Question (excerpt): If yes, is there another reliable, secure method of "monitoring" system calls (and, maybe receiving signals), that a process cannot break (assuming proper Linux implementation)?

Answer 1:

On Linux, you can reliably monitor a selection of system calls or file accesses with the audit subsystem. Make sure the auditd daemon is running, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical configurations). You'll find simple examples of auditctl usage on this site, on Server Fault, and on Unix Stack Exchange.

Strace or associated programs using ptrace are reliable ways of monitoring system calls, but I would be wary of using them on a malicious program. I couldn't tell you how off the top of my head, but it should be possible for a monitored program to make the right ptrace calls to evade monitoring. Note that a malicious program could spawn a process that is not audited and can execute code that won't be logged. For example, it could use mmap to write to a file without the file contents ever appearing as the arguments of system calls, make this file executable and spawn a process executing it. The spawned process can typically break the process tree with something like ssh localhost. If you audit all the processes executed by a given user (as opposed to only a single process and its descendants), you'll be able to log everything.

Answer 2:

To reiterate in a slightly different way what D.W. has already said, ptrace is a system call that strace, gdb and the like make to monitor a process's actions. There are two problems with this approach:

1. As you probably know, hooking system calls is a favourite technique of rootkit authors. It's entirely possible to replace ptrace, provide you the output of another process or some other such malfeasance.

2. Processes are not always written to submit willingly to debuggers.
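The first answer's point that a per-user audit rule catches what a per-process-tree monitor misses, as an added example that is not part of the thread: it parses constructed audit.log records (the SYSCALL/EXECVE pairs auditd writes for an execve rule on a login uid, syscall 59 on x86_64) and shows which exec events fall outside the process tree of a single monitored pid. The rule in the comment, the pids and the paths are assumptions chosen for the illustration.

```python
import re

# Constructed sample records in the shape auditd writes to /var/log/audit/audit.log
# for an execve rule keyed on the login uid (auid), e.g. (rule and records are illustrative):
#   auditctl -a always,exit -F arch=b64 -S execve -F auid=1000 -k exec_uid1000
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="exec_uid1000"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ssh" a1="localhost"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4102 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec_uid1000"
type=EXECVE msg=audit(1700000000.202:202): argc=1 a0="-bash"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4102 pid=4103 auid=1000 uid=1000 comm="staged" exe="/tmp/staged" key="exec_uid1000"
type=EXECVE msg=audit(1700000000.303:203): argc=1 a0="/tmp/staged"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_audit_log(text):
    """Join the SYSCALL and EXECVE records of each audit event (same event serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"argv": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(syscall=int(fields["syscall"]), auid=int(fields["auid"]),
                      pid=int(fields["pid"]), ppid=int(fields["ppid"]), exe=fields.get("exe", ""))
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return [events[k] for k in sorted(events, key=int)]

def execs_for_auid(events, auid):
    """Exec events for one login uid, whatever their process ancestry (the per-user view)."""
    return [e for e in events if e.get("auid") == auid]

def execs_outside_tree(events, root_pid):
    """Exec events a monitor that only follows root_pid and its descendants would never see."""
    # Descent is reconstructed from recorded ppid links, so a process whose parent
    # lies outside the tree (here a shell started by sshd, ppid=900) is outside too.
    tree = {root_pid}
    for e in events:
        if e.get("ppid") in tree:
            tree.add(e["pid"])
    return [e for e in events if e.get("pid") not in tree]

if __name__ == "__main__":
    evs = execs_for_auid(parse_audit_log(SAMPLE_AUDIT_LOG), 1000)
    print([(e["pid"], e["exe"]) for e in execs_outside_tree(evs, 4100)])
```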