Giter VIP home page Giter VIP logo

ttrapd's Introduction

Tiny Trap

"ttrapd" is a very simple and lightweight trap, written in C, that can help to detect an intruder or "integrity violator" with root privileges in a Linux computer system.

The "integrity violation" or "intrusion detection" pitfall is based upon the curiosity potency of intruders.

When a root privileged intruder is wandering a compromised system, most likely, he or she is trying to identify sensitive files. Followed by inspecting the content of a few files that are chosen, simply based upon their interesting (or commonly used) names and locations.

For example, files like /etc/shadow, /etc/ssl/private/vpn.key or /etc/pf.conf can't be left without inspecting by generally every root privileged intruder. Especially, when you take in account that the intruder probably gained root privileges, just for the purpose to gain access to these sensitive files.

In Linux, the inotify API provides a mechanism for monitoring filesystem events. From the man page: "Inotify can be used to monitor individual files..."

This concept makes it possible to monitor a file for an inotify event, and therefore to notice that somebody is currently using that file.

This is simply what ttrapd does. It forks itself into the background, and monitors a specified file for an inotify event. This can be just a dummy file with an interesting name, ownership and file permissions. Only meant to trigger the intruders curiosity, as a decoy. In case the inotify event has been triggered, ttrapd will notice and alert.

In practice, system administrators can together agree on a small set of (dummy) files that should never be touched, and run a few ttrapd daemons to monitor those files. With this approach, you might detect persons within your own organization, that violate integrity.

You can also place traps on real used private keys. This approach is best for detecting hackers, intruders that do not belong to your organization. Check this example: https://github.com/nkoster/ttrapd/wikis/Example-Wiki

Install: https://github.com/nkoster/ttrapd/wikis/home

Notes for OpenBSD:

  • I am converting this concept into a kqueue/libinotify version for OpenBSD. I'll create a new project for that. Not finished yet.
     You can you use ttrapd-atime.c, which monitors a file for an atime update.
  • I have no intention of creating an OpenBSD project anymore.

ttrapd's People

Contributors

nkoster avatar

Stargazers

avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.