new version of SCSLog
Hi ppl,

I released a new version (2.1) of SCSLog, my systemcall logging module.
I just cut some parts from the README file to show you what's new.

--- README ---

SCSLog provides you with the ability to log security relevant system calls
like:
  - socketcall()
    + connect()
    + accept()
    + shutdown()
  - chmod()
    + make a file setuid
    + make a file setgid
    + make a file world-writeable
  - open()
    + create world-writeable files
    + create file without O_EXCL
  - symlink()
  - setuid()
  - setgid()
  - setreuid()
  - setregid()

This information should help you to track down security violations.

Some nice features of this tool
===============================

If you want to make SCSLog unremoveable/invisible, then load
SCSUnrmv/SCSHide with parameter module=<modulesname>.

  # insmod scsunrmv.o modules="scslog"
  # rmmod scsunrmv
  # insmod scshide.o modules="scslog"
  # rmmod scshide

If you want to make it persistent _and_ invisible you should
  1) insmod scsunrmv.o and
  2) insmod scshide.o
_not_ vice versa!

USAGE
=====

scslog.o:
  logsocket={0,1}    -> log socketcall()
  logchown={0,1}     -> log chown()
  logopenww={0,1}    -> log open() - world-writeable files
  logopenexcl={0,1}  -> log open() - open file w/o O_EXCL flag
                        (could lead to sym link attacks)
  logsymlink={0,1}   -> log symlink()
  logsetuid={0,1}    -> log setuid()
  logsetgid={0,1}    -> log setgid()
  logsetreuid={0,1}  -> log setreuid()
  logsetregid={0,1}  -> log setregid()

scshide.o:
  module="<string>"  -> module to hide
  messages={0,1}     -> log just error and syscall messages

scsunrmv.o:
  module="<string>"  -> module to make persistent
  messages={0,1}     -> log just error and syscall messages

--- README ---

You'll find SCSLog 2.1 at http://www.suse.de/~thomas

I would be happy if you test it and send me your bug reports and
improvements. TIA.

Bye,
  Thomas
--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
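
The chmod() and open() conditions listed in the README above, as an added user-space C example; it is not part of the original post and not SCSLog's code. The event names, the text output and the choice to examine open() only when O_CREAT is set are assumptions made here.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical event bits; SCSLog's own names and log format are not shown on the page. */
enum { EV_SETUID = 1, EV_SETGID = 2, EV_WORLD_WRITE = 4, EV_NO_EXCL = 8 };

/* chmod(): flag modes that set the setuid, setgid or world-write bit. */
unsigned classify_chmod(mode_t mode)
{
    unsigned ev = 0;
    if (mode & S_ISUID) ev |= EV_SETUID;
    if (mode & S_ISGID) ev |= EV_SETGID;
    if (mode & S_IWOTH) ev |= EV_WORLD_WRITE;
    return ev;
}

/* open(): only creating calls are examined (assumption). The mode argument
 * is meaningless without O_CREAT, and the process umask is not applied. */
unsigned classify_open(int flags, mode_t mode)
{
    unsigned ev = 0;
    if (!(flags & O_CREAT))
        return 0;
    if (mode & S_IWOTH) ev |= EV_WORLD_WRITE;
    if (!(flags & O_EXCL)) ev |= EV_NO_EXCL; /* an existing symlink at the path is followed */
    return ev;
}

/* Render an event mask as text for a log line; returns buf. */
const char *describe(unsigned ev, char *buf, size_t len)
{
    snprintf(buf, len, "%s%s%s%s",
             ev & EV_SETUID ? "setuid " : "",
             ev & EV_SETGID ? "setgid " : "",
             ev & EV_WORLD_WRITE ? "world-writeable " : "",
             ev & EV_NO_EXCL ? "no-O_EXCL " : "");
    return buf;
}

int main(void)
{
    char buf[64];
    /* Constructed sample calls, not captured data. */
    printf("chmod 04755: %s\n", describe(classify_chmod(04755), buf, sizeof buf));
    printf("open O_CREAT 0666: %s\n",
           describe(classify_open(O_WRONLY | O_CREAT, 0666), buf, sizeof buf));
    return 0;
}
```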