Simple hack, auditing the FS

Post by Peat Bak » Fri, 27 Jun 1997 04:00:00



Heya,
        I've been having some trouble with this, and I was wondering if
I could get some help.  I'm brand new to kernel hacking, so I was hoping
I could get some help from you folks.
        Here's the problem:  I want a message printed to /var/log/messages
every time someone tries to open /etc/passwd.  I've decided to start with
sys_open() -- what I'm having trouble with is figuring out if the file being
opened is /etc/passwd.  :P
        My first idea was just a simple strcmp() .. however, I started
realizing that not all calls have absolute pathnames (ie, instead of
/etc/passwd, it could just be passwd, or even ../passwd), so I've decided
to try and keep track of the inode.
        Finding the inode of passwd is simple from the shell .. ls -i ..
but for the life of me, I can't get namei() to give me the same number.
Am I totally off base here, or am I sort of on the right track?  :)

Thanks,
        Peat

--

http://www.europa.com/~pb/
Powered by Linux since '95

a living.  The world owes you nothing.  It was here first."  -- Mark Twain


Simple hack, auditing the FS

Post by Scott Lai » Fri, 27 Jun 1997 04:00:00



>    Here's the problem:  I want a message printed to /var/log/messages
>every time someone tries to open /etc/passwd.  I've decided to start with
>sys_open() -- what I'm having trouble with is figuring out if the file being
>opened is /etc/passwd.  :P

You *do* realize just how many Unix programs read /etc/passwd, don't
you?  Little things like 'ls' open it all the time.  I just ran
'strings /usr/bin/* | grep /etc/passwd | wc' and got 19 hits.

I suspect you're going to be swimming in /etc/passwd hits, but it's
your syslog :-).

Scott


Simple hack, auditing the FS

Post by David Manda » Sat, 28 Jun 1997 04:00:00


A very quick and dirty hack would be to:
1) Reverse the string (use strrev).
2) Find the first occurrence of / and replace it with a null (if there is a
path attached remove it). (Use strtok or write your own function.)
3) Reverse the string so it's readable again (strrev again).
4) Do your compare to passwd (strcmp).
5) Log it if it matches.

It's quick, it's dirty, but it will work.


>Heya,
>        I've been having some trouble with this, and I was wondering if
>I could get some help.  I'm brand new to kernel hacking, so I was hoping
>I could get some help from you folks.
>        Here's the problem:  I want a message printed to /var/log/messages
>every time someone tries to open /etc/passwd.  I've decided to start with
>sys_open() -- what I'm having trouble with is figuring out if the file being
>opened is /etc/passwd.  :P
>        My first idea was just a simple strcmp() .. however, I started
>realizing that not all calls have absolute pathnames (ie, instead of
>/etc/passwd, it could just be passwd, or even ../passwd), so I've decided
>to try and keep track of the inode.
>        Finding the inode of passwd is simple from the shell .. ls -i ..
>but for the life of me, I can't get namei() to give me the same number.
>Am I totally off base here, or am I sort of on the right track?  :)

>Thanks,
>        Peat

Online Partners
(415) 252-6700 Voice (415) 252-6738 Fax

Simple hack, auditing the FS

Post by Colin Plu » Sat, 28 Jun 1997 04:00:00



> Heya,
>         I've been having some trouble with this, and I was wondering if
> I could get some help.  I'm brand new to kernel hacking, so I was hoping
> I could get some help from you folks.
>         Here's the problem:  I want a message printed to /var/log/messages
> every time someone tries to open /etc/passwd.  I've decided to start with
> sys_open() -- what I'm having trouble with is figuring out if the file being
> opened is /etc/passwd.  :P
>         My first idea was just a simple strcmp() .. however, I started
> realizing that not all calls have absolute pathnames (ie, instead of
> /etc/passwd, it could just be passwd, or even ../passwd), so I've decided
> to try and keep track of the inode.
>         Finding the inode of passwd is simple from the shell .. ls -i ..
> but for the life of me, I can't get namei() to give me the same number.
> Am I totally off base here, or am I sort of on the right track?  :)

namei just returns success/failure.  It puts the inode it found into
res_inode, the second argument.  Check (*res_inode)->i_ino for the
number.  Be sure to check that it's the right file system too!

There's a much simpler, and more general way.  chattr.

Grab an ext2fs attribute bit, call it log_open.  When you open a file
with that bit set, log it.  Set that bit on /etc/passwd, and anything
else you want.  (Hacking the chattr source may be a good idea.)
--
        -Colin


Simple hack, auditing the FS

Post by Heiko Schlitterma » Sat, 28 Jun 1997 04:00:00



>Heya,
>    I've been having some trouble with this, and I was wondering if
>I could get some help.  I'm brand new to kernel hacking, so I was hoping
>I could get some help from you folks.
>    Here's the problem:  I want a message printed to /var/log/messages
>every time someone tries to open /etc/passwd.  I've decided to start with
>sys_open() -- what I'm having trouble with is figuring out if the file being
>opened is /etc/passwd.  :P
>    My first idea was just a simple strcmp() .. however, I started
>realizing that not all calls have absolute pathnames (ie, instead of
>/etc/passwd, it could just be passwd, or even ../passwd), so I've decided
>to try and keep track of the inode.

For a starting point, try to find ``logwrites'', written by Adam Richter
(Yggdrasil (sp?)).  It uses some ELF-magic (?) to keep track of
all file open/close/write/append ...

But be aware, /etc/passwd is used very often!  At least for reading.

Heiko
--

pgp   : A1 7D F6 7B 69 73 48 35  E1 DE 21 A7 A8 9A 77 92

voice : +49-351-4638321                  +49-172-7909055


Simple hack, auditing the FS

Post by Nir Soff » Sat, 28 Jun 1997 04:00:00


Wouldn't that log all accesses to /usr/games/passwd, /usr/bin/passwd, etc.
etc. etc.?

Regards,
Nir.

: A very quick and dirty hack would be to:
: 1) Reverse the string (use strrev).
: 2) Find the first occurrence of / and replace it with a null (if there is a
: path attached remove it). (Use strtok or write your own function.)
: 3) Reverse the string so it's readable again (strrev again).
: 4) Do your compare to passwd (strcmp).
: 5) Log it if it matches.

: It's quick, it's dirty, but it will work.


: >Heya,
: >        I've been having some trouble with this, and I was wondering if
: >I could get some help.  I'm brand new to kernel hacking, so I was hoping
: >I could get some help from you folks.
: >        Here's the problem:  I want a message printed to /var/log/messages
: >every time someone tries to open /etc/passwd.  I've decided to start with
: >sys_open() -- what I'm having trouble with is figuring out if the file being
: >opened is /etc/passwd.  :P
: >        My first idea was just a simple strcmp() .. however, I started
: >realizing that not all calls have absolute pathnames (ie, instead of
: >/etc/passwd, it could just be passwd, or even ../passwd), so I've decided
: >to try and keep track of the inode.
: >        Finding the inode of passwd is simple from the shell .. ls -i ..
: >but for the life of me, I can't get namei() to give me the same number.
: >Am I totally off base here, or am I sort of on the right track?  :)
: >
: >Thanks,
: >        Peat
: >

: Online Partners
: (415) 252-6700 Voice (415) 252-6738 Fax

--

http://www.cs.huji.ac.il/~scorpios/
'Keyboard not responding, press F1 to continue.'
Mail me with the subject "get pgp key" to get my PGP Public key.


Simple hack, auditing the FS

Post by Bob Tinsl » Sat, 28 Jun 1997 04:00:00


[Cc'd to Remy Card]



> There's a much simpler, and more general way.  chattr.

> Grab an ext2fs attribute bit, call it log_open.  When you open a file
> with that bit set, log it.  Set that bit on /etc/passwd, and anything
> else you want.  (Hacking the chattr source may be a good idea.)

I was thinking about doing precisely this a couple of weeks ago, and decided
you could get pretty good logging from creating a complete set of new
ext2fs attributes:

        R/W/(?A/X?)     which log the device, inode and uid of any process
                        opening the marked item for read/write/append/execute;

        U/G             which don't log if the process has the same uid/gid
                        as the file owner;

        Z               which simulates a seg-fault (or some other fatal error)
                        if someone attempts to execute the file.

The purpose of this last is to assist in taking a pro-active role in
detecting anyone trying the latest exploit against some rarely-used
s[ug]id program.

Needless to say, these attributes should only be able to be read/set by root.
(Or, possibly, the file-owner...)

Comments, anyone? I don't, unfortunately, have any time to work on this,
but most of it (possibly apart from Z) would appear to be fairly easy to
implement. Then again, I'm definitely no kernel hacker.

--
        -- Bob



Simple hack, auditing the FS

Post by Robert Nicho » Sat, 28 Jun 1997 04:00:00




:>
:>   Here's the problem:  I want a message printed to /var/log/messages
:>every time someone tries to open /etc/passwd.  I've decided to start with
:>sys_open() -- what I'm having trouble with is figuring out if the file being
:>opened is /etc/passwd.  :P
:
:You *do* realize just how many Unix programs read /etc/passwd, don't
:you?  Little things like 'ls' open it all the time.  I just ran
:'strings /usr/bin/* | grep /etc/passwd | wc' and got 19 hits.

That's greatly understating the problem since you're not seeing the
programs that just use the getpwent() family of library calls to read
the password file and never explicitly reference /etc/passwd elsewhere.
You won't find the string "/etc/passwd" in the 'ls' executable, for
example.

--


PGP public key 1024/9A9C7955
Key fingerprint = 2F E5 82 F8 5D 06 A2 59  20 65 44 68 87 EC A7 D7


Simple hack, auditing the FS

Post by Zack Weinbe » Wed, 02 Jul 1997 04:00:00




>A very quick and dirty hack would be to:
>1) Reverse the string (use strrev).
>2) Find the first occurrence of / and replace it with a null (if there is a
>path attached remove it). (Use strtok or write your own function.)
>3) Reverse the string so it's readable again (strrev again).
>4) Do your compare to passwd (strcmp).
>5) Log it if it matches.

[snip]

Much easier and less CPU intensive:

p = strrchr(path, '/');
file = p ? p + 1 : path;   /* no '/' at all (e.g. "passwd"): the whole string is the name */

(if strrchr isn't in the kernel, you can write your own scanning loop that
walks the string and remembers the position of the last '/'.)

zw
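The name-versus-inode question that runs through this thread (David's basename procedure, Nir's objection that it also matches /usr/bin/passwd, Colin's advice to compare i_ino and the filesystem, and Zack's strrchr shortcut) demonstrated side by side in userspace C. This is an added example, not code from any poster: it stands in for the kernel's namei()/res_inode lookup with stat() and compares (st_dev, st_ino), and it builds a throwaway directory tree of made-up files so nothing touches the real /etc/passwd.

```c
/* Added example: name-based vs identity-based detection of "the passwd file".
 *
 *  name_says_passwd()  last path component == "passwd" (Zack's strrchr idea,
 *                      with the no-slash case handled)
 *  same_file()         same inode on the same device as the audited file
 *                      (userspace analogue of Colin's i_ino + filesystem check)
 *
 * run_demo() builds a constructed tree under /tmp and returns a bit mask of
 * which check fired on which path; expected value is 43 (bits 0,1,3,5). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Last path component.  strrchr() returns NULL when there is no '/' at all
 * (a bare "passwd"), so a blind "+ 1" would be undefined behaviour. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Name-based check: matches /etc/passwd, but equally /usr/bin/passwd. */
int name_says_passwd(const char *path)
{
    return strcmp(base_name(path), "passwd") == 0;
}

/* Identity-based check.  st_ino alone is not enough: inode numbers repeat
 * across filesystems, so st_dev must match as well. */
int same_file(const char *path, const char *target)
{
    struct stat a, b;
    if (stat(path, &a) != 0 || stat(target, &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Create an empty file; 0 on success. */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Constructed tree (all names are made up for the demo):
 *   <tmp>/etc/passwd           the file we want to audit
 *   <tmp>/bin/passwd           an unrelated file that happens to share the name
 *   <tmp>/etc/passwd-hardlink  the audited file under a different name
 * Returns -1 if the tree could not be built. */
int run_demo(void)
{
    char tmpl[] = "/tmp/auditdemoXXXXXX";
    char etc[256], bin[256], target[256], decoy[256], alias[256], relpath[256];
    const char *root = mkdtemp(tmpl);
    int mask = 0;

    if (!root)
        return -1;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(bin, sizeof bin, "%s/bin", root);
    snprintf(target, sizeof target, "%s/etc/passwd", root);
    snprintf(decoy, sizeof decoy, "%s/bin/passwd", root);
    snprintf(alias, sizeof alias, "%s/etc/passwd-hardlink", root);
    snprintf(relpath, sizeof relpath, "%s/bin/../etc/passwd", root);

    if (mkdir(etc, 0700) || mkdir(bin, 0700) ||
        touch(target) || touch(decoy) || link(target, alias))
        return -1;

    mask |= name_says_passwd(target)   ?  1 : 0;  /* hit */
    mask |= name_says_passwd(decoy)    ?  2 : 0;  /* false positive: wrong file */
    mask |= name_says_passwd(alias)    ?  4 : 0;  /* miss: same file, other name */
    mask |= same_file(relpath, target) ?  8 : 0;  /* hit through a relative path */
    mask |= same_file(decoy, target)   ? 16 : 0;  /* correctly ignored */
    mask |= same_file(alias, target)   ? 32 : 0;  /* caught despite the name */

    unlink(alias); unlink(decoy); unlink(target);
    rmdir(bin); rmdir(etc); rmdir(root);
    return mask;
}

int main(void)
{
    printf("result mask = %d (expected 43)\n", run_demo());
    return 0;
}
```

The mask makes the trade-off concrete: the name check fires on the unrelated bin/passwd (bit 1) and misses the hard link (bit 2 clear), while the (st_dev, st_ino) check gets all three cases right, including "bin/../etc/passwd". Colin's reminder to check the filesystem is why st_dev is compared and not just the inode number from ls -i.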