Sptrace 1.4.2 released

New version of sptrace was released today. Sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. Module was updated to reflect changes in new kernel releases and tested with 2.6.26.

When someone not allowed to trace processes uses program that call ptrace() (like strace, ltrace or gdb) current and parent processes names, pids, uids and euids are logged, e.g.:

Mar 13 08:51:11 ghost kernel: [ 8086.730499] sptrace: ptrace() DENIED for (gdb:6810) UID(1000) EUID(1000), parent (gdb:6785) UID(1000) EUID(1000)
Mar 13 08:51:11 ghost kernel: [ 8086.984694] sptrace: ptrace() DENIED for (gdb:6785) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
Mar 13 08:51:44 ghost kernel: [ 8119.928920] sptrace: ptrace() DENIED for (gdb:6923) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)

Program that call ptrace() will get EPERM error:

$ strace ls
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
$ ltrace ls
PTRACE_TRACEME: Operation not permitted
PTRACE_SETOPTIONS: Operation not permitted
$ gdb -p 32215
GNU gdb 6.8-debian
[...]
This GDB was configured as "i486-linux-gnu".
Attaching to process 32215
ptrace: Operation not permitted.

Module log both allowed and denied ptrace() calls. Allowed traces as logged as:

Mar 11 19:14:48 ghost kernel: [ 6445.524669] sptrace: ptrace() by (ltrace:27558) UID(1000) EUID(1000), parent (ltrace:27557) UID(1000) EUID(1000)
Mar 11 19:14:48 ghost kernel: [ 6445.525460] sptrace: ptrace() by (ltrace:27557) UID(1000) EUID(1000), parent (tcsh:26606) UID(1000) EUID(1000)

By default sptrace deny access to ptrace() to all non root users (GID != 0). Root group (or wheel) is allowed to use this call. To disable tracing for all users, including those in root group pass parameter ptrace_group=-1, e.g.:

$ insmod ./sptrace.ko ptrace_group=-1

Download: sptrace-1.4.2.tar.gz (.asc)

md5sum: 9a23198cbdcd256b11e2b0dc2c03b331
sha1sum: 458f9b15e9a5b02cd18759b6b09a4b41d062d7cd

Leave a Reply

  

  

  

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>