***************************************
# Saint Jude - Linux Kernel Module 0.11
***************************************


Update 0.10->0.11 (March 18, 2000)
-----------------------------------

-- Improper IFDEF test in StJude_lkm.h would prevent compiles
   on 2.4.0 kernel. Fixed.

-- StJude_Learning_Parser.pl would produce output in some
   instances that could not be compiled. This occurred due
   to unescaped '\' characters at the end of a line.

-- (This one sounds odd, but it may be necessary sometimes)
   Non-SMP compiles under an SMP kernel would fail -- fixed.

-- If a process exec'd without forking, and it was covered by an
   override rule, the first execution wouldn't be recorded through
   learning (example: pppd starting at boot on RH7 systems). Fixed.
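The parser bug above comes down to emitting learned strings into C source without escaping them: a backslash left unescaped inside a double-quoted literal either escapes the closing quote or, at the very end of a line, splices the next line onto it, and the generated rulebase no longer compiles. As an added example (not code from the Saint Jude distribution, and not a reproduction of the Perl parser), here is a C helper that escapes a learned field so the emitted literal always compiles; the rule layout in `main` and the sample `learned` strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape `in` for use inside a C double-quoted string literal, writing the
 * result to `out` (capacity outsz, including the terminating NUL).
 * Returns the number of characters written, or -1 if the output does not fit.
 *
 * Backslash and double quote are escaped; newline, tab and other control
 * bytes become escape sequences.  Without this, a learned string that ends
 * in '\' is emitted as  "...\"  : the backslash escapes the closing quote
 * (or, at the end of a line, splices the next line onto this one). */
long escape_c_literal(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    char buf[8];

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        const char *esc = NULL;

        switch (c) {
        case '\\': esc = "\\\\"; break;
        case '"':  esc = "\\\""; break;
        case '\n': esc = "\\n";  break;
        case '\t': esc = "\\t";  break;
        default:
            if (c < 0x20 || c == 0x7f) {
                /* three-digit octal so a following digit is never absorbed */
                snprintf(buf, sizeof buf, "\\%03o", c);
                esc = buf;
            }
            break;
        }

        if (esc != NULL) {
            size_t len = strlen(esc);
            if (n + len >= outsz)
                return -1;
            memcpy(out + n, esc, len);
            n += len;
        } else {
            if (n + 1 >= outsz)
                return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Write one quoted C literal for a learned field to `fp`.
 * Returns 0 on success, -1 if the field is too long to escape. */
int emit_c_string(FILE *fp, const char *field)
{
    char escaped[1024];

    if (escape_c_literal(field, escaped, sizeof escaped) < 0)
        return -1;
    fprintf(fp, "\"%s\"", escaped);
    return 0;
}

int main(void)
{
    /* Constructed sample: a learned argv whose last argument ends in '\'.
     * The initializer layout below is hypothetical, not StJude's format. */
    const char *learned[] = { "/usr/sbin/named", "-u", "named", "trailing\\" };
    size_t i;

    fputs("{ ", stdout);
    for (i = 0; i < sizeof learned / sizeof learned[0]; i++) {
        if (i > 0)
            fputs(", ", stdout);
        if (emit_c_string(stdout, learned[i]) != 0)
            return 1;
    }
    fputs(" },\n", stdout);
    return 0;
}
```

Octal rather than hex escapes are used for control bytes because a hex escape in C keeps consuming any hex digits that follow it, whereas `\%03o` is always exactly three digits.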

Update 0.07->0.10 (March 16, 2000)
-----------------------------------

-- Version increase reflects the improved usability and
   stability seen in testing as a result of the fixes and
   tests over the past two months.

-- Compatible with Version 2.4.X (lockups and Oopses seen
   with prior versions resolved).

-- Updated instructions in README -- READ the README!
   If you are a Technical Documentation Wizard...
   your help is needed ;)

-- Added Learning Parser to facilitate the generation
   of the Rulebase from the Learning Mode output. Combined
   with the Override directive (see README), remote root
   attacks may be thwarted... Long live named 4.2!

Coming Soon:

  -- Alpha Support (Thanks JAS)
  -- Updated execve syscall dispatch (pulled 
     from this release due to lack of testing)
  -- Filesystem protection mechanisms.
 

Update 0.06-0.07 (Dec 18, 2000)
-------------------------------

More changes, addressing compile failures on some
Linux systems. Two problems:

1. Include file <sys/mman.h> changed to <linux/mman.h>.
   This gives us the information necessary, but <sys/mman.h>
   would include other files that caused compile problems.

2. Makefile now defines explicitly where the linux include
   files are. This fixes the build crapping out when the
   include files were expected to be found in /usr/include/linux
   and /usr/include/asm.

   If your linux kernel tree is not under /usr/src/linux you
   will need to modify the Makefile appropriately.

   Thanks go out to those who wrote in with compile problems,
   especially Daniel Tabuenca <dtabuenc@cs.ucr.edu> who helped
   sort out this affair with the include files.

Update 0.05-0.06 (Dec 16, 2000)
-------------------------------

Got the update out to sourceforge, to find
that I shipped a broken package. Fixed the
*cough* omission from when I pulled out
some unstable-still-cookin code.

Last time I do a release at 2am.


Update 0.04-0.05 (Dec  3, 2000)
-------------------------------

-- Incorporated patch to address RedHat 7 weirdness.

-- Added new response method, StJude_response_redirect.
   From the file:

   This response will execute the program pointed to by sjfilename
   with the command line arguments defined in sjargv (remember argv[0]
   is the filename).

   This provides the opportunity to redirect the execution to an application
   of our choosing. This application executes in the context of the process
   that has generated the event. This affords us a great opportunity to
   further analyze the situation from the point-of-view of the potential
   attacker (maybe take a snapshot of the history and filesystem),
   or initiate a response.

   It is likely to be noted by an astute individual that this also affords
   the opportunity to counter-attack the attacker, using their control
   channel against them. This is a distinct possibility, but something I
   want to personally discourage.

   Additionally, make note that the process spawned will run with the
   privileges the attacker tried to acquire. This means:

            1) Do not execve anything without first dropping privileges.
               Else: endless loop.

            2) Be Very Careful.

   To use the new response, edit the Makefile setting of RESPONSE accordingly.
   Additionally, you will likely want to modify the StJude_Response_Redirect.c
   file to point to the file and argv your external program needs.
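The warning above is the whole job of whatever program sjfilename points at: it starts with the privileges the attacker was after, so it must give them up permanently before it does anything else, and must bail out rather than continue if that fails. As an added example (not part of the Saint Jude distribution, and not the StJude_Response_Redirect.c file), here is a minimal C redirect target that drops to an unprivileged uid/gid, verifies the drop stuck, and only then records the event. The SAFE_UID/SAFE_GID values and the log line are assumptions; adjust them for the host.

```c
/* Hypothetical redirect target for StJude_response_redirect; added
 * illustration, not project code.  Feature macro first so <grp.h>
 * declares setgroups(). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Unprivileged identity to switch to.  65534 is the conventional "nobody"
 * on many systems but is an assumption here. */
#define SAFE_UID ((uid_t)65534)
#define SAFE_GID ((gid_t)65534)

/* Permanently drop to target_uid/target_gid.  Returns 0 on success,
 * -1 on failure.  Order matters: supplementary groups first (needs root),
 * then gid, then uid -- once the uid is non-root the gid can no longer
 * be changed.  setuid()/setgid() (not the "re"/"e" variants) also replace
 * the saved ids, so the drop cannot be undone later. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* Clearing supplementary groups requires root; skip when not root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop stuck: real and effective ids match the target and,
 * unless the target is root itself, a switch back to uid 0 is refused.
 * Returns 1 when safe to proceed, 0 otherwise. */
int privileges_dropped(uid_t target_uid, gid_t target_gid)
{
    if (getuid() != target_uid || geteuid() != target_uid)
        return 0;
    if (getgid() != target_gid || getegid() != target_gid)
        return 0;
    if (target_uid != 0 && setuid(0) == 0)
        return 0;   /* saved uid was still root: the drop was not permanent */
    return 1;
}

int main(int argc, char **argv)
{
    if (drop_privileges(SAFE_UID, SAFE_GID) != 0 ||
        !privileges_dropped(SAFE_UID, SAFE_GID)) {
        /* Never carry on with the attacker's privileges: exit instead of
         * exec'ing anything (that is the endless loop the note warns of). */
        fprintf(stderr, "redirect: cannot drop privileges: %s\n",
                strerror(errno));
        return 1;
    }

    /* Unprivileged from here on.  Record what we can see of the event;
     * any further exec or snapshot work belongs after this point. */
    fprintf(stderr, "redirect: event in pid %ld (parent %ld), now uid %ld, argv[0]=%s\n",
            (long)getpid(), (long)getppid(), (long)getuid(),
            argc > 0 ? argv[0] : "?");
    return 0;
}
```

Run stand-alone as an unprivileged user the program reports that it cannot drop privileges and exits, which is the intended behaviour: the only situation in which it proceeds is one where it actually holds, and then sheds, the elevated identity.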


Update 0.03-0.04 (Oct 31, 2000)
-------------------------------

-- Modified output of Learning for Learning parser. 

-- Reorg of code to make it more manageable; added Makefile and niceties.

-- Further work on SMP support. To date, we have 30 days on a busy dual PIII.
   No problems! *knock on wood*


-- Fixed bug where it would not be noticed that a SUID root process dropped
   privileges upon execution of a setuid non-root application. The resulting
   non-suid-root process would then be flagged as in violation if it
   attempted to execute any other suid root application.


-- Made the guessing of where the old execve is more difficult, but this
   will still be a problem. The landmine needs to have more teeth -- it's a
   honeypot function -- if it is ever called then someone is mucking around
   where they should not be.


-- StJude is now a SourceForge Project,
   The project can be found at http://www.sourceforge.net/projects/stjude


-- License change to BSD. This is done because some future releases may not
   be able to do source releases (non-linux) due to licensing restrictions on
   the in-kernel technology. This is a possible reality; I hope it can be
   avoided.

   If anyone can offer experience on the licensing stuff, I would
   greatly appreciate it... I did want to leave it all under GNU.


Update 0.02-0.03 (Aug 11, 2000)
-------------------------------

Added Spinlocks.
                 Tested on 1, 2 and 4 CPU Intel PIII Xeon systems running
                 SMP kernel (2.2.16).

Enabled Module Sealing.
                 When not compiled in LEARNING mode, the module will attempt
                 to replace the load and unload syscalls with dummy calls. If
                 the -DNOSEAL option is used at compile time this behavior
                 is bypassed.

                 After the dummy calls are loaded, no further modules may
                 be loaded and StJude may not be unloaded without rebooting.

                 Note: The module may still be directly attacked through
                 /dev/kmem. Protections are being examined to thwart
                 this type of attack.

Updated Requirements: Kernel Version 2.2.11 or greater is required.
                 Prior to the 2.2.11 kernel the init_task_union structure
                 was not available to modules.

                 If you want to run StJude and are running a kernel 
                 version 2.2.0 -> 2.2.10, contact me for a patch.

ARGV_MEMORY freed on unload.
                 The ARGV_memory structure was not being freed on
                 unload. This could cause a memory leak in the kernel
                 after multiple load and unloads. This has been fixed.

                 See note about Module Sealing above.
 

Update 0.01-0.02
----------------

Fixed bug that would cause setreuid to be lost and replaced by setuid.
Bad.


