From: Daniel Souza <thehazard@gmail.com>
To: Arjan van de Ven <arjan@infradead.org>
Cc: Igor Shmukler <igor.shmukler@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: intercepting syscalls
Date: Fri, 15 Apr 2005 13:19:55 -0700
Message-ID: <e1e1d5f4050415131977a776e9@mail.gmail.com>
In-Reply-To: <1113596014.6694.87.camel@laptopd505.fenrus.org>
On 4/15/05, Arjan van de Ven <arjan@infradead.org> wrote:
> On Fri, 2005-04-15 at 13:10 -0700, Daniel Souza wrote:
> > You're welcome, Igor. I needed to intercept syscalls in a little
> > project that I was implementing, to keep track of filesystem changes,
>
> I assume you weren't about tracking file content changing... since you
> can't do that with syscall hijacking.. (that is a common misconception
> by people who came from a MS Windows environment and did things like
> anti virus tools there this way)
No, I was tracking file creations/modifications/attempts of
access/directory creations|modifications/file moves/program
executions with some filter exceptions (avoid logging library loads by
ldd to preserve disk space).
It was a little module that logs file changes and program executions
to syslog (showing owner, pid, ppid, process name, return of
operation, etc.), that, used with remote syslog logging to a 'strictly
secure' machine (just receives logs), keeps security logs of everything
(like, it was possible to see apache running commands such as "ls -la /" or
"ps aux", that, in fact, were signs of intrusion or attempts of intrusion,
because it's not a usual behavior of httpd. Maybe someone exploited a
php page to execute arbitrary scripts...)
--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
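The detection the message above describes, as an added example (not code from the thread or from Daniel's module): a small scanner over the kind of records such a module would ship to the remote syslog host, flagging a web-server account executing binaries it has no business running and denied accesses to sensitive paths. The event fields (owner, pid, ppid, process name, operation result) are the ones the message lists; the record layout, the `fsmon:` tag, the account and path lists and the sample log lines are all constructed assumptions, since the thread never shows the real format. The shared-library filter mirrors the "don't log library loads" exception the message mentions.

```python
"""Scan constructed syscall-audit records for web-server misbehaviour.

Added example, not the module from the LKML thread. The line layout,
the 'fsmon:' tag and every sample line below are assumptions made for
illustration; only the field set (owner/pid/ppid/comm/ret) comes from
the message this example follows.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: str
    host: str
    op: str
    owner: str
    pid: int
    ppid: int
    comm: str
    target: str
    ret: int


# Assumed record layout, e.g.
#   Apr 15 13:10:05 web1 fsmon: op=exec owner=apache pid=2213 ppid=2212 comm=php target=/bin/sh ret=0
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) fsmon: "
    r"op=(?P<op>\w+) owner=(?P<owner>[\w-]+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"comm=(?P<comm>\S+) target=(?P<target>\S+) ret=(?P<ret>-?\d+)$"
)

# Assumed site policy: which accounts the web server runs as, and the only
# binaries those accounts are expected to exec.
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd"}
EXPECTED_EXEC = {"/usr/bin/php", "/usr/bin/php-cgi", "/usr/sbin/httpd", "/usr/sbin/sendmail"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/")

# Same idea as the module's own filter exception: shared-library opens are
# pure noise, so drop them before any rule looks at the event.
NOISE_TARGET_RE = re.compile(r"\.so(\.\d+)*$")


def parse_line(line: str) -> Optional[Event]:
    """Parse one record; return None for lines that are not audit events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], d["host"], d["op"], d["owner"], int(d["pid"]),
                 int(d["ppid"]), d["comm"], d["target"], int(d["ret"]))


def is_noise(ev: Event) -> bool:
    return ev.op == "open" and NOISE_TARGET_RE.search(ev.target) is not None


def classify(ev: Event) -> Optional[str]:
    """Return a reason string if the event is suspicious, else None."""
    if ev.owner not in SERVICE_ACCOUNTS:
        return None
    # A web server spawning ls/ps/sh is the signal the message describes:
    # most likely a compromised PHP page executing attacker commands.
    if ev.op == "exec" and ev.target not in EXPECTED_EXEC:
        return f"unexpected exec by service account: {ev.comm} -> {ev.target}"
    # The module logged the return value, so failed attempts are visible too.
    if ev.ret < 0 and ev.target.startswith(SENSITIVE_PATHS):
        return f"denied access to sensitive path: {ev.target} (ret={ev.ret})"
    return None


def scan(lines: List[str]) -> List[Tuple[str, Event]]:
    """Run every record through the noise filter and the rules."""
    findings: List[Tuple[str, Event]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or is_noise(ev):
            continue
        reason = classify(ev)
        if reason:
            findings.append((reason, ev))
    return findings


# Constructed sample: a normal PHP request, then a shell spawned from PHP
# that runs recon commands, then an unrelated root cron job, then a denied
# read of /etc/shadow by the web server account.
SAMPLE_LOG = [
    "Apr 15 13:10:01 web1 fsmon: op=exec owner=apache pid=2212 ppid=1804 comm=httpd target=/usr/bin/php ret=0",
    "Apr 15 13:10:02 web1 fsmon: op=open owner=apache pid=2212 ppid=1804 comm=php target=/usr/lib/libxml2.so.2 ret=0",
    "Apr 15 13:10:05 web1 fsmon: op=exec owner=apache pid=2213 ppid=2212 comm=php target=/bin/sh ret=0",
    "Apr 15 13:10:05 web1 fsmon: op=exec owner=apache pid=2214 ppid=2213 comm=sh target=/bin/ls ret=0",
    "Apr 15 13:10:06 web1 fsmon: op=exec owner=apache pid=2215 ppid=2213 comm=sh target=/bin/ps ret=0",
    "Apr 15 13:10:09 web1 fsmon: op=create owner=apache pid=2216 ppid=2213 comm=sh target=/tmp/.x ret=0",
    "Apr 15 13:11:00 web1 fsmon: op=exec owner=root pid=2300 ppid=1 comm=cron target=/bin/ls ret=0",
    "Apr 15 13:11:01 web1 fsmon: op=open owner=apache pid=2217 ppid=1804 comm=httpd target=/etc/shadow ret=-13",
]

if __name__ == "__main__":
    for reason, ev in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} pid={ev.pid} ppid={ev.ppid} {reason}")
```

The ppid field is what lets you walk the chain back from `ls` to `sh` to `php` to `httpd` when reading the findings; the rules here deliberately key on the owning account rather than on the parent chain, because an attacker who gets a shell under the service account cannot change which user the kernel reports.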
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-15 18:04 intercepting syscalls Igor Shmukler
2005-04-15 18:11 ` Arjan van de Ven
2005-04-15 19:41 ` Igor Shmukler
2005-04-15 19:51 ` Daniel Souza
2005-04-15 19:59 ` Igor Shmukler
2005-04-15 20:10 ` Daniel Souza
2005-04-15 20:13 ` Arjan van de Ven
2005-04-15 20:19 ` Daniel Souza [this message]
2005-04-15 20:25 ` Chris Wright
2005-04-15 20:38 ` Richard B. Johnson
2005-04-15 21:00 ` Daniel Souza
2005-04-15 20:55 ` Steven Rostedt
2005-04-18 11:54 ` Rik van Riel
2005-04-18 14:48 ` Igor Shmukler
2005-04-18 14:59 ` Arjan van de Ven
2005-04-18 15:06 ` Igor Shmukler
2005-04-18 15:20 ` Arjan van de Ven
2005-04-18 18:56 ` Terje Malmedal
2005-04-18 19:19 ` Timur Tabi
2005-04-18 19:40 ` Arjan van de Ven
2005-04-19 8:32 ` Terje Malmedal
2005-04-18 15:17 ` Randy.Dunlap
2005-04-18 16:20 ` Igor Shmukler
2005-04-18 16:26 ` Christoph Hellwig
2005-04-15 20:03 ` Randy.Dunlap
2005-04-15 18:12 ` Chris Wright
2005-04-15 18:16 ` Timur Tabi
2005-04-15 19:27 ` Zan Lynx
2005-04-15 20:25 ` Petr Baudis
2005-04-15 23:05 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>