_OK);

    return 0;
}

static void __exit taint_module_exit(void) {
    printk(KERN_INFO "Unloading tainted module...\n");
}

module_init(taint_module_init);
module_exit(taint_module_exit);

MODULE_LICENSE("Proprietary");
MODULE_DESCRIPTION("A simple tainted kernel module example");
MODULE_AUTHOR("Your Name");

Makefile

obj-m += taint_module.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Compiling:

$ make
$ sudo insmod taint_module.ko
mnrkbys commented 3 months ago

Thanks for sharing the detailed explanation and sample code. My method of checking was not appropriate.