Hi,

SPY allows you to monitor and/or selectively block syscalls on your
system. It could be used either as a safety monitoring device, policy
enforcement, or debugging tool. You can download the sources (NOTE:
-current only) from:

        http://www.freebsd.org/~abial/spy-0.1.tgz

Excerpt of README follows:

---------------------------------------------------------------------

This kernel module allows you to selectivly monitor and/or disable
execution of system calls (syscalls) on your system, and log detailed
info to syslog service.

It's sometimes desirable to monitor selected syscalls for security
reasons, or for debugging. For example, many security holes are
related to setuid/setgid programs. You can monitor and log all
attempts to use these syscalls. You can also disable certain syscalls
altogether, if you really know what you're doing...

Already existing tools (like ktrace(1) or truss(1)) can provide
much more detailed information, but they are more fit to tracing
single processes or process groups, and not setting overall system
policy (speaking of which: this module is an example of very primitive
auditing and policy enforcing device).

Features
--------

Using SPY module you can set up your system to:

* log detailed info on execution of any selected syscall. In case of
  a few most important ones, there are specific handlers to log also
  the arguments of the syscall in understandable format. They are
  as follows:
        execve, set*id, chdir, open, link, unlink, chmod, chown,
        mkdir, rmdir

  (You are welcome to add others :-) Any syscall can be monitored, but
  in general case its arguments cannot be interpreted.

* set kind of information to be logged. You can restrict logging on
  a per syscall basis, with the following constraints (OR-ed):
        - uid or gid
        - superuser only
        - all users except superuser
        - combination of the above
  You can also adjust level of logging on a per syscall basis. There are
  three levels available:
        - basic: logs minimum information sufficient to identify the
          syscall and process owner
        - arg: logs also the arguments of the syscall, if possible
        - full: logs all information available.

* disable selected syscalls, which prevents specified categories of
  users to use them at all, and any such attempt is logged.

By default the SPY module logs attempts to use execve syscall by
root owned processes, and setuid/setgid by any user owned process.
Default mode for other syscalls, used when you add them to monitoring,
is to log all uses with all arguments.

---------------------------------------------------------------------


Andrzej Bialecki

//  <[EMAIL PROTECTED]> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to