***************************************
# Saint Jude - Linux Kernel Module 0.10
***************************************

Copyright October, 2000. Tim Lawless, lawless@netdoor.com
Updated 3/01/01

NOTICE: This is experimental software. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I.   Introduction
   A. What is StJude_LKM?
   B. Contacting the Author
II.  Usage
   A. Overview
   B. Special Notes for SMP Systems
      1. Kernel Patch
      2. Building StJude
   C. Preparations for Using Saint Jude
   D. Learning Mode
      1. Compiling the Saint Jude Module for Learning Mode
      2. Defining Overrides
      3. Install the Kernel to Spawn from Init
      4. Generating the Rulebase for Normal Mode
      5. Reboot
   E. Normal Mode
   E. If Something Goes Wrong...
III. Further Considerations
   A. Proper Deployment Enviorment
   B. Other Interesting Work
      1. Projects
      2. Papers/Books
IV.  Help Wanted
   A. Programmers / Analysists
   B. Technical Writers
   C. Web Designers


I. Introduction
===============

A. What is Saint Jude?

     Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels.
     This module implements the Saint Jude model for improper privilege
     transitions. This will permit the discovery of local, and ultimately,
     remote root exploits during the exploit itself. Once discovered, Saint 
     Jude will terminate the execution, preventing the root exploit from 
     occurring. This is done without checking for attack signatures of 
     known exploits, and thus should work for both known and unknown exploits.

ENGLISH:

     This software stops local, and remote root exploits on the Linux 
     Operating system. Dead. Kaput. RIP.

B. Contact the Author

     The Saint Jude Project is homed at 
     http://www.sourceforge.net/projects/stjude.  The Author, Tim Lawless, 
     may be reached at lawless@netdoor.com


II. Usage
==============

A. Overview

    Saint Jude exists in the Linux universe as a kernel module. The module
    should be loaded as soon as possible. The easiest way for this to
    be done is to cause init to load the module before going through
    the rc scripts, this permits StJude to monitor daemon processes that
    may be started through the rc scripts, as well as the behavior of
    the rc scripts themselves.

    The use of saint jude will involve compiling the module in two modes:
    learning mode, and normal mode. Learning mode generates a series
    of log entries via klogd that will be used to produce a ruleset appropriate
    for the host system. After the ruleset has been generated, it will
    replace the default ruleset shipped with StJude, and the module will
    be compiled in normal mode, where it will enforce the behavior that was
    modeled during the learning mode.

    We will cover how to do the various tasks involved in the following 
    sections. 

B. Special Notes for SMP systems.

   1. Kernel Patch

      It is necessary to patch the kernel on SMP systems inorder to 
      export a symbol that is not normally exported. The symbol is
      the spinlock for the task structure. A one-line patch is
      included in the StJude_LKM directory, SMP-linux-2.2.16.patch.

      This patch works for all versions of linux from 2.2.16 up to
      and including 2.2.18. Due to its simplicity, it should work
      for other later versions as they are released.

      To apply the patch, cd into your Linux tree, and do:

      patch -p1 < ../path/to/patch/SMP-linux-2.2.16.patch

      Recompile the kernel as normal.

   2. Building StJude

      In all the examples that will be given on building StJude,
      there will be a line in the Makefile with the same options
      advised to used, but with -D__SMP__ included. SMP systems
      will need to use this line instead.

C. Preparations for Using Saint Jude

     Due to the nature of Saint Jude, it is recommended that the
     host system not rely on modules for operation. When launched
     in normal mode, by default, StJude will seal the kenrel. This
     will prohibit the loading and removing of modules from the
     kernel. 

     This should not be an issue on dedicated servers as much as
     it may be on desktop and (in the worst case) laptops that
     rely on modules to handle the insertion and removal of hardware
     components. 

     Version 2.4 of the Linux kernel promises features that will make
     the reliance on module for these hardware needs less of a concern.
   
D. Learning Mode

     Before running Saint Jude in normal mode it is necessary to learn
     or model the behavior of the host system that will be running Saint
     Jude. This modeling of the behavior is referred to as Learning. During
     the learning process copious amounts of output may be displayed on
     console and recorded via syslog. The output will look much like:



     These lines will be used by a parser for the purpose of building
     the rulesets that will be used in normal mode.


     1. Compiling the Saint Jude Module for Learning Mode
    
        The Makefile for Saint Jude ships ready to go into Learning Mode. At
        the Head of the Makefile, the "DFLAGS" variable is defined as:

        DFLAGS = -DLEARNING

        You may wish to change the MINESUP and MINESDOWN values to be anything
        between 1 and 12 inclusive.

        Save the Makefile, and compile StJude_LKM by typing "make".

        The compilation will produce a file, StJude.o. This is the 
        Kernel Module.

    2.  Defining Overrides

        Overrides is the mechanism by which we allow StJude to manage
        daemon processes. Normally, these processes would be exempt
        from management by StJude by being associated with the
        "ALL" rule. The override list is used to link certain programs
        to a new default rule, overriding the default behavior.

