Re: module information
I just stumbled across my answer (not sure how long it's been in the
kernel, but for 3.7.2):
x CONFIG_MODULE_SRCVERSION_ALL:
x
x Modules which contain a MODULE_VERSION get an extra "srcversion"
x field inserted into their modinfo section, which contains a
x sum of the source files which made it. This helps maintainers
x see exactly which source was used to build a module (since
x others sometimes change the module source without updating
x the version). With this option, such a "srcversion" field
x will be created for all modules. If unsure, say N.
On Thu, Jan 3, 2013 at 12:55 AM, shawn wilson <ag4ve.us@gmail.com> wrote:
> On Wed, Jan 2, 2013 at 6:55 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>>
>
>> By the way, by
>> manually loading something from different location but the default one don't
>> you already know the location of that file :)
>
> This assumes that I'm the only one that touches a system and/or that I
> keep detailed logs (or maybe auditd would show?) I really find it hard
> to believe there's no way of auditing what modules are in memory.
> However if modules can't be audited, this is the perfect for a rootkit
> ... until a box is rebooted - which also means no trace of the rootkit
> need be left behind.
Reply to: