Tuesday, April 09, 2013

Fsnoop - monitor file operations

Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect bad temporary file usage and, therefore, file race condition vulnerabilities.

Download

Usage

   $ ./fsnoop --help
   fsnoop monitors file operations by using the Inotify mechanism.
   
   Usage: fsnoop [OPTIONS] [DIR1[,DIR2,...]] [-- COMMAND]
  
     -d            Run as a daemon
     -fd           Open file descriptors when it's possible
     -k            Send SIGSTOP signal to the running process (COMMAND)
     -o filename   Output is redirected to a specific file
     -r            Monitor directory contents recursively
     -t            Prefix each line with the time of day
   
   If no DIR is specified, default writable directories such as /tmp,
   /var/tmp, /dev/shm, etc. are monitored.
  
   If COMMAND is specified, it will monitor activities during the process
   duration.

Output

On events, it displays lines as shown below:
   [C] -rw------- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [M] -rw-r--r-- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [U] -rw-r--r-- 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [M] -rwxrwxrwx 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [D] F /var/tmp/test
An event begins with an action character (placed between brackets):
  • 'C' for Create;
  • 'M' for Modify (means that metadata changed, e.g. permissions, timestamps, link count, UID, GID, etc.);
  • 'U' for Update (means that file content was modified);
  • 'D' for Delete.
The action character is followed by output similar to that of the "ls -l" command, or by a shortened output (when fsnoop wasn't able to stat() the file). In the shortened output, only the file type information is displayed ('F' for file and 'D' for directory).
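
A triage sketch for the event format described above, added here as an example and not part of fsnoop or the original post: it parses full and shortened event lines (with or without the "-t" prefix) and flags root-owned regular files that are group- or world-writable. The function names and the sample log are constructed for illustration.

```python
import re

# Full event: optional "(HH:MM:SS)" prefix from -t, action, then ls -l style fields.
FULL = re.compile(
    r"^\s*(?:\((?P<tod>\d\d:\d\d:\d\d)\)\s+)?\[(?P<action>[CMUD])\]\s+"
    r"(?P<mode>[-dlbcps][-rwxsStT]{9})\s+(?P<links>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})\s+"
    r"(?P<path>.+?)(?:\s+\(opened fd=(?P<fd>\d+)\))?\s*$")
# Shortened event, printed when stat() failed: only 'F' or 'D' and the path.
SHORT = re.compile(
    r"^\s*(?:\((?P<tod>\d\d:\d\d:\d\d)\)\s+)?\[(?P<action>[CMUD])\]\s+"
    r"(?P<ftype>[FD])\s+(?P<path>.+?)\s*$")

def parse_line(line):
    """Return a dict for an event line, or None for banners such as '[+] monitor'."""
    m = FULL.match(line) or SHORT.match(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

def findings(lines):
    """Flag root-owned regular files that are group- or world-writable."""
    out = []
    for ev in filter(None, map(parse_line, lines)):
        mode = ev.get("mode")  # absent in shortened events
        # mode[5] is the group write bit, mode[8] the other (world) write bit
        if mode and mode[0] == "-" and ev["user"] == "root" and "w" in (mode[5], mode[8]):
            out.append((ev["action"], ev["path"], mode))
    return out

# Constructed sample, modelled on the output format shown above.
SAMPLE = """\
[+] monitor /var/tmp
(22:17:10) [C] -rw------- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
(22:17:27) [U] -rw-r--r-- 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
(22:17:27) [M] -rwxrwxrwx 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
(22:17:30) [D] F /var/tmp/test
""".splitlines()

if __name__ == "__main__":
    for action, path, mode in findings(SAMPLE):
        print(f"review: [{action}] {path} is root-owned with mode {mode}")
```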

Some examples

To monitor activities in the "/etc" and "/tmp" directories:
   # ./fsnoop /etc,/tmp
   Starting fsnoop version 2.0
   [+] monitor /etc
   [+] monitor /tmp
To run Fsnoop as a daemon in order to monitor the "/var/tmp" directory and record activities in the "/root/fsnoop.log" file:
   # ./fsnoop -d -t -o /root/fsnoop.log /var/tmp
   Starting fsnoop version 2.0 
The output log will look like this:
   # cat /root/fsnoop.log
   [+] monitor /var/tmp
   (20:10:00) [C] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:10:00) [M] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:13:02) [D] F /var/tmp/blurb-lock
To monitor file activities just during a process duration:
   $ ./fsnoop /tmp -- Xorg -ac :1
   Starting fsnoop version 2.0
   [+] monitor /tmp
To send the SIGSTOP signal to a process right after an event occurs:
   $ ./fsnoop -k /tmp/.tX1-lock -- Xorg -ac :1
   [...]
   [C] F /tmp/.tX0-lock
   *** PID 30342 stopped, type [Enter] to resume execution:
   *** PID 30342 resumed ...
To read the content of a file that has been erased:
   $ ./fsnoop -fd /var/tmp
   [+] monitor /var/tmp
   [+] As then "-fd" option is being used, you can launch new shell by
       using "ctrl-c" and disclose file descriptors content.
   [C] -rw-r--r-- 1 root root 0  Tue Jan  1 21:39:55 2013 /var/tmp/temp.2oPahVp (opened fd=5)
   [U] -rw-r--r-- 1 root root 13  Tue Jan  1 21:40:37 2013 /var/tmp/temp.2oPahVp
   [D] F /var/tmp/temp.2oPahVp
   ^C
   
   Here are opened file descriptors.  You can display their contents by
   using the "cat" command.  For example, to display fd #4 use: "cat <&4"
   
   lrwx------ 1 vladz vladz 64  1 janv. 21:43 0 -> /dev/pts/3
   lr-x------ 1 vladz vladz 64  1 janv. 21:43 5 -> /var/tmp/temp.2oPahVp (deleted)
   fsnoop$ cat <&5
To monitor directories recursively:
If /tmp is being monitored and someone runs:
   $ mkdir -p /tmp/a/b/c/d/e/f
   $ touch /tmp/a/b/c/d/e/f/a
The event will be caught:
   $ ./fsnoop -r /tmp
   [+] monitor /tmp
   [C] -rw-r--r-- 1 vladz vladz 0  Thu Jan 24 13:10:30 2013 /tmp/a/b/c/d/e/f/a

Credits

Thanks to Larry Cashdollar for testing the tool and bringing new ideas.
