Fsnoop
Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect insecure temporary file usage and, through that, file race condition vulnerabilities.
Download
- Fsnoop 2.0 (release date: 2013/01/27)
- Fsnoop 1.2, tool renamed (release date: 2012/08/23)
- Dirspy 1.1 (release date: 2012/08/18)
- Dirspy 1.0 (release date: 2012/07/16)
Usage
    $ ./fsnoop --help
    fsnoop monitors file operations by using the Inotify mechanism.

    Usage: fsnoop [OPTIONS] [DIR1[,DIR2,...]] [-- COMMAND]

      -d           Run as a daemon
      -fd          Open file descriptors when it's possible
      -k           Send SIGSTOP signal to the running process (COMMAND)
      -o filename  Output is redirected to a specific file
      -r           Monitor directory contents recursively
      -t           Prefix each line with the time of day

    If no DIR is specified, default writable directories such as /tmp, /var/tmp,
    /dev/shm, etc. are monitored.

    If COMMAND is specified, it will monitor activities during the process duration.
Output
On events, it displays lines as shown below:

    [C] -rw------- 1 root root 0 Tue May 8 22:17:10 2012 /var/tmp/test
    [M] -rw-r--r-- 1 root root 0 Tue May 8 22:17:10 2012 /var/tmp/test
    [U] -rw-r--r-- 1 root root 1741 Tue May 8 22:17:27 2012 /var/tmp/test
    [M] -rwxrwxrwx 1 root root 1741 Tue May 8 22:17:27 2012 /var/tmp/test
    [D] F /var/tmp/test

An event begins with an action character (placed between brackets):
- 'C' for Create;
- 'M' for Modify (means that metadata changed, e.g. permissions, timestamps, link count, UID, GID, etc.);
- 'U' for Update (means that file content was modified);
- 'D' for Delete.
Some examples
To monitor activities in the "/etc" and "/tmp" directories:

    # ./fsnoop /etc,/tmp
    Starting fsnoop version 2.0
    [+] monitor /etc
    [+] monitor /tmp

To run Fsnoop as a daemon in order to monitor the "/var/tmp" directory and record activities in the "/root/fsnoop.log" file:

    # ./fsnoop -d -t -o /root/fsnoop.log /var/tmp
    Starting fsnoop version 2.0

The output log will look like this:

    # cat /root/fsnoop.log
    [+] monitor /var/tmp
    (20:10:00) [C] -rw-r--r-- 1 root root 0 Mon Jul 9 20:10:00 2012 /var/tmp/blurb-lock
    (20:10:00) [M] -rw-r--r-- 1 root root 0 Mon Jul 9 20:10:00 2012 /var/tmp/blurb-lock
    (20:13:02) [D] F /var/tmp/blurb-lock

To monitor file activities only for the duration of a process:

    $ ./fsnoop /tmp -- Xorg -ac :1
    Starting fsnoop version 2.0
    [+] monitor /tmp

To send the SIGSTOP signal to a process right after an event occurs:

    $ ./fsnoop -k /tmp/.tX1-lock -- Xorg -ac :1
    [...]
    [C] F /tmp/.tX0-lock
    *** PID 30342 stopped, type [Enter] to resume execution:
    *** PID 30342 resumed
    ...

To read the content of a file that has been erased:

    $ ./fsnoop -fd /var/tmp
    [+] monitor /var/tmp
    [+] As then "-fd" option is being used, you can launch new shell by using "ctrl-c" and disclose file descriptors content.
    [C] -rw-r--r-- 1 root root 0 Tue Jan 1 21:39:55 2013 /var/tmp/temp.2oPahVp (opened fd=5)
    [U] -rw-r--r-- 1 root root 13 Tue Jan 1 21:40:37 2013 /var/tmp/temp.2oPahVp
    [D] F /var/tmp/temp.2oPahVp
    ^C
    Here are opened file descriptors. You can display their contents by using the "cat" command. For example, to display fd #4 use: "cat <&4"
    lrwx------ 1 vladz vladz 64 1 janv. 21:43 0 -> /dev/pts/3
    lr-x------ 1 vladz vladz 64 1 janv. 21:43 5 -> /var/tmp/temp.2oPahVp (deleted)
    fsnoop$ cat <&5

To monitor directories recursively:

If /tmp is being monitored and someone runs:

    $ mkdir -p /tmp/a/b/c/d/e/f
    $ touch /tmp/a/b/c/d/e/f/a

the event will be caught:

    $ ./fsnoop -r /tmp
    [+] monitor /tmp
    [C] -rw-r--r-- 1 vladz vladz 0 Thu Jan 24 13:10:30 2013 /tmp/a/b/c/d/e/f/a
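As an added example (not part of Fsnoop itself), the script below parses the event lines documented above, including the "(HH:MM:SS)" prefix written with -t, and flags the patterns a reviewer would want to look at when hunting for temporary file races: predictable file names, files other users can already access when created, and permissions widened after creation. The random-name heuristic and the sample log are constructed assumptions, not output from a real run.

```python
import re
# Event lines as documented above; the "(HH:MM:SS)" prefix appears only with -t:
#   [C|M|U] MODE NLINK USER GROUP SIZE WDAY MON DAY TIME YEAR PATH    or    [D] F PATH
TIME_PREFIX = re.compile(r"^\(\d{2}:\d{2}:\d{2}\)\s+")

def parse_event(line):
    """Return (action, path, mode) for an event line (mode is None for deletes), else None."""
    line = TIME_PREFIX.sub("", line.strip())
    if len(line) < 4 or line[0] != "[" or line[2:4] != "] " or line[1] not in "CMUD":
        return None
    action, rest = line[1], line[4:]
    if action == "D":                      # "[D] F PATH": a type letter, then the path
        return action, rest.split(None, 1)[-1], None
    fields = rest.split(None, 10)          # mode ... year, then the path as one field
    return (action, fields[10], fields[0]) if len(fields) == 11 else None

def has_random_component(name):
    """Heuristic (assumed): a run of 6+ alphanumerics mixing letters and digits, e.g. temp.2oPahVp."""
    runs = re.findall(r"[A-Za-z0-9]+", name)
    return any(len(r) >= 6 and any(c.isdigit() for c in r) and any(c.isalpha() for c in r) for r in runs)

def others_access(mode):
    return {c for c in mode[-3:] if c in "rwx"}  # bits granted to 'others' in the mode string

def audit(lines):
    """Flag race-prone temporary-file patterns in fsnoop output as (path, finding) pairs."""
    findings, current_mode = [], {}
    for raw in lines:
        event = parse_event(raw)
        if event is None: continue         # non-event lines such as "[+] monitor ..."
        action, path, mode = event
        if action == "C":
            current_mode[path] = mode
            if not has_random_component(path.rsplit("/", 1)[-1]):
                findings.append((path, "predictable name"))
            if others_access(mode):
                findings.append((path, "accessible by others at creation"))
        elif action == "M" and path in current_mode:
            gained = others_access(mode) - others_access(current_mode[path])
            if gained:
                findings.append((path, "permissions widened after creation: +" + "".join(sorted(gained))))
            current_mode[path] = mode
    return findings
# Constructed sample log in the "-d -t -o" format shown above (not a real capture).
SAMPLE_LOG = """\
(20:10:00) [C] -rw------- 1 root root 0 Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
(20:10:00) [M] -rwxrwxrwx 1 root root 0 Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
(20:12:41) [C] -rw------- 1 root root 0 Mon Jul  9 20:12:41 2012 /var/tmp/temp.2oPahVp
(20:13:02) [D] F /var/tmp/blurb-lock
"""
```

Feed a log recorded with -d -t -o to audit() line by line; the blurb-lock entries in the sample are reported, the randomly named temp.2oPahVp is not.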