-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
  Here's some more information on identifying the Linux distro, which you guys 
might find helpful.
 The file /var/log/dmesg contains the info on the kernel, the Linux distro, as well 
as the gcc version used to compile the kernel (provided the distro 
information was available when you compiled the kernel). 

  Now, for the origin of this line of code: Try the command 
"strings /boot/vmlinux-2.X.XX-XX | grep redhat" on your redhat distribution.
It will show the same output as can be seen in dmesg. So you see, the string 
is embedded in the kernel executable when you _compile_ the kernel.
 
  Now the catch is that when I compile the kernel, I can remove all
instances of "redhat" ( or whatever, for that matter) from the source and
replace it with another string. Then what??
 
 The standard (don't think every release follows it) for identifying releases 
is lsb-release. It's documented in the LSB specification. You can see all the 
major releases follow the /etc/<distro_name>-version style nowadays. So 
unless you have played around, just "ls /etc/*release" should show you the 
file name containing your distro name and release info.

 Anyways, kernel sources show that for certain redhat applications to run, the 
/etc/redhat-release file should be present, as it checks for an existing 
redhat installation. Same goes for /etc/slackware-version, /etc/SuSE-release, 
/etc/UnitedLinux-release, /etc/mandrake-release etc. These distros use the 
info in these files to launch their custom apps. So if your sysadmin removes 
the files, some apps wouldn't work.

 So running the "strings..." command and grepping for a particular distro
should be able to show us the original distro used when the kernel was
compiled. This can be simplified with a simple script to verify for all
distros (there are more than 350 distros available, so listing them is
another task!).

  For the webmin trick suggested by Raj, you can check the file 
/usr/libexec/webmin/os_list.txt as to how the detection works. For better 
info, check the file /usr/libexec/webmin/oschooser.pl. This script shows that 
the detection is done by reading /etc/.issue or /etc/issue (whichever is 
available) and doing "uname -a". So you are back to square one if /etc/issue 
or /etc/.issue is removed. Then you'd better give the distro name and version 
manually to webmin or it would do terrible things to your system!

  Another thing to note is that knowing a distro isn't much help if you have
recompiled the kernel several times and manually upgraded or changed most 
packages. Anyways, this is unimportant as all Linux distros have the same 
basic kernel. Linus Torvalds was quite clever in leaving the packaging part 
to others and just hacking on the kernel. All 350+ distros use the same 
kernels. So the dirty politics is not Torvalds' responsibility. Why not leave 
it to those who are already into it?

  If no distro info is found by any means, probably the
system is made from scratch (!!!). Check www.linuxfromscratch.org if you haven't 
yet.

 Someone had talked about nmap and OS fingerprinting. I think remote
fingerprinting of an OS by checking banners or headers or flags etc. does not
look for distros. Knowing the versions of the running servers is quite enough
to look for vulnerabilities. Browsing through the nmap-hackers lists provides
some valuable info.
Fooling queso, nmap etc. is possible. You can do it by adjusting HTTP headers,
hacking the initial TCP sequence number generator in the kernel, changing the
TCP window size, the default TTL of my IP packets etc.

 Another note on dmesg: as you compile the kernel using gcc, you get the 
version number in the output. Sometimes you see "Red Hat Linux 3.2.2-5" 
instead of "Red Hat Linux 9.0 3.2.2-5". That's because the distro number 
could be found when the kernel was compiled. 

  For the /proc/version stuff, check this:
  /proc/sys/kernel/ or /proc/sys/ has the following files: 
        ostype
        osrelease
        version
which give info for /proc/version (these files exclude the matter in brackets 
generally). If you refer to /usr/src/linux-2.X/kernel/sysctl.c (lines 
163-167) you will see that these files show info for the kernel only.
  
  If you have read till here, I hope your problems are solved. If you change 
/etc/issue or /etc/*-release, recompile the kernel and remove any distro 
information, you are basically left to yourself to maintain it; the 
upgrade process won't be possible (provided the system went to the moon 
for a face-lift  ;-) ). But you can always play around with the kernel 
without such problems!

  Regards,
  Bhaskar.


On Tuesday 16 Sep 2003 1:01 am, linuxlingam wrote:
> Think I have finally found that command, though I need you guys to
> counter-check and verify it on your respective distributions of gnulinux.
>
> It occurred to me through a thought that struck me watching a PC boot up:
> "wonder how they do so much branding of the distribution during boot up but
> never afterwards...?"
>
> And then the magic command:
>
> $ dmesg | less
>
> LL
>

- ---------------------------
Bhaskar Dutta <[EMAIL PROTECTED]>
     GPG Key fingerprint = AA56 1EB5 D7E8 DD9C 298E  8F4D 375F D416 01D5 671C
- ---------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/aLhcN1/UFgHVZxwRAsSGAKCSH6/GRgwMxWdbs0u2FtdnwsZB3QCcDHZt
GUV4RHByxoqTFe3b83/o11E=
=3pQB
-----END PGP SIGNATURE-----


_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
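
The "simple script to verify for all distros" that Bhaskar mentions, written out as an added example (this is not code from the mail or from any of the projects it names). It walks the sources discussed in the thread in one fixed order: the LSB key/value file /etc/lsb-release (plus its later successor /etc/os-release, which the 2003 mail predates), the vendor files such as /etc/redhat-release and /etc/SuSE-release, /etc/issue as webmin's oschooser.pl reads it, and finally the compiler banner baked into the kernel that dmesg and /proc/version show. It takes a root directory as its argument so the same checks run against a mounted disk image or chroot, not only the live system. The function and helper names (detect_distro, first_line, key_value), the precedence order and the list of distro keywords are my own assumptions; the sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail): try the distro-identification
# sources discussed in the thread, in order of reliability, against a root
# directory so the same script works on the live system ("/") or on a mounted
# disk image / chroot. Helper names, precedence order and the keyword list
# are assumptions made for this example.

# Distro names worth looking for in the kernel's compiler banner (assumed list).
DISTRO_WORDS='red ?hat|fedora|debian|ubuntu|suse|slackware|mandrake|gentoo|arch ?linux'

# First non-blank line of a file, with getty escapes such as \n \l \r removed
# and surrounding whitespace trimmed (for /etc/issue and the *-release files).
first_line() {
    sed -n '/[^[:space:]]/{s/\\[a-zA-Z]//g; s/^[[:space:]]*//; s/[[:space:]]*$//; p; q;}' "$1"
}

# Value of KEY=value (optionally double-quoted) in a shell-style key/value file.
key_value() {
    sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Prints "<source>: <value>" for the first source that answers; otherwise
# prints "unknown" and returns 1.
detect_distro() {
    root=${1:-/}; root=${root%/}        # "/" becomes "", so "$root/etc" stays absolute

    # 1. The LSB key/value file the mail mentions, and its later successor
    #    /etc/os-release (checked first because modern tools read it).
    if [ -r "$root/etc/os-release" ]; then
        v=$(key_value "$root/etc/os-release" PRETTY_NAME)
        [ -n "$v" ] && { printf '%s\n' "os-release: $v"; return 0; }
    fi
    if [ -r "$root/etc/lsb-release" ]; then
        v=$(key_value "$root/etc/lsb-release" DISTRIB_DESCRIPTION)
        [ -n "$v" ] && { printf '%s\n' "lsb-release: $v"; return 0; }
    fi

    # 2. Vendor files: redhat-release, SuSE-release, slackware-version,
    #    mandrake-release, debian_version ... (the "ls /etc/*release" idea).
    for f in "$root"/etc/*-release "$root"/etc/*-version "$root"/etc/*_version; do
        [ -f "$f" ] || continue
        case ${f##*/} in os-release|lsb-release) continue ;; esac
        v=$(first_line "$f")
        [ -n "$v" ] && { printf '%s\n' "${f##*/}: $v"; return 0; }
    done

    # 3. What webmin's oschooser.pl falls back on: /etc/issue.
    if [ -r "$root/etc/issue" ]; then
        v=$(first_line "$root/etc/issue")
        [ -n "$v" ] && { printf '%s\n' "issue: $v"; return 0; }
    fi

    # 4. The banner compiled into the kernel itself (what dmesg and
    #    /proc/version print). /proc/version only exists on a live system;
    #    for an image we scan the kernel file. tr+grep stand in for
    #    "strings | grep" so no binutils is needed. Caveat: in a compressed
    #    vmlinuz the banner sits inside the compressed payload, so it is
    #    normally found only in an uncompressed vmlinux or in /proc/version.
    for f in "$root/proc/version" "$root"/boot/vmlinu*; do
        [ -r "$f" ] || continue
        v=$(LC_ALL=C tr -c '[:print:]' '\n' < "$f" | LC_ALL=C grep -i -E "$DISTRO_WORDS" | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "kernel (${f##*/}): $v"; return 0; }
    done

    printf 'unknown\n'
    return 1
}

# Usage: sh detect_distro.sh [ROOT]   e.g. "sh detect_distro.sh /mnt/image"
if [ "$#" -gt 0 ]; then detect_distro "$1"; fi
```

Run it as `sh detect_distro.sh /` on the live box or `sh detect_distro.sh /mnt/image` on a mounted root. Everything it reads lives on the filesystem being inspected and, as the mail itself points out, can be edited or removed by whoever built the box, so the answer is a hint about how the system was installed, not proof; the kernel banner is the hardest of the four to change without a rebuild, but it only says which distro's toolchain built the kernel, not what is running around it.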
