ANN: syscalltrack version 0.66 released

syscalltrack-0.66, the 4th _alpha_ release of the linux kernel system call
tracker, is available. syscalltrack supports both versions 2.2.x and 2.4.x
of the linux kernel. The current release contains some major enhancements,
and various bug fixes and code cleanups.

* What is syscalltrack?

syscalltrack is a linux kernel module and supporting user space
environment which allow interception, logging and possibly taking
action upon system calls that match user defined criteria
(syscalltrack can be thought of as a sophisticated, system wide
strace).

* Where can I get it?

Information on syscalltrack is available on the project's homepage:
http://syscalltrack.sourceforge.net, and in the project's file
release.

You can download the source directly from:
http://prdownloads.sourceforge.net/syscalltrack/syscalltrack-0.66.tar.gz

* Call for developers:

The syscalltrack project is looking for developers, both for kernel
space and user space. If you want to join in on the fun, get in touch
with us on the 'syscalltrack-hackers' mailing list
(http://lists.sourceforge.net/lists/listinfo/syscalltrack-hackers).

* License and NO Warranty

'syscalltrack' is Free Software, licensed under the GNU General Public
License (GPL) version 2. The 'sct_ctrl_lib' library is licensed under
the GNU Lesser General Public License (LGPL).

'syscalltrack' is in _alpha_ stages and comes with NO warranty.
If it breaks something, you get to keep all of the pieces.
You have been warned (TM).

Happy hacking and tracking!

=======================================================================

Major new features for 0.66
---------------------------

* Support for tracking some socket calls (e.g. 'socket', 'listen', 'accept',
  'connect') - but still without the ability to match against the address
  that a socket connects to.

* Support for 'after' rules (i.e. rules that are matched right after a syscall
  returns, and thus can also match and log the syscall's return value).
  This is in addition to the existing 'before' rules (which are matched right
  before entering the system call). Whether a rule is a 'before' or an
  'after' rule is defined using the 'when' keyword. Also, log formats can be
  specified separately for the 'before' rules and for the 'after' rules.

  Note: the syntax for specifying a 'log_format' in the config file has changed.
        Please look at doc/sct_config_manual.txt for details.

* Support for an 'in' operator in filter expressions, e.g.:

  filter_expression { PARAMS[1] in ("passwd", "nsswitch.conf") }

  With strings it looks for a substring match. With numbers it looks for
  an exact match.

* Optimization - variable values are now calculated only when they are used
  (using a callback mechanism) - rather than all values being assigned before
  invoking the rule matching engine.

* Modified the behaviour of unregistering system calls that are 'busy' -
  they are fully unregistered by 'sct_rules.o', so it could be unloaded at will.
  However, 'syscall_hijack.o' unregisters them without yet reducing its module
  use count - it'll do that when the 'busy' syscall invocation(s) return.
  Some syscalls may be blocking for days (e.g. sshd version 1.X blocks on
  'accept' until a client connects to it, which could be days) - and not
  allow unloading 'syscall_hijack.o' - but it won't incur any overhead on
  new system call invocations.

Major bug fixes for 0.66
------------------------

* Quoted strings in filter expressions could not contain any special
  characters (e.g. dot, equals sign and other operators, brackets, etc.).
  Now they can, and they may also contain escaped double quotes, e.g.:

  "Tom said \"hello there!\""

* Fix for a potential reference-count breaking problem in syscall_hijack.

* Fixes for potential memory leaks in the rule engine and filters code.

* The 'tester' stability testing program now only prints real error messages,
  so its output can actually be read.

* Various other minor bug fixes, as well as various code rewrites, aggregating
  variables into structures, etc.

=======================================================================

-- 
mulix

http://vipe.technion.ac.il/~mulix/
http://syscalltrack.sf.net/



--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
IRC Channel:   irc.openprojects.net / #kernelnewbies
Web Page:      http://www.kernelnewbies.org/