Tuesday, November 20, 2007
Eyes on Exec reloaded
About 10 years ago I wrote a tool called "Eyes on Exec" (EoE), a kernel module for the 2.0, 2.2 and 2.4 kernels.
It created a device /dev/exec from which one could read all the commands executed recently,
including the caller's PID, EUID etc. Some simple host-based IDS used this input to ensure that e.g.
pop3d never executed anything. It worked very well. Additionally, code reviewers (myself :)
found it useful, since you easily see if some daemons/applications execute shell programs
in a way that is not obvious to the auditor due to weird library calls. The famous modprobe bug
which used ping as a trigger was found by me with the help of EoE (google for rootprobe exploit).
The 2.2 days are gone, but the new 2.6 kernel has a nice API called the proc connector, which allows
you to register for certain process events such as fork/exec etc. One is then notified
whenever the event in question arrives. Ever wanted to know what man really executes or how
acroread is handling mail sent from within a PDF? :-) Jump towards here.
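As an added example (not code from the original post or from EoE itself), here is a minimal proc connector listener for 2.6+ kernels that reports the same kind of data /dev/exec used to: every exec and fork, with the PIDs involved, plus a best-effort read of /proc/PID/cmdline. The netlink socket setup (`NETLINK_CONNECTOR`, multicast group `CN_IDX_PROC`, op `PROC_CN_MCAST_LISTEN`) is the documented kernel interface; the helper and struct names (`build_subscribe`, `parse_proc_event`, `proc_report`, `build_sample_exec_event`) are my own. Subscribing needs root (CAP_NET_ADMIN); the message-building and parsing helpers are pure and run unprivileged, which is why the sample-event builder is included: it constructs a datagram shaped like what the kernel sends so the parser can be exercised offline.

```c
/*
 * Added example, not part of the original post: a small proc connector
 * listener. The kernel sends one netlink datagram per event, laid out as
 * nlmsghdr | cn_msg | proc_event, with no alignment padding between them.
 * Helper names (build_subscribe, parse_proc_event, ...) are my own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

/* Decoded view of one event: what = PROC_EVENT_EXEC, PROC_EVENT_FORK, ... */
struct proc_report {
    unsigned int what;
    pid_t pid;        /* process the event is about (child, for forks) */
    pid_t tgid;
    pid_t parent_pid; /* only set for PROC_EVENT_FORK */
};

/* Build a PROC_CN_MCAST_LISTEN / IGNORE request into buf; returns bytes to send, 0 if buf is too small. */
size_t build_subscribe(unsigned char *buf, size_t cap, enum proc_cn_mcast_op op, pid_t self)
{
    struct nlmsghdr nl;
    struct cn_msg cn;
    size_t total = NLMSG_HDRLEN + sizeof cn + sizeof op;

    if (cap < total) return 0;
    memset(&nl, 0, sizeof nl);
    memset(&cn, 0, sizeof cn);
    nl.nlmsg_len = (__u32)total;
    nl.nlmsg_type = NLMSG_DONE;
    nl.nlmsg_pid = (__u32)self;
    cn.id.idx = CN_IDX_PROC;      /* connector id of the proc subsystem */
    cn.id.val = CN_VAL_PROC;
    cn.len = (__u16)sizeof op;
    memcpy(buf, &nl, sizeof nl);
    memcpy(buf + NLMSG_HDRLEN, &cn, sizeof cn);
    memcpy(buf + NLMSG_HDRLEN + sizeof cn, &op, sizeof op);
    return total;
}

/* Decode one datagram from the connector socket; returns 1 on success, 0 if it is not a proc event. */
int parse_proc_event(const unsigned char *buf, size_t len, struct proc_report *out)
{
    struct nlmsghdr nl;
    struct cn_msg cn;
    struct proc_event ev;
    size_t off = NLMSG_HDRLEN + sizeof cn, want;

    if (len < off) return 0;
    memcpy(&nl, buf, sizeof nl);
    if (nl.nlmsg_len > len || nl.nlmsg_type != NLMSG_DONE) return 0;
    memcpy(&cn, buf + NLMSG_HDRLEN, sizeof cn);
    if (cn.id.idx != CN_IDX_PROC || cn.id.val != CN_VAL_PROC) return 0;
    if (cn.len < sizeof ev.what || off + cn.len > len) return 0;
    /* Copy out: the payload sits at offset 36 and is not 8-byte aligned. */
    want = cn.len < sizeof ev ? cn.len : sizeof ev;
    memset(&ev, 0, sizeof ev);
    memcpy(&ev, buf + off, want);
    memset(out, 0, sizeof *out);
    out->what = ev.what;
    if (ev.what == PROC_EVENT_EXEC) {
        out->pid = ev.event_data.exec.process_pid;
        out->tgid = ev.event_data.exec.process_tgid;
    } else if (ev.what == PROC_EVENT_FORK) {
        out->pid = ev.event_data.fork.child_pid;
        out->tgid = ev.event_data.fork.child_tgid;
        out->parent_pid = ev.event_data.fork.parent_pid;
    }
    return 1;
}

/* Constructed sample (not captured from a kernel): an exec event datagram in the same layout, for offline testing. */
size_t build_sample_exec_event(unsigned char *buf, size_t cap, pid_t pid, pid_t tgid)
{
    struct nlmsghdr nl;
    struct cn_msg cn;
    struct proc_event ev;
    size_t off = NLMSG_HDRLEN + sizeof cn, total = off + sizeof ev;

    if (cap < total) return 0;
    memset(&nl, 0, sizeof nl);
    memset(&cn, 0, sizeof cn);
    memset(&ev, 0, sizeof ev);
    nl.nlmsg_len = (__u32)total;
    nl.nlmsg_type = NLMSG_DONE;
    cn.id.idx = CN_IDX_PROC;
    cn.id.val = CN_VAL_PROC;
    cn.len = (__u16)sizeof ev;
    ev.what = PROC_EVENT_EXEC;
    ev.event_data.exec.process_pid = pid;
    ev.event_data.exec.process_tgid = tgid;
    memcpy(buf, &nl, sizeof nl);
    memcpy(buf + NLMSG_HDRLEN, &cn, sizeof cn);
    memcpy(buf + off, &ev, sizeof ev);
    return total;
}

/* Open the connector socket, join the proc group and ask for events. Needs CAP_NET_ADMIN. */
int proc_connector_open(void)
{
    struct sockaddr_nl sa;
    unsigned char req[64];
    size_t n;
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);

    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.nl_family = AF_NETLINK;
    sa.nl_groups = CN_IDX_PROC;
    sa.nl_pid = (__u32)getpid();
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    n = build_subscribe(req, sizeof req, PROC_CN_MCAST_LISTEN, getpid());
    if (n == 0 || send(fd, req, n, 0) != (ssize_t)n) { close(fd); return -1; }
    return fd;
}

/* Best-effort: the process may already have exited or exec'ed again by the time we look. */
static void read_cmdline(pid_t pid, char *out, size_t cap)
{
    char path[64];
    FILE *f;
    size_t n, i;

    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    f = fopen(path, "r");
    if (!f) { snprintf(out, cap, "?"); return; }
    n = fread(out, 1, cap - 1, f);
    fclose(f);
    out[n] = '\0';
    for (i = 0; i + 1 < n; i++)   /* argv entries are NUL-separated */
        if (out[i] == '\0') out[i] = ' ';
}

int main(void)
{
    unsigned char buf[4096];
    struct proc_report r;
    char cmd[256];
    int fd = proc_connector_open();

    if (fd < 0) { perror("proc connector (needs root)"); return 1; }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n <= 0) break;
        if (!parse_proc_event(buf, (size_t)n, &r)) continue;
        if (r.what == PROC_EVENT_EXEC) {
            read_cmdline(r.pid, cmd, sizeof cmd);
            printf("exec pid=%d tgid=%d cmd=%s\n", (int)r.pid, (int)r.tgid, cmd);
        } else if (r.what == PROC_EVENT_FORK) {
            printf("fork parent=%d child=%d\n", (int)r.parent_pid, (int)r.pid);
        }
    }
    close(fd);
    return 0;
}
```

Run it as root, then `man` something or open a PDF in acroread in another terminal and watch what gets exec'ed. Two caveats worth knowing when using this as an IDS feed: the cmdline read races with the process (a short-lived helper may be gone before we look, so the PID from the event itself is the reliable datum), and the socket is a normal multicast listener, so the kernel may drop events under load (recv returning ENOBUFS); a watcher that must not miss anything should treat that as an alert condition rather than silently continuing.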