From: Samir Bellabes <sam@synack.fr>
To: Peter Moody <pmoody@google.com>
Cc: linux-security-module@vger.kernel.org,
brandon.carpenter@pnnl.gov, casey@schaufler-ca.com,
netdev@vger.kernel.org
Subject: Re: [PATCH v2 0/2] RFC, aiding pid/network correlation
Date: Fri, 01 Aug 2014 14:16:55 +0200 [thread overview]
Message-ID: <87y4v876bs.fsf@synack.fr> (raw)
In-Reply-To: <1406856100-21674-1-git-send-email-pmoody@google.com> (Peter Moody's message of "Thu, 31 Jul 2014 18:21:38 -0700")
Peter Moody <pmoody@google.com> writes:
> I'm interested in having a host-based monitoring mechanism in
> place in the linux kernel. At this point I'm specifically looking
> to tie any given packet seen on the network back to the process
> that sent or received it. This is the sort of information our
> incident responders are constantly asking for.
>
> This is round 2 of the patchset. It's essentially taking HONE [1],
> a kernel module originally written by Brandon Carpenter and switches
> the hooks to use the standard (plus a new one, task_post_create) LSM
> hooks + a run through cleanfile/checkpatch.
>
> At a high level, Hone hooks process/socket creations/terminations
> and inet/inet6 packets that are sent or received. A userspace
> application can then correlate packet to process by reading the
> events from the kernel.
>
> (Note, there doesn't appear to be an outbound version of the callback
> socket_sock_rcv_skb and the socket_sendmsg/socket_recvmsg
> are called too early in the process to be used so this uses netfilter
> hooks.)
>
> This patchset makes the events available as text via securityfs
> in /sys/kernel/security/hone/text and /sys/kernel/security/hone/pcapng.
> The text output looks like
>
> 3.350826817 EXEC 718 1 0 0 "/usr/sbin/cupsd" /usr/sbin/cupsd -f
> 3.350826817 SOCK O 718 1 0 0 b14e0000
> ...
> 5301.871561546 EXEC 2652 2586 1000 1000 "/bin/less" less
> 5303.104510870 EXEC 2653 2651 0 0 "/bin/cat" cat /sys/kernel/security/hone/text
> 5303.110322648 PAKT O 382d0700 2524 TCPv4 169.254.0.11:22 -> 169.254.0.2:49387 120
>
> and the pcapng format is described in hone_pcapng.h.
>
> There are some drawbacks with this method. Notably, it doesn't
> accurately track the owning pid of sockets passed via dup(), dup2()
> etc.
>
> This particular approach is all very experimental. We had a need
> for this level of monitoring on some of our machines (did I mention
> the incident responders?) and HONE had the best features/efficiency.
>
> I've CC'd the netdev folks at James' suggestion. I CC'd you, Casey
> as you were the one who suggested this be a proper LSM.
>
> So I'm humbly requesting comments.
>
> * Is there a better (more efficient/extensible) way to do this?
> * Is there already an existing mechanism to do this?
Hi Peter,
I have built such a subsystem, for years now.
Please, you can access the latest public patchset here:
https://lkml.org/lkml/2011/5/5/132
Monitoring events is possible with snet.
thanks,
(resending, first mail didn't hit lists)
> * Is there any interest in something like this living in the
> kernel? Or is the dkms distributed path the way to go?
>
> And if this is all reasonable, is it possible to add a
> socket_sock_send_skb callback and where might that go?
>
> Finally, the linux-sensor project was released under the GPL but
> I'm not sure if there are any copyright issues ... ? I've just
> kept the copyright comments in any event.
>
> This has been tested against security-next
>
> [1] https://github.com/HoneProject/Linux-Sensor
>
> Peter Moody (2):
> security: create task_post_create callback.
> security: Hone LSM
>
> include/linux/hone.h | 50 +++
> include/linux/security.h | 8 +
> kernel/fork.c | 1 +
> security/Kconfig | 1 +
> security/Makefile | 2 +
> security/capability.c | 5 +
> security/hone/Kconfig | 8 +
> security/hone/Makefile | 3 +
> security/hone/hone.h | 164 ++++++++++
> security/hone/hone_event.c | 625 +++++++++++++++++++++++++++++++++++++
> security/hone/hone_lsm.c | 183 +++++++++++
> security/hone/hone_mmutil.c | 106 +++++++
> security/hone/hone_mmutil.h | 20 ++
> security/hone/hone_notify.c | 450 ++++++++++++++++++++++++++
> security/hone/hone_pcapng.c | 596 +++++++++++++++++++++++++++++++++++
> security/hone/hone_pcapng.h | 30 ++
> security/hone/hone_ringbuf.c | 51 +++
> security/hone/hone_ringbuf.h | 34 ++
> security/hone/hone_socket_lookup.c | 264 ++++++++++++++++
> security/security.c | 5 +
> 20 files changed, 2606 insertions(+)
> create mode 100644 include/linux/hone.h
> create mode 100644 security/hone/Kconfig
> create mode 100644 security/hone/Makefile
> create mode 100644 security/hone/hone.h
> create mode 100644 security/hone/hone_event.c
> create mode 100644 security/hone/hone_lsm.c
> create mode 100644 security/hone/hone_mmutil.c
> create mode 100644 security/hone/hone_mmutil.h
> create mode 100644 security/hone/hone_notify.c
> create mode 100644 security/hone/hone_pcapng.c
> create mode 100644 security/hone/hone_pcapng.h
> create mode 100644 security/hone/hone_ringbuf.c
> create mode 100644 security/hone/hone_ringbuf.h
> create mode 100644 security/hone/hone_socket_lookup.c
>
> --
> 2.0.0.526.g5318336
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
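The cover letter above describes the text event stream Hone exposes in /sys/kernel/security/hone/text (EXEC, SOCK and PAKT lines) and the userspace correlation an incident responder would do with it. The following is an added example of such a userspace consumer; it is not code from the Hone patchset or from the Linux-Sensor project. It assumes, beyond what the sample lines show, that the four integers in EXEC/SOCK events are pid, ppid, uid, gid in that order, that the SOCK flag 'O' means open (any other flag is treated as close), that the PAKT flag is 'O' outbound / 'I' inbound, and that the hex field is a socket identifier shared between SOCK and PAKT events. The sample input is constructed: the lines quoted in the cover letter plus a few added lines so that every attribution path is exercised.

```python
"""Consumer for the Hone text event stream described in the patch cover
letter.  Added example, not code from the Hone patchset or Linux-Sensor.
Assumptions (not stated on the page): EXEC/SOCK integers are pid, ppid,
uid, gid in that order; SOCK flag 'O' = open, anything else = close;
PAKT flag 'O' = outbound / 'I' = inbound; the hex field is the socket id
that appears in both SOCK and PAKT events."""
import re
from dataclasses import dataclass
from typing import Dict, List

EXEC_RE = re.compile(r'^(\S+) EXEC (\d+) (\d+) (\d+) (\d+) "([^"]*)"(?: (.*))?$')
SOCK_RE = re.compile(r'^(\S+) SOCK (\S) (\d+) (\d+) (\d+) (\d+) ([0-9a-f]+)$')
PAKT_RE = re.compile(r'^(\S+) PAKT (\S) ([0-9a-f]+) (\d+) (\S+) (\S+) -> (\S+) (\d+)$')

# Constructed sample: the lines quoted in the cover letter plus constructed
# EXEC/SOCK lines for pid 2524 and two constructed PAKT lines, so that each
# attribution path below is exercised.  Not output from a real system.
SAMPLE = """\
3.350826817 EXEC 718 1 0 0 "/usr/sbin/cupsd" /usr/sbin/cupsd -f
3.350826817 SOCK O 718 1 0 0 b14e0000
5280.000000000 EXEC 2524 1 0 0 "/usr/sbin/sshd" /usr/sbin/sshd -D
5280.000000001 SOCK O 2524 1 0 0 382d0700
5301.871561546 EXEC 2652 2586 1000 1000 "/bin/less" less
5303.104510870 EXEC 2653 2651 0 0 "/bin/cat" cat /sys/kernel/security/hone/text
5303.110322648 PAKT O 382d0700 2524 TCPv4 169.254.0.11:22 -> 169.254.0.2:49387 120
5303.200000000 PAKT I b14e0000 7000 TCPv4 169.254.0.2:40001 -> 169.254.0.11:631 60
5303.300000000 PAKT I deadbeef 9999 UDPv4 169.254.0.2:53 -> 169.254.0.11:41000 80
"""


@dataclass
class Process:
    pid: int
    ppid: int
    uid: int
    gid: int
    exe: str
    cmdline: str


class HoneCorrelator:
    """Replays the event stream in order and attributes each PAKT event."""

    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}    # pid -> last EXEC seen for it
        self.sock_owner: Dict[str, int] = {}   # socket id -> pid that opened it
        self.results: List[dict] = []

    def feed(self, line: str) -> None:
        line = line.strip()
        if not line or line == "...":
            return
        m = EXEC_RE.match(line)
        if m:
            _, pid, ppid, uid, gid, exe, cmd = m.groups()
            self.procs[int(pid)] = Process(int(pid), int(ppid), int(uid),
                                           int(gid), exe, cmd or "")
            return
        m = SOCK_RE.match(line)
        if m:
            _, flag, pid, _, _, _, sock = m.groups()
            if flag == "O":
                self.sock_owner[sock] = int(pid)
            else:
                self.sock_owner.pop(sock, None)
            return
        m = PAKT_RE.match(line)
        if m:
            ts, direction, sock, pid, proto, src, dst, length = m.groups()
            self.results.append(self._attribute(float(ts), direction, sock,
                                                int(pid), proto, src, dst,
                                                int(length)))
            return
        raise ValueError(f"unrecognised Hone event: {line!r}")

    def _attribute(self, ts, direction, sock, pid, proto, src, dst, length) -> dict:
        # First choice: the pid Hone stamped on the packet.  Fallback: the pid
        # that opened the socket.  The cover letter warns that sockets passed
        # via dup()/dup2() are not tracked accurately, so 'via' records which
        # path was used and the responder can weigh the fallback accordingly.
        proc, via = self.procs.get(pid), "pid"
        if proc is None:
            owner = self.sock_owner.get(sock)
            proc = self.procs.get(owner) if owner is not None else None
            via = "sock" if proc is not None else None
        return {"ts": ts, "dir": direction, "proto": proto, "src": src,
                "dst": dst, "len": length, "pid": pid, "sock": sock, "via": via,
                "exe": proc.exe if proc else None,
                "uid": proc.uid if proc else None}


def correlate(text: str) -> List[dict]:
    c = HoneCorrelator()
    for line in text.splitlines():
        c.feed(line)
    return c.results


if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(f"{r['ts']:.3f} {r['dir']} {r['proto']} {r['src']} -> {r['dst']} "
              f"pid={r['pid']} exe={r['exe']} via={r['via']}")
```

Against a live system the same loop would read /sys/kernel/security/hone/text instead of SAMPLE. The 'via' field matters in practice: an attribution made through the socket-creator fallback names the process that opened the socket, which after fork() or dup() may not be the process that actually sent or received the packet, exactly the limitation the cover letter calls out.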
Thread overview: 19+ messages
2014-08-01 1:21 [PATCH v2 0/2] RFC, aiding pid/network correlation Peter Moody
2014-08-01 1:21 ` [PATCH 1/2] security: create task_post_create callback Peter Moody
2014-08-01 1:21 ` [PATCH 2/2] security: Hone LSM Peter Moody
2014-08-01 12:16 ` Samir Bellabes [this message]
2014-08-01 17:22 ` [PATCH v2 0/2] RFC, aiding pid/network correlation Peter Moody
2014-08-02 0:30 ` Samir Bellabes
2014-08-02 15:05 ` Peter Moody
2014-08-02 4:55 ` Alex Elsayed
2014-08-03 1:34 ` Peter Moody
2014-08-03 1:49 ` Alex Elsayed
2014-08-03 2:19 ` Peter Moody
2014-08-03 2:28 ` Alex Elsayed
2014-08-03 2:38 ` Peter Moody
2014-08-03 2:41 ` Alex Elsayed
2014-08-03 2:47 ` Alex Elsayed
2014-08-03 3:14 ` Peter Moody
2014-08-03 3:41 ` Alex Elsayed
2014-08-03 21:57 ` Peter Moody
2014-08-03 22:18 ` Alex Elsayed