markham_breitbach at ssimicro.com markham_breitbach at ssimicro.com
Tue Sep 8 16:29:11 UTC 2015

On 2015-09-05 7:12 PM, kpneal at pobox.com wrote:
> On Fri, Sep 04, 2015 at 03:51:13PM -0600, markham_breitbach at ssimicro.com wrote:
>> I am trying to configure the security/snoopy package as a solution for
>> logging shell activity within jails (I'm also open to alternative
>> suggestions!).  Snoopy works as an execve() wrapper that basically just
>> logs and passes through the calls.  For it to work though, I need to set
>> the LD_PRELOAD variable in the environment to force the linker to load
>> snoopy.so first, presumably so the snoopy execve wrapper is found before
>> the libc version.
>> If I set LD_PRELOAD=/usr/local/lib/snoopy.so on the command line, and
>> then launch a new shell, events get logged as expected, but I need to
>> figure out how to make that happen by default for everything in the jail.
> Try starting the jail with a shell script in the jail's /etc to set (export!)
> the environment variable and then exec /etc/rc "$@" to go through the rest
> of the normal startup for the jail. You'll need to change your jail config
> to start your script instead of /etc/rc though.
> Be aware that it isn't possible to guarantee that snoopy will catch _every_
> _single_ call if your system is breached. In some cases an attacker can
> just eliminate the environment variable. You may be able to determine
> the starting point of the breach, however, if the attacker doesn't change
> the snoopy log on you. Can snoopy log to a remote syslogd? That would
> keep an attacker from removing evidence logged.
I actually shoved that right into /etc/rc inside the jail, and that
seems to do the trick.  I will have to play around and see if I can't
find a more graceful way to handle that, but it's a proof of concept.  I
suspect there is already a facility for that.  I will have to poke
around rc and see what I can unearth. :)

I understand that there are security implications of this; it is
actually intended more for audit logging of my own authorized users, i.e.
who made that change?  WTF were they thinking!?!  :), than it is for any
form of security.  Of course, once root is breached, all bets are off
anyway.  I have looked at the auditing features of FreeBSD, but jail
support is sadly lacking; so far snoopy seems to be about the best thing
I can find to fill that hole.
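The startup-wrapper approach suggested above, written out as an added example (not code from the thread or from the snoopy project): a script installed inside the jail at a hypothetical path such as /etc/rc.snoopy, pointed at by the jail's exec.start in jail.conf in place of /etc/rc. It exports LD_PRELOAD (prepending snoopy if something is already preloaded), logs what it did, and then hands off to the normal /etc/rc; the library path is the one from the thread.

```shell
#!/bin/sh
# Added example: jail startup wrapper that preloads snoopy before /etc/rc.
# Install inside the jail (e.g. /etc/rc.snoopy, hypothetical name) and set
#   exec.start = "/bin/sh /etc/rc.snoopy";
# in the jail's jail.conf stanza instead of the default /etc/rc.

SNOOPY_LIB="${SNOOPY_LIB:-/usr/local/lib/snoopy.so}"   # path used in the thread

# Return 0 when the library exists and is readable, 1 otherwise.
snoopy_lib_ok() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Print the LD_PRELOAD value to use: snoopy first, then whatever was already
# preloaded, so snoopy's execve() wrapper is resolved before libc's.
snoopy_preload_value() {
    lib="$1"
    current="$2"
    if [ -z "$current" ]; then
        printf '%s\n' "$lib"
    else
        printf '%s:%s\n' "$lib" "$current"
    fi
}

# Export LD_PRELOAD for everything started by /etc/rc, then exec it.
jail_rc_main() {
    if snoopy_lib_ok "$SNOOPY_LIB"; then
        LD_PRELOAD="$(snoopy_preload_value "$SNOOPY_LIB" "$LD_PRELOAD")"
        export LD_PRELOAD
        logger -t snoopy-rc "LD_PRELOAD=$LD_PRELOAD set for jail startup"
    else
        # Log loudly rather than fail the boot; choose the policy you want here.
        logger -p daemon.err -t snoopy-rc "$SNOOPY_LIB missing; starting without snoopy"
    fi
    exec /etc/rc "$@"
}

# Only hand off to /etc/rc when run as the wrapper itself, not when sourced.
case "$0" in
    */rc.snoopy|rc.snoopy) jail_rc_main "$@" ;;
esac
```

Note that the runtime linker drops LD_PRELOAD for set-user-ID and set-group-ID programs, so those executions will not be seen by snoopy regardless of how the variable is set.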

