Date: Tue, 8 Sep 2015 10:29:13 -0600
From: markham_breitbach@ssimicro.com
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: LD_PRELOAD
Message-ID: <55EF0CD9.6000009@ssimicro.com>
In-Reply-To: <20150906011200.GB94488@neutralgood.org>
References: <55EA1251.4020704@ssimicro.com> <20150906011200.GB94488@neutralgood.org>
On 2015-09-05 7:12 PM, kpneal@pobox.com wrote:
> On Fri, Sep 04, 2015 at 03:51:13PM -0600, markham_breitbach@ssimicro.com wrote:
>> I am trying to configure the security/snoopy package as a solution for
>> logging shell activity within jails (I'm also open to alternative
>> suggestions!). Snoopy works as an execve() wrapper that basically just
>> logs and passes through the calls. For it to work though, I need to set
>> the LD_PRELOAD variable in the environment to force the linker to load
>> snoopy.so first, presumably so the snoopy execve wrapper is found before
>> the libc version.
>>
>> If I set LD_PRELOAD=/usr/local/lib/snoopy.so on the command line, and
>> then launch a new shell, events get logged as expected, but I need to
>> figure out how to make that happen by default for everything in the jail.
> Try starting the jail with a shell script in the jail's /etc to set (export!)
> the environment variable and then exec /etc/rc "$@" to go through the rest
> of the normal startup for the jail. You'll need to change your jail config
> to start your script instead of /etc/rc though.
>
> Be aware that it isn't possible to guarantee that snoopy will catch _every_
> _single_ call if your system is breached. In some cases an attacker can
> just eliminate the environment variable. You may be able to determine
> the starting point of the breach, however, if the attacker doesn't change
> the snoopy log on you. Can snoopy log to a remote syslogd? That would
> keep an attacker from removing evidence logged.
>

I actually shoved that right into /etc/rc inside the jail, and that seems to do the trick. I will have to play around and see if I can't find a more graceful way to handle that, but it's a proof of concept. I suspect there is already a facility for that. I will have to poke around rc and see what I can unearth. :)

I understand that there are security implications of this. It is actually intended more for audit logging of my own authorized users (i.e. who made that change? WTF were they thinking!?! :)) than for any form of security. Of course, once root is breached, all bets are off anyway. I have looked at the auditing features of FreeBSD, but jail support is sadly lacking, so far snoopy seems to be about the best thing I can find to fill that hole.

Thanks,
-Markham
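Added example, not code from either poster or from the snoopy project: the /etc/rc wrapper kpneal describes, plus a check for the dropped-variable caveat he raises. The library path is the one quoted in the thread; the script name /etc/rc.snoopy and the exec.start line are assumptions.

```shell
#!/bin/sh
# Added example (not snoopy's or either poster's code): a wrapper the jail's
# exec.start runs instead of /etc/rc, so everything rc starts inherits LD_PRELOAD.
# Assumed path /usr/local/lib/snoopy.so comes from the thread; the script name
# and this jail config line are assumptions:
#   exec.start = "/bin/sh /etc/rc.snoopy run";

SNOOPY_LIB="${SNOOPY_LIB:-/usr/local/lib/snoopy.so}"

# Print the LD_PRELOAD value to export: snoopy.so is placed first so its execve()
# is resolved before libc's; an existing value is kept and not duplicated.
build_preload() {
    lib="$1"
    current="$2"
    case ":$current:" in
        *":$lib:"*) printf '%s\n' "$current" ;;           # already present, leave order alone
        ::)         printf '%s\n' "$lib" ;;               # nothing set yet
        *)          printf '%s:%s\n' "$lib" "$current" ;;
    esac
}

# Audit check for the caveat above: given an environment listing (output of
# env(1), or of FreeBSD's procstat -e PID for a running shell), return 0 if
# LD_PRELOAD still names the library and 1 if it has been dropped.
preload_present() {
    lib="$1"
    printf '%s\n' "$2" | grep -q "LD_PRELOAD=[^[:space:]]*$lib"
}

# Export LD_PRELOAD and hand control to the normal startup, as suggested in
# the thread. A missing library is reported rather than silently preloaded.
run_rc() {
    if [ -f "$SNOOPY_LIB" ]; then
        LD_PRELOAD=$(build_preload "$SNOOPY_LIB" "${LD_PRELOAD:-}")
        export LD_PRELOAD
    else
        echo "rc.snoopy: $SNOOPY_LIB missing, starting /etc/rc without logging" >&2
    fi
    exec /etc/rc "$@"
}

# Only start rc when invoked with the "run" verb, so the functions above can
# also be sourced by an audit script without side effects.
case "${1:-}" in
    run) shift; run_rc "$@" ;;
esac
```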