USER ACTIVITIES MONITORING SYSTEM USING LKM

Bhaumik Patel
B.E., Sardar Patel University, INDIA, 2008

PROJECT

Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in COMPUTER SCIENCE at CALIFORNIA STATE UNIVERSITY, SACRAMENTO, FALL 2011

A Project by Bhaumik Patel

Approved by:
Jinsong Ouyang, Ph.D., Committee Chair
Chung-E Wang, Ph.D., Second Reader

Student: Bhaumik Patel
I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project.
Nikrouz Faroughi, Ph.D., Graduate Coordinator, Department of Computer Science

Abstract of USER ACTIVITIES MONITORING SYSTEM USING LKM by Bhaumik Patel

Security is one of the major challenges when a single machine is shared among multiple users. Linux is an operating system that supports multiple users. All users can have access to different files in the system, and they can reach those files from the local machine or over a network connection. Any inappropriate action by a user can cause system failure or other unexpected trouble. All activities of the different users must be monitored in order to identify the exact reason for a system failure and the user who is responsible for it.

In the operating system, the system call is the only window through which a user process can get into the kernel and access the resources the kernel provides. The Linux Security Module (LSM) of this project is a Loadable Kernel Module (LKM) that intercepts the file I/O and network I/O system calls in order to log the valuable information. It adds a layer between the user process and the actual system call by replacing the actual system call with a spy system call. (The name LSM here refers to the project's own module, not to the Linux kernel's LSM hook framework.)

The original LSM supports 32-bit machines and older versions of the kernel. As 64-bit machines are common today, the LSM is required to be ported to a 64-bit machine with the latest version of the kernel source. To port the original LSM to current hardware and the latest kernel, changes are required and the LSM needs to be upgraded based on the current system call structure. The user activities monitoring system using LKM includes the upgraded LSM as its system-layer utility; this is required to hack (hook) the file I/O and network I/O and to generate log files from the gathered information. As its application-layer utility it also includes an automation system, which is required to filter the data from the log file and insert that data into the database. It also has a GUI-based web interface to query the data in the database and to generate reports for the system administrator.

The entire system will be really helpful for monitoring user activities both on the local machine and on the network. Using this tool, the administrator of the system can trace file I/O and network I/O, so in case the system goes down, the admin can investigate the activities carried out by different users and explore the actual reason for the crash.

Jinsong Ouyang, Ph.D., Committee Chair

DEDICATION

Dedicated to my loving parents who inspired me to work hard and my brother for his constant support.

ACKNOWLEDGMENTS

I would like to thank everyone who encouraged and motivated me throughout my Master's Project. I am grateful to Dr. Jinsong Ouyang for his constant guidance and useful advice all the time. He helped me a lot in identifying different problems and in building the solution step by step. He also provided me with reading materials like books, published papers, etc. to explore the Linux kernel even more. At the same time, I would also like to thank Prof. Chung-E Wang for being a driving force for my interest in different algorithms and for providing me continuous support.

Furthermore, I would also like to thank the entire Linux kernel developer community. This community has helped me a lot by providing guidance on kernel module development. Linux developers around the world are really active in providing answers in discussion forums, and that always helped me to solve different problems. In the end, I would like to thank my parents and all my friends for giving me full support and motivation in completing the project.

TABLE OF CONTENTS

Dedication
Acknowledgments
List of Tables
List of Figures
Chapter
1. INTRODUCTION
   1.1 Overview
   1.2 Objectives
2. LOADABLE KERNEL MODULE (LKM)
   2.1 What is LKM?
   2.2 Basic Structure of LKM
   2.3 System Call
   2.4 LSM (Linux Security Module)
   2.5 Porting
3. KERNEL INSTRUMENTATION FOR MONITORING FILE I/O AND NETWORK I/O
   3.1 System part overview
   3.2 Basic pseudo code for LKM
   3.3 Locating System call Table
   3.4 Overwriting the addresses of system call
   3.5 Writing a new system call
   3.6 Cleanup part of the module
   3.7 Output of phase-I
4. A WEB-BASED APPLICATION FOR MONITORING FILE I/O AND NETWORK I/O
   4.1 Why filtering is required?
   4.2 Automation Schema
   4.3 Filtering script
   4.4 Insert data script
   4.5 Database design
   4.6 Web interface
5. SUMMARY
   5.1 Summary
6. FUTURE WORK
   6.1 Future work
References

LIST OF TABLES

Table 1 System calls related to file i/o and network i/o
Table 2 LKM commands and their functionality
Table 3 Comparison of system call structure between 32 and 64 bit machine
Table 4 System calls and corresponding system call numbers
Table 5 Information captured by hacking file i/o and network i/o

LIST OF FIGURES

Figure 1 Overall structure of system and position of system call
Figure 2 Automation schema
Figure 3 Screenshot of Form to query the database
Figure 4 Screenshot of result of query

Chapter 1 INTRODUCTION

1.1 Overview

Linux is a multi-user operating system. Many different users can share a single Linux machine and can access the machine locally or through the network. In Linux, all the file system requests and network

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 52