
VXE user's guide

1 Find out subsystem to protect

The first task is to choose which subsystem to protect. This can be any program: a user shell or a network daemon. If a user should be allowed to see only part of the system, the VXE start can be placed in the shell startup file (.cshrc, etc.). A VXE start means starting a named program under the control of a named VXED, by the vxe utility. To defend a server against network attacks, first find out which servers are running: run netstat -an, and for each port marked LISTEN find the corresponding server. The traditional places from which network servers are started are the /etc/rc.d scripts and /etc/inetd.conf. To use VXE, each such server must be started through vxe.

To get acquainted with VXE, start with a simple UNIX command such as /bin/date and only then move on to something more complex, such as /bin/bash.

2 VXED creation

To run a program under the control of a VXED, either the vxe or the vxed utility can be used: vxe starts a program under a VXED named on its command line (the page calls this implicit VXED start), while vxed loads VXEDs into the kernel so that they are activated automatically when a matching program starts (automatic VXED start, section 5.2). In the explanation of VXE basics that follows, only the implicit start is used.

The first step in making a custom VXED is to obtain a syscall summary of the subsystem to be protected. To get it, run the subsystem under the predefined tracing VXED /usr/local/vxe/tracesum.vxt.

This VXED blocks no syscalls; it collects information and prints the result to syslog (/var/log/kernel) when the subsystem finishes, i.e. when the last process of the subsystem under examination exits.

cd /usr/local/vxe

./vxe tracesum.vxt /bin/date date

Any filename can be used for a VXED, but the VXE DS uses the .vxt extension for tracing VXEDs, .vxe for strict VXEDs and .vxf for filesystem VXEDs. The kernel part of VXE knows nothing about the type of a VXED or its filename; it only executes the LISP text the VXED consists of.

A sample syscall summary follows.

Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: started vxecb length=1582.
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: ended vxecb released.
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: syssum begin
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 1 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 3 6
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 4 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/usr/share/zoneinfo/Europe/Kiev" 0 438
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/etc/ld.so.cache" 0 1073818376
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1  nil  0 796421485
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/var/intes/oracle8/app/oracle/product/8.0.5/lib/libc.so.6" 0 1918989871
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 2 "/lib/libNoVersion-2.1.1.so" 0 1073818376
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/etc/ld.so.preload" 0 1073818376
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 3  nil  0 1918989871
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 2  nil  0 909653353
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/home/local/vxe/libc.so.6" 0 1667393900
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/lib/libc-2.1.1.so" 0 1073818376
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 6 6
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 11 1 "/bin/date"
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 13 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 20 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 45 4
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 54 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 90 8
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 91 3
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 106 1 "/var/intes/oracle8/app/oracle/product/8.0.5/lib"
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 106 1 "/var/intes/oracle8/app/oracle/product/8.0.5/lib/i586"
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 106 1  nil
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 106 1 "/var/intes/oracle8/app/oracle/product/8.0.5/lib/mmx"
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 108 6
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 125 2
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 136 1
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: syssum end

VXE 0xc3e2bc00 - address of the VXE table (VXE control block) in the kernel; it distinguishes one VXE instance from another in the log;

TraceSum - name of the VXED;

"syssum" - type of the information that follows.

Format of "syssum" lines:

  • syscall number;
  • number of times the subsystem made this syscall with the parameters that follow;
  • parameters of the syscall, if any.

For performance reasons, not all parameters are passed to VXE, so some syscalls appear with a number only.

In a WWW browser open http://your-host-address/cgi-bin/vxe/cvxe.tcl. The VXE Editor page will appear (fig. 1). Fill in the name of the new VXED (date, for example) and press the button corresponding to the chosen type of VXED. To edit an existing VXED, select its filename from the Existing VXEs list.

Fig. 1

New descriptions shows the summaries found in the kernel log; choose the TraceSum summary (fig. 2).

Format of the log lines as shown there (fig. 3):

  • syscall name;
  • syscall number;
  • number of times the subsystem made this syscall with the parameters that follow;
  • parameters of the syscall, if any.

Note: in some summaries nil occupies the position of the filename. This means the syscall (open, for example) was called with a NULL pointer instead of a pointer to the filename string.

Fig. 2

Fig. 3

Click Apply and OK.

Now Violations of existing descriptions shows the violation records found in the kernel log, if any (fig. 4).

Choose Edit to see what the VXED looks like now (fig. 5). The representation differs for strict and filesystem VXEDs.

Fig. 4

Fig. 5

3 Strict VXED

A new syscall description can be added with the Create button. To delete a line, put 0 in its Repeat field. nil in this field means that the number of syscalls with these arguments is not checked. Syscalls without a description are prohibited. To put nil in all Repeat fields, use the Relax button at the bottom.

In the argument fields, * means that any value is valid at this position. For filenames, * and + can also be used at the end of a path: path* means that any filename beginning with the path is valid; path+ means that only files in the directory named by the path are valid (files in its subdirectories are not). To apply changes, press the Update button.

Don't use the browser's Back button; use the Back link at the top of each page instead.
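The rules above, modelled in Python as an added example (this is not VXE's own matching code, which is not shown on this page). It implements * for any argument, a trailing * as a prefix match, a trailing + as a direct-children-only match, exact comparison otherwise, and the Repeat field as a per-line call budget. Two points the page leaves open are marked as assumptions in the code: that paths are canonicalized before matching, and that a numeric Repeat is an upper bound.

```python
"""Argument matching for a strict VXED, modelled on the rules of section 3.

Added example, not part of VXE. The kernel's real matching code is not shown
on this page; this models the documented rules: * alone matches any argument,
a path ending in * matches any filename beginning with that prefix, a path
ending in + matches only entries directly inside that directory, anything else
must be equal. Two choices the page does not state are marked as assumptions.
"""
import posixpath


def path_matches(pattern, path):
    """Does the filename argument `path` satisfy a filename pattern?"""
    if pattern == '*':
        return True
    # Assumption: compare canonical paths, so "dir/../../etc/passwd" cannot
    # slip past a prefix check. Whether the kernel canonicalizes before
    # matching is not documented here.
    path = posixpath.normpath(path)
    if pattern.endswith('*'):
        return path.startswith(pattern[:-1])
    if pattern.endswith('+'):
        directory = pattern[:-1].rstrip('/') or '/'
        # Assumption: the directory itself is not a "file from the directory".
        return posixpath.dirname(path) == directory and path != directory
    return path == pattern


def arg_matches(pattern, arg):
    """One argument field: * is a wildcard, strings use path rules,
    numbers must be equal."""
    if pattern == '*':
        return True
    if isinstance(pattern, str) and isinstance(arg, str):
        return path_matches(pattern, arg)
    return pattern == arg


class StrictVxed:
    """A strict VXED as a list of (syscall_nr, argument patterns, Repeat)."""

    def __init__(self, descriptions):
        # Repeat 0 deletes the line in the editor, so such lines are dropped.
        self.descriptions = [d for d in descriptions if d[2] != 0]
        self.counts = [0] * len(self.descriptions)

    def check(self, nr, args):
        """Return None if the call is accepted, else a sysviolation tuple.
        Assumption: a numeric Repeat is the maximum number of matching calls;
        nil (None) disables the count check. Syscalls with no description
        are always violations."""
        for i, (dnr, patterns, repeat) in enumerate(self.descriptions):
            if dnr != nr or len(patterns) != len(args):
                continue
            if not all(arg_matches(p, a) for p, a in zip(patterns, args)):
                continue
            if repeat is not None and self.counts[i] >= repeat:
                continue        # this line is used up; try the next one
            self.counts[i] += 1
            return None
        return ('sysviolation', nr, args)


if __name__ == '__main__':
    # Descriptions constructed to match the date example on this page.
    vxed = StrictVxed([
        (5, ['/usr/share/zoneinfo/*', 0, '*'], None),
        (5, ['/etc/ld.so.cache', 0, '*'], 1),
        (11, ['/bin/date'], 1),
    ])
    for call in [(5, ['/usr/share/zoneinfo/UTC0', 0, 38]),
                 (5, ['/etc/passwd', 0, 0])]:
        print(call, '->', vxed.check(*call) or 'ok')
```

Note that a prefix pattern without a trailing slash, such as /usr/share/zoneinfo*, also matches sibling names like /usr/share/zoneinfo-extra; end the prefix with / when a directory is meant.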

4 Filesystem VXED

The Perms field holds rwx flags that give the allowed file operations. All syscalls that do not work with paths (filenames) are allowed, so a filesystem VXED restricts only file access; use a strict VXED when other syscalls also have to be confined.

5 All VXEDs

After creation, the VXED resides in /usr/local/vxe (or the path chosen during installation). Locate it and edit it with any text editor. The last two lines may be changed:

(setq vxe_name "Vxe1")

(setq Develop t)

To set the VXED's internal name, which is used in the kernel log, change the placeholder Vxe1 to a real name; it is a good idea to use the filename without extension. (setq Develop t) means the VXE runs in soft mode: violations are logged, but the syscall is still performed. To set production mode, change t to nil.

5.1 VXED tuning

Across different runs a program works with different resources (except in the simplest cases, such as /bin/date without arguments), so a VXED will need adjusting. To find out what must change in an existing VXED, run it in soft mode. Before use, the VXED can be copied to a place outside /usr/local/vxe, so that the last copy can be restored to undo changes made by the VXE Editor if needed. In this explanation the VXED in /usr/local/vxe is used. To run the VXED, issue the vxe command manually or change the start command in /etc/rc.d or /etc/inetd.conf. For our example:

cd /usr/local/vxe

./vxe date.vxe /bin/date date

Check the kernel log. Start and stop records appear, and no violation records:

Nov  7 15:50:02 intes kernel: VXE 0xc772a800 DATE: started vxecb length=3263.
Nov  7 15:50:02 intes kernel: VXE 0xc772a800 DATE: ended vxecb released.

Try:

./vxe date.vxe /bin/date date -u

A violation record appears:

Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: started vxecb length=3263.
Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: sysviolation 5 "/usr/share/zoneinfo/UTC0" 0 38
Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: ended vxecb released.

A sysviolation record means that the program opened the file /usr/share/zoneinfo/UTC0 and that this operation is not permitted by the current VXED, date.vxe. The VXED was in soft mode, so the operation was still performed. The arguments of syscall 5 (open) are those of int open(const char *pathname, int flags, mode_t mode). Note that the kernel only uses mode when flags include O_CREAT; with flags 0 the third value in the record (38 here, and the varying values in the trace summary above) is whatever happened to be in the register, so match it with * rather than a fixed number. The VXED may be adjusted to accept this syscall: enter the VXED editor and choose date.vxe. The list of sysviolation summaries is shown (fig. 6). Choose the one produced by date.vxe and apply it (fig. 7).

Fig. 6

Fig. 7
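The kernel-log records of section 2 ("syssum") and of this section ("sysviolation") share one format, so the following added example parses both into a per-VXE report. It is not VXE's own code; the sample log is assembled from the lines printed on this page, and nil in a filename position is turned into None so NULL-pointer opens can be counted separately from real paths.

```python
"""Parse VXE kernel-log records into a per-VXE report.

Added example, not part of the VXE distribution. It handles the four record
kinds shown on this page: "started", "ended", "syssum" lines from a tracing
VXED and "sysviolation" lines from a strict VXED in soft mode. SAMPLE_LOG is
assembled from the log lines printed elsewhere on this page.
"""
import re
import shlex

SAMPLE_LOG = """\
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: started vxecb length=1582.
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: ended vxecb released.
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: syssum begin
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 3 6
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1 "/etc/ld.so.cache" 0 1073818376
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 5 1  nil  0 796421485
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: "syssum" 11 1 "/bin/date"
Nov  7 15:43:57 intes kernel: VXE 0xc3e2bc00 TraceSum: syssum end
Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: started vxecb length=3263.
Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: sysviolation 5 "/usr/share/zoneinfo/UTC0" 0 38
Nov  7 15:54:18 intes kernel: VXE 0xc109d800 DATE: ended vxecb released.
"""

# "VXE <control block address> <VXED name>: <body>"
RECORD = re.compile(r'kernel: VXE (0x[0-9a-f]+) (\S+): (.*)$')


def parse_args(tail):
    """Convert the argument tail of a record: quoted strings stay strings,
    nil (a NULL pointer where a filename was expected) becomes None,
    bare decimal numbers become int."""
    values = []
    for tok in shlex.split(tail):
        if tok == 'nil':
            values.append(None)
        elif re.fullmatch(r'-?\d+', tok):
            values.append(int(tok))
        else:
            values.append(tok)
    return values


def parse_log(text):
    """Group records by VXE control-block address. Each entry records the
    VXED name, whether start/end records were seen, the syssum rows as
    (syscall_nr, count, args) and the violations as (syscall_nr, args)."""
    vxes = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        vxe_id, name, body = m.groups()
        rec = vxes.setdefault(vxe_id, {'name': name, 'started': False,
                                       'ended': False, 'syssum': [],
                                       'violations': []})
        if body.startswith('started '):
            rec['started'] = True
        elif body.startswith('ended '):
            rec['ended'] = True
        elif body.startswith('"syssum" '):
            nr, count, *args = parse_args(body[len('"syssum" '):])
            rec['syssum'].append((nr, count, args))
        elif body.startswith('sysviolation '):
            nr, *args = parse_args(body[len('sysviolation '):])
            rec['violations'].append((nr, args))
    return vxes


def opened_paths(rec):
    """Sorted distinct filenames passed to open (syscall 5) in a syssum,
    ignoring nil (NULL pointer) entries."""
    return sorted({args[0] for nr, _, args in rec['syssum']
                   if nr == 5 and args and args[0] is not None})


def null_path_opens(rec):
    """How many open calls in the syssum carried a NULL filename pointer."""
    return sum(count for nr, count, args in rec['syssum']
               if nr == 5 and args and args[0] is None)


if __name__ == '__main__':
    for vxe_id, rec in parse_log(SAMPLE_LOG).items():
        state = 'complete' if rec['started'] and rec['ended'] else 'incomplete'
        print(vxe_id, rec['name'], state, 'opens:', opened_paths(rec))
        for nr, args in rec['violations']:
            print('  violation: syscall', nr, args)
```

A missing "ended" record for a VXE id means the subsystem has not finished and the summary is incomplete; wait for the last process to exit before feeding the log to the editor.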

5.2 Automatic VXED start

To make a VXED automatically startable, a pattern description can be placed at the top of the VXED text. For example:

#vxe_path
#/bin/date
#/usr/local/user
#end_path

This description causes the VXED to be activated at the start of /bin/date or of any executable from the /usr/local/user directory. Use the vxed utility to load the VXED into the kernel:

cd /usr/local/vxe

./vxed e date.vxe

 

Syntax of vxed:

vxed pos [vxed_conf_path]

  pos   vxed_conf_path   Comment
  -     (none)           Clear the whole VXED queue in the kernel
  n     (none)           Delete the n-th VXED from the queue
  n     path             Replace the n-th VXED with the one in path
  e     path             Append the VXED in path to the queue

"-" is the minus sign; "e" is the letter "e"; n is a decimal number.

When a program starts, VXE activates the VXED with the longest matching pattern.
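The selection rule and the queue commands above, modelled as an added example (not VXE's own code). The two VXED texts are constructed and show only the #vxe_path header and the two setq lines documented on this page; the LISP body is omitted. Two points the page does not state are marked as assumptions: that a directory pattern also covers subdirectories, matched on a path-component boundary, and that n in the vxed commands counts from 0 in append order.

```python
"""Automatic VXED selection by #vxe_path patterns and the vxed queue commands.

Added example, not part of VXE. DATE_VXED and LOCAL_VXED are constructed; only
the #vxe_path header and the setq lines shown on this page are included.
"""

DATE_VXED = """\
#vxe_path
#/bin/date
#/usr/local/user
#end_path
(setq vxe_name "date")
(setq Develop nil)
"""

LOCAL_VXED = """\
#vxe_path
#/usr/local/user/bin
#end_path
(setq vxe_name "local")
(setq Develop nil)
"""

# Stands in for the VXED files in /usr/local/vxe.
FILES = {'date.vxe': DATE_VXED, 'local.vxe': LOCAL_VXED}


def parse_vxe_path(text):
    """Return the patterns between #vxe_path and #end_path, without the
    leading '#'. Stops at #end_path so the LISP body is never touched."""
    patterns, inside = [], False
    for line in text.splitlines():
        if line == '#vxe_path':
            inside = True
        elif line == '#end_path':
            break
        elif inside and line.startswith('#'):
            patterns.append(line[1:].strip())
    return patterns


def pattern_matches(pattern, exe):
    """A pattern matches the executable exactly, or, as a directory, any
    executable under it. Assumption: subdirectories are included and the
    match is on a path-component boundary, so /usr/local/user does not
    match /usr/local/username."""
    return exe == pattern or exe.startswith(pattern.rstrip('/') + '/')


def select_vxed(queue, exe):
    """Return the filename of the queued VXED whose matching pattern is
    longest, or None when nothing matches (the program runs unconfined)."""
    best, best_len = None, -1
    for filename, text in queue:
        for pattern in parse_vxe_path(text):
            if pattern_matches(pattern, exe) and len(pattern) > best_len:
                best, best_len = filename, len(pattern)
    return best


def vxed(queue, pos, path=None):
    """Model the four forms of the vxed command on a queue of
    (filename, text). Assumption: n counts from 0 in append order."""
    if pos == '-':
        queue.clear()
    elif pos == 'e':
        queue.append((path, FILES[path]))
    elif path is None:
        del queue[int(pos)]
    else:
        queue[int(pos)] = (path, FILES[path])
    return queue


if __name__ == '__main__':
    q = vxed(vxed([], 'e', 'date.vxe'), 'e', 'local.vxe')
    for exe in ['/bin/date', '/usr/local/user/foo',
                '/usr/local/user/bin/foo', '/usr/local/username', '/bin/sh']:
        print(exe, '->', select_vxed(q, exe))
```

Because the longest pattern wins, a narrowly scoped VXED appended later overrides a broad one for the executables it names, while everything outside every pattern runs with no VXED at all; check that last case when confining a directory of services.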

 


VXE is a trademark of  InteS. All other products mentioned are registered trademarks or trademarks of their respective companies. Questions or problems regarding this web site should be directed to webmaster@quercitron.com. Copyright © 1999-2004 InteS. All rights reserved.