/tmp event logger

From: Michal Zalewski (lcamtufat_private)
Date: Sat Mar 14 1998 - 04:09:02 PST


    Due to the excessive number of /tmp races reported in recent months, here is a
    /tmp event logger. This simple and small program logs file activity
    in a given directory, in a clear, reusable, space-saving format
    (including operation, filename, uid/gid, file type, permissions,
    current time). It's very useful when you're looking for possible
    vulnerabilities, or trying to trace attacks.
    
    --
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <dirent.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>
    #include <time.h>
    #include <unistd.h>
    
    #define OPENED_MAX 5000
    #define LAG 5
    
    #define nopp(x) if (strlen(x)<5) nope='\t'; else nope=0;
    
    int wannadies=-1,a;
    char* opened[OPENED_MAX];
    char present[OPENED_MAX],nope;
    time_t costam;
    
    int infect(struct dirent *s) {
      struct stat x;
      if (!(strcmp(s->d_name,"..")&&strcmp(s->d_name,"."))) return -1;
      for (a=0;a<=wannadies;a++) if (!strcmp(opened[a],s->d_name)) {
        present[a]=1;
        return -1;
      }
      strncpy((opened[++wannadies]=malloc(strlen(s->d_name)+1)),s->d_name,
              strlen(s->d_name)+1);
      present[wannadies]=1;
      if (wannadies>OPENED_MAX) {
        fprintf(stderr,"Out of file handlers, dying...\n");
        exit(-1);
      }
      stat(s->d_name,&x);
      time(&costam);
      nopp(s->d_name);
      printf("++ %s%c\t%6o\t%d\t%d\t%d\t%s",s->d_name,nope,x.st_mode,
            x.st_uid,x.st_gid,x.st_size,ctime(&costam));
      return -1;
    }
    
    int foo(struct dirent **a,struct dirent **b) {}
    
    int main(int argc,char* argv[]) {
      struct dirent **x;
      int a;
      fprintf(stderr,"/tmp watcher 1.0 by <lcamtufat_private>\n");
      if (argc==2) if (chdir(argv[1])) {
        fprintf(stderr,"Can't change to given directory, dying.\n");
        return -1;
      } else fprintf(stderr,"Using %s.\n",argv[1]); else {
        fprintf(stderr,"No parameter given, using /tmp.\n");
        chdir("/tmp");
      }
      fprintf(stderr,"\nOP FILENAME\tTYPPRM\tUID\tGID\tSIZE\tTIME\n");
      while (1) {
        bzero(present,sizeof(present));
        scandir("/tmp",&x,infect,foo);
        for (a=0;a<=wannadies;a++) if (!present[a]) {
          time(&costam);
          nopp(opened[a]);
          printf("-- %s%c\t-\t-\t-\t-\t%s",opened[a],nope,ctime(&costam));
          free(opened[a]);
          present[a]=present[wannadies];
          if (a<wannadies) opened[a]=opened[wannadies--]; else wannadies--;
        }
        usleep(LAG);
      }
    }
    --
    
    It isn't visual or multimedia, and it doesn't have a lot of more or less
    useful features. Feel free to modify it...
    
    _______________________________________________________________________
    Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch]
    =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
    


