From: Steve Grubb <sgrubb@redhat.com>
To: Vishnu Srinivasa Ramaprasad <srvishnu123@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: What value gets stored in a3 when -S execve?
Date: Wed, 27 May 2020 16:22:45 -0400
Message-ID: <4000710.EZmUHuUpmd@x2>
In-Reply-To: <CAKLd27D7ts_1Orymr50D-qZHhmxs7Jkbb4uh660nCoH4n4WG_w@mail.gmail.com>

Hello,

On Wednesday, May 27, 2020 3:44:13 PM EDT Vishnu Srinivasa Ramaprasad wrote:
> I'm Vish and I am a newbie to auditd. My requirement is to log only
> shell/bash commands and custom commands executed by administrator users.
> I have created these rules in /etc/audit/rules.d/audit.rules, to ensure
> SYSCALL, EXECVE are being added to audit.log for administrator users with
> auid greater than 1000:
> -a exit,always -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k log_cmd
> -a exit,always -F arch=b32 -S execve -F auid>=1000 -F auid!=-1 -k log_cmd
> 
> After restarting the auditd service, I executed strace on a simple command
> which displays the version of my project's toolkit:
> 
> ~# strace -e trace=execve toolkit-version-show
> execve("/var/tmp/toolkit-version-show", ["toolkit-version-show"],
> 0x7ffef1fa38b0 /* 30 vars */) = 0
> Toolkit Version: 1.01
> +++ exited with 0 +++
> 
> Later, I executed the ausearch command to check the log entry:
> ~# ausearch -i --start recent
> ----
> type=EXECVE msg=audit(05/27/2020 19:01:26.605:12725) : argc=2
> a0=/usr/bin/perl a1=/var/tmp/toolkit-version-show
> type=SYSCALL msg=audit(05/27/2020 19:01:26.605:12725) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x7ffef1fa2450 a1=0x7ffef1fa38a0
> a2=0x7ffef1fa38b0 a3=0x7f47f8669740 items=3 ppid=3641 pid=3643
> auid=administrator uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts0 ses=8936 comm=toolkit-version-sho
> exe=/usr/bin/perl key=log_cmd
> ----
> type=EXECVE msg=audit(05/27/2020 19:01:26.601:12724) : argc=4 a0=strace
> a1=-e a2=trace=execve a3=toolkit-version-show
> type=SYSCALL msg=audit(05/27/2020 19:01:26.601:12724) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55a2d44c9010 a1=0x55a2d449fe80
> a2=0x55a2d4389490 a3=0x8 items=2 ppid=3099 pid=3641 auid=administrator
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts0 ses=8936 comm=strace exe=/usr/bin/strace key=log_cmd
> ----
> 
> My understanding of a0 - a2: Please refer to the syntax of execve():
> 
> int execve(const char *filename, char *const argv[], char *const envp[]);
> 
> Based on syntax of execve() and output from strace, I could understand that
> in audit.log event entry:
> a0=0x7ffef1fa2450 represents filename argument of execve

It's a pointer to the string.

> a1=0x7ffef1fa38a0 represents argv[] argument of execve
> a2=0x7ffef1fa38b0 represents envp[] argument of execve
> 
> Question 1: What does the a3=0x7f47f8669740 value represent?

Whatever is on the stack in that position.

> As execve() has only 3 arguments (represented by a0,a1,a2), what value gets
> stored in a3?
> I have noticed a3 values to be varying from:
> a3=0x0
> a3=0x7
> a3=0x55a2d4389490
> a3=0x56a2d44adc00
> a3=0x8
> 
> Question 2: a3=0x8 seems to be the value assigned for a majority of
> execve() syscalls.
> Is this a standard value set in case of main/primary system call, such as
> toolkit-version-show?

Nope. It depends entirely on what the previous syscalls or system activity 
were and where on the stack it currently is.

> Could I use this in a rule filter *-F a3=8* to log only primary (custom
> script) command executed by user and not internal commands executed by
> custom script like ls, cat, grep.. etc.:
> -a exit,always -F arch=b64 -S execve *-F a3=8* -F auid>=1000 -F auid!=-1 -k
> log_cmd
> -a exit,always -F arch=b32 -S execve *-F a3=8* -F auid>=1000 -F auid!=-1 -k
> log_cmd
> 
> Would I miss logging a few primary syscalls, if a3 is not 0x80 in some
> cases?

Nope. You can't count on anything in a3, since it is not valid for that 
syscall.

> Question 3: If a3=0x8 is not a standard value, Is it possible to identify
> primary custom command and log only that command, and not internal commands
> with a3=0x0 or a3=0x55a2d4389490?

You can always place a watch on the custom commands.
-a exit,always -F path=/path-to/custom-command -F perm=x -F key=command


> Question 4: Is it possible to filter out and not log syscalls with
> tty=(none)?

No. But there is a loose correlation with auid or sessionid being -1. That 
means it is a daemon. And if you only want commands run by people, then you 
want -F auid>=1000 -F auid!=-1.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
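The thread's practical takeaway is that a3 on an execve SYSCALL record is register noise and cannot select "primary" commands. What does work from the log side is joining the SYSCALL and EXECVE records of one event (same timestamp:serial) and walking the pid/ppid chain: an execve whose parent pid is the pid of an earlier audited execve in the same session is a child of that command. The following is an added example written for this page, not code from the thread or from the audit project; it parses the two `ausearch -i` events quoted above, embedded here as a constructed sample, and the function names (`parse_records`, `execve_events`, `top_level_commands`) are my own.

```python
"""Join ausearch -i SYSCALL/EXECVE records by event id and find top-level commands.

Added example for this page, not from the linux-audit thread. Rather than filtering
on a3 (which holds whatever the fourth syscall-argument register happened to contain),
it walks the ppid chain of the audited execve events within a login session.
"""
import re
from collections import defaultdict

# Constructed sample: the two events quoted in the thread, one record per line
# as `ausearch -i` prints them (newest event first).
SAMPLE = """\
----
type=EXECVE msg=audit(05/27/2020 19:01:26.605:12725) : argc=2 a0=/usr/bin/perl a1=/var/tmp/toolkit-version-show
type=SYSCALL msg=audit(05/27/2020 19:01:26.605:12725) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffef1fa2450 a1=0x7ffef1fa38a0 a2=0x7ffef1fa38b0 a3=0x7f47f8669740 items=3 ppid=3641 pid=3643 auid=administrator uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8936 comm=toolkit-version-sho exe=/usr/bin/perl key=log_cmd
----
type=EXECVE msg=audit(05/27/2020 19:01:26.601:12724) : argc=4 a0=strace a1=-e a2=trace=execve a3=toolkit-version-show
type=SYSCALL msg=audit(05/27/2020 19:01:26.601:12724) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55a2d44c9010 a1=0x55a2d449fe80 a2=0x55a2d4389490 a3=0x8 items=2 ppid=3099 pid=3641 auid=administrator uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8936 comm=strace exe=/usr/bin/strace key=log_cmd
----
"""

# type=<RECORD> msg=audit(<date time.ms:serial>) : <key=value ...>
REC = re.compile(r"^type=(\w+) msg=audit\(([^)]+)\) : (.*)$")
KV = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group records by event id; returns {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:            # "----" separators and anything else are skipped
            continue
        rtype, event_id, body = m.groups()
        events[event_id][rtype] = dict(KV.findall(body))
    return events


def command_line(execve):
    """Rebuild argv from the EXECVE record's a0..a{argc-1} fields.

    Note these a<n> fields are argv strings; the a0..a3 on the SYSCALL record
    are the raw register values and are a different thing entirely.
    """
    argc = int(execve.get("argc", 0))
    return [execve.get(f"a{i}", "") for i in range(argc)]


def execve_events(text):
    """Execve events that carry both a SYSCALL and an EXECVE record, oldest first."""
    out = []
    for event_id, recs in parse_records(text).items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex or sc.get("syscall") != "execve":
            continue
        out.append({
            "event": event_id,
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "ses": sc.get("ses"),
            "auid": sc.get("auid"),
            "exe": sc.get("exe"),
            "a3": sc.get("a3"),      # register contents only; never filter on this
            "argv": command_line(ex),
        })
    # ausearch prints newest first; order by the serial number after the last ':'
    out.sort(key=lambda e: int(e["event"].rsplit(":", 1)[1]))
    return out


def top_level_commands(text):
    """Events whose parent pid is not the pid of an earlier audited execve in the same session.

    Heuristic: a process that execs after being forked by an already-audited command
    (here perl, forked by strace) is a child; the first exec seen under a parent the
    log has not recorded (the interactive shell) is the command the user typed.
    """
    primary = []
    seen = set()                     # (ses, pid) of processes already seen exec'ing
    for ev in execve_events(text):
        if (ev["ses"], ev["ppid"]) not in seen:
            primary.append(ev)
        seen.add((ev["ses"], ev["pid"]))
    return primary


if __name__ == "__main__":
    for ev in execve_events(SAMPLE):
        print(ev["event"], "pid", ev["pid"], "ppid", ev["ppid"], "a3", ev["a3"], ev["argv"])
    print("top-level:", [e["argv"] for e in top_level_commands(SAMPLE)])
```

On the sample this reports a3 values of 0x8 and 0x7f47f8669740 for two adjacent execve calls, and only the `strace` command as top-level, because the perl exec (pid 3643) has ppid 3641, the pid of the strace exec. The ppid heuristic is a post-processing convenience and breaks down if the session's shell itself appears as an audited exec; for the specific scripts the original poster cares about, the `-F path=... -F perm=x` watch that Steve suggests is the reliable rule-side answer, and the `-F auid>=1000 -F auid!=-1` filter already in the rules keeps daemons out.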