stramon - Strace based process behavior monitoring tool

I recently finally went ahead to wrap up an idea I’ve had for a while, and I hope other security people will find it useful. This largely stems from my previous attempt at writing sandboxing policies/profiles (Sandboxing suite for desktop programs).

Stramon runs a command under strace with the right parameters and named pipe setup on your behalf, then collects and compiles some critical syscall parameters into a JSON file for easier analysis.

Links

Repo
First release (contains static binary)

Example

Some JSON snippets from a short run of Firefox via stramon firefox:

The stats section (each recorded syscall and the number of calls observed):

  "stats": {
    "writev": 1,
    "write": 93145,
    "waitid": 19,
    "wait4": 3,
    "unlink": 200,
    "uname": 128,
    "umask": 18,
    "tgkill": 1,
    ...

The access section (paths opened via open/openat, and the file type classification of each path):

  "access": {
    "r": {
      "/dev/dri": "DIR",
      "/dev/shm": "DIR",
      "/dev/urandom": "CHR",
      "/etc/ca-certificates/trust-source/anchors": "DIR",
      "/etc/ca-certificates/trust-source/blocklist": "DIR",
      "/etc/fonts/conf.d": "DIR",
      "/etc/fonts/fonts.conf": "REG",
      "/etc/host.conf": "REG",
      "/etc/hosts": "REG",
      "/etc/ld.so.cache": "REG",
      "/etc/ld.so.conf.d": "DIR",
      "/etc/localtime": "LNK",
      "/etc/nsswitch.conf": "REG",
      "/etc/passwd": "REG",
      "/etc/pipewire/jack.conf.d": "DIR",
      "/etc/resolv.conf": "REG",
      "/home/darren/.cache/mesa_shader_cache/01/7abe429a0d4f6969e93e86afe00e15d6461ecf": "REG",
      ...
    },
    "rw": {
      "/dev/tty": "CHR"
    }
  }

Full file: GH gist (prettified using jq)
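To show what the stats and access sections above are built from, here is an added example (not stramon's own code) that reduces a constructed sample of strace -f output to the same shape: per-syscall counts plus successfully opened paths grouped by open mode and tagged with their file type. It assumes the r/rw/w keys and the DIR/REG/CHR/LNK tags seen in the output above; the sample trace lines and the MISSING/UNKNOWN tags are my own.

```python
import os
import re
import stat
from collections import Counter

# Constructed sample of `strace -f` output (not a real stramon capture).
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/dev/tty", O_RDWR) = 4
1234 open("/tmp/out.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
1235 openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
1234 write(5, "hello", 5) = 5
1234 write(5, "world", 5) = 5
1235 openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# "<pid> name(args) = ret"; the pid prefix is optional so plain strace output parses too.
CALL_RE = re.compile(r"^(?:\d+\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
TYPE_TAGS = {stat.S_IFDIR: "DIR", stat.S_IFREG: "REG", stat.S_IFCHR: "CHR", stat.S_IFBLK: "BLK",
             stat.S_IFLNK: "LNK", stat.S_IFIFO: "FIFO", stat.S_IFSOCK: "SOCK"}

def classify(path):
    """Tag a path with its file type (lstat, so a symlink shows as LNK like /etc/localtime above)."""
    try:
        return TYPE_TAGS.get(stat.S_IFMT(os.lstat(path).st_mode), "UNKNOWN")
    except OSError:
        return "MISSING"  # already gone when we look, typical for temp files

def summarize(trace, classify=classify):
    """Reduce strace lines to {'stats': {syscall: count}, 'access': {'r'|'w'|'rw': {path: type}}}."""
    stats = Counter()
    access = {"r": {}, "w": {}, "rw": {}}
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:  # '<unfinished ...>' / '<... resumed>' pairs are not stitched together here
            continue
        name, args, ret = m["name"], m["args"], int(m["ret"])
        stats[name] += 1
        if name not in ("open", "openat") or ret < 0:
            continue  # only successful opens tell us what the process actually reached
        path = QUOTED_RE.search(args)[1]
        if name == "openat" and not args.startswith("AT_FDCWD") and not path.startswith("/"):
            continue  # relative to some other dirfd; resolving it would need fd tracking
        flags = QUOTED_RE.sub("", args)  # drop the quoted path before scanning for O_* flags
        mode = "rw" if "O_RDWR" in flags else "w" if "O_WRONLY" in flags else "r"
        access[mode].setdefault(path, classify(path))
    return {"stats": dict(stats), "access": access}
```

json.dumps(summarize(SAMPLE_TRACE), indent=2) gives a document with the same stats and access sections as the snippets above; pass a different classify callable to tag paths from a recorded filesystem snapshot instead of the live one.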
