From: Ivan Voras
To: freebsd-questions@freebsd.org
Date: Sun, 05 Apr 2009 13:38:47 +0200
Subject: Re: I would like to know about tracing system call in FreeBSD.
In-Reply-To: <20090405023053.BSQ12123@expms2.cites.uiuc.edu>

hjung20@illinois.edu wrote:
> Dear,
>
> I have tried to trace system calls using the C language.
>
> I would like to detect privilege escalation through tracing system calls.
> Although FreeBSD announced the patch of the telnet daemon to remove malicious access to escalate privilege, I would like to implement the detecting program.
>
> My idea is: if I detect the change of uid of a process then I can recognize the privilege escalation.

Maybe the audit(4) framework will be useful to you.
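As an added example that is not part of the thread: the uid-change idea from the question, applied to audit(4) trail output as the reply suggests. It scans praudit(1)-style text records and flags successful setuid-family calls that request uid 0 from a subject whose real uid was not root. The token layout is an assumed approximation of praudit's default one-token-per-line output, and the sample trail is constructed; the function names are mine.

```python
# Added example, not from the thread.  Flags successful setuid-family calls
# that request uid 0 from a subject whose real uid was not root, over
# praudit(1)-style records.  Token layout is an ASSUMED approximation of
# praudit's default output; the trail below is constructed for this example.
SETUID_CALLS = {"setuid(2)", "seteuid(2)", "setreuid(2)", "setresuid(2)"}

# Constructed sample: pid 1202 successfully becomes root; pid 1203 asks but fails.
SAMPLE_TRAIL = """\
header,96,11,setuid(2),0,Sun Apr  5 13:38:48 2009, + 11 msec
argument,1,0x0,uid
subject,jdoe,root,wheel,jdoe,users,1202,1200,0,0.0.0.0
return,success,0
trailer,96
header,96,11,setuid(2),0,Sun Apr  5 13:38:49 2009, + 12 msec
argument,1,0x0,uid
subject,jdoe,jdoe,users,jdoe,users,1203,1200,0,0.0.0.0
return,failure : Operation not permitted,-1
trailer,96
"""

def parse_records(text):
    # A header token opens a record, a trailer token closes it.
    rec = None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "header":
            rec = {"event": f[3], "time": f[5], "args": []}
        elif rec is None:
            continue  # stray token outside a record
        elif f[0] == "argument":
            rec["args"].append((f[3], int(f[2], 0)))  # (name, numeric value)
        elif f[0] == "subject":  # auid, euid, egid, ruid, rgid, pid, sid, tid
            rec["auid"], rec["ruid"], rec["pid"] = f[1], f[4], f[6]
        elif f[0] == "return":
            rec["ok"] = f[1] == "success"
        elif f[0] == "trailer":
            yield rec
            rec = None

def find_root_escalations(text):
    # Returns (pid, audit user, syscall, time) for each record worth triage.
    hits = []
    for r in parse_records(text):
        if r["event"] not in SETUID_CALLS or not r.get("ok"):
            continue
        wants_root = any(n == "uid" and v == 0 for n, v in r["args"])
        if wants_root and r.get("ruid") != "root":
            hits.append((r["pid"], r["auid"], r["event"], r["time"]))
    return hits
```

A hit is a triage signal rather than proof: legitimate setuid-root programs such as su(1) produce the same transition, so the audit user and originating process still need to be checked.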