From: James Antill <jantill@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Abnormal End of Processes
Date: Wed, 18 Apr 2007 12:47:23 -0400 [thread overview]
Message-ID: <1176914844.19144.34.camel@code.and.org> (raw)
In-Reply-To: <200704181209.50302.sgrubb@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 1834 bytes --]
On Wed, 2007-04-18 at 12:09 -0400, Steve Grubb wrote:
> Hi,
>
> I have been working on some code that detects abnormal events based on
> audit system events. One kind of event that we currently have no visibility for is
> when a program terminates due to segfault - which should never happen on a
> production machine. And if it did, you'd want to investigate it. Attached is a
> patch that collects these events and sends them into the audit system.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.c
> --- linux-2.6.18.x86_64.orig/fs/exec.c 2007-04-13 17:26:19.000000000 -0400
> +++ linux-2.6.18.x86_64/fs/exec.c 2007-04-13 17:25:34.000000000 -0400
> @@ -49,6 +49,7 @@
> #include <linux/acct.h>
> #include <linux/cn_proc.h>
> #include <linux/audit.h>
> +#include <linux/selinux.h>
>
> #include <asm/uaccess.h>
> #include <asm/mmu_context.h>
> @@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
> int fsuid = current->fsuid;
> int flag = 0;
> int ispipe = 0;
> + extern int audit_enabled;
> +
> + if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT) {
Does this deal with the case where the application catches SIGSEGV, and
then calls abort() (or just raises SIGABRT).
Also in a more general way, I'm pretty sure you'd also want to know
whenever abort()/raise(SIGABORT) is done, at least all the times I've
seen those calls it's the same thing as a SIGSEGV situation from the
applications POV.
The only thing I can think against this is that _very rarely_ a
sysadmin will do a "kill -ABRT" to stop a problem application ... which
I assume is why you've filtered it? But even then is a "spurious" audit
event that bad?
--
James Antill <jantill@redhat.com>
[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2007-04-18 16:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-18 16:09 Abnormal End of Processes Steve Grubb
2007-04-18 16:47 ` James Antill [this message]
2007-04-18 17:27 ` Steve Grubb
2007-04-18 20:06 ` Alexander Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1176914844.19144.34.camel@code.and.org \
--to=jantill@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.