From: James Antill <jantill@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Abnormal End of Processes
Date: Wed, 18 Apr 2007 12:47:23 -0400 [thread overview]
Message-ID: <1176914844.19144.34.camel@code.and.org> (raw)
In-Reply-To: <200704181209.50302.sgrubb@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 1834 bytes --]
On Wed, 2007-04-18 at 12:09 -0400, Steve Grubb wrote:
> Hi,
>
> I have been working on some code that detects abnormal events based on
> audit system events. One kind of event that we currently have no visibility for is
> when a program terminates due to segfault - which should never happen on a
> production machine. And if it did, you'd want to investigate it. Attached is a
> patch that collects these events and sends them into the audit system.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.c
> --- linux-2.6.18.x86_64.orig/fs/exec.c 2007-04-13 17:26:19.000000000 -0400
> +++ linux-2.6.18.x86_64/fs/exec.c 2007-04-13 17:25:34.000000000 -0400
> @@ -49,6 +49,7 @@
> #include <linux/acct.h>
> #include <linux/cn_proc.h>
> #include <linux/audit.h>
> +#include <linux/selinux.h>
>
> #include <asm/uaccess.h>
> #include <asm/mmu_context.h>
> @@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
> int fsuid = current->fsuid;
> int flag = 0;
> int ispipe = 0;
> + extern int audit_enabled;
> +
> + if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT) {
Does this deal with the case where the application catches SIGSEGV, and
then calls abort() (or just raises SIGABRT).
Also in a more general way, I'm pretty sure you'd also want to know
whenever abort()/raise(SIGABORT) is done, at least all the times I've
seen those calls it's the same thing as a SIGSEGV situation from the
applications POV.
The only thing I can think against this is that _very rarely_ a
sysadmin will do a "kill -ABRT" to stop a problem application ... which
I assume is why you've filtered it? But even then is a "spurious" audit
event that bad?
--
James Antill <jantill@redhat.com>
[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2007-04-18 16:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-18 16:09 Abnormal End of Processes Steve Grubb
2007-04-18 16:47 ` James Antill [this message]
2007-04-18 17:27 ` Steve Grubb
2007-04-18 20:06 ` Alexander Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1176914844.19144.34.camel@code.and.org \
--to=jantill@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox