[0x00] Download


SourceForge.net

[0x01] Info


Syscall logger (sl) is a Linux kernel module.
It enables logging of particular syscalls.
It is configurable at run time through a /proc file.
Logs are also accessible through the same /proc file.

[0x02] Usage


+ Adjust the configurable options of the sl module to your needs, for example sl_open_opts (the GID of the group whose users' syscalls will be logged)

+ Compile
# make
gcc -D__KERNEL__ -DMODULE -c -Wall sl.c
gcc -D__KERNEL__ -DMODULE -c -Wall sl_syscall.c
ld -r -o sl_mod.o sl.o sl_syscall.o
gcc -g -Wall sld.c -o sld
#

+ Install sl module in the running kernel
# insmod sl_mod.o
#

+ Turn on logging of a particular syscall, for example "open"
# echo +open > /proc/sl
sl: Added rule for open[5]
#

+ At any time, you can remove logging of a particular syscall
# echo -open > /proc/sl
Removed rule for open[5]
#

+ To see the logs collected by the module, read the file "/proc/sl"
# cat /proc/sl
open /lib/libc.so.6 0 0 [500,500,1620]
#
Fields are separated by a single space.
The first field is the name of the syscall.
The second is the first argument.
The third is the second argument.
...
The last field contains the UID, GID and PID of the current process.

So, in the example above, "/lib/libc.so.6" is the name of the file that the process with PID 1620, owned by the user with UID 500 and GID 500, opened with flags 0 (O_RDONLY) and mode 0.

Note that the format has no quoting: a path that itself contains a space is split across several fields, so anything parsing the log should take the numeric arguments from the right-hand end of the line rather than assuming the path is exactly the second field.

+ To unload the sl module from the running kernel
# rmmod sl_mod
#
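
+ Parsing the log

The following parser is an added example and is not part of the sl project. It reads lines in the /proc/sl format described above (syscall name, the syscall's arguments, then "[UID,GID,PID]"), takes the trailer and the numeric open arguments from the right so that a path containing a space survives, decodes the open flags and mode into readable form, and filters the entries by path prefix and UID. The sample lines are constructed for the example, not captured from a real system; the flag values are the i386 Linux constants from <fcntl.h>, and the assumption that the module prints flags and mode in decimal follows from the "0 0" in the page's own sample line.

```python
"""Parse and decode /proc/sl log lines produced by the sl kernel module.

Added example, not code from the sl project.  Assumes the line format
described in the README: "<syscall> <arg1> <arg2> ... [UID,GID,PID]",
with open(2) logging path, flags and mode, and numbers printed in decimal.
"""
import re
from dataclasses import dataclass

# Constructed sample of /proc/sl output.  The first line is the README's own
# example; the others are made up to exercise the parser (a path with a space,
# flags 577 = O_WRONLY|O_CREAT|O_TRUNC, mode 420 = 0644, and a non-open call).
SAMPLE_LOG = """\
open /lib/libc.so.6 0 0 [500,500,1620]
open /etc/shadow 0 0 [500,500,1702]
open /tmp/my file.txt 577 420 [0,0,1801]
close 3 [500,500,1620]
"""

# open(2) flag bits on i386 Linux (octal, from <fcntl.h>); the access mode
# (O_RDONLY/O_WRONLY/O_RDWR) lives in the low two bits and is decoded separately.
OPEN_FLAGS = [
    ("O_CREAT", 0o100), ("O_EXCL", 0o200), ("O_NOCTTY", 0o400),
    ("O_TRUNC", 0o1000), ("O_APPEND", 0o2000), ("O_NONBLOCK", 0o4000),
    ("O_SYNC", 0o10000),
]

TRAILER_RE = re.compile(r"\[(\d+),(\d+),(\d+)\]$")


@dataclass
class Entry:
    syscall: str
    args: list
    uid: int
    gid: int
    pid: int


def parse_line(line):
    """Parse one /proc/sl line.  Raises ValueError on a malformed line."""
    line = line.rstrip("\n")
    m = TRAILER_RE.search(line)
    if not m:
        raise ValueError(f"missing [UID,GID,PID] trailer: {line!r}")
    uid, gid, pid = (int(x) for x in m.groups())
    tokens = line[:m.start()].rstrip().split(" ")
    syscall, args = tokens[0], tokens[1:]
    if syscall == "open":
        # open logs path, flags, mode.  There is no quoting, so a path with a
        # space is split into several tokens: take the two numbers from the
        # right and join whatever remains as the path.
        if len(args) < 3:
            raise ValueError(f"open line needs path, flags, mode: {line!r}")
        args = [" ".join(args[:-2]), int(args[-2]), int(args[-1])]
    return Entry(syscall, args, uid, gid, pid)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def decode_open_flags(flags):
    """Render a numeric open(2) flags value as O_RDONLY|O_CREAT|... ."""
    access = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(flags & 0o3, "O_ACCMODE?")
    return "|".join([access] + [name for name, bit in OPEN_FLAGS if flags & bit])


def describe(entry):
    """One human-readable line per entry, with open() flags and mode decoded."""
    who = f"pid {entry.pid} uid {entry.uid} gid {entry.gid}"
    if entry.syscall == "open":
        path, flags, mode = entry.args
        return f"{who}: open({path!r}, {decode_open_flags(flags)}, 0{mode:o})"
    return f"{who}: {entry.syscall}({', '.join(entry.args)})"


def find_opens(entries, path_prefix, uid=None):
    """Entries that opened something under path_prefix, optionally for one UID only."""
    return [e for e in entries
            if e.syscall == "open" and e.args[0].startswith(path_prefix)
            and (uid is None or e.uid == uid)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(describe(e))
    for e in find_opens(entries, "/etc/", uid=500):
        print("unprivileged open under /etc:", describe(e))
```

To run it against a live module, replace SAMPLE_LOG with the contents of /proc/sl (for example `parse_log(open("/proc/sl").read())`); the find_opens filter is where a rule such as "non-root process opening something under /etc" would go.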

[0x03] Remarks


+ The module works only on 2.4.x Linux kernels

+ Currently sld isn't working. I've focused on coding the kernel module; user applications will be created later.

+ Please send your comments, bug reports, enhancements and patches to my account on Google Mail.
+ Adam Siemion