LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  11-18-2003, 08:45 AM
gearoid (Member; Registered: Nov 2003; Location: Ireland; Distribution: Red Hat 9)
Customizing a more "secure" Bash


hey,

right, I have a little query.... I want to write a security feature that will monitor all calls and commands made during a bash session on the terminal on my local machine. To do this I was thinking of altering the source code for bash, so whenever I or someone else types on the command line and tries to execute any command, that command is checked to see if it is allowed. My thinking behind this is that any system calls could then be intercepted and checked to ensure that they are allowed before being executed in Kernel Space.

As an aside, nothing has to be logged as such, but only just to ensure no unwanted (only predefined and allowed) system calls are allowed to execute.

However...... I am new to Linux and am not sure if this is even possible. Can the Bash script be modified in this way to catch system calls before they are executed? And how would the bash script know what a system call was, without having to delve into Kernel code to look out trap calls? Is this approach stupid or would a Kernel based approach be better??

Any help, suggestions, or "what are you, stupid??!!" comments would be greatly appreciated...

yours in hope,
Gearoid
 
#2  11-18-2003, 11:46 AM
ilikejam (Senior Member; Registered: Aug 2003; Location: Glasgow; Distribution: Fedora / Solaris)
Hi.

You can just set which users (or groups) can execute which commands with chmod. There wouldn't be much point in Users and Groups otherwise. Most system calls aren't allowed to be executed by normal users anyway...

As for the logging, it's already done for you (kind of) - there's a file in each user's home directory called .bash_history which lists all the commands executed by BASH (although I think it only gets updated when the user logs out or closes their xterm).

Any use??

Dave
 
#3  11-18-2003, 11:59 AM
gearoid (Original Poster)
thanks Dave,

I'm looking for something more than just the file access that chmod would provide. maybe if I spell out the problem....

what I am trying to do is to create a type of bash terminal "sandbox", from which user commands and program invocations will be screened and from which the lower kernel can be protected. The customised shell will check the command (which may have embedded system calls) and execute it if it is allowed - according to some list or database table for each user. So any applications allowed to be launched from this shell will then be spawned / forked from this shell and will always interact with the shell before trying to access the Kernel and make OS / system calls.... So any system calls that that application wants to make will pass through the shell first, for interrogation.

But that brings me to another point though.... This sounds really awkward but could a program (say a web browser) that was launched from this shell have all subsequent system calls monitored through the tailored shell before they are carried out by the OS?

Does a running program interact directly with the Kernel or can it run from a shell and through a shell, where the shell will be acting as a "sandbox", protecting the kernel?

I am new to Linux so this might seem totally ridiculous. If anybody thinks so I would be delighted if they would tell me so....

I am really just asking if this is possible. Or if anyone has better ideas I would love to hear them....

thanks again,
Gearoid
 
#4  11-18-2003, 12:07 PM
unSpawn (Moderator; Registered: May 2001)
Quote: "I want to write a security feature that will monitor all calls and commands made during a bash session"
Please tell us the purpose... SOHO snooping, corporate snooping, honeypot/honeynet or just curious if you can pull it off?


Quote: "To do this I was thinking of altering the source code for bash"
Talking strictly Bash logging, here's Antonomasia's homepage, his patch and my rpm.


Quote: "so whenever I or someone else types on the command line and tries to execute any command, that command is checked to see if it is allowed."
It's the place you want to implement this that matters (kernel runs init, init runs getty, getty calls login, login calls shell), so Bash is way down the "tree". If you want to log syscalls and deny some process access to syscalls then you'll LOVE Syscalltrack! Guaranteed uncountable hours of fun making 'em fail! :-]
Other implementations of logging syscalls are LD preloading like libunlink (and I think Elliot, but you'll have to check out yourself).


Quote: "Any help, suggestions, or "what are you, stupid??!!" comments"
I don't think this is stupid. NOT asking, that's stupid.
Besides I don't often call people or their actions stupid, if I do I'll make sure I have a damn good reason (calling people stupid usually makes 'em try to shoot the messenger instead of focussing on what I try to point out).

Last edited by unSpawn; 11-18-2003 at 12:11 PM.
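The kernel-side route unSpawn points at (log syscalls, deny some process access to them) in its modern Linux form: a launcher installs a seccomp-bpf policy and then execs the program, so the kernel checks every call rather than the shell. This is an added example, not code from the thread, from Syscalltrack or from libunlink. It assumes Linux 3.5 or later on x86_64 or aarch64 with a writable /tmp; install_deny_policy, sandbox_demo and the DENIED list are this example's own names and choices, and /tmp/seccomp-demo-<pid> is a constructed path.

```c
/* Added example (not from the thread, Syscalltrack or libunlink): a launcher
 * that installs a kernel-enforced syscall policy with seccomp-bpf and then
 * execs the requested program. Linux only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define POLICY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define POLICY_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#define MAX_RULES 32

/* Classic-BPF instruction helpers (compound literals of struct sock_filter). */
#define LOAD(field) (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(v, jt)  (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (jt), 0)
#define RET(v)      (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (v))

/* Demo policy (constructed): no directory creation. Both numbers are listed
 * because glibc uses whichever one the architecture provides. */
static const int DENIED[] = {
#ifdef __NR_mkdir
    __NR_mkdir,
#endif
    __NR_mkdirat,
};
static const size_t N_DENIED = sizeof DENIED / sizeof DENIED[0];

/* Build and install a BPF program that fails every syscall number in `denied`
 * with EPERM and allows the rest. A deny list keeps the demo runnable inside
 * an ordinary process; the allow list the thread asks for is the same program
 * with the two final return actions swapped. Returns 0 on success, -1 on error. */
static int install_deny_policy(const int *denied, size_t n)
{
    struct sock_filter prog[MAX_RULES + 6];
    size_t i, k = 0;

    if (n > MAX_RULES)
        return -1;
    /* Refuse a foreign ABI first: syscall numbers differ per architecture, so
     * without this check the filter could be sidestepped through another ABI. */
    prog[k++] = LOAD(arch);
    prog[k++] = JEQ(POLICY_ARCH, 1);
    prog[k++] = RET(SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number; a matching rule jumps over the remaining rules
     * and the ALLOW return, landing on the EPERM return. */
    prog[k++] = LOAD(nr);
    for (i = 0; i < n; i++)
        prog[k++] = JEQ((unsigned)denied[i], (unsigned char)(n - i));
    prog[k++] = RET(SECCOMP_RET_ALLOW);
    prog[k++] = RET(SECCOMP_RET_ERRNO | EPERM);

    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    /* Required for unprivileged callers; it also stops the sandboxed program
     * from regaining privileges later through a setuid binary. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Install the demo policy in the calling process, then try to create a
 * directory under /tmp. Returns 0 if mkdir succeeded (it is removed again),
 * the errno it reported (EPERM once the kernel enforces the policy), or -1 if
 * the policy could not be installed. */
static int sandbox_demo(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/seccomp-demo-%ld", (long)getpid());
    if (install_deny_policy(DENIED, N_DENIED) != 0)
        return -1;
    if (mkdir(path, 0700) == 0) {
        rmdir(path);
        return 0;
    }
    return errno;
}

/* Stand-alone use:  ./sandbox sh -c 'mkdir /tmp/x'
 * The filter survives exec, so mkdir in the child fails with EPERM. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    pid_t pid = fork();
    if (pid == 0) {
        if (install_deny_policy(DENIED, N_DENIED) != 0 ||
            execvp(argv[1], argv + 1) != 0)
            perror(argv[1]);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Two properties matter for the thread's use case: the filter is inherited across fork and exec, so the policy follows the launched program and everything it spawns, and it cannot be removed by the sandboxed process, only tightened. The architecture check is not optional; a filter that only compares syscall numbers can be sidestepped by a program that switches to another ABI where the same number means a different call.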
 
#5  11-18-2003, 01:24 PM
gearoid (Original Poster)
the reason I am doing this....

This is part of my Master's thesis. It is one approach to host security I am looking into, but wanted to ask people "in the know" if this is a possibility before I spend ages looking into it, and possibly coming up with nothing when someone that knows more than me could have told me straight off. I am new to Linux after all...

Thanks for the suggestions, keep 'em coming anyone that can think of any more...

Another thing I was wondering is if it is actually possible to see what kind of system calls an application is making from a "bash sandbox" that it might be running from, or if it is too far down the tree as you said?
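On whether a parent can see the system calls of a program it launched: yes, through ptrace, which is how strace works. The child stops at every syscall entry and exit and the parent reads the registers. The following is an added example, not code from the thread; it assumes Linux on x86_64 (it reads orig_rax and rax, which have other names elsewhere) and a /bin/sh. trace_child, trace_command and syscall_counts are this example's own names.

```c
/* Added example (not from the thread): a minimal strace-like parent that
 * launches a shell command and reports each system call the child makes.
 * Linux/x86_64 only because of the register names used. */
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

#ifndef __x86_64__
#error "this example reads x86_64 registers (orig_rax, rax)"
#endif
#define NR_MAX 512

/* Number of entries seen per syscall number, filled by trace_child(). */
static unsigned long syscall_counts[NR_MAX];

/* Parent side: resume the child from one syscall stop to the next, printing
 * the number at entry and the result at exit. Returns the number of syscall
 * entries observed, or -1 on a ptrace/wait failure. */
static long trace_child(pid_t pid)
{
    int status, sig = 0, in_syscall = 0;
    long entries = 0;

    /* The child stops with SIGTRAP once its execve has succeeded. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    /* Flag syscall stops as SIGTRAP|0x80 so they are never confused with a
     * real SIGTRAP raised by the program itself. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);   /* ordinary signal: deliver it unchanged */
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;
        in_syscall = !in_syscall;
        if (in_syscall) {             /* entry: number is in orig_rax */
            entries++;
            if (regs.orig_rax < NR_MAX)
                syscall_counts[regs.orig_rax]++;
            printf("syscall %llu(...)", regs.orig_rax);
        } else {                      /* exit: result or -errno is in rax */
            printf(" = %lld\n", (long long)regs.rax);
        }
    }
    if (in_syscall)
        printf(" = ? (process ended inside the call)\n");
    return entries;
}

/* Fork, put the child under trace, and exec `/bin/sh -c cmd`. The child is
 * stopped before the first instruction of the new image, so nothing the new
 * program does goes unobserved. Returns the count from trace_child(). */
static long trace_command(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    return trace_child(pid);
}

/* Stand-alone use:  ./tracer 'ls /' */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s 'shell command'\n", argv[0]);
        return 2;
    }
    long n = trace_command(argv[1]);
    if (n < 0) {
        perror("ptrace");
        return 1;
    }
    fprintf(stderr, "%ld syscall entries; exit_group seen %lu time(s)\n",
            n, syscall_counts[SYS_exit_group]);
    return 0;
}
```

This answers the observation half of the question; it is a poor basis for enforcement. Every call costs two stops and two context switches, a traced program can notice it is being traced, and a tracer that inspects call arguments in the child's memory can be raced by another thread rewriting them between the check and the kernel's use of them. Denial belongs in the kernel (seccomp on Linux, systrace on OpenBSD as mentioned below), with ptrace kept for watching and debugging.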
 
#6  11-18-2003, 06:12 PM
chort (Senior Member; Registered: Jul 2003; Location: Silicon Valley, USA; Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5)
OpenBSD does something very similar to this with systrace. You might do some checking into it.
 