syscalltrack-0.80, the 12th alpha release of the Linux kernel system
call tracker, is now available. syscalltrack supports version 2.4.x of
the Linux kernel on the i386 platform.
This release contains many bug fixes and logging improvements.
* What is syscalltrack?
syscalltrack is made of a pair of Linux kernel modules and supporting
user space environment which allow interception, logging and possibly
taking action upon system calls that match user defined
criteria. syscalltrack can operate either in tweezers mode, where
only very specific operations are tracked (for example, only attempts
to delete /etc/passwd are tracked and logged), or in strace(1) compatible mode,
where all of the supported system calls are traced. syscalltrack can
do things that are impossible to do with the ptrace mechanism, because
its core operates in kernel space.
* Where can I get it?
Information on syscalltrack is available on the project's homepage:
http://syscalltrack.sourceforge.net, and in the project's file
release.
The source for the latest version can be downloaded directly from:
http://osdn.dl.sourceforge.net/sourceforge/syscalltrack/syscalltrack-0.80.tar.gz
or any of the other sourceforge mirrors.
* Call for developers:
The syscalltrack project is looking for developers, both for kernel
space and user space. If you want to join in on the fun, get in touch
with us on the syscalltrack-hackers mailing list
(http://lists.sourceforge.net/lists/listinfo/syscalltrack-hackers).
* License and NO Warranty
syscalltrack is Free Software, licensed under the GNU General Public
License (GPL) version 2. The 'sct_ctrl_lib' library is licensed under
the GNU Lesser General Public License (LGPL).
syscalltrack is in _alpha_ stages and comes with NO warranty. We put
it through extensive testing and routinely run it on our systems, but
if it breaks something, you get to keep all of the pieces.
* PGP Signature
All syscalltrack releases from now on will be signed. This release is
signed with my pgp public key, which you can get from
http://www.mulix.org/pubkey.asc or via
'gpg --keyserver wwwkeys.pgp.net --recv-keys 0xBFD537CB'
Happy syscalltracking!
===
New in version 0.80, Tanned Otter
---
* This release contains support for multiple readers of the log
device. It is now possible to have two (or more) different log
device readers, e.g. one running in a terminal ('sctlog'), and the
other being a daemon reading directly from the log device and
parsing its output to warn about anomalies. Each log device reader
can set its own log device parameter, such as the log format and the
log buffer size. See sct_logctrl(1) and sctlog(1) for further
details.
* Log output now goes to the log device by default, not to syslog. Use
sctlog(1) (or 'cat /dev/sct_log') to see it.
* The user can now configure the 'max record length' of records
printed to the log device file. 'max record length' is useful when
logging the parameters for read() or write(), for example, because
the 'buffer' parameter could be very large and filled with garbage,
thus flooding the log device. This option lets you set the max
record length to something sane, so only the first bytes of the
buffer are printed, followed by '...'. Setting it to 0 disables the limit.
* This release disables support for the 'shmat', 'semctl' and
'msgrecv' system calls (muxed functions of the sys_ipc system call,
to be precise). It will be fixed and included in the next release.
* Make rules printed by 'sct_config download' look nicer.
===
New in version 0.75, Boffing Hyrax
---
* This release contains complete autotools support for the entire
syscalltrack system: kernel modules, libraries and
applications. Download, run './configure && make && sudo make install'
and everything should just work [famous last words]. The autotools
support includes automatic kernel version detection (which can
be overridden at configure time), correct user space compilation on
the various linux distributions, correct kernel modules compilation
(unlike the ad-hoc CFLAGS selection we had until now), support for UML
and 2.5 kernels, a working install and uninstall target (sct_load,
sct_config, sctrace, sct_unload are installed) and lots of other good
stuff.
* This release also contains support for 'kill process' and 'suspend
process' actions. Until now, all you could do was log system call
invocations (that match a certain rule), or return error values from
them. Now you can set rules to kill any process that matches a rule
(tries to connect to a certain host, tries to delete a certain file,
or just does getpid() *muhahaha*), or, if you're feeling kinder and
gentler, just suspend it.
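The three ideas above (tweezers-mode rule matching from the introduction, the log / fail / kill / suspend actions from 0.75, and the 'max record length' truncation from 0.80) modelled together in user-space C, as an added example. This is not syscalltrack's own code: the real modules hook the kernel's system call table and act on the calling process in kernel space, whereas here the rule table, the action enum, the i386 syscall numbers chosen, the sample rules and every function name (sct_rule, match_rule, format_buffer, sct_entry, render, ...) are this example's own assumptions, used only to show how a matched call is logged, its buffer argument truncated, and the call denied or the process flagged for a signal.

```c
/* Added example, not syscalltrack's code: a user-space model of the rule
 * table behind tweezers mode, the log/fail/kill/suspend actions and the
 * "max record length" option. All names and the rule set are assumptions;
 * the real modules do this from inside the kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* i386 2.4 syscall numbers (as in <asm/unistd.h>) used by the demo rules. */
#define NR_WRITE   4
#define NR_UNLINK 10
#define NR_GETPID 20

/* Actions a matching rule may take, mirroring the release notes. */
enum sct_action { ACT_LOG, ACT_FAIL, ACT_KILL, ACT_SUSPEND };

struct sct_rule {
    int nr;                 /* syscall this rule applies to */
    const char *path;       /* string argument to match, NULL = any */
    enum sct_action action;
    int err;                /* errno handed to the caller for ACT_FAIL */
};

/* Constructed rule table (tweezers mode: only a few calls are of interest). */
static const struct sct_rule rules[] = {
    { NR_UNLINK, "/etc/passwd", ACT_FAIL, EPERM },   /* deny deleting /etc/passwd */
    { NR_GETPID, NULL,          ACT_KILL, 0     },   /* the notes' getpid() joke */
    { NR_WRITE,  NULL,          ACT_LOG,  0     },   /* log every write() */
};

/* First rule matching this invocation, or NULL (call passes through). */
const struct sct_rule *match_rule(int nr, const char *strarg)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].nr != nr) continue;
        if (rules[i].path && (!strarg || strcmp(rules[i].path, strarg))) continue;
        return &rules[i];
    }
    return NULL;
}

/* Render a buffer argument for a log record. At most max_rec bytes are
 * kept, then "..." is appended; max_rec == 0 disables the limit. Bytes
 * that are not printable ASCII (write() buffers are often binary) become
 * '.'. Returns the length of the rendered string. */
int format_buffer(char *out, size_t outsz, const unsigned char *buf,
                  size_t len, size_t max_rec)
{
    size_t n = len, i, pos = 0;
    int truncated = 0;

    if (max_rec != 0 && len > max_rec) { n = max_rec; truncated = 1; }
    for (i = 0; i < n && pos + 1 < outsz; i++)
        out[pos++] = (buf[i] >= 0x20 && buf[i] < 0x7f) ? (char)buf[i] : '.';
    if (truncated && pos + 4 <= outsz) { memcpy(out + pos, "...", 3); pos += 3; }
    out[pos] = '\0';
    return (int)pos;
}

/* What a hooked system call table slot would do before the real handler.
 * Returns -errno for ACT_FAIL (the real call is skipped) or 0 to proceed;
 * *action receives the matched rule's action, or -1 when nothing matched.
 * In the kernel ACT_KILL / ACT_SUSPEND would signal the calling process
 * (SIGKILL / SIGSTOP); in this model they are only reported. */
int sct_entry(int nr, const char *strarg, const unsigned char *buf,
              size_t len, size_t max_rec, int *action)
{
    char rec[64];
    const struct sct_rule *r = match_rule(nr, strarg);

    *action = -1;
    if (!r) return 0;
    *action = r->action;
    if (buf) format_buffer(rec, sizeof rec, buf, len, max_rec);
    else     snprintf(rec, sizeof rec, "%s", strarg ? strarg : "");
    printf("sct: nr=%d arg=\"%s\" action=%d\n", nr, rec, (int)r->action);
    return r->action == ACT_FAIL ? -r->err : 0;
}

/* Thin wrappers for the demo run and for checking results. */
int result_for(int nr, const char *s) { int a; return sct_entry(nr, s, NULL, 0, 0, &a); }
int action_for(int nr, const char *s) { int a; sct_entry(nr, s, NULL, 0, 0, &a); return a; }
const char *render(const char *s, size_t max_rec)
{
    static char out[64];   /* static buffer: fine for a demo, not for a real logger */
    format_buffer(out, sizeof out, (const unsigned char *)s, strlen(s), max_rec);
    return out;
}

int main(void)
{
    unsigned char junk[200];
    int a;

    memset(junk, 'A', sizeof junk);                        /* large write() buffer */
    result_for(NR_UNLINK, "/etc/passwd");                  /* logged and denied */
    result_for(NR_UNLINK, "/tmp/scratch");                 /* no rule: silent */
    sct_entry(NR_WRITE, NULL, junk, sizeof junk, 16, &a);  /* 16 bytes then "..." */
    result_for(NR_GETPID, NULL);                           /* would be killed */
    return 0;
}
```

Run as written, the unlink of /etc/passwd produces a record and returns -EPERM, the unlink of /tmp/scratch matches nothing and is not logged, and the 200-byte write() is logged as sixteen 'A's followed by '...' because the record limit was set to 16; the same call with max_rec 0 would dump the whole buffer, which is exactly the flooding the 0.80 option is meant to stop.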