hey,

right, I have a little query.... I want to write a security feature that will monitor all calls and commands made during a bash session on the terminal on my local machine. To do this I was thinking of altering the source code for bash, so whenever I or someone else types on the command line and tries to execute any command, that command is checked to see if it is allowed. My thinking behind this is that any system calls could then be intercepted and checked to ensure that they are allowed before being executed in Kernel Space.

As an aside, nothing has to be logged as such, but only just to ensure no unwanted (only predefined and allowed) system calls are allowed to execute.

However...... I am new to Linux and am not sure if this is even possible. Can the Bash script be modified in this way to catch system calls before they are excuted. And how would the bash script know what a system call was, without having to delve into Kernel code to look out trap calls? Is this approach stupid or would a Kernel based approach be better??

Any help, suggestions, or "what are you, stupid??!!" comments would be greatly appreciated...

yours in hope,
Gearoid

It might be simpler if you restricted root access to yourself, and grant privileged access to one group of users, and put all of the users in other groups. That is the original design concept for unix anyway.

Maybe if you defined what your problem is, we could give you a simple solution. re-writing bash is NOT a simple solution. It sounds a like a basic sysadmin problem to me.

what I am trying to do though is to create a type of bash terminal "sandbox", from which user commands and program invokations will be screened and protected. The customised shell will check the command (which may have embedded system calls) and execute it if allowed. So any applications allowed to be launched from this shell will then be spawned / forked from this shell and will always interact with the shell before trying to acces the Kernel and make OS / system calls....

Yeah, that brings me to another point though.... This sounds really awkard but if a program (say a web browser) was then launched from this shell could subsequent system calls from this app also be monitored through the tailored shell?

It is really just a curious question into if this can be done and how, as opposed to actually doing it for a sys admin fix to be totally functional.

Does this make any sence or am I going about this the totally ass-ways?

The standard security provided by Linux will be sufficient I would imagine. It won't check what system calls a program is going to make, but with properly set read/write permissions, any nasties will be rendered ineffective... i.e. a program that attempts to read the shadow password file will be unable to, as will any attempts to change any system files. In light of this, is there any need for the system you are describing.
Outline a hypothetical situation and how your proposed system would counter it, and I'll try and outline how standard Unix security would deal with the same situation.

I know this sounds like unnecessary overkill given te inbuilt security already in Linux / Unix but it is something I need to look into as part of my masters thesis. So, a hypothetical situation...

Say a web browser accesses some web page and code is passed back through to my local machine and attemps to run some unwanted program. Or say some user downloads some program form the web thinking it does one thing and when it run it starts to do something else (calling system calls to disrupt the O/S, etc.). Well, for each user (and maybe each / some applications) there will be an "allowed list". This will have to be checked each time a user or application (whether knowingly or unknowingly) tries to perform a system call or some other predefined action.

I was wondering though could programs be run and have each step of their execution checked from within a shell. Could a shell be implemented or modified in such a way. I'm not asking anyone to tell me how, just wondering if it is possible to begin with.

This is for a project so it doesn't have to be totally functional, it's just one approach I am investigating. The problem is I'm not sure if it is possible or even any way practical.

I'm sure what you're describing would be possible... GDB intercepts calls in this way.
Standard security would nullify the threats you describe above. If permissions are set properly, no program will be able to 'disrupt the O/S' or do anything else unwanted. Everything vulnerable should be protected by having write/execute (and sometimes read) priveleges restricted to the root user.

ok cool, thanks. I'm gonna have my work cut out trying to understand and re-engineer the bash code though....

I'm in Ireland too... if there's any help I can give you, email or PM me.

aw, sweet deal, thanks for that!!!

Most programs uses libc.. well .. all do.. maybe one could add an security "layer" ontop of libc? .. Then replace the old libc with your "secured" libc.

You could look how libtrash works.. It preloads its signtures before libc.. And overrides calls to "unlink".. The library moves files to a trash directory instead of unlinking them (removing them)... and this without any change to "rm -rf /". Check this link: http://www.m-arriaga.net/software/libtrash/