Re: intercepting syscalls

From: Richard B. Johnson
Date: Fri Apr 15 2005 - 15:40:59 EST

Next message: Nish Aravamudan: "Re: [PATCH] char/tpm: use msleep(), clean-up timers, fix typo"
Previous message: Chris Wright: "Re: intercepting syscalls"
In reply to: Chris Wright: "Re: intercepting syscalls"
Next in thread: Daniel Souza: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 15 Apr 2005, Daniel Souza wrote:

On 4/15/05, Arjan van de Ven <arjan@xxxxxxxxxxxxx> wrote:
On Fri, 2005-04-15 at 13:10 -0700, Daniel Souza wrote:
You're welcome, Igor. I needed to intercept syscalls in a little
project that I were implementing, to keep track of filesystem changes,

I assume you weren't about tracking file content changing... since you
can't do that with syscall hijacking.. (that is a common misconception
by people who came from a MS Windows environment and did things like
anti virus tools there this way)

No, I was tracking file creations/modifications/attemps of
access/directory creations|modifications/file movings/program
executions with some filter exceptions (avoid logging library loads by
ldd to preserve disk space).

It was a little module that logs file changes and program executions
to syslog (showing owner,pid,ppid,process name, return of
operation,etc), that, used with remote syslog logging to a 'strictly
secure' machine (just receive logs), keep security logs of everything
(like, it was possible to see apache running commands as "ls -la /" or
"ps aux", that, in fact, were signs of intrusion of try of intrusion,
because it's not a usual behavior of httpd. Maybe anyone exploited a
php page to execute arbitrary scripts...)

--

The requirements can be easily met in user-mode, probably
a lot easier than anything in the kernel.

LD_PRELOAD some custom 'C' runtime library functions, grab open()
read(), write(), etc. Write information to a pipe. Secure reader
daemon logs whatever it wants, based upon configuration settings.
After writing information to the pipe, executes the appropriate
syscall.

Done, no hacks, everything working in the correct context.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.11 on an i686 machine (5537.79 BogoMips).
Notice : All mail here is now cached for review by Dictator Bush.
98.36% of all statistics are fiction.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nish Aravamudan: "Re: [PATCH] char/tpm: use msleep(), clean-up timers, fix typo"
Previous message: Chris Wright: "Re: intercepting syscalls"
In reply to: Chris Wright: "Re: intercepting syscalls"
Next in thread: Daniel Souza: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]