FileAudit

file auditing based on reloading system call

Primary language: Vue. License: GNU General Public License v3.0 (GPL-3.0)

File Auditing

Requirements

  • gcc 7.5.0
  • sqlite 3.22.0
  • python 3.6.9

Install Sqlite3

aptitude install sqlite3
aptitude install libsqlite3-dev
# or
apt install libsqlite3-0=3.22.0-1ubuntu0.4
apt install sqlite3
apt install libsqlite3-dev

Build Kernel Module

Init

make
insmod AuditModule.ko

Log

dmesg
dmesg -c   # clear the kernel log after reading it

Exit

rmmod AuditModule.ko

Illustration

The following statement replaces the openat entry in the system call table with the module's own hook (this is what the project calls "reloading" the system call); every openat then passes through hacked_openat before reaching the original implementation:

sys_call_table[__NR_openat] = (demo_sys_call_ptr_t) hacked_openat;
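As an added illustration (not code from the FileAudit project), the same pattern modelled in user space so it can be compiled and run without the kernel: an array of function pointers stands in for sys_call_table, hooked_openat is swapped in, records each call in an audit log and forwards to the saved original, and remove_hook puts the original pointer back, which is the step that makes the rmmod stage above safe. The table index, the record layout and all helper names are assumptions made for this example.

```c
/* Added example, not part of the FileAudit project: a user-space model of
 * hooking one entry of a syscall-style dispatch table for auditing. */
#include <stdio.h>
#include <string.h>

#define NR_OPENAT 257      /* openat's x86_64 number; used here only as an index */
#define TABLE_SIZE 512
#define AUDIT_MAX 64
#define PATH_MAX_LEN 256

typedef long (*demo_sys_call_ptr_t)(int dirfd, const char *pathname, int flags);

/* Assumed audit record layout: one row per intercepted openat. */
struct audit_record {
    int dirfd;
    int flags;
    char path[PATH_MAX_LEN];
};

static demo_sys_call_ptr_t sys_call_table[TABLE_SIZE];   /* stand-in for the kernel table */
static demo_sys_call_ptr_t original_openat;              /* saved so the hook can forward */

static struct audit_record audit_log[AUDIT_MAX];
static int audit_count;

/* Stand-in for the real openat implementation: returns a fake descriptor. */
static long demo_openat(int dirfd, const char *pathname, int flags)
{
    (void)dirfd; (void)flags;
    return pathname != NULL ? 3 : -1;
}

/* Model of insert_record(): append one entry to the in-memory audit log. */
static int insert_record(int dirfd, const char *pathname, int flags)
{
    if (audit_count >= AUDIT_MAX || pathname == NULL)
        return -1;
    struct audit_record *r = &audit_log[audit_count++];
    r->dirfd = dirfd;
    r->flags = flags;
    strncpy(r->path, pathname, PATH_MAX_LEN - 1);
    r->path[PATH_MAX_LEN - 1] = '\0';
    return 0;
}

/* The hook: record the call, then forward to the saved original so the
 * caller observes unchanged behaviour. */
static long hooked_openat(int dirfd, const char *pathname, int flags)
{
    insert_record(dirfd, pathname, flags);
    return original_openat(dirfd, pathname, flags);
}

/* Populate the table with the unhooked implementation (module load precondition). */
void setup_table(void)
{
    sys_call_table[NR_OPENAT] = demo_openat;
    audit_count = 0;
}

/* Mirrors the module init: remember the original entry, then overwrite it. */
void install_hook(void)
{
    original_openat = sys_call_table[NR_OPENAT];
    sys_call_table[NR_OPENAT] = (demo_sys_call_ptr_t) hooked_openat;
}

/* Mirrors the module exit: restore the saved pointer so nothing stays redirected. */
void remove_hook(void)
{
    sys_call_table[NR_OPENAT] = original_openat;
}

/* Dispatch through the table the way the kernel entry path does. */
long call_openat(int dirfd, const char *pathname, int flags)
{
    return sys_call_table[NR_OPENAT](dirfd, pathname, flags);
}

int audit_records(void) { return audit_count; }

/* Simple query over the log: how many audited opens fall under a path prefix. */
int count_opens_under(const char *prefix)
{
    int n = 0;
    size_t len = strlen(prefix);
    for (int i = 0; i < audit_count; i++)
        if (strncmp(audit_log[i].path, prefix, len) == 0)
            n++;
    return n;
}

int main(void)
{
    setup_table();
    install_hook();
    call_openat(-100, "/etc/shadow", 0);          /* constructed sample call */
    call_openat(-100, "/home/user/notes.txt", 1);
    printf("audited opens: %d, under /etc/: %d\n",
           audit_records(), count_opens_under("/etc/"));
    remove_hook();
    return 0;
}
```

Two details carry over directly to the kernel module: the original pointer must be saved before the table entry is overwritten, and the exit path must write it back, otherwise unloading the module leaves the table pointing at freed code.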

Build Audit Module

gcc auditdemo.c -lsqlite3 -o audit   # db.h is pulled in via #include, not passed to gcc

Start Django

python manage.py runserver 0.0.0.0:4000

Start Frontend

npm install --registry=https://registry.npm.taobao.org
npm run dev

Todo List

  • the functions in db.h still need to be implemented; only insert_record() is done so far