From owner-freebsd-current Mon Nov 22 3:26:33 1999
Delivered-To: freebsd-current@freebsd.org
Received: from freja.webgiro.com (freja.webgiro.com [212.209.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 9F8E914C12 for ; Mon, 22 Nov 1999 03:26:23 -0800 (PST) (envelope-from abial@webgiro.com)
Received: by freja.webgiro.com (Postfix, from userid 1001) id 947AC1932; Mon, 22 Nov 1999 12:27:01 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by freja.webgiro.com (Postfix) with ESMTP id 9329949D2 for ; Mon, 22 Nov 1999 12:27:01 +0100 (CET)
Date: Mon, 22 Nov 1999 12:27:01 +0100 (CET)
From: Andrzej Bialecki
To: freebsd-current@freebsd.org
Subject: ANNOUNCE: SPY-0.1 - syscalls monitor
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

SPY allows you to monitor and/or selectively block syscalls on your system. It could be used as a safety monitoring device, a policy enforcement mechanism, or a debugging tool.

You can download the sources (NOTE: -current only) from:

http://www.freebsd.org/~abial/spy-0.1.tgz

Excerpt of README follows:

---------------------------------------------------------------------

This kernel module allows you to selectively monitor and/or disable execution of system calls (syscalls) on your system, and log detailed info to the syslog service.

It's sometimes desirable to monitor selected syscalls for security reasons, or for debugging. For example, many security holes are related to setuid/setgid programs. You can monitor and log all attempts to use these syscalls. You can also disable certain syscalls altogether, if you really know what you're doing...

Already existing tools (like ktrace(1) or truss(1)) can provide much more detailed information, but they are better suited to tracing single processes or process groups, not to setting an overall system policy (speaking of which: this module is an example of a very primitive auditing and policy enforcing device).

Features
--------

Using the SPY module you can set up your system to:

* log detailed info on execution of any selected syscall. For a few of the most important ones, there are specific handlers that also log the arguments of the syscall in an understandable format. They are as follows:

    execve, set*id, chdir, open, link, unlink, chmod, chown, mkdir, rmdir

  (You are welcome to add others :-) Any syscall can be monitored, but in the general case its arguments cannot be interpreted.

* set the kind of information to be logged. You can restrict logging on a per-syscall basis, with the following constraints (OR-ed):

    - uid or gid
    - superuser only
    - all users except superuser
    - combination of the above

  You can also adjust the level of logging on a per-syscall basis. There are three levels available:

    - basic: logs the minimum information sufficient to identify the syscall and the process owner
    - arg: logs also the arguments of the syscall, if possible
    - full: logs all information available.

* disable selected syscalls, which prevents specified categories of users from using them at all; any such attempt is logged.

By default the SPY module logs attempts to use the execve syscall by root-owned processes, and setuid/setgid by any user-owned process. The default mode for other syscalls, used when you add them to monitoring, is to log all uses with all arguments.

---------------------------------------------------------------------

Andrzej Bialecki  //  WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----
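The policy semantics in the Features list of the README excerpt (a per-syscall rule table, OR-ed caller constraints of uid, gid, superuser-only and everyone-but-superuser, the basic/arg/full log levels, and disabling a syscall so that the attempt is refused and logged) can be modelled in userland to see how a rule table is evaluated. The C program below is an added example written for this page; it is not code from SPY-0.1 or from the FreeBSD tree, and its names (spy_rule, spy_check, spy_try, the SPY_WHO_* flags, the two rule tables) and the log-line format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical userland model of a SPY-style syscall policy table.
 * Not the SPY module's code; every name here is an assumption. */

enum spy_level   { SPY_BASIC, SPY_ARG, SPY_FULL };   /* README's three log levels */
enum spy_verdict { SPY_ALLOW, SPY_LOG, SPY_DENY };   /* pass silently / pass+log / refuse+log */

/* Caller constraints, OR-ed together as the README describes. */
#define SPY_WHO_UID     0x01  /* a specific uid */
#define SPY_WHO_GID     0x02  /* a specific gid */
#define SPY_WHO_ROOT    0x04  /* superuser only */
#define SPY_WHO_NONROOT 0x08  /* everyone except the superuser */
#define SPY_WHO_ANY     (SPY_WHO_ROOT | SPY_WHO_NONROOT)

struct spy_rule {
    const char *syscall;   /* syscall name, e.g. "execve" */
    unsigned who;          /* SPY_WHO_* flags */
    uid_t uid;             /* compared only when SPY_WHO_UID is set */
    gid_t gid;             /* compared only when SPY_WHO_GID is set */
    enum spy_level level;  /* how much to put in the log line */
    int disabled;          /* nonzero: refuse the call for matching callers */
};

/* Constructed table mirroring the README's defaults: root execve and
 * set*id by anyone are logged; nothing is disabled. */
static const struct spy_rule spy_defaults[] = {
    { "execve", SPY_WHO_ROOT, 0, 0, SPY_ARG,   0 },
    { "setuid", SPY_WHO_ANY,  0, 0, SPY_BASIC, 0 },
    { "setgid", SPY_WHO_ANY,  0, 0, SPY_BASIC, 0 },
};
#define SPY_NDEFAULTS (sizeof spy_defaults / sizeof spy_defaults[0])

/* Constructed stricter table: as above, plus link(2) disabled for
 * non-root callers and open(2) audited in full for gid 5. */
static const struct spy_rule spy_strict[] = {
    { "execve", SPY_WHO_ROOT,    0, 0, SPY_ARG,   0 },
    { "setuid", SPY_WHO_ANY,     0, 0, SPY_BASIC, 0 },
    { "setgid", SPY_WHO_ANY,     0, 0, SPY_BASIC, 0 },
    { "link",   SPY_WHO_NONROOT, 0, 0, SPY_FULL,  1 },
    { "open",   SPY_WHO_GID,     0, 5, SPY_FULL,  0 },
};
#define SPY_NSTRICT (sizeof spy_strict / sizeof spy_strict[0])

/* Does this rule apply to a process owned by uid/gid?  Any one set
 * constraint that matches is enough (OR semantics). */
static int spy_applies(const struct spy_rule *r, uid_t uid, gid_t gid)
{
    if ((r->who & SPY_WHO_ROOT)    && uid == 0)      return 1;
    if ((r->who & SPY_WHO_NONROOT) && uid != 0)      return 1;
    if ((r->who & SPY_WHO_UID)     && uid == r->uid) return 1;
    if ((r->who & SPY_WHO_GID)     && gid == r->gid) return 1;
    return 0;
}

/* Evaluate one syscall attempt against a table.  On LOG/DENY a
 * syslog-style line is written to logbuf; arg is NULL when no handler
 * can interpret the syscall's arguments.  First matching rule wins;
 * an unmonitored syscall passes through with an empty log line. */
enum spy_verdict spy_check(const struct spy_rule *rules, size_t nrules,
                           const char *syscall, pid_t pid, uid_t uid, gid_t gid,
                           const char *arg, char *logbuf, size_t logsz)
{
    size_t i;
    for (i = 0; i < nrules; i++) {
        const struct spy_rule *r = &rules[i];
        int n;
        if (strcmp(r->syscall, syscall) != 0 || !spy_applies(r, uid, gid))
            continue;
        n = snprintf(logbuf, logsz, "spy: %s%s pid=%ld uid=%ld",
                     r->disabled ? "DENIED " : "", syscall, (long)pid, (long)uid);
        if (r->level >= SPY_ARG && arg != NULL && n > 0 && (size_t)n < logsz)
            n += snprintf(logbuf + n, logsz - n, " arg=\"%s\"", arg);
        if (r->level == SPY_FULL && n > 0 && (size_t)n < logsz)
            snprintf(logbuf + n, logsz - n, " gid=%ld", (long)gid);
        return r->disabled ? SPY_DENY : SPY_LOG;
    }
    logbuf[0] = '\0';
    return SPY_ALLOW;
}

/* Convenience wrapper keeping the last log line where a caller can read it. */
static char spy_lastlog[256];
enum spy_verdict spy_try(const struct spy_rule *rules, size_t nrules,
                         const char *syscall, pid_t pid, uid_t uid, gid_t gid,
                         const char *arg)
{
    return spy_check(rules, nrules, syscall, pid, uid, gid, arg,
                     spy_lastlog, sizeof spy_lastlog);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "LOG", "DENY" };
    /* constructed sample attempts, not captured from a real system */
    printf("%s  %s\n", names[spy_try(spy_defaults, SPY_NDEFAULTS, "execve", 123, 0, 0, "/bin/sh")], spy_lastlog);
    printf("%s  %s\n", names[spy_try(spy_defaults, SPY_NDEFAULTS, "setuid", 200, 1000, 1000, NULL)], spy_lastlog);
    printf("%s  %s\n", names[spy_try(spy_strict, SPY_NSTRICT, "link", 300, 1000, 1000, "/tmp/a")], spy_lastlog);
    printf("%s  %s\n", names[spy_try(spy_strict, SPY_NSTRICT, "link", 301, 0, 0, "/tmp/b")], spy_lastlog);
    return 0;
}
```

Build with `cc spy_model.c -o spy_model` and run it. In the real module the equivalent check sits in the kernel's syscall entry path and the line goes to syslog; the model returns the line instead so it can be inspected. One property worth noticing when writing such a policy: matching is per rule and the table falls through to ALLOW, so a syscall that no rule names is neither logged nor blocked. "Disable" in this scheme is a targeted deny for the callers a rule names, not a default-deny for the system.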