
I wrote a kernel module to replace the Linux kernel service routines (e.g. system calls) with security-enforcing code, similar to SELinux or AppArmor, with the main exceptions of ruleset control on-the-fly and big data integration.

From a security perspective, the only way to use the OS services from an application is via my supervision code, which is protected by the kernel's native ASLR (Address Space Layout Randomization) and is read-only.

Since the code and the system calls are marked read-only, they can only be bypassed by another kernel module, which cannot be loaded without approval under most exploit scenarios.

The kernel module communicates with MongoDB, sends logs and receives rules on-the-fly.

The result is that every OS service such as disk/file access is logged and can be stopped if a block rule applies.

Is there any way to achieve this result in the scalable and controlled way described above?

{ "process": "cat", "pid": 14975, "accessed file": "/etc/passwd", "user id": 1000 }

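As an added example (not the poster's code, and not the kernel module itself), the following userspace model shows the decision logic the question describes: events in the JSON shape shown above are matched against an ordered ruleset that can be swapped on-the-fly, with every incoming rule validated before the swap so a malformed update from the rule source is rejected as a whole. The rule fields `process`, `path_prefix`, `uid` and `action` are assumed names.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed event, same shape as the log line in the question.
SAMPLE_EVENT = '{ "process": "cat", "pid": 14975, "accessed file": "/etc/passwd", "user id": 1000 }'

ALLOWED_KEYS = {"process", "path_prefix", "uid", "action"}  # assumed rule schema


@dataclass(frozen=True)
class Rule:
    action: str                       # "block" or "allow"
    process: Optional[str] = None     # exact process name, None matches any
    path_prefix: Optional[str] = None # path prefix of the accessed file
    uid: Optional[int] = None         # numeric user id

    def matches(self, ev: dict) -> bool:
        if self.process is not None and ev.get("process") != self.process:
            return False
        path = str(ev.get("accessed file", ""))
        if self.path_prefix is not None and not path.startswith(self.path_prefix):
            return False
        if self.uid is not None and ev.get("user id") != self.uid:
            return False
        return True


class RuleSet:
    """Ordered rules, first match wins; unmatched events are allowed, so an
    empty or rejected ruleset never locks the machine out of its own services."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def load(self, raw_rules: List[dict]) -> None:
        # Validate the whole update before it takes effect: unknown keys or an
        # unknown action reject the update and keep the previous rules active.
        new_rules = []
        for r in raw_rules:
            if set(r) - ALLOWED_KEYS or r.get("action") not in ("block", "allow"):
                raise ValueError(f"rejected rule: {r}")
            new_rules.append(Rule(**r))
        self.rules = new_rules  # single reference swap: readers see old or new, never a mix

    def decide(self, event_json: str) -> str:
        ev = json.loads(event_json)
        for rule in self.rules:
            if rule.matches(ev):
                return rule.action
        return "allow"
```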