I just stumbled across my answer (not sure how long it's been in the kernel, but for 3.7.2):
x CONFIG_MODULE_SRCVERSION_ALL: x x Modules which contain a MODULE_VERSION get an extra "srcversion" x field inserted into their modinfo section, which contains a x sum of the source files which made it. This helps maintainers x see exactly which source was used to build a module (since x others sometimes change the module source without updating x the version). With this option, such a "srcversion" field x will be created for all modules. If unsure, say N. On Thu, Jan 3, 2013 at 12:55 AM, shawn wilson <[email protected]> wrote: > On Wed, Jan 2, 2013 at 6:55 PM, Igor Cicimov <[email protected]> wrote: >> > >> By the way, by >> manually loading something from different location but the default one don't >> you already know the location of that file :) > > This assumes that I'm the only one that touches a system and/or that I > keep detailed logs (or maybe auditd would show?) I really find it hard > to believe there's no way of auditing what modules are in memory. > However if modules can't be audited, this is the perfect for a rootkit > ... until a box is rebooted - which also means no trace of the rootkit > need be left behind. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/cah_obicdxxnc0rujypstbmy1dpebifuyfo3hgtpjg64o+yi...@mail.gmail.com
