synack.fr
snet - userspace Security for NETwork syscalls
The main idea is to capture events from userspace whenever a process performs a network syscall (sys_listen, sys_bind, ...). The LSM framework is the simplest way to do this, since all that is needed is to attach to the LSM hooks through struct security_operations {}.
snet is split into two parts, a kernel part and a userspace part.
The kernel code is an LSM and communicates with userspace through libnl (netlink). The userspace code is built as a library, so it is easy to use from your own code in order to intercept events. Here are some examples of the data you get through the library callback function:
verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0
As you can guess, from this point it is easy to log these events to a database or to build a personal firewall.
The big advantage is that every network protocol and every address family is supported transparently.
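To show what a consumer of the callback data looks like, here is an added example that is not part of snet or libsnet: a small userspace policy engine that parses event lines in the format printed above and returns a verdict per event, the way a personal firewall built on the library would. The 0 = accept / 1 = deny numbering follows snet_verdict_policy; the rule table, the choice of which port is "relevant" for a given syscall, the function names and the sample lines are all constructed for this example.

```c
/* Added example, not code from the snet project or libsnet: parse the
 * textual event lines the library callback prints and decide a verdict.
 * Rule table, "relevant port" choice and sample lines are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNET_ACCEPT 0   /* same numbering as snet_verdict_policy */
#define SNET_DENY   1

struct snet_event {
    unsigned int verdict_id;   /* id the kernel expects a verdict for */
    char syscall[16];          /* CONNECT, LISTEN, BIND, ... */
    int protocol;              /* IP protocol number, 6 = tcp */
    int family;                /* address family, 2 = AF_INET */
    unsigned int uid, pid;
    char src[64], dst[64];     /* "addr:port" strings as printed */
};

/* Parse one callback line. Returns 0 on success, -1 on format mismatch. */
int snet_parse_event(const char *line, struct snet_event *ev)
{
    char proto_name[32], op_name[32];
    int n = sscanf(line,
        "verdict_id=%x syscall=%15s protocol=%d [%31[^]]] family=%d"
        " uid=%u pid=%u [%31[^]]] %63[^-]->%63s",
        &ev->verdict_id, ev->syscall, &ev->protocol, proto_name,
        &ev->family, &ev->uid, &ev->pid, op_name, ev->src, ev->dst);
    return n == 10 ? 0 : -1;
}

/* Port after the last ':' of an "addr:port" string, or -1 if absent. */
static int port_of(const char *addr)
{
    const char *colon = strrchr(addr, ':');
    return colon ? atoi(colon + 1) : -1;
}

/* Assumption: for CONNECT the policy-relevant port is the peer's (right
 * side of "->"); for LISTEN/BIND it is the local one (left side). */
int snet_relevant_port(const struct snet_event *ev)
{
    return strcmp(ev->syscall, "CONNECT") == 0 ? port_of(ev->dst)
                                                : port_of(ev->src);
}

struct snet_rule {
    const char *syscall;     /* "*" matches any syscall */
    int uid;                 /* -1 matches any uid */
    int port_lo, port_hi;    /* inclusive range on the relevant port */
    int verdict;
};

/* Constructed rule table; first matching rule wins. */
static const struct snet_rule rules[] = {
    { "CONNECT", -1,    80,    80, SNET_ACCEPT }, /* plain web allowed */
    { "CONNECT", -1,   443,   443, SNET_ACCEPT }, /* TLS web allowed */
    { "CONNECT", 256,    0, 65535, SNET_DENY   }, /* uid 256: nothing else */
    { "LISTEN",  -1,     1,  1023, SNET_DENY   }, /* no privileged listeners */
};

/* Walk the table; fall back to default_verdict, which plays the role
 * snet_verdict_policy plays in the kernel when no answer arrives. */
int snet_decide(const struct snet_event *ev, int default_verdict)
{
    int port = snet_relevant_port(ev);
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct snet_rule *r = &rules[i];
        if (strcmp(r->syscall, "*") != 0 && strcmp(r->syscall, ev->syscall) != 0)
            continue;
        if (r->uid != -1 && (unsigned int)r->uid != ev->uid)
            continue;
        if (port < r->port_lo || port > r->port_hi)
            continue;
        return r->verdict;
    }
    return default_verdict;
}

/* Convenience: parse + decide. Returns -1 if the line cannot be parsed. */
int snet_verdict_for_line(const char *line, int default_verdict)
{
    struct snet_event ev;
    if (snet_parse_event(line, &ev) != 0)
        return -1;
    return snet_decide(&ev, default_verdict);
}

int main(void)
{
    /* Constructed sample lines in the callback's format. */
    static const char *samples[] = {
        "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80",
        "verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0",
        "verdict_id=0x5 syscall=LISTEN protocol=6 [tcp] family=2 uid=1000 pid=4242 [tcplisten] 0.0.0.0:22->0.0.0.0:0",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct snet_event ev;
        if (snet_parse_event(samples[i], &ev) != 0) {
            printf("unparsable: %s\n", samples[i]);
            continue;
        }
        printf("verdict_id=0x%x %s uid=%u port=%d -> %s\n", ev.verdict_id,
               ev.syscall, ev.uid, snet_relevant_port(&ev),
               snet_decide(&ev, SNET_DENY) == SNET_ACCEPT ? "accept" : "deny");
    }
    return 0;
}
```

The verdict_id is kept in the parsed struct because it is what a real consumer would have to hand back to the kernel together with the decision; events that do not match any rule get the same default the kernel itself would apply after snet_verdict_delay expires, so the daemon and the kernel fallback stay consistent.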
  • kernel
    Download the latest kernel git version
    mkdir devel/
    cd devel/
    git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
    
    Download the latest snet patches (version 4)
    mkdir linux-snet
    cd linux-snet
    wget http://www.synack.fr/project/snet/files/v4/linux-snet-v4.tar.bz2
    tar xjvf linux-snet-v4.tar.bz2
    cd ../
    
    Patch the Linux kernel with the snet patches
    cd linux
    for i in ../linux-snet/*.patch; do patch -p1 < "$i"; done
    
    Configure the kernel
    make menuconfig
    
    Set up the options for snet security module:
    Security options  ---> 
        [*] Socket and Networking Security Hooks
        [ ] NSA SELinux Support
        [ ] Simplified Mandatory Access Control Kernel Support
        [ ] TOMOYO Linux Support
        [ ] AppArmor support
        [*] snet - Security for NETwork syscalls
        Default security module (snet)  --->
    
    Build and install the kernel and modules
    make
    make modules
    sudo make modules_install
    sudo make install
    
    Before rebooting, be aware of two important kernel options:
    snet_verdict_delay: the time in seconds to wait before the default policy is applied to an event
    snet_verdict_policy: the default behavior once the delay is reached. 0: accept, 1: deny
    
    At this point, the kernel part is done.

  • userspace
    library: libsnet-0.1.tar.bz2
    userspace example: snet-tools.tar.bz2
The kernel code is released under the GPLv2.
The library code is released under the LGPL.
Samir Bellabes <sam at synack dot fr>