Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20201203065748.GA7214@pi3.com.pl>
Date: Thu, 3 Dec 2020 07:57:48 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: Corrupted 'off' flag

Hi

Sorry for late reply. However, I've been working on adding a new debugging 
logic to the LKRG code.
I have a few questions:
 - Do you have any ftrace* related tools which might run in the background? 
Especially, around the time when you see that problem? It could be any perf* 
tool as well since they are using tracing infrastructure under the hood
 - New LKRG's debugging infrastructure can independently track state for each 
process. However, it requires a lot more memory. If you are willing to enable 
it, it will produce much more useful information which I can use. To be able to 
do it, please uncomment the following definition in the file:
 
  "src/modules/print_log/p_lkrg_log_level_shared.h"
  /* Do we want to precisely track changes of 'off' flag per each process?
   * If yes, uncomment it here */
  #define P_LKRG_TASK_OFF_DEBUG

 - If you have anough resource and sucessfully load such build of LKRG, you 
should see more debug information in the logs when such problem appears.

The newest Linux kernel changed the behavior of KPROBES and FTRACE and I'm 
actively researching these changes. It is worth to note that if FTRACE is being 
disabled e.g. via /proc/sys/kernel/ftrace_enabled it can affect KPROBES as 
well. Some tools heavily using such interface.

Thanks,
Adam

On Tue, Nov 17, 2020 at 11:30:34AM +0000, Paweł Krawczyk wrote:
> 
> Seeing these periodically:
> 
> Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> ON
> process[25086 | last] has corrupted 'off' flag!
> 
> Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> Trying to
> kill process[last | 25086]!
> 
> 
> I suspect this is the `last` command is being run periodically by Wazuh.
> When run as root from command line LKRG doesn't kick in. No harm done
> otherwise, so just reporting this as a minor annoyance.
> 
> Kernel:
> 
> Linux curie 5.4.0-54-generic #60-Ubuntu SMP Fri Nov 6 10:37:59 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> LKRG is the latest git branch pulled & compiled yesterday.
> 



-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.