syscalltrack

New version, 0.82 "Minty Chinchilla" released on February 5th, 2003. Grab it while it's hot!

syscalltrack allows you - the 'root' user - to track invocations of system calls across your Linux system. You write rules that select which system call invocations are tracked and what happens when a rule matches one. A matching invocation can be logged, failed (i.e. forced to return an error code of your choosing), or its process suspended (e.g. so you can attach a debugger to the process at that point, or find out which process is its parent). You could even kill the process, if you were feeling particularly sadistic.

syscalltrack can hijack almost all of the system calls in the 2.4.x Linux kernel. It can log to several device files at once, so you could have a 'cat /dev/sct_log' session running in one terminal for your viewing pleasure, and an automated anomaly detection system reading from another device file and alerting you when anything interesting happens.

syscalltrack is a useful debugging tool for those nasty problems that occur once in a blue moon. Who is deleting my files? Who is adding another user to /etc/passwd? It can also be a valuable security tool for enforcing policies such as "don't let the user foo execute anything, unless he is trying to execute a specific program".
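The rule model described above (match a system call invocation, then log it, fail it, suspend the process, or kill it) is small enough to sketch in user space. The following is an added example written for this page, not syscalltrack's own rule syntax or log format, neither of which appears here: the event fields, the uid of user foo, the allowed program path, the home directory and the sample events are all assumed and constructed. It encodes the three policies from the text as first-match-wins rules and answers "who is deleting my files?" by aggregating the logged deletions.

```python
import errno
import os
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    """Actions the page lists for a matching syscall, plus PASS for "no rule matched"."""
    PASS = "pass"        # not tracked: the syscall runs normally (modelling choice, not from the page)
    LOG = "log"
    FAIL = "fail"        # return an error code instead of executing the call
    SUSPEND = "suspend"  # stop the process so it can be inspected or a debugger attached
    KILL = "kill"


@dataclass(frozen=True)
class SyscallEvent:
    """One intercepted syscall invocation. The field set is assumed, not syscalltrack's log format."""
    syscall: str
    pid: int
    ppid: int
    uid: int
    comm: str            # name of the program executing the call
    args: Tuple          # decoded arguments: (path,) for unlink, (path, flags) for open, ...


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[SyscallEvent], bool]
    action: Action
    errno_code: int = errno.EPERM   # only used when action is FAIL


@dataclass(frozen=True)
class Verdict:
    rule: Optional[str]
    action: Action
    errno_code: int = 0


def evaluate(rules: List[Rule], ev: SyscallEvent) -> Verdict:
    """First matching rule wins; an event matching no rule passes through untracked."""
    for rule in rules:
        if rule.match(ev):
            code = rule.errno_code if rule.action is Action.FAIL else 0
            return Verdict(rule.name, rule.action, code)
    return Verdict(None, Action.PASS)


# Constructed policy implementing the three examples from the text (all values assumed).
FOO_UID = 1001                              # assumed uid of user "foo"
FOO_ALLOWED_EXEC = "/usr/local/bin/backup"  # the one program foo may execute (assumed path)
MY_HOME = "/home/mulix/"                    # assumed home directory to watch
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR       # either bit set means the open is for writing

RULES = [
    # "don't let user foo execute anything, unless he is trying to execute a specific program":
    # fail every execve by foo whose target is not the allowed program, returning EPERM.
    Rule("foo-exec-allowlist",
         lambda ev: ev.syscall == "execve" and ev.uid == FOO_UID
         and ev.args[0] != FOO_ALLOWED_EXEC,
         Action.FAIL, errno.EPERM),
    # "Who is deleting my files?": log every unlink/rmdir under my home directory.
    Rule("who-deletes-my-files",
         lambda ev: ev.syscall in ("unlink", "rmdir") and ev.args[0].startswith(MY_HOME),
         Action.LOG),
    # "Who is adding another user to /etc/passwd?": suspend anything opening it for writing,
    # so the process can be inspected before the write happens.
    Rule("passwd-writers",
         lambda ev: ev.syscall == "open" and ev.args[0] == "/etc/passwd"
         and bool(ev.args[1] & WRITE_FLAGS),
         Action.SUSPEND),
]

# Constructed sample events standing in for what the kernel hook would deliver.
SAMPLE_EVENTS = [
    SyscallEvent("execve", 4242, 4200, FOO_UID, "bash", ("/usr/local/bin/backup",)),
    SyscallEvent("execve", 4243, 4200, FOO_UID, "bash", ("/bin/sh",)),
    SyscallEvent("unlink", 5100, 1, 0, "cleanup", ("/home/mulix/notes.txt",)),
    SyscallEvent("unlink", 5100, 1, 0, "cleanup", ("/home/mulix/todo.txt",)),
    SyscallEvent("unlink", 5177, 4200, FOO_UID, "rm", ("/tmp/scratch",)),
    SyscallEvent("open", 6000, 1, 0, "vipw", ("/etc/passwd", os.O_WRONLY | os.O_TRUNC)),
    SyscallEvent("open", 6001, 4200, FOO_UID, "cat", ("/etc/passwd", os.O_RDONLY)),
]


def format_log(ev: SyscallEvent, v: Verdict) -> str:
    """One log line per event, in a constructed format (not sct_log's)."""
    argstr = ", ".join(repr(a) for a in ev.args)
    tail = f" errno={v.errno_code}" if v.action is Action.FAIL else ""
    return (f"{v.action.value:<7} rule={v.rule or '-'} pid={ev.pid} ppid={ev.ppid} "
            f"uid={ev.uid} comm={ev.comm} {ev.syscall}({argstr}){tail}")


def find_deleters(events: List[SyscallEvent], rules: List[Rule]) -> Dict[Tuple[int, str], int]:
    """Aggregate logged deletions by (uid, comm): the answer to "who is deleting my files?"."""
    hits: Counter = Counter()
    for ev in events:
        if evaluate(rules, ev).rule == "who-deletes-my-files":
            hits[(ev.uid, ev.comm)] += 1
    return dict(hits)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(format_log(event, evaluate(RULES, event)))
    print("deleters:", find_deleters(SAMPLE_EVENTS, RULES))
```

Rule order matters: with first-match-wins, a broad LOG rule placed before a narrow FAIL rule would silently turn the enforcement into mere logging, so put the restrictive rules first and the audit rules after them.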

syscalltrack is released under the GNU General Public License (GPL) version 2. Parts of it, e.g. the libraries, are released under the GNU Lesser General Public License (LGPL).

(Screenshot: sctlog in action)
$Id: index.html,v 1.30 2003/02/05 22:30:57 mulix Exp $