UMAL is an API limiter tool for non-root users, such as web-hosting users.
UMAL can currently check the open and exec APIs against the real path name. In the near future UMAL will be able to check unlink, socket, and other APIs.
UMAL checks API calls, so it can check all file access, network sockets, and so on. UMAL also checks forked processes. But UMAL is only an API limiter, so it can never check for SQL injection and the like.
Experimental release. (For developers only; supports the exec and open APIs.)
It is only for FreeBSD/i386. A Linux version will be available in the far future. http://prdownloads.sourceforge.jp/umal/24939/umal1.tar.gz
|1st char|What API|
|W|open as Write|
|R|open as Read|
|S|exec SETUIDed file|

|2nd char|File path match pattern|
|f|following argument is exact file path|
UMAL is very similar to truss(1). truss(1) dumps an API usage log; UMAL checks API usage and kills the target process if the API is not listed in the white list. UMAL also checks processes forked by the target process, so the check applies recursively. But UMAL runs with normal user permissions, so you cannot check SETUIDed programs.
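The white-list check described above, as an added example (not UMAL's own code): it matches the `f` pattern against the resolved real path, so a symlink that points at a file outside the white list is refused. The rule-line layout (two flag characters, a space, then the path), the function names and the sample file names are assumptions; the page gives only the flag characters.

```c
/* Added example, not UMAL source. Assumed rule layout: "Rf /real/path". */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if whitelisted, 0 if the target would be killed. api: 'W','R','S'. */
int allowed(const char *const *rules, size_t n, char api, const char *path)
{
    char real[PATH_MAX];
    /* Match on the real path: resolve symlinks and ".."; unresolvable = deny. */
    if (realpath(path, real) == NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        const char *r = rules[i];
        if (strlen(r) > 3 && r[0] == api && r[1] == 'f' && r[2] == ' '
            && strcmp(r + 3, real) == 0)
            return 1;               /* 'f': exact file path */
    }
    return 0;                       /* default deny */
}

/* Constructed demo: page.html is whitelisted for read; innocent.html is a
   symlink to secret.key, which is not. Returns verdict bits:
   1 = read page.html, 2 = read innocent.html, 4 = write page.html. */
int demo(void)
{
    char dir[] = "/tmp/umal-demo-XXXXXX", base[PATH_MAX];
    char p[3][PATH_MAX + 16], rule[PATH_MAX + 32];
    const char *names[] = { "page.html", "secret.key", "innocent.html" };
    if (mkdtemp(dir) == NULL || realpath(dir, base) == NULL) return -1;
    for (int i = 0; i < 3; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", base, names[i]);
    for (int i = 0; i < 2; i++) {
        FILE *f = fopen(p[i], "w");   /* create two empty files */
        if (f == NULL) return -1;
        fclose(f);
    }
    if (symlink(p[1], p[2]) != 0) return -1;
    snprintf(rule, sizeof rule, "Rf %s", p[0]);
    const char *rules[] = { rule };
    int bits = allowed(rules, 1, 'R', p[0]) | (allowed(rules, 1, 'R', p[2]) << 1)
             | (allowed(rules, 1, 'W', p[0]) << 2);
    for (int i = 0; i < 3; i++) unlink(p[i]);
    rmdir(dir);
    return bits;
}
int main(void) { printf("verdict bits: %d\n", demo()); return 0; }
```

Only the read of page.html is allowed: the symlink resolves to secret.key, and the `R` rule does not cover opening for write.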
daemon a_t_ rogiken.org Please include "About UMAL:" in your e-mail subject.