I need to control dhcp address renew actions on Linux in my application written in C. I am trying to find the best way to retrieve this information from the system. So far I have actually come up with only one way - parsing the system logs and looking for address renewal information. However, this way is very inefficient. I can try to improve this by redirecting the logs from dhclient to a separate file and check only this one file. But it still seems to be a poor solution. Do you have any idea how to retrieve this information in a better way in C or bash? Thank you very much for any hints.
Related
I have a set of independent programs that I wrote in C. I would like all of them to write their log to the same file. Obviously comes the issue of control access. Two or more of them could end up writing simultaneously.
What is the most pragmatic way to achieve this?
I came across solutions using pthread/mutexes/etc but that sounds overkill implementation for something like that.
I am also looking at syslog but wonder if this is really for the purpose of what I need to do?
I feel that I need a daemon service taking the message and control when they are written. I wonder if that already exists.
I am also looking at syslog but wonder if this is really for the purpose of what I need to do?
Yes
I feel that I need a daemon service taking the message and control when they are written. I wonder if that already exists.
It exists in the Unix derivatives (including Linux) and is called... syslogd
More seriously, the syslog function is intended to pass a message to a syslogd daemon that will route it according to its configuration file. Most common uses include writing it down to a file or to the system console (specially for panic level messages when nobody can be sure whether the file system is still accessible). The syslog system may come with more features than what you are asking for, but it is an extremely robust and extensively tested piece of software. In addition, it is certainly already active on your system, so you should have a strong reason to roll your own instead of using it.
You have two way :
First : Using something that already exist.
For the logging part, syslog (and syslog-ng) are well-know and well-used.
From that point, you can parametre syslog-ng to listen to an ip connection, and scan a dir for new file.
Your program can, when they will want to log, either connect to syslogng directly and send the log, and if the connection fail, write a new file in the directory that syslogng watch.
That allow to not have the loss of the log is syslog-ng are interrupted for a reason or another.
Second : Develop something really similar to syslog-ng.
In that case, it's up to you.
When I execute on solaris 11.0:
pfiles /proc/PROCESSID
The result is process information, a small chunk of output is what interest me:
4: S_IFSOCK mode:0666 dev:543,0 ino:46228 uid:0 gid:0 size:0
O_RDWR|O_NONBLOCK
SOCK_STREAM
SO_REUSEADDR,SO_KEEPALIVE,SO_SNDBUF(49152),SO_RCVBUF(128480)
sockname: AF_INET6 ::ffff:10.10.50.28 port: 22
peername: AF_INET6 ::ffff:10.16.6.150 port: 55504
The process I pfiles /proc/PROCESSID is the sshd session itself.
My question is given a process id, how can i get this (pfiles) information from within a kernel code ?
When looking in struct proc i could not find something that give me this data.
Is there a pointer to struct that hold all open files occupied by the process on the proccess' proc?
I also executed truss pfiles /proc/PROCESSID but could not find the exact call
If you look in /usr/include/sys/user.h you'll see the open file information can be found in the p_user.u_finfo structure of the current process.
Walking that structure is not trivial. Just look at what the proc filesystem code has to do to look up the attributes of just one open file descriptor. There's lots of locking needed - you can't simply walk the data structures while things are running.
And, the following is beyond the scope of the question, but it's important...
For what it's worth, what you're doing can't work. It's fundamentally flawed - technically and legally.
What you're trying to do - track users who share a user account - is worthless anyway. You will never be able to prove that just because a certain login session executed some code that the code was executed because the user logged into that session purposely ran that code. Because any of the users with access to that account can modify the environment of the shared account such that malware is run by someone else. And they can make it look just like a typed-in command.
Shared credentials and accounts violate nonrepudiation. That's your insurmountable legal flaw in using any data your custom kernel tracking may produce - even if you manage to produce a system that's foolproof, which isn't likely.
If I'm logged into a shared account, you can never prove that the code I ran was run intentionally.
Well, that's not entirely true - if you have perfect auditing where you can trace every thing a user does down to the bytes modified on disk, you can. And "perfect" in this case means those users have no access whatsoever to change any part of the auditing system.
But if you already have perfect auditing in place, you don't need to write kernel modules to try and implement it.
Of course, it's impossible to prove you have perfect auditing in place because you can't prove that you don't have holes in it.
See the problem?
We're right back to "You CAN'T prove I did it intentionally."
You'd be much better off just using the OS-provided auditing services. Whatever you come up with isn't going to be useful in proving "who did it" for any intelligent bad actor - like someone who figures out a way to insert malicious code into another user's session. And the OS auditing will be sufficient to catch anyone who has no clue in how to cover their tracks.
But you won't be able to provably catch any bad actor who knows what he's doing when shared accounts are involved. And if you can't prove it, you might not even be able to do anything at all to someone you suspect. Because someone who really knows what they're doing will be able to pin the apparent blame on someone who's innocent - if they can't hide or destroy the evidence of the bad act[s] in the first place.
What are you going to do if you find the shared .profile file has a line in it that after a certain date emails sensitive data to a throwaway email account, but only when the login comes from a certain IP address?
Any one of the users who share that one account could have put it in there.
No auditing system in the world can solve that problem unless it's perfect and tracks every file change.
If the data you're trying to protect is important, whoever is tasking you to solve the problem by writing custom kernel modules needs to grow a brain and solve the real problem - shared user accounts. Get rid of them.
There's a reason why every security guide says not to use shared accounts, and every security audit I've ever seen will fail anyone using shared accounts.
