The Guardian Kernel Module (GKM) README

Maintainers/Developers
----------------------
Louis Brooks    lbrooks@cs.fsu.edu
Sarah Diesburg  diesburg@cs.fsu.edu

6/14/2006

Introduction: What is GKM?
--------------------------
GKM is a security-based loadable kernel module for the Linux 2.6.x series of
kernels. GKM's main purpose is to detect malicious kernel rootkits and to
maintain the running system's integrity in the face of kernel rootkit attacks
and actions.

GKM's Roots
-----------
GKM is loosely based on an older kernel module known as St. Michael
(http://freshmeat.net/projects/stmichael_lkm/). St. Michael was built for the
2.2.x and 2.4.x series of kernels, and also attempts to detect and prevent
kernel rootkits.

While many of GKM's detection mechanisms are similar to those of St. Michael,
GKM differs greatly in design decisions and code. Our code is very different
from St. Michael's due to interface changes from 2.4 to 2.6. In fact, we had to
implement so many things in a completely different way that none of St.
Michael's code is in GKM's code.

The actions and design decisions of GKM also differ greatly from those of
St. Michael. For example, we believe that when malicious activity is
discovered, the decisions of how to handle this activity are best left to the
system maintainer instead of in the hands of a kernel module. In this light,
GKM will *never* halt or reboot a system. GKM will instead do what it can to
ensure system stability until appropriate action can be taken.

Building GKM
------------
**Note: At this time, GKM is only tested to compile correctly with gcc
version 3.3. This will be fixed at a later time.

1. Untar the source ball using the command:
   tar xvfz gkm.tar.gz

2. Change directories into the main directory of guardian:
   cd guardian

3. Make the module:
   make

If everything has gone correctly, there should be a file named 'gkm.ko' in
the guardian directory.

Loading GKM
-----------
**Note: Once GKM is loaded, it cannot be unloaded until a reboot because it
is able to hide (cloak) itself from the kernel to avoid detection.

1. To insert GKM into the running kernel, type as root:
   insmod gkm.ko

GKM Logging Messages and Their Meanings
---------------------------------------

Normal Messages:

* GKM: Initializing Guardian Kernel Module
  The kernel module is starting up.

* GKM: Guardian Kernel Module Loaded
  The kernel module is loaded.

* GKM: module [name] detected and loaded.
  GKM noticed the [name] module being loaded.

* GKM: module [name] has been removed from the system.
  GKM noticed the [name] module being removed.

Problem Messages:

Any of these messages represents a severe problem and must be addressed
immediately.

* GKM: Please take appropriate action and reboot soon.
  Something "very bad" has happened. Please look at the messages directly
  preceding this one.

* GKM: Cloaked module inserted into system!
  GKM noticed that a module is trying to hide itself from the system.

* GKM: Could not find module [name] to delete!
  Yikes. A module was deleted from the kernel's module list without calling
  the appropriate system call.

* GKM: Unknown Module Found! Module name = [name]
  Yikes. A module was inserted into the kernel's module list without calling
  the appropriate system call.

* GKM: Bad body checksum for [name]
  Someone has overwritten [name]'s module body code in running memory!

* GKM: Bad exit checksum for [name]
  Someone has overwritten [name]'s module exit code in running memory!

* GKM: Danger, Danger Will Robinson - attempt to unload GKM
  Someone has attempted to unload GKM.

* GKM: Found inconsistency in system call table!
  GKM: System call mapping restored.
  Someone has attempted to redirect a system call! This is a normal rootkit
  attack. Fortunately, GKM keeps its own copies of the system call pointers
  and is able to restore them without any damage.

* GKM: System call number [number] has been compromised!
  GKM: Please look in unistd.h for the corresponding system call.
  Someone has overwritten a system call in memory. To find out which system
  call was overwritten, look in the file unistd.h (this is in
  /usr/include/linux/ in my distro).

* GKM: System call number [number] has been replaced with a null system call.
  This is bad. To protect the system from segfaulting or panicking, we repoint
  the affected system call to an empty function that returns zero. This action
  will *completely* disable the above mentioned system call, thereby stopping
  the attack while trying to keep the system in a semi-stable state.

Strange Messages:

If any of the following messages are seen, GKM is in dire need of an update.

* GKM: Unable to get System Call Table
  GKM cannot find the system call table in memory and will not load.
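The following user-space C model is an added example, not GKM's own code; it shows the mechanics behind the three message families above: a private copy of the system call table that is compared against the live one and used to restore redirected entries, the "null system call" fallback that disables a call rather than letting it crash the system, and a checksum over a code region standing in for the module body/exit checksums. The three-entry table, the stub handlers and the FNV-1a checksum are constructed stand-ins; real kernel objects and GKM's actual checksum algorithm are not used.

```c
/* Added example, not GKM code: user-space model of GKM's table-copy check,
 * null-syscall fallback and code checksums. All names are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NR_SYSCALLS 3
typedef long (*syscall_fn)(long);

/* Stand-ins for real system call handlers (not the kernel's). */
static long sys_a_stub(long x) { return x + 1; }
static long sys_b_stub(long x) { return x * 2; }
static long sys_c_stub(long x) { return -x; }
/* GKM's fallback: an empty function that returns zero. */
static long null_syscall(long x) { (void)x; return 0; }

/* The "live" table the kernel would dispatch through, and GKM's own copy. */
syscall_fn live_table[NR_SYSCALLS] = { sys_a_stub, sys_b_stub, sys_c_stub };
static syscall_fn saved_table[NR_SYSCALLS];

/* Taken once at load time, before anything else can alter the table. */
void gkm_snapshot_table(void) { memcpy(saved_table, live_table, sizeof live_table); }

/* Periodic check: every entry that no longer matches the saved copy is
 * restored from it ("System call mapping restored").  Returns the number
 * of entries that had to be restored. */
int gkm_check_table(void) {
    int restored = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (live_table[i] != saved_table[i]) { live_table[i] = saved_table[i]; restored++; }
    return restored;
}

/* Last resort for an entry that cannot be trusted: point it at null_syscall,
 * which disables that call completely but keeps the system from panicking. */
void gkm_disable_syscall(int nr) { live_table[nr] = null_syscall; }

/* FNV-1a over a byte range, standing in for GKM's body/exit checksums. */
uint32_t gkm_checksum(const void *p, size_t n) {
    const unsigned char *b = p;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* Returns 1 if the region still matches the checksum recorded at load time. */
int gkm_verify_region(const void *p, size_t n, uint32_t expected) {
    return gkm_checksum(p, n) == expected;
}
```

In a real module the snapshot and the baseline checksums must be taken at load time, as GKM does, since a copy made after a redirect would simply preserve the tampered state.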