Steps to trace PAMSC hooked system calls and PAMSC hooking functions using ftrace



Article ID: 411314


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Sometimes it is necessary to investigate whether a system call that PAM SC intercepts is actually being called, or whether the related PAM SC hooking function is being invoked. This article presents a method for determining this with the Linux ftrace tool.

Environment

PAMSC 14.1

Resolution

Steps to trace PAMSC hooked system calls and PAMSC hooking functions using ftrace
 
1. Make sure ftrace is built in and enabled.
 
1.1 Check that the following options are set in the /root/config-`uname -r` file, the configuration used to build the running Linux kernel.
 
CONFIG_DYNAMIC_FTRACE=y
CONFIG_FTRACE=y
CONFIG_DEBUG_FS=y
CONFIG_FUNCTION_TRACER=y
 
1.2 Ensure ftrace is enabled by verifying that /proc/sys/kernel/ftrace_enabled is set to 1.
(This is usually 1 by default. If it is not, enable it.)
 
# echo 1 > /proc/sys/kernel/ftrace_enabled
# cat /proc/sys/kernel/ftrace_enabled
1
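The checks in step 1 can be scripted. The following is an added example, not part of the CA article: a POSIX shell function that verifies the four CONFIG options in a kernel config file and the ftrace_enabled sysctl, and prints what is missing. The default config path /boot/config-$(uname -r) is an assumption of this example (most distributions install the kernel config there; the article names /root/config-`uname -r`), and the function name is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the article): scripted version of step 1.
# Returns 0 when every required option is "=y" in the kernel config and
# ftrace_enabled reads 1; otherwise prints each problem and returns 1.
#   $1  kernel config file   (assumed default: /boot/config-$(uname -r))
#   $2  ftrace_enabled file  (default: /proc/sys/kernel/ftrace_enabled)
check_ftrace_prereqs() {
    cfg=${1:-/boot/config-$(uname -r)}
    sysctl_file=${2:-/proc/sys/kernel/ftrace_enabled}
    rc=0
    # The four options the article requires for the function tracer.
    for opt in CONFIG_DYNAMIC_FTRACE CONFIG_FTRACE CONFIG_DEBUG_FS CONFIG_FUNCTION_TRACER; do
        # -x: the whole line must be "OPTION=y" ("# OPTION is not set" does not match)
        if ! grep -qx "$opt=y" "$cfg" 2>/dev/null; then
            echo "missing or disabled: $opt (in $cfg)"
            rc=1
        fi
    done
    # Step 1.2: the runtime switch must read exactly "1".
    if [ "$(cat "$sysctl_file" 2>/dev/null)" != "1" ]; then
        echo "ftrace_enabled is not 1 ($sysctl_file); enable with: echo 1 > $sysctl_file"
        rc=1
    fi
    return $rc
}

# Usage on the PAMSC host (needs read access to the config file):
#   check_ftrace_prereqs && echo "ftrace prerequisites OK"
```

Run it before seload so that a missing CONFIG_FUNCTION_TRACER is caught before any tracefs files are touched; on a kernel whose config is not installed under /boot, pass the config path explicitly as the first argument.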
 
2. Generate a list of the PAMSC hooked functions and a list of the PAMSC hooking functions, hooked.list and hooking.list respectively.
   (This is necessary because the set of hooked system calls varies with the running Linux kernel.)
 
2.1 Start PAMSC and go to its procfs interface.
# cd <PAM_SC_HOME>/bin
# seload
# cd /proc/`cat /proc/seos_enabled`
# echo 32 > virtual_syscall
2.2 Generate a list of system calls intercepted by PAMSC.
 
# cat virtual_syscall | grep -E "^__x64_" | awk '{print $1}' > /root/hooked.list
2.3 Generate a list of PAMSC's hooking functions.
# cat virtual_syscall | grep -E "^__x64_" | awk '{print $4}' > /root/hooking.addr
# for a in `cat /root/hooking.addr`; do grep $a /proc/kallsyms | awk '{print $3}'; done > /root/hooking.list
2.4 Turn off the interface.
# echo 0 > virtual_syscall
 
3. Set up ftrace to use the function tracer and to filter by a list of function names.
 
# cd /sys/kernel/debug/tracing
or
# cd /sys/kernel/tracing
 
3.1 Reset and clean up.
 
# echo 0 > tracing_on
# echo > trace
# echo > set_ftrace_filter
# echo > set_ftrace_pid
# echo nop > current_tracer
 
3.2 Turn on function tracer.
 
# echo function > current_tracer
# cat current_tracer
function
 
3.3 Set the functions to trace, either the hooked system calls or the PAMSC hooking functions (or both), using the lists generated in step 2.
 
# cat /root/hooked.list > set_ftrace_filter
# cat /root/hooking.list >> set_ftrace_filter
# cat set_ftrace_filter
# cat enabled_functions
 
4. Optionally, set up ftrace to trace only a specific process and its child processes.
 
4.1 Add each PID to be traced to set_ftrace_pid.
 
# echo <your_PID> >> set_ftrace_pid
 
4.2 Enable tracing of child processes as well.
 
# echo 1 > options/function-fork
# cat options/function-fork
1
 
5. Start tracing.
 
# echo 1 > /sys/kernel/debug/tracing/tracing_on
 
6. Capture trace records.
 
6.1 View live.
 
# cat trace_pipe
 
6.2 Capture the trace data into a file, during or at the end of the tests.
 
# cat trace > your_trace.log
 
7. Perform the tests.
 
8. Stop tracing and clean up.
 
8.1 Stop tracing.
 
# echo 0 > tracing_on
 
8.2 Save collected records.
 
# cat trace > your_trace.log
 
8.3 Clean up if needed.
 
# echo > trace
# echo > set_ftrace_filter
# echo > set_ftrace_pid
# echo nop > current_tracer
# echo 0 > options/function-fork
 
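Steps 3 through 8 are normally typed one at a time; the following is an added example, not part of the CA article or the PAMSC product, that wraps them in shell functions and adds one thing the article does not show: a summary of how often each traced function fired in the saved trace. It must run as root on the PAMSC host for the tracefs writes; the function names, the PAMSC_TRACE_DEMO variable and the list file names /root/hooked.list and /root/hooking.list (as produced in step 2) are this example's own assumptions, and the trace lines written by sample_trace_file are constructed.

```shell
#!/bin/sh
# Added example (not from the article): steps 3-8 as shell functions plus a
# per-function hit count over the saved trace. Root is required for tracefs.

# Step 3: locate tracefs (newer kernels mount it at /sys/kernel/tracing).
tracefs_dir() {
    if [ -e /sys/kernel/tracing/trace ]; then
        echo /sys/kernel/tracing
    else
        echo /sys/kernel/debug/tracing
    fi
}

# Steps 3.1-4.2: reset, select the function tracer, load the filter from the
# two list files and optionally restrict tracing to one PID and its children.
pamsc_ftrace_setup() {
    hooked=$1; hooking=$2; pid=${3:-}
    t=$(tracefs_dir)
    echo 0 > "$t/tracing_on"
    echo > "$t/trace"
    echo > "$t/set_ftrace_filter"
    echo > "$t/set_ftrace_pid"
    echo nop > "$t/current_tracer"
    echo function > "$t/current_tracer"
    # Append names one at a time: a name the kernel cannot trace is rejected
    # with EINVAL, and this way it does not stop the rest of the list.
    cat "$hooked" "$hooking" | while read -r fn; do
        [ -n "$fn" ] && { echo "$fn" >> "$t/set_ftrace_filter" 2>/dev/null || echo "not traceable: $fn"; }
    done
    if [ -n "$pid" ]; then
        echo "$pid" >> "$t/set_ftrace_pid"
        echo 1 > "$t/options/function-fork"
    fi
}

# Step 5: start recording.
pamsc_ftrace_start() { echo 1 > "$(tracefs_dir)/tracing_on"; }

# Steps 8.1-8.3: stop, save the buffer to $1 and restore the defaults.
pamsc_ftrace_stop() {
    out=$1; t=$(tracefs_dir)
    echo 0 > "$t/tracing_on"
    cat "$t/trace" > "$out"
    echo > "$t/trace"
    echo > "$t/set_ftrace_filter"
    echo > "$t/set_ftrace_pid"
    echo nop > "$t/current_tracer"
    echo 0 > "$t/options/function-fork"
}

# Post-processing: count how often each traced function fired. A function
# tracer record looks like
#   bash-1234  [001] .... 12345.678901: __x64_sys_openat <-do_syscall_64
# so the function name is the field right after the "TIMESTAMP:" field.
# Output: "<count> <function>", most frequent first.
summarize_trace() {
    grep -v '^#' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+\.[0-9]+:$/) { print $(i + 1); break } }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample trace (same layout as the "trace" file) written to $1,
# so summarize_trace can be exercised without a PAMSC host.
sample_trace_file() {
    cat > "$1" <<'EOF'
# tracer: function
#
#           TASK-PID     CPU#  ||||   TIMESTAMP  FUNCTION
#              | |         |   ||||      |         |
            bash-1234  [001] .... 12345.678901: __x64_sys_openat <-do_syscall_64
            bash-1234  [001] .... 12345.678950: __x64_sys_execve <-do_syscall_64
             cat-1240  [000] .... 12345.679001: __x64_sys_openat <-do_syscall_64
             cat-1240  [000] .... 12345.679100: __x64_sys_openat <-do_syscall_64
EOF
}

# Usage on the PAMSC host, after step 2 produced the two lists:
#   PAMSC_TRACE_DEMO=1 sh this_script.sh <PID_to_trace>
if [ "${PAMSC_TRACE_DEMO:-0}" = 1 ]; then
    pamsc_ftrace_setup /root/hooked.list /root/hooking.list "${1:-}"
    pamsc_ftrace_start
    sleep 30                      # step 7: run the tests meanwhile
    pamsc_ftrace_stop /root/your_trace.log
    summarize_trace /root/your_trace.log
fi
```

A hooked system call that never appears in the summary was not invoked during the tests; a hooked call that appears while its PAMSC hooking function does not is the case the article is written to detect, and the summary makes that comparison a matter of reading two lines.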

Attachments

steps_to_ftrace_PAMSC_manually.txt