I am new to device driver programming. I've followed the available tutorials on the web which has provided helpful information to get started. However now I have embarked on a new project where the exclusive goal is to search for functions which have been hooked by malware or keyloggers. So I think I have sorted out what I need to accomplish this though I still need to be able to locate the load address of the system dll's (i.e. kernel32.dll, user32.dll and the like) that are already loaded in memory. I need the load address so that I can parse their PE to get to the export and import sections. Furthermore adding the load address to the file size will give me a address range to cross reference the addresses of the export functions no ? Cross referencing the the IMPORT address will be a little more involved but it can be done according to my estimates. I thought that building a kernel mode driver would be the right way to go since accessing memory outside the kernel driver's address range would not be an issue for the driver as opposed to a user mode app. How else will I be able to access the addresses located in the EAT and IAT of the target dll ? I know there exist a user mode API that can provide the load address mainly being GetModuleHandle but I would like to find the equivalent in kernel mode. I could write a user mode application that could relay this information to the driver but prefer that this all be done in kernel mode if possible. Any suggestions or comments would be most welcome.
Thanks in advance
Victor
p.s This post has been edited for more clarity. Hopefully it will make it more clear as what I am trying to accomplish.
This is probably not a very good idea to do in kernel mode. When are you going to actually do this and guarantee the process is in a state where you could walk the IAT?
What if the process is in the middle of loading a DLL? If you're executing in-thread (i.e. from a syscall or device IOCTL), what if other threads are executing too? Doing this when you're not the OS is a very difficult proposition to correctly do, and it's very easy to destabilize your customers' machines (hell, it's reasonably hard to do even if you are the OS)
Take a look at LdrGetProcedureAddress and the rest of the gang.
Edit:
MmGetSystemRoutineAddress might also be helpful.
Just wanted to thank everyone for their contribution. I did manage to some further research and discovered that there is a kernel mode API called PsLoadImageNotifyCallback that is able to find the base addresss of any process.
I am afraid that several terminologies in my question are wrong. Please bear with me and correct me wherever I am wrong.
I have to write a library/program that will provide set of function to operate a card reader attached at Serial Port. Like to eject card that was inserted in it, user will simply have to call in his code, for example,
cardEject(); // or
track2Data( response); // to read data of track 2 of magnetic stripe.
cardEject() and other functions will themselves take care of opening serial port, writing data to it, checking the acknowledgement, checking error code, resending command in case of failure, etc. I am pretty clear about communicating with devices on serial port.
My question is, after writing all these functions and testing them, how should I provide them to the user.
Should I give him a header file (.h) and an object file (.o)? So that he can link to the object while compiling his actual program.
Should I provide a static library (.a)?
Which one is a better idea?
Is it a good idea that each function open serial port and then close it? Or a initCardReader() opens it, sets its properties and closeCardReader() should close it? All other functions can only be called after initCardReader()?
Now a silly but real question :-) what is the terminology used for such programs? Is it a driver or library or device interface? What is the correct label for such projects?
Thanks for your time.
Edit
Thanks to all of you for guiding me. Really appreciated.
This API has to become part of a larger project. In fact, I will be working on that project too. But there is a strong possibility that this API will be used in other projects with or without me. I think, considering the possible use in other projects, library makes more sense. Kindly correct me if I am wrong.
I'll go with the answer from Anders K. you are writing a API for your card reader.
My two cents about the more general questions:
Your question about open/close connection, there are two aspects that you have to keep in mind. Lets assume you proceed the way in which you leave it up to the user to open and close the connection. What if he forgets to close it after he finished, what when multiple processes access the card-reader? In those scenarios you may want to free the port to the other processes after each write/read. In the end it depends on the operations that will be done, the process using your API will usually always call your read method multiple times you might want to leave it open or you could implement a read multiple records in your API again avoiding the possibility that a connection gets left open.
I would make a library if it is mainly used in other projects. It also puts you into the position of changing the lib at one place for everyone to implement. Again depending on where you will implement it, there are numerous scenarios when adding your code is the better option.
I think you should do it as simple as possible, a static library and a header file should be a good start.
One way is to treat the card reader in the same way any other resource like a file, meaning you open/init the card reader and return some handle that identifies the card reader. Then subsequently use that in all functions when accessing the card reader.
My two cents:
I think how you provide the output depends on the user. Is this person working closely with you in the same company / project, or is this going to an external source?
If its going external definitely make it a library...it may be easier to create a library in the other case as well, since it would mean less things for this other user to worry about.
Is your code going to be integrated into a larger project? If so, you should just build your code into a subfolder in this project and provide him with the required functions that are needed. I think this portion is more subjective than anything.
Regarding opening/closing the ports, again it depends how it will work. If you are simply providing the API for other programmers to use (and don't know how it will work), I would say abstract it into an initCardReader/closeCardReader function call. That way, if the user wants to do multiple transactions he doesn't need to worry about wasting processing time with each call he makes...he can simply open/close at his discretion.
And it sounds to me like you are writing API calls for a card-reader device driver ;)
You can put this set of functions in the shared lib (like: libCardReader.so) and give away with the Header file to the programmer to reference and use it in his/her code. The following link provide very good intro about building the SO file (http://www.network-theory.co.uk/docs/gccintro/)
I have some C code that parses a file and generates another file of processed data. I now need to post these files to a website on a web server. I guess there is a way to do a HTTP POST but I have never done this in c (using GCC on Ubuntu). Does anyone know how to do this? I need a starting point as I have no clue of doing this in C. I also need to be able to authenticate with the website.
libcurl is probably a good place to start.
I think Hank Gay's suggestion of using a library to handle the details is the best one, but if you want to "do it yourself", you need to open a socket to the web server and then send your data in the HTTP POST format which is described here. Authentication can mean a variety of different things, so you need to be more specific.
Unfortunately, all of the above three jobs involve a fair bit of complexity, so you need to break the question down into stages and come back and ask about each bit separately.