Projects / system call tracker

system call tracker

The system call tracker is a Linux kernel module and supporting user space applications which allow interception of and possibly taking action upon system calls that match user-defined criteria. It allows you to set such rules as "tell me when someone tries to open /etc/passwd" and "if user '500' tries to connect to the network, fail the system call". It can also be thought of as strace on steroids.

Tags
Licenses
Operating Systems
Implementation

Recent releases

  •  06 Feb 2003 01:36

    Release Notes: This release adds support for matching and logging the current working directory, so that you can know if 'open("passwd", ...)' relates to '/etc/passwd' rather than '/home/joe/tmp/passwd'." It also contains a bugfix when detecting whether the kernel modules are loaded in the user space libraries, and a fix for sctrace where sctracing a program with command line arguments could fail to find the program to trace.

    •  28 Jan 2003 13:37

      Release Notes: This release includes support for matching against void pointers (addresses) and re-enables support for tracking the shmat and msgrcv calls. sctrace now supports strace's 'follow forks' mode, and tracking was implemented for the last two remaining syscalls, sys_vfork and sys_bdflush. The userspace tools now behave sensibly when the kernel modules aren't loaded and complain. The '-h' and '--help' command line flags for sct_logctrl were added. This release also includes assorted other bugfixes for kernel modules, so an upgrade is recommended.

      •  23 Nov 2002 20:30

        Release Notes: This release contains support for multiple readers of the log device. It is now possible to have two (or more) different log device readers. Each log device reader can set its own log device parameter, such as the log format and the log buffer size. See sct_logctrl(1) and sctlog(1) for further details. This release disables support for the 'shmat', 'semctl', and 'msgrecv' system calls (muxed functions of the sys_ipc system call, to be precise). This will be fixed and included in the next release.

        •  13 Sep 2002 20:11

          Release Notes: This release contains complete autotools support for the entire syscalltrack system: kernel modules, libraries, and applications. It also contains support for 'kill process' and 'suspend process' actions. Now you can set rules to kill any process that matches a rule, or to suspend it. This release also contains two major bugfixes, one for an SMP race and the other for the bdflush() system call, and many more supported system calls. Upgrading is recommended.

          •  31 Aug 2002 22:26

            Release Notes: The major change in this release is the addition of support for over 100 system calls. It includes infrastructure support for 64 bit system call parameters, such as long long and loff_t. This release also fixes bugs in various areas. Most notable are the bugfixes to the syscall data file parser (which is used by sctrace and sct_config), and to sctrace and the logging mechanism. This release has been extensively tested on 2.4 kernels. It should work on 2.5 kernels. It does not work on 2.2 kernels, due to technical difficulties.

            Screenshot

            Project Spotlight

            OpenStack4j

            A Fluent OpenStack client API for Java.

            Screenshot

            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.