
fupids



Hi.

Sorry for my poor English, but I hope it is readable anyway.

I would like to make a proposal for some kernel code I call 'fupids'
(for fuzzy-user-profile-intrusion-detection-system).

what is it?
-----------
fupids creates profiles for every user who does an execve() syscall
on OpenBSD systems. It isn't complete at the moment (see the last section
of this mail), but I just want to see whether there is interest from the
developers to include some code like this.

how does it work?
-----------------
User X opens a program (-> execve() syscall). I modified execve() so
that it runs the fupids code. fupids has a single-linked list (one entry for
every UID) and searches for the entry with UID X. Then it opens the
sub single-linked list for the user's programs (there is one program
slist for every user) and searches for the current program.
If the program is already registered in the list, it just increments
a counter for this program. If this program is new, it creates a
new entry in the slist.
When this is done, fupids calls a function that checks the attacker
level of a user. A newly registered program changes this level more
than a new call of a known program, and the 10000th call of a
program changes the attacker level less than the 2nd call of it.
So I calculate an attacker level (stored in the main slist) which
can have a value between 0 (definitely an attacker) and 1 (seems to
be a valid user).

In this way fupids can check for taken-over user accounts.
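A stand-alone user-space model of the scheme described above, added here as an example and not Steffen's kernel code: it keeps the main slist of UIDs, the per-user program slist with counters, and a level in [0,1]. The penalty and recovery constants (0.2 for a new program, 0.1/calls for a repeat) are assumptions, since the post states no formula.

```c
/* Added user-space model of the fupids scheme (not Steffen's kernel code): one
 * slist entry per UID, each holding a program slist with call counters. */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct prog { char name[64]; unsigned long calls; struct prog *next; };
struct user { uid_t uid; double level; struct prog *progs; struct user *next; };
static struct user *users;	/* main slist: one entry per UID */

static struct user *find_user(uid_t uid)
{
	struct user *u = users;
	while (u != NULL && u->uid != uid)
		u = u->next;
	if (u == NULL) {	/* first execve() by this UID: new profile, level 1.0 */
		u = calloc(1, sizeof *u);
		u->uid = uid; u->level = 1.0; u->next = users; users = u;
	}
	return u;
}

static struct prog *find_prog(const struct user *u, const char *name)
{
	struct prog *p = u->progs;
	while (p != NULL && strcmp(p->name, name) != 0)
		p = p->next;
	return p;
}

/* Hook point an execve() would call; returns the updated level in [0,1].
 * Assumed scoring (the post gives none): a never-seen program costs 0.2, a
 * repeat earns back 0.1/calls, so the 2nd call moves it far more than the 10000th. */
double fupids_exec(uid_t uid, const char *name)
{
	struct user *u = find_user(uid);
	struct prog *p = find_prog(u, name);
	if (p == NULL) {	/* new program: register it in the user's slist */
		p = calloc(1, sizeof *p);
		strncpy(p->name, name, sizeof p->name - 1);
		p->next = u->progs; u->progs = p;
		u->level -= 0.2;
	} else
		u->level += 0.1 / (double)p->calls;
	p->calls++;
	if (u->level < 0.0) u->level = 0.0;
	if (u->level > 1.0) u->level = 1.0;
	return u->level;
}
static int close_to(double x, double y) { return x > y - 1e-9 && x < y + 1e-9; }
```

Note that, exactly as the mail's "link protection" point describes, the model keys programs by name only, so a re-pointed link keeps the old counter.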

it is not complete
------------------
I must write some code before it is done:

- path protection: /bin/ls and /home/user/bin/ls are the same at the
  moment. I have a 'char *path' value for this problem, but the check method
  is not implemented at the moment.

- link protection: if you create a link to gcc, delete the link, and create
  a new link (same name) to emacs, then fupids only knows the new program
  under the name >>link<<. I must modify the unlink syscall in the future so that
  I remove the entries for this program in the user's proclist.

but...
------
Before fupids is really helpful for the admin, it must create an account
for every user, which produces a lot of warning messages for the user (due to
the fact that he first must use some programs to create his profile).
If you have a server with 1000 users you may see 100 warnings of this kind
every day.
This is why I have different levels of warnings (low, medium and maximum
attacker levels are printed to the logs). But maybe you just grep for the medium
and maximum levels, or maybe I write a sysctl parameter for setting the minimal
log level for fupids.


init_main.c just initializes fupids; kern_exec.c is for calling the fupids
code.

I would be pleased to get some comments.
- Are the OpenBSD developers interested in this code (I mean the finished
  version, not this basic version)?
- Are there any comments or suggestions from someone on this list?

bye, Steffen.

-- 

{ http://cdp.doomed-reality.org/ }

[demime 0.98d removed an attachment of type application/octet-stream which had a name of fupids.c]

[demime 0.98d removed an attachment of type application/octet-stream which had a name of init_main.c]

[demime 0.98d removed an attachment of type application/octet-stream which had a name of kern_exec.c]

[demime 0.98d removed an attachment of type application/octet-stream which had a name of fupids.h]