Hi,

Here's some more information on identifying the Linux distro which you guys might find helpful.

The file /var/log/dmesg contains the info on the kernel, Linux distro as well as the gcc version used to compile the kernel (provided the distro information was available when you compiled the kernel).

Now, for the origin of this line of code: try the command "strings /boot/vmlinux-2.X.XX-XX | grep redhat" on your Red Hat distribution. It will show the same output as can be seen in dmesg. So you see, the string is embedded in the kernel executable when you _compile_ the kernel. Now the catch is that when I compile the kernel, I can remove all instances of "redhat" (or whatever, for that matter) from the source and replace it with another string. Then what??

The standard (don't think every release follows it) for identifying releases is lsb-release. It's documented in the LSB specification. You can see all the major releases follow the /etc/<distro_name>-version style nowadays. So unless you have played around, just "ls /etc/*release" should show you the file name containing your distro name and release info.

Anyways, kernel sources show that for certain Red Hat applications to run, the /etc/redhat-release file should be present, as it checks for an existing Red Hat installation. Same goes for /etc/slackware-version, /etc/SuSE-release, /etc/UnitedLinux-release, /etc/mandrake-release etc. These distros use this file info to launch their custom apps. So if your sysadmin removes the files, some apps wouldn't work.

So running the "strings..." command and grepping for a particular distro should be able to show us the original distro used when the kernel was compiled. This can be simplified with a simple script to verify for all distros (there are more than 350 distros available, so listing them is another task!).

For the webmin trick suggested by Raj, you can check the file /usr/libexec/webmin/os_list.txt as to how the detection works. For better info, check the file /usr/libexec/webmin/oschooser.pl. This script shows that the detection is done by reading /etc/.issue or /etc/issue (whichever is available) and doing "uname -a". So you are back to square one if /etc/issue or /etc/.issue is removed. Then you better give the distro name and version manually to webmin or it would do terrible things to your system!

Another thing to note is that knowing a distro isn't much help if you have recompiled the kernel several times and manually upgraded or changed most packages. Anyways, this is unimportant as all Linux distros have the same basic kernel. Linus Torvalds was quite clever in leaving the packaging part to others and just hacking on the kernel. All 350+ distros use the same kernels. So the dirty politics is not Torvalds' responsibility. Why not leave it to those who are already into it? If no distro info is found by any means, probably the system is made from scratch (!!!). Check www.linuxfromscratch.org if you haven't yet.

Someone had talked about nmap and OS fingerprinting. I think remote fingerprinting an OS by checking banners or headers or flags etc. does not look for distros. Knowing the versions of the running servers is quite enough to look for vulnerabilities. Browsing through the nmap-hackers lists provides some valuable info. Fooling queso, nmap etc. is possible. You can do it by adjusting HTTP headers, hacking the initial TCP sequence number generator in the kernel, changing the TCP window size, the default TTL of my IP packets etc.

Another note on dmesg: as you compile the kernel using gcc, you get the version number in the output. Sometimes you see "Red Hat Linux 3.2.2-5" instead of "Red Hat Linux 9.0 3.2.2-5". That's because the distro number could be found when the kernel was compiled.

For the /proc/version stuff, check this: /proc/sys/kernel/ or /proc/sys/ has the following files: ostype, osrelease, version, which give info for /proc/version (these files exclude the matter in brackets generally). If you refer to /usr/src/linux-2.X/kernel/sysctl.c (lines 163-167) you will see that these files show info for the kernel only.

If you have read till here, I hope your problems are solved. If you change /etc/issue or /etc/*-release, recompile the kernel and remove any distro information, you are basically left to yourself to maintain it; the upgradation process won't be possible (provided the system went to the moon for a face-lift ;-) ). But you can always play around with the kernel without such problems!

Regards,
Bhaskar.

On Tuesday 16 Sep 2003 1:01 am, linuxlingam wrote:
> think i have finally found that command, though i need you guys to
> counter-check and verify it on your respective distributions of gnulinux.
>
> it occurred to me through a thought that struck me watching a pc boot up
> "wonder how they do so much branding of the distribution during boot up but
> never afterwards...?'
>
> and then the magic command:
>
> $ dmesg |less
>
> LL

---------------------------
Bhaskar Dutta <[EMAIL PROTECTED]>
GPG Key fingerprint = AA56 1EB5 D7E8 DD9C 298E 8F4D 375F D416 01D5 671C
---------------------------

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
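The checks the message walks through (the /etc/*release and /etc/*-version files, the ostype/osrelease/version entries under /proc/sys/kernel, and distro names left in the kernel image at build time) collected into one POSIX sh script. This is an added example for this thread, not code from the list post or from webmin; it takes an optional ROOT directory (default "/") so the same probe can be pointed at a mounted disk image when inventorying or reviewing a box offline, uses tr as a stand-in for strings(1) so it runs without binutils, and the list of distro names it greps for is an assumed, constructed one rather than anything the post enumerates.

```shell
#!/bin/sh
# Added example (not from the original list post): gather the distro
# fingerprints the message discusses from a root directory.
# Usage: distro_probe.sh [ROOT]   ROOT defaults to "/", or a mounted image.

# Distro names to look for inside the kernel image (constructed list, not
# the 350+ the post mentions). Matching is case-insensitive.
DISTRO_PATTERN='red hat|redhat|fedora|debian|ubuntu|suse|slackware|mandrake|gentoo'

# 1. /etc/*release and /etc/*-version style files, one path per line.
release_files() {
    root="${1:-/}"
    for f in "$root"/etc/*release "$root"/etc/*-version; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# 2. Distro names derived from those file names. os-release and lsb-release
#    are generic LSB-style files that do not name a distro, so skip them.
distro_names() {
    release_files "$1" | while read -r f; do
        name=$(basename "$f" | sed -e 's/[-_]release$//' -e 's/[-_]version$//' -e 's/release$//')
        case "$name" in
            os|lsb) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done | sort -u
    return 0
}

# 3. Kernel identity from /proc/sys/kernel: the fields that make up
#    /proc/version, which describe the kernel only, not the distro.
kernel_info() {
    root="${1:-/}"
    for k in ostype osrelease version; do
        [ -r "$root/proc/sys/kernel/$k" ] && printf '%s=%s\n' "$k" "$(cat "$root/proc/sys/kernel/$k")"
    done
    return 0
}

# 4. Distro names embedded in the kernel image when it was compiled.
#    tr turns every non-printable byte into a newline, which is what
#    strings(1) does for this purpose; output is lower-cased and deduplicated.
kernel_image_distro() {
    root="${1:-/}"
    for img in "$root"/boot/vmlinu*; do
        [ -f "$img" ] || continue
        tr -c '[:print:]' '\n' < "$img" | grep -oiE "$DISTRO_PATTERN" || true
    done | tr 'A-Z' 'a-z' | sort -u
    return 0
}

# Print a short report for ROOT. A box with no release files, no distro
# name in its kernel image and only the generic /proc fields is the
# "built from scratch or deliberately scrubbed" case the post describes.
report() {
    root="${1:-/}"
    echo "release files:";          release_files "$root"
    echo "distro names:";           distro_names "$root"
    echo "kernel:";                 kernel_info "$root"
    echo "kernel image mentions:";  kernel_image_distro "$root"
}

# Run the report only when executed directly, not when sourced.
case "${0##*/}" in
    distro_probe.sh) report "$1" ;;
esac
```

Run it as "sh distro_probe.sh" for the live system or "sh distro_probe.sh /mnt/image" for a mounted filesystem; each function can also be sourced and called on its own. Agreement between the release files, the kernel image string and the package set is the normal case; disagreement (a redhat-release file on a kernel whose image only mentions another distro, or no release file at all) is the kind of inconsistency worth recording in an inventory, since the post notes that some vendor tools stop working once those files are removed.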