A new version of sptrace was released today. sptrace is a secure ptrace() Linux Kernel Module (LKM): it restricts which users may use the ptrace() system call. The module was updated for changes in recent kernel releases and tested with 2.6.26.
When a user who is not allowed to trace processes runs a program that calls ptrace() (such as strace, ltrace or gdb), the call is refused and the names, PIDs, UIDs and EUIDs of both the calling process and its parent are logged, e.g.:
Mar 13 08:51:11 ghost kernel: [ 8086.730499] sptrace: ptrace() DENIED for (gdb:6810) UID(1000) EUID(1000), parent (gdb:6785) UID(1000) EUID(1000)
Mar 13 08:51:11 ghost kernel: [ 8086.984694] sptrace: ptrace() DENIED for (gdb:6785) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
Mar 13 08:51:44 ghost kernel: [ 8119.928920] sptrace: ptrace() DENIED for (gdb:6923) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
The program that called ptrace() gets an EPERM error:
$ strace ls
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
$ ltrace ls
PTRACE_TRACEME: Operation not permitted
PTRACE_SETOPTIONS: Operation not permitted
$ gdb -p 32215
GNU gdb 6.8-debian
[...]
This GDB was configured as "i486-linux-gnu".
Attaching to process 32215
ptrace: Operation not permitted.
The module logs both allowed and denied ptrace() calls. Allowed calls are logged as:
Mar 11 19:14:48 ghost kernel: [ 6445.524669] sptrace: ptrace() by (ltrace:27558) UID(1000) EUID(1000), parent (ltrace:27557) UID(1000) EUID(1000)
Mar 11 19:14:48 ghost kernel: [ 6445.525460] sptrace: ptrace() by (ltrace:27557) UID(1000) EUID(1000), parent (tcsh:26606) UID(1000) EUID(1000)
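Because every ptrace() call is logged, and the excerpts show that both a tracer and the child it forks call ptrace(), the raw log is noisier than the number of debugging attempts. As an added example (not part of sptrace or of this post), the following Python script parses both message forms shown above into structured records and answers the questions an administrator reviewing the log would ask: which users and tools were refused or allowed, and which process (usually the user's shell) launched each tracer. The embedded sample is the five sptrace lines quoted above plus one constructed, unrelated kernel message to show that other lines are ignored; the regular expression assumes the standard syslog prefix seen in those excerpts.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Both message forms sptrace writes to the kernel log, behind the usual
# syslog prefix "Mon DD HH:MM:SS host kernel: [ uptime]":
#   sptrace: ptrace() DENIED for (comm:pid) UID(n) EUID(n), parent (comm:pid) UID(n) EUID(n)
#   sptrace: ptrace() by (comm:pid) UID(n) EUID(n), parent (comm:pid) UID(n) EUID(n)
SPTRACE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*(?P<uptime>\d+\.\d+)\] sptrace: ptrace\(\) "
    r"(?:(?P<denied>DENIED) for|by) "
    r"\((?P<comm>.+?):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>.+?):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)\s*$"
)

# Sample input: the five sptrace lines quoted in the post, plus one constructed
# unrelated kernel message to show that non-sptrace lines are skipped.
SAMPLE_LOG = """\
Mar 13 08:51:11 ghost kernel: [ 8086.730499] sptrace: ptrace() DENIED for (gdb:6810) UID(1000) EUID(1000), parent (gdb:6785) UID(1000) EUID(1000)
Mar 13 08:51:11 ghost kernel: [ 8086.984694] sptrace: ptrace() DENIED for (gdb:6785) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
Mar 13 08:51:44 ghost kernel: [ 8119.928920] sptrace: ptrace() DENIED for (gdb:6923) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
Mar 11 19:14:48 ghost kernel: [ 6445.524669] sptrace: ptrace() by (ltrace:27558) UID(1000) EUID(1000), parent (ltrace:27557) UID(1000) EUID(1000)
Mar 11 19:14:48 ghost kernel: [ 6445.525460] sptrace: ptrace() by (ltrace:27557) UID(1000) EUID(1000), parent (tcsh:26606) UID(1000) EUID(1000)
Mar 11 19:15:02 ghost kernel: [ 6459.000000] usb 1-1: new high speed USB device
"""


@dataclass(frozen=True)
class PtraceEvent:
    ts: str
    host: str
    denied: bool   # True for "DENIED for", False for "by"
    comm: str      # calling process: name and ids
    pid: int
    uid: int
    euid: int
    pcomm: str     # parent process: name and ids
    ppid: int
    puid: int
    peuid: int


def parse_line(line: str) -> Optional[PtraceEvent]:
    """Return the event on one log line, or None if it is not an sptrace message."""
    m = SPTRACE_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return PtraceEvent(
        ts=g["ts"], host=g["host"], denied=g["denied"] is not None,
        comm=g["comm"], pid=int(g["pid"]), uid=int(g["uid"]), euid=int(g["euid"]),
        pcomm=g["pcomm"], ppid=int(g["ppid"]), puid=int(g["puid"]), peuid=int(g["peuid"]),
    )


def parse_log(text: str) -> List[PtraceEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def by_tracer(events: Iterable[PtraceEvent], denied: bool) -> Counter:
    """Count allowed or denied calls per (uid, tracer command)."""
    return Counter((e.uid, e.comm) for e in events if e.denied == denied)


def launches(events: Iterable[PtraceEvent]) -> List[PtraceEvent]:
    """Keep only the top of each tracer process tree.

    A tracer and the child it forks both call ptrace(), so one gdb/ltrace run
    produces several lines. An event whose parent itself appears as a caller
    in the log is a forked child; dropping those leaves the processes the user
    actually started. (PID reuse over a very long log could mis-pair entries.)"""
    events = list(events)
    callers = {(e.comm, e.pid) for e in events}
    return [e for e in events if (e.pcomm, e.ppid) not in callers]


def origins(events: Iterable[PtraceEvent]) -> Counter:
    """Count tracer launches per launching process, usually the user's shell."""
    return Counter((e.pcomm, e.ppid) for e in launches(events))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_log(text)
    print("denied per (uid, tool): ", dict(by_tracer(evs, denied=True)))
    print("allowed per (uid, tool):", dict(by_tracer(evs, denied=False)))
    for e in launches(evs):
        verdict = "DENIED" if e.denied else "allowed"
        print(f"{e.ts} {verdict}: {e.comm}:{e.pid} uid={e.uid} euid={e.euid} "
              f"started from {e.pcomm}:{e.ppid}")
```

Run it with no arguments to see the summary for the sample, or pass the path of your kernel log (for example /var/log/kern.log) as the first argument. On the sample it reports three denied gdb calls and two allowed ltrace calls for UID 1000, which collapse to two gdb launches from tcsh:32216 and one ltrace launch from tcsh:26606.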
By default sptrace denies ptrace() to every non-root user, i.e. to processes whose GID is not 0; only the root group (or wheel) may use the call. To disable tracing for all users, including members of the root group, load the module with the parameter ptrace_group=-1, e.g.:
$ insmod ./sptrace.ko ptrace_group=-1
Download: sptrace-1.4.2.tar.gz (.asc)
md5sum: 9a23198cbdcd256b11e2b0dc2c03b331
sha1sum: 458f9b15e9a5b02cd18759b6b09a4b41d062d7cd