syscalltrack

Current Status

(Adapted from News)

New in version 0.82, "Minty Chinchilla"

  • This release adds support for matching and logging the current working directory. "I feel that the '%cwd' macro in logging format is really useful since it allows one to know if 'open("passwd", ...)' relates to '/etc/passwd' rather than '/home/joe/tmp/passwd'." Patch from Simon Patarin.
  • This release allocates the memory for the kernel logging buffers using vmalloc, which allows you to allocate much more memory for them than the previous version did. Patch from Simon Patarin.
  • This release contains rewritten serialization/deserialization code for the rules library. The new code fits better with the overall design and is cleaner and more robust.
  • This release contains a bug fix when detecting whether the kernel modules are loaded in the user space libraries. Modules should now be correctly recognized as loaded/unloaded in all cases. Bug spotted by Mike Shea.
  • This release contains a bug fix for sctrace where sctracing a program with command line arguments could fail to find the program to trace.
  • This release contains several testing improvements, including a new regression test script, from Orna Agmon.
  • This release installs the syscalltrack binaries to ${prefix}/bin/name-version, to allow several syscalltrack versions to coexist. Kernel modules are installed to '/lib/modules/kernel-version/syscalltrack-version'.

New in version 0.81, "Cruel Ducky"

  • This release includes support for matching against void pointers (addresses). For example, you can match against msync's first parameter, const void* start.
  • This release re-enables support for tracking the shmat and msgrcv calls, after fixing a bug in their tracking support.
  • sctrace now supports strace's 'follow forks' mode.
  • Implement tracking for the last two remaining syscalls, sys_vfork and sys_bdflush.
  • Make the userspace tools behave sensibly when the kernel modules aren't loaded: they now complain that they cannot run, instead of giving obscure errors.
  • Make sct_config complain about AFTER rules with FAIL actions. A FAIL action is only valid in BEFORE rules.
  • Add '-h' and '--help' support to sct_logctrl.
  • Assorted other kernel modules bug fixes.

New in version 0.80, "Tanned Otter"

  • This release contains support for multiple readers of the log device. It is now possible to have two (or more) different log device readers, e.g. one running in a terminal ('sctlog'), and the other being a daemon reading directly from the log device and parsing its output to warn about anomalies. Each log device reader can set its own log device parameters, such as the log format and the log buffer size. See sct_logctrl(1) and sctlog(1) for further details.
  • Log output now goes to the log device by default, not to syslog. Use sctlog(1) (or 'cat /dev/sct_log') to see it.
  • The user can now configure the 'max record length' of records printed to the log device file. 'max record length' is useful when logging the parameters for read() or write(), for example, because the 'buffer' parameter could be very large and filled with garbage, thus flooding the log device. This patch allows you to set the max record length to something sane, so only the first bytes of the buffer are printed, followed by '...'. Setting it to 0 disables it.
  • This release disables support for the 'shmat', 'semctl' and 'msgrcv' system calls (muxed functions of the sys_ipc system call, to be precise). They will be fixed and included in the next release.
  • Make rules printed by 'sct_config download' look nicer.

New in version 0.75, "Boffing Hyrax"

  • This release contains complete autotools support for the entire syscalltrack system: kernel modules, libraries and applications. Download, run './configure && make && sudo make install' and everything should just work [famous last words]. The autotools support includes automatic kernel version detection (which can be overridden at configure time), correct user space compilation on the various Linux distributions, correct kernel module compilation (unlike the ad-hoc CFLAGS selection we had until now), support for UML and 2.5 kernels, working install and uninstall targets (sct_load, sct_config, sctrace, sct_unload are installed) and lots of other good stuff.
  • This release also contains support for 'kill process' and 'suspend process' actions. Until now, all you could do was log system call invocations (that match a certain rule), or return error values from them. Now you can set rules to kill any process that matches a rule (tries to connect to a certain host, tries to delete a certain file, or just does getpid() *muhahaha*), or, if you're feeling kinder and gentler, just suspend it until you attach to it with a debugger.
  • This release contains a fix for a serious SMP race which would cause a system call to fail with -ENOSYS in certain cases.
  • More system calls supported: shutdown, getsockname, getpeername, socketpair, send, sendto, recvfrom, setsockopt, getsockopt, sendmsg, recvmsg, adjtimex, capset and capget, ptrace, stat64, lstat64 and fstat64.
  • Fix a bug where bdflush() was incorrectly hijacked, leading to the bdflush system call not working correctly.

Major new features for 0.74

  • Added a whole lot of new system calls. syscalltrack now supports almost all of the system calls available on 2.4.x: vhangup, wait4, swapoff, sysinfo, fsync, readv, writev, fdatasync, msync, getpgid, fchdir, personality, bdflush, flock, setdomainname, newuname, modify_ldt, mprotect, sigprocmask, create_module, init_module, delete_module, get_kernel_syms, setfsuid16, setfsgid16, llseek, quotactl, sysfs, getdents, select, sysctl, mlock, mlockall, munlockall, sched_setparam, sched_getparam, sched_setscheduler, sched_getscheduler, sched_yield, sched_get_priority_max, sched_get_priority_min, sched_rr_get_interval, nanosleep, mremap, setresuid16, getresuid16, query_module, poll, nfsservctl, setresgid16, getresgid16, prctl, rt_sigpending, rt_sigtimedwait, rt_sigqueueinfo, chown16, getcwd, sendfile, getrlimit, mmap2, stat64, lstat64, fstat64, lchown, getuid, getgid, geteuid, getegid, setreuid, setregid, getgroups, setgroups, fchown, setresuid, getresuid, setresgid, getresgid, chown, setgid, setfsuid, setfsgid, pivot_root, mincore, madvise, getdents64, fcntl64, gettid, tkill, sched_setaffinity, sched_getaffinity, sys_olduname, sys_ustat, old_select, getitimer, setitimer, uname, pread, pwrite, truncate64, ftruncate64, readahead.
  • Fix a bug where we wouldn't correctly print NULL system call parameters. Now we print <NULL>.
  • Add support for system calls with loff_t and long long parameters.
  • Fix several bugs in sctrace.
  • Fix several important bugs in the system call data file parser (used in sctrace(1) and sct_config(1)) which prevented valid configuration files from being accepted. Added much better error reporting.
  • Numerous other bug fixes and internal cleanups.

Major new features for 0.73

  • Added sctrace, an experimental strace(1) compatible tool based on the syscalltrack framework. 'sctrace command' or 'sctrace -p pid' will load rules matching the given executable (or pid) for all supported system calls and log their invocation to the log file (or log device).
  • Experimental logging device file, /dev/sct_log, and a utility to control its behaviour, sct_logctrl. syscalltrack can now log system call invocations either to syslog or directly to a device file. Note that the format of information logged to the device file will change in future versions (from text based to a binary protocol).
  • Fixed a bug in the automatic code generated for system call stubs for system calls which have a pointer parameter. This bug exists in older syscalltrack versions and while it's harmless, users are still encouraged to upgrade.
  • Fixed a bug in the kernel module reference counting code when deleting a single rule. This code path wasn't in use until recently.
  • Fix wrong usage of size_t and other portability cleanups. Fix strstream/stringstream usage to work with gcc version before 3 and after 3.
  • Support all of the IPC system calls (contributed by Gilad Ben-Yossef).
  • More new syscalls: execve, statfs, fstatfs, newstat, newlstat, newfstat, getrusage, getgroups16, old_readdir and old_mmap.
  • A proof-of-concept GUI tool, gtksct(1).
  • New man pages, courtesy of Baruch Even, for the Debian package of syscalltrack.

Major new features for 0.72 (mostly a bug fix and new syscalls release)

  • Many new system calls supported, including but not limited to exit(1), fork(2), read(3) and write(4).
  • Fixed bug when evaluating a buffer node and a bug with pattern matching on a buffer node.
  • Fixed bug when matching for a constant [filter_expression {1}] to return true, as it should, instead of false, as it did.
  • Fixed several in-kernel memory leaks and erroneous kernel string handling.

Major new features for 0.71 (mostly a bug fix and cleanup release)

  • Add a 'get rule count' and 'get rules' API to the sct_ctrl_lib. 'get rule count' returns the number of currently registered rules; 'get rules' returns to user space, from the kernel, a linked list of the before and after rules for each system call.
  • Support for constants when specifying matching rules, for example, O_RDONLY, O_EXCL and friends for open(2).
  • Support for octal/hex numbers in filter expressions.
  • Support for specifying and printing multiplex syscall ids as "syscall:func", for example "102:5" for accept(2).
  • Assorted internal cleanups, code refactoring, bug fixes and memory leaks plugged, too many to list here. Documentation and header file updates. See the ChangeLog for the gory details.

Major new features for 0.7

  • Support for dynamic-cast of 'struct' syscall parameters when filtering based on them, and for logging. See the relevant section in doc/sct_config_manual.html for how to use this feature. Mostly useful now for checking struct parameters in socket calls, so it's now possible to check if a client program tries to connect to a given port or IP address, etc.
  • Support for 'fail syscall' actions - allows you to specify that a matching syscall invocation will prematurely return a given error code (or '0') before the system call is actually performed. Handle with care, as failing the wrong syscall invocations might render your system unusable. Good usage example: TODO
  • Support for convenience-macros in rule config files. Currently supported macros include:
    • ipaddr("127.0.0.1") -> translates an IP address to an unsigned long in network byte-order.
    • htons(7) -> host to network byte-order for 'short' numbers.
    • usernametoid("root") -> translates user name to UID.
    • groupnametoid("wheel") -> translates group name to GID.
  • Experimental device-driver control support - the syscalltrack kernel module can now be controlled via a device-file interface - specify "-c device_file" when running 'sct_config' to use it. The interface is currently functionally equivalent to the existing 'sysctl' interface - but it will be enhanced in the future to support logging via a device-file interface, getting the rule list via the device-file interface, etc.
  • Support for 'log_format' definition per rule, to override the global 'log_format'. Initial correctness-testing script added. Currently only runs 2 tests - will become more functional on the next release.
  • Support for new system calls - waitpid, close and creat.

Major bug fixes for version 0.7:

  • Fixes for white-space parsing in 'sct_config'.
  • Fix small memory leak when deserializing 'log' actions
  • Fix bug in the kernel module that would leave dangling function pointers in case a user cleared only the 'before' function pointer. This bug wasn't triggered, since sct_config always erased _all_ rules, causing this code path to remain yet unused.

Major new features for 0.66.6 (mostly a bug-fix version)

  • Support for new process parameters: PPID, PCOMM. Special attention should be given to PCOMM, which allows matching on the name of the program the process parent is executing.

Major bug fixes for version 0.66.6:

  • Fix the bug where filter expressions with '!' or '~' weren't parsed correctly.
  • Fix the bug where, when a filter expression's first token was a '(' (LPAREN), we looped endlessly because we never advanced to the next token. Thanks to Padraig Brady <padraig @ antefacto.com> for triggering it.

Major new features for 0.66

  • Support for tracking some socket calls (e.g. 'socket', 'listen', 'accept', 'connect') - yet still without the ability to match against the address that a socket connects to.
  • Support for 'after' rules (i.e. rules that are matched right after a syscall returns, and thus can also match and log the syscall's return value). This is in addition to the existing 'before' rules (which are matched right before entering the system call). Whether a rule is a 'before' or 'after' rule is defined using the 'when' keyword. Also, log formats can be specified separately for the 'before' rules and for the 'after' rules.
    Note: the syntax for specifying a 'log_format' in the config file has changed. Please see doc/sct_config_manual.txt for details.
  • Support for an 'in' operator in filter expressions, e.g.:
      filter_expression { PARAMS[1] in ("passwd", "nsswitch.conf") }
      
    With strings it looks for a substring match. With numbers it looks for an exact match.
  • Optimization - variable values are now calculated only when they are used (using a callback mechanism), rather than all values being assigned before invoking the rule matching engine.
  • Modified the behaviour of unregistering system calls that are 'busy' - they are fully unregistered by 'sct_rules.o', so it could be unloaded at will. However, 'syscall_hijack.o' unregisters them without yet reducing its module use count - it'll do that when the 'busy' syscall invocation(s) return. Some syscalls may be blocking for days (e.g. sshd version 1.X blocks on 'accept' until a client connects to it, which could be days) - and not allow unloading 'syscall_hijack.o' - but it won't incur any overhead on new system call invocations.
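The matching semantics of the 'in' and '~=' operators above, worked through in Python as an added illustration (this is not syscalltrack's own code, and the sample invocations, the rule functions and the matching_comms helper are constructed for this example):

```python
"""Added illustration of syscalltrack filter-expression matching semantics:
the 'in' operator (substring for strings, exact for numbers), the '~='
substring operator and process variables such as UID.  Hand-written for this
page; the real evaluation is done by the kernel rule engine, not this code."""

# Constructed sample invocations: (syscall name, process variables, PARAMS).
# Rules index PARAMS from 1, so PARAMS[1] is params[0] here.
SAMPLE_INVOCATIONS = [
    ("open",  {"UID": 0,    "COMM": "vi"},   ["/etc/passwd", 0]),
    ("open",  {"UID": 1000, "COMM": "cat"},  ["/etc/passwd.bak", 0]),
    ("open",  {"UID": 0,    "COMM": "nscd"}, ["/etc/nsswitch.conf", 0]),
    ("open",  {"UID": 1000, "COMM": "sh"},   ["/home/joe/tmp/passwd", 2]),
    ("close", {"UID": 0,    "COMM": "vi"},   [3]),
]


def in_match(value, candidates):
    """'in' operator: substring match for strings, exact match for numbers."""
    if isinstance(value, str):
        return any(isinstance(c, str) and c in value for c in candidates)
    return any(not isinstance(c, str) and c == value for c in candidates)


def substring_match(value, pattern):
    """'~=' operator: true when pattern occurs anywhere in the string value."""
    return isinstance(value, str) and pattern in value


def rule_in_example(process, params):
    # filter_expression { PARAMS[1] in ("passwd", "nsswitch.conf") }
    return in_match(params[0], ("passwd", "nsswitch.conf"))


def rule_root_passwd(process, params):
    # filter_expression: (UID == 0) && (PARAMS[1] ~= "passwd")
    return process["UID"] == 0 and substring_match(params[0], "passwd")


def matching_comms(rule, invocations=SAMPLE_INVOCATIONS):
    """Return the COMM of every sample invocation the rule would fire on."""
    return [proc["COMM"] for _, proc, params in invocations if rule(proc, params)]


if __name__ == "__main__":
    print("in rule fires for:", matching_comms(rule_in_example))
    print("root passwd rule fires for:", matching_comms(rule_root_passwd))
```

Note that because string matching is a substring match, "passwd" also fires on '/etc/passwd.bak' and on a relative 'passwd' under '/home/joe/tmp'; a rule author who wants only '/etc/passwd' needs the path, or the '%cwd' logging added in 0.82, to tell them apart.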

Major bug fixes for version 0.66:

  • Quoted strings in filter expressions could not contain any special characters (e.g. dot, equals sign and other operators, brackets, etc). Now they can, and they may also contain escaped double quotes, e.g.:
      "Tom said \"hello there!\""
      
  • Fix for a potential reference-count breaking problem in syscall_hijack.
  • Fixes for potential memory leaks in the rule engine and filters code.
  • The 'tester' stability testing program now only prints real error messages, so its output can actually be read.
  • Various other minor bug fixes, as well as various code rewrites, aggregating variables into structures, etc.

Major new features for 0.64 (mostly a bug-fix version)

  • Filter expressions are now fully supported, and are the preferred method to define filtering criteria for rules. This includes better error messages, and full parameter/variable type checking.
  • Added support for pointer parameters in system calls, and printing the address they contain when logging them.

Major bug fixes for version 0.64:

  • Unary operators ('~', '!') didn't work at all - now they do.
  • Fixed a bug in 'sct_config' that could cause crashes, due to a missing copy constructor/assignment operator for a struct that was pushed into an STL container.
  • Fixed a potential crashing bug in filter expression evaluation in the kernel.
  • Fixed a few potential memory leaks while evaluating filter expressions or while failing to get locks in system call stub functions.

Major new features for 0.63

  • User defined logging format: it is now possible to define the format the log message will take. The default log format is:
      syscall: %pid[%comm]: %sid_%sname(%params) (rule %ruleid)
      
    For example, an invocation of the 'mkdir' system call is logged as:
      syscall: 876[mkdir]: 39_mkdir("foo", 509) (rule 1)
      
  • Validity checks on system call parameters: sct_config now makes it easier to catch rule file errors by making sure that the parameter, operand and operator are of matching types. Validity checks are implemented for 'param_condition' and 'process_condition' directives only.
  • Experimental filter expressions: sct_config now allows writing clear, concise filter expressions. Here's a filter expression to match a system call invocation where the user is root (uid 0) and the first parameter contains "passwd":
      filter_expression: (UID == 0) && (PARAMS[1] ~= "passwd")
      
    (This feature is experimental and does minimal input validation at the moment.)
  • Support for structure parameters: you can now match system calls which get a structure as one of their parameters - for example, settimeofday(), which gets a 'struct timeval' and 'struct timezone' parameters.
  • Support for (more) process parameters: we now support the following process parameters: UID, EUID, SUID, GID, EGID, SGID, PID, COMM. Special attention should be given to COMM, which allows matching on the name of the program the process is executing.
  • Improved sct_config error diagnostics: sct_config now gives clear, concise message on configuration file errors, with line numbers for easier rule file debugging.
  • syscalltrack should compile with the latest 2.2 kernel and every 2.4 kernel, and has been tested with at least 2.2.19, 2.4.5, 2.4.9, 2.4.10, 2.4.10-ac11 2.4.12, 2.4.12-ac3 and 2.4.12-um3.
  • Additional compilation and run time test programs.
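How a log record is assembled from a log_format string, as an added Python illustration covering the default format above, the '%cwd' macro from 0.82 and the 'max record length' truncation from 0.80 (this is written for this page, not syscalltrack's kernel code; the Invocation structure, the render function and the sample invocations are assumptions):

```python
"""Added illustration of syscalltrack-style log record rendering: macro
expansion of a log_format string, '<NULL>' for null pointer parameters,
'%cwd' for the current working directory, and 'max record length' cutting
long buffer parameters short with '...' (0 disables the cut).  Written for
this page; not the project's own code."""
import re
from dataclasses import dataclass


@dataclass
class Invocation:            # constructed stand-in for a traced syscall
    pid: int
    comm: str
    sid: int                 # system call number
    sname: str               # system call name
    params: list
    ruleid: int
    cwd: str = "/"


DEFAULT_FORMAT = "syscall: %pid[%comm]: %sid_%sname(%params) (rule %ruleid)"
MACRO_RE = re.compile(r"%(pid|comm|sid|sname|params|ruleid|cwd)")


def format_param(value, max_record_length=0):
    """Render one parameter.  bytes model a user buffer (read/write data):
    it is cut after max_record_length bytes and marked with '...'."""
    if value is None:
        return "<NULL>"
    if isinstance(value, bytes):
        text = value.decode("latin-1")
        if max_record_length and len(text) > max_record_length:
            text = text[:max_record_length] + "..."
        return '"%s"' % text
    if isinstance(value, str):
        return '"%s"' % value
    return str(value)


def render(inv, log_format=DEFAULT_FORMAT, max_record_length=0):
    """Expand every %macro in log_format from the invocation's fields."""
    macros = {
        "pid": str(inv.pid), "comm": inv.comm, "sid": str(inv.sid),
        "sname": inv.sname, "ruleid": str(inv.ruleid), "cwd": inv.cwd,
        "params": ", ".join(format_param(p, max_record_length)
                            for p in inv.params),
    }
    return MACRO_RE.sub(lambda m: macros[m.group(1)], log_format)


if __name__ == "__main__":
    print(render(Invocation(876, "mkdir", 39, "mkdir", ["foo", 509], 1)))
    print(render(Invocation(42, "sh", 5, "open", ["passwd", 0], 3,
                            cwd="/home/joe/tmp"), "%cwd: " + DEFAULT_FORMAT))
    print(render(Invocation(1234, "cat", 4, "write", [1, b"A" * 100, 100], 2),
                 max_record_length=16))
```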

Major bug fixes for version 0.63:

  • Memory leaks in the kernel plugged and eradicated.
$Id: status.html,v 1.29 2003/02/05 22:30:59 mulix Exp $