stramon - Strace based process behavior monitoring tool

I recently finally went ahead to wrap up an idea I’ve head for a while, and I hope other security people will find it useful. This largely stems from my previous attempt at writing sandboxing policies/profiles ( Sandboxing suite for desktop programs ).

Stramon runs a command under strace with the right parameters and named pipe setup on your behalf, then collects and compile some critical syscall parameters into a json file for easier analysis.


First release (contains static binary)


Some json snippets from a short run of firefox via stramon firefox:

The stats section (recorded syscall and the number of call observed):

  "stats": {
    "writev": 1,
    "write": 93145,
    "waitid": 19,
    "wait4": 3,
    "unlink": 200,
    "uname": 128,
    "umask": 18,
    "tgkill": 1,

The access section (path opened via open/openat, and the corresponding classification of the path):

  "access": {
    "r": {
      "/dev/dri": "DIR",
      "/dev/shm": "DIR",
      "/dev/urandom": "CHR",
      "/etc/ca-certificates/trust-source/anchors": "DIR",
      "/etc/ca-certificates/trust-source/blocklist": "DIR",
      "/etc/fonts/conf.d": "DIR",
      "/etc/fonts/fonts.conf": "REG",
      "/etc/host.conf": "REG",
      "/etc/hosts": "REG",
      "/etc/": "REG",
      "/etc/": "DIR",
      "/etc/localtime": "LNK",
      "/etc/nsswitch.conf": "REG",
      "/etc/passwd": "REG",
      "/etc/pipewire/jack.conf.d": "DIR",
      "/etc/resolv.conf": "REG",
      "/home/darren/.cache/mesa_shader_cache/01/7abe429a0d4f6969e93e86afe00e15d6461ecf": "REG",
    "rw": {
      "/dev/tty": "CHR"

Full file: GH gist (prettified using jq)

1 Like