From owner-freebsd-questions@freebsd.org Tue Sep 8 16:29:11 2015
Subject: Re: LD_PRELOAD
From: markham_breitbach@ssimicro.com
Cc: FreeBSD Questions
Date: Tue, 8 Sep 2015 10:29:13 -0600
Message-ID: <55EF0CD9.6000009@ssimicro.com>
In-Reply-To: <20150906011200.GB94488@neutralgood.org>
References: <55EA1251.4020704@ssimicro.com> <20150906011200.GB94488@neutralgood.org>

On 2015-09-05 7:12 PM, kpneal@pobox.com wrote:
> On Fri, Sep 04, 2015 at 03:51:13PM -0600, markham_breitbach@ssimicro.com wrote:
>> I am trying to configure the
>> security/snoopy package as a solution for
>> logging shell activity within jails (I'm also open to alternative
>> suggestions!). Snoopy works as an execve() wrapper that basically just
>> logs and passes through the calls. For it to work though, I need to set
>> the LD_PRELOAD variable in the environment to force the linker to load
>> snoopy.so first, presumably so the snoopy execve wrapper is found before
>> the libc version.
>>
>> If I set LD_PRELOAD=/usr/local/lib/snoopy.so on the command line, and
>> then launch a new shell, events get logged as expected, but I need to
>> figure out how to make that happen by default for everything in the jail.
> Try starting the jail with a shell script in the jail's /etc to set (export!)
> the environment variable and then exec /etc/rc "$@" to go through the rest
> of the normal startup for the jail. You'll need to change your jail config
> to start your script instead of /etc/rc though.
>
> Be aware that it isn't possible to guarantee that snoopy will catch _every_
> _single_ call if your system is breached. In some cases an attacker can
> just eliminate the environment variable. You may be able to determine
> the starting point of the breach, however, if the attacker doesn't change
> the snoopy log on you. Can snoopy log to a remote syslogd? That would
> keep an attacker from removing evidence logged.
>
I actually shoved that right into /etc/rc inside the jail, and that seems
to do the trick. I will have to play around and see if I can't find a
more graceful way to handle that, but it's a proof of concept. I suspect
there is already a facility for that. I will have to poke around rc and
see what I can unearth. :)

I understand that there are security implications of this; it is actually
intended more for audit logging of my own authorized users (i.e. who made
that change? WTF were they thinking!?! :) ) than it is for any form of
security. Of course, once root is breached, all bets are off anyway.
I have looked at the auditing features of FreeBSD, but jail support is
sadly lacking; so far snoopy seems to be about the best thing I can find
to fill that hole.

Thanks,
-Markham
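The wrapper kpneal suggests (export LD_PRELOAD, then exec /etc/rc "$@"), written out as an added example that is not code from this thread or from the snoopy project. The wrapper path /etc/rc.snoopy and the function names are my assumptions; the library path /usr/local/lib/snoopy.so is the one Markham quotes above.

```shell
#!/bin/sh
# Added example, not from the thread or the snoopy project: build the
# script the jail runs instead of /etc/rc, so that LD_PRELOAD is exported
# before the normal rc startup and inherited by everything rc launches.
# Assumed (constructed) names: wrapper path /etc/rc.snoopy, the function
# names below, and the default library path from the thread.

# write_snoopy_wrapper DEST [LIB] [RC]
#   DEST  where to write the wrapper (e.g. "$JAILROOT/etc/rc.snoopy")
#   LIB   shared object to preload (default: /usr/local/lib/snoopy.so)
#   RC    the rc script to exec afterwards (default: /etc/rc)
write_snoopy_wrapper() {
    dest="$1"
    lib="${2:-/usr/local/lib/snoopy.so}"
    rc="${3:-/etc/rc}"
    # Unquoted heredoc: $lib and $rc expand now; \$@ is written literally so
    # the wrapper passes its own boot-time arguments through to rc unchanged.
    cat > "$dest" <<EOF
#!/bin/sh
# Every dynamically linked process started by rc (and its descendants)
# inherits LD_PRELOAD, so snoopy's execve() wrapper sees their calls.
# This is audit logging, not containment: a process can unset the
# variable, and static binaries never consult the dynamic linker.
LD_PRELOAD=$lib
export LD_PRELOAD
exec $rc "\$@"
EOF
    chmod 0555 "$dest"
}

# wrapper_exports_preload FILE
# Sanity check before pointing the jail at the wrapper: it must export
# LD_PRELOAD and must exec rc with the original arguments intact.
wrapper_exports_preload() {
    grep -q '^export LD_PRELOAD$' "$1" && grep -q '^exec .* "\$@"$' "$1"
}

# Finally, in the jail's entry in the host's /etc/jail.conf, replace the
# default start command ("/bin/sh /etc/rc") with the wrapper:
#
#     exec.start = "/bin/sh /etc/rc.snoopy";
```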