Date: Tue, 8 Sep 2015 10:29:13 -0600
From: markham_breitbach@ssimicro.com
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: LD_PRELOAD
Message-ID: <55EF0CD9.6000009@ssimicro.com>
In-Reply-To: <20150906011200.GB94488@neutralgood.org>
References: <55EA1251.4020704@ssimicro.com> <20150906011200.GB94488@neutralgood.org>
On 2015-09-05 7:12 PM, kpneal@pobox.com wrote:
> On Fri, Sep 04, 2015 at 03:51:13PM -0600, markham_breitbach@ssimicro.com wrote:
>> I am trying to configure the security/snoopy package as a solution for
>> logging shell activity within jails (I'm also open to alternative
>> suggestions!). Snoopy works as an execve() wrapper that basically just
>> logs and passes through the calls. For it to work though, I need to set
>> the LD_PRELOAD variable in the environment to force the linker to load
>> snoopy.so first, presumably so the snoopy execve wrapper is found before
>> the libc version.
>>
>> If I set LD_PRELOAD=/usr/local/lib/snoopy.so on the command line, and
>> then launch a new shell, events get logged as expected, but I need to
>> figure out how to make that happen by default for everything in the jail.
>
> Try starting the jail with a shell script in the jail's /etc to set (export!)
> the environment variable and then exec /etc/rc "$@" to go through the rest
> of the normal startup for the jail. You'll need to change your jail config
> to start your script instead of /etc/rc though.
>
> Be aware that it isn't possible to guarantee that snoopy will catch _every_
> _single_ call if your system is breached. In some cases an attacker can
> just eliminate the environment variable. You may be able to determine
> the starting point of the breach, however, if the attacker doesn't change
> the snoopy log on you. Can snoopy log to a remote syslogd? That would
> keep an attacker from removing evidence logged.

I actually shoved that right into /etc/rc inside the jail, and that seems to do the trick. I will have to play around and see if I can't find a more graceful way to handle that, but it's a proof of concept. I suspect there is already a facility for that. I will have to poke around rc and see what I can unearth. :)

I understand that there are security implications of this. It is actually intended more for audit logging of my own authorized users, i.e. "who made that change? WTF were they thinking!?!" :) than it is for any form of security. Of course, once root is breached, all bets are off anyway.

I have looked at the auditing features of FreeBSD, but jail support is sadly lacking; so far snoopy seems to be about the best thing I can find to fill that hole.

Thanks,
-Markham
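For readers who want to see what an LD_PRELOAD execve() wrapper of the kind discussed above actually looks like, here is an added example. It is not snoopy's code and not from this thread; the file name, the `execlog_format` helper, the log record layout and the build line are all assumptions made for the example. Unlike snoopy, which resolves the real function with dlsym(RTLD_NEXT, "execve"), this version enters the kernel through syscall(2), which avoids a libdl dependency at the cost of bypassing any other preloaded execve() wrapper.

```c
/*
 * execlog.c: an added example of an execve() interposer activated with
 * LD_PRELOAD, in the style of the snoopy library discussed in the thread.
 * This is NOT snoopy's code; names, the log format and the build line are
 * assumptions made for the example.
 *
 * Build as a shared object and preload it (paths are assumptions):
 *   cc -fPIC -shared -o /usr/local/lib/execlog.so execlog.c
 *   LD_PRELOAD=/usr/local/lib/execlog.so sh
 */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Append s to buf at logical position pos, never writing past size-1 and
 * always NUL-terminating. Control characters (newline, escape, DEL, ...)
 * are replaced with '?' so a caller cannot forge extra log records or
 * smuggle terminal escape sequences through argv. Returns the new logical
 * position, which exceeds size-1 when the record was truncated.
 */
static size_t append_sanitized(char *buf, size_t size, size_t pos, const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        char out = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
        if (pos + 1 < size)
            buf[pos] = out;
        pos++;
    }
    if (size > 0)
        buf[pos < size ? pos : size - 1] = '\0';
    return pos;
}

/*
 * Build one record of the form
 *   [uid:N cwd:DIR filename:PATH]: argv0 argv1 ...
 * Returns the full record length (snprintf-style), so callers can tell
 * when buf was too small. This part is a pure function and is what the
 * test exercises; the interposed execve() below is only reached when the
 * object is actually preloaded into a process.
 */
size_t execlog_format(char *buf, size_t size, uid_t uid, const char *cwd,
                      const char *filename, char *const argv[])
{
    char head[32];
    size_t pos = 0;
    int i;

    snprintf(head, sizeof head, "[uid:%lu cwd:", (unsigned long)uid);
    pos = append_sanitized(buf, size, pos, head);
    pos = append_sanitized(buf, size, pos, cwd ? cwd : "?");
    pos = append_sanitized(buf, size, pos, " filename:");
    pos = append_sanitized(buf, size, pos, filename ? filename : "?");
    pos = append_sanitized(buf, size, pos, "]:");
    for (i = 0; argv != NULL && argv[i] != NULL; i++) {
        pos = append_sanitized(buf, size, pos, " ");
        pos = append_sanitized(buf, size, pos, argv[i]);
    }
    return pos;
}

/*
 * The interposed symbol. Because a preloaded object is searched before
 * libc, the dynamic linker binds the program's execve() calls here.
 * snoopy finds the next execve() with dlsym(RTLD_NEXT, "execve"); this
 * example calls the raw system call instead (assumption: no other
 * preloaded wrapper needs to see the call).
 */
int execve(const char *filename, char *const argv[], char *const envp[])
{
    char cwd[PATH_MAX];
    char line[4096];

    if (getcwd(cwd, sizeof cwd) == NULL)
        strcpy(cwd, "?");
    execlog_format(line, sizeof line, getuid(), cwd, filename, argv);
    /* LOG_AUTH so syslog.conf can forward these records to a remote
     * syslogd, as suggested in the thread, separately from daemon noise. */
    syslog(LOG_AUTH | LOG_INFO, "%s", line);

    return (int)syscall(SYS_execve, filename, argv, envp);
}
```

To activate it jail-wide in the way suggested above, the jail's startup script exports LD_PRELOAD and then runs `exec /etc/rc "$@"`, so every process descended from rc inherits the variable. The limits are the ones already raised in the thread, plus two worth checking before relying on the logs: the dynamic linker ignores LD_PRELOAD for set-user-ID binaries and never consults it for statically linked ones, and libc's execv()/execvp() typically reach the kernel through an internal entry point rather than the public execve symbol, which is why snoopy interposes execv() as well. Any process that scrubs its environment (env -i, or an explicit unsetenv before exec) drops the wrapper for everything it spawns, so forwarding to a remote syslogd preserves the record of what ran up to that point but not beyond it.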