        Make a list of the programs that run on the system as daemons
        that you want to be managed. These programs may include
        /usr/sbin/named, /usr/sbin/inetd, /usr/sbin/rpc.nfsd, 
        /usr/lib/sendmail, etc.

        Referring to your start-up scripts, and looking at
        the output from "ps aux | grep root" is a good start at
        identifying the daemons. You will need to know the
        filename, not what shows up in via ps.

        Good:  /usr/sbin/named
        Bad:   named

        Got it?

        Edit the StJude_Rulebase.h file, and add in the daemon
        processes via the Override structure. Match the pattern
        that is included in the example Override table.

    
    2.  Install the Kernel module to Spawn from Init

        Copy the StJude.o file to a perminant location in /lib/modules,
        such as (for a 2.2.18 system) /lib/modules/2.2.18/StJude.o

        Add the following line to your /etc/inittab, right after the line
        that begins with "si::"

             sj::once:/sbin/insmod /lib/modules/2.2.18/StJude.o

       Reboot the system. Do not do "init q". Reboot the system.

       3. Generating the Rulebase for Normal Mode.

       After the system has been put through a workout that mimics its 
       normal behavior, remove the StJude module by issuing the command:

            /sbin/rmmod StJude

      Collect the messages that were logged to syslog and store them
      in a file. It is not necessary to prune out the non-Stjude
      related lines, or cut the time stamps off.

      Included with StJude is a perl script, StJude_Learning_Parser.pl. 
      Run this script against the output, by issuing the command:

           ./StJude_Learning_Parser.pl filename

           Where filename is the file containing the output lines.

     This will produce a file called StJude_Rulebase__WORK.h.

     Edit this file. Within the file will be instructions on
     what modification will be necessary. Follow these directions.
     What you will be doing is copying over the overrides defined
     earlier, and linking those overrides to the head-end rule
     they should override to.

     After changes are made, copy the StJude_Rulebase__WORK.h file
     over the StJude_Rulebase.h file and go to Normal Mode

E. Normal Mode

     In Normal mode, the Saint Jude system actually is armed and
     beings protecting the system using the stuff we did in the
     Learning mode. Preparations for rebooting into normal mode are:

     1. Choose Your Response

        Saint Jude has the ability to use different responses.
        Currently there are only two responses available, but imagination
        is the limit. The two responses are:

        StJude_Response_default.c:
              This Response simply kills the process that requested
              the illegal execution, and outputs a message to klog.
       
        StJude_Response_redirect.c
              This response will redirect the illegal execution request
              to another pre-defined program. Refer to the comments
              at the head of this response for more information.
              Potential applications include the initiation of 
              complex responses from within users pace that include
              collection of evidence and signaling other systems that
              an attack may be underway.

        Select the appropriate response by modifying the Makefile.

     2. Modify the Makefile to Select Normal Mode

     Edit the Makefile, Select the DFLAGS line that does not have
     -DLEARNING on it. If using a SMP system, use the DFlags line
     that only includes -D__SMP__.

    3. Recompile.

       make clean;make

    4. Reboot.

       
F. If something goes wrong while in Normal mode.

     If something goes wrong in normal mode, and you want to disable
     the Stjude module, it will be necessary to reboot the system. At
     the lilo prompt enter:

     lilo:  linux init=/bin/bash

     Notice we are not going into single user mode, since that will 
     also include the loading of the module. By using the "init=/bin/bash"
     we redefine the init process to be /bin/bash. When you are dropped
     to a # prompt, execute the following:

     # mount -o remount,rw /

     and if necessary:

     # mount -a -t ext2

     Edit the /etc/inittab, and comment out the sj:: line.

     When you finish with the edit, execute "sync".

     Reboot by using the "ctrl-alt-del" key combo. The filesystems will
     come up dirty.


III. Further Considerations
=============================


A.  Proper Deployment Environment

    Saint Jude is not an end-all be-all project. It is a last-line of
    defense. It is not an execute to be the only-line. Additionally,
    it is recommended that steps be taken to protect the StJude.o
    kernel module, as well as the vmlinuz binary. You may want
    to store them on read-only media, change them to immutable,
    or deploy the LIDS project for filesystem protection.

B. Other Interesting Work

   1. Projects

      a. Pax Project
         Http://pageexec.virtualave.net 
   
   2. Papers

      Saint Jude, the Model
        http://download.sourceforge.net/stjude/StJude_Model.pdf

      Anything at http://www.raid-symposium.org


IV. Help Wanted
==================

    Currently I am unable to put all the time into this project that
    it deserves and demands. If you are, or would like to become 
    more fimiluar with host-based IDS technology, kernel programming,
    or are a kick-ass web developer or technical writer and are
    interested in getting involved.. by all means, write to
    me and we'll put ya to work.


