Demonstrating name confusion attacks.
Running through the examples:
# Run the scenarios
./nc-scenarios.shTo collect auditd logs of scenarios:
# Trace: icase mount point
sudo service auditd rotate
sudo auditctl -w /mercury/research/casefolding -k icase
./nc-scenarios.sh
sudo auditctl -D
sudo service auditd rotate
# Search these logs
sudo ausearch -k icase | tee logs.auditd # OR
sudo ausearch -k icase -i # to view on console
ausearch -if examples/logs-1.auditd -i # provide log file
ausearch -if examples/logs-1.auditd -i -a 10947 # search using msg ID
# Delete logs
sudo rm /var/log/audit/audit.log.1Find bad create-use pairs:
# Run program on script
go run ncmonitor.go -verbose -file logs.auditd
go run ncmonitor.go -file examples/logs-2.auditd # run on example
go run ncmonitor.go -abspath # use abs. paths (for non-json reporting)
go run ncmonitor.go -json # output in json
go run ncmonitor.go -json -pretty # output in json (pretty printed)
go run ncmonitor.go -h # prints usage
# For docs
go doc -cmd -uTrace a command:
# Run cmd (ls) & find bad create-use pairs
go run . -cmd="ls"
# Additionally, save the collected traces
go run . -cmd="ls" -savetraceInstall ncmonitor:
go build -o $GOPATH/bin/ncmonitorUsing git from docker container (os=alpine):
VER=v2.24.1 # uid=0 (root)
VER=v2.24.3-user # uid=1000
git() {
docker run -ti --rm -v $(pwd):/git alpine/git:${VER} "$@"
}
git --versionCollect strace logs:
# Recorded on: 16-Jun-2021, 11:56 am EDT
strace git clone srcrepo tgtrepo 2>clone.strace
rm -rf tgtrepo
# Search for FS related syscalls
egrep -v "mprotect|munmap|mmap|getdents|brk|rt_sigaction" clone.strace | less