From mboxrd@z Thu Jan  1 00:00:00 1970
From: James Antill <jantill@redhat.com>
Subject: Re: Abnormal End of Processes
Date: Wed, 18 Apr 2007 12:47:23 -0400
Message-ID: <1176914844.19144.34.camel@code.and.org>
References: <200704181209.50302.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1879537596=="
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200704181209.50302.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com


--===============1879537596==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="=-FKjWkKqWrerTa8SrVr7B"


--=-FKjWkKqWrerTa8SrVr7B
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Wed, 2007-04-18 at 12:09 -0400, Steve Grubb wrote:
> Hi,
>=20
> I have been working on some code that detects abnormal events based on=20
> audit system events. One kind of event that we currently have no visibili=
ty for is
> when a program terminates due to segfault - which should never happen on =
a
> production machine. And if it did, you'd want to investigate it. Attached=
 is a
> patch that collects these events and sends them into the audit system.
>=20
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>=20
>=20
> diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.=
c
> --- linux-2.6.18.x86_64.orig/fs/exec.c	2007-04-13 17:26:19.000000000 -040=
0
> +++ linux-2.6.18.x86_64/fs/exec.c	2007-04-13 17:25:34.000000000 -0400
> @@ -49,6 +49,7 @@
>  #include <linux/acct.h>
>  #include <linux/cn_proc.h>
>  #include <linux/audit.h>
> +#include <linux/selinux.h>
> =20
>  #include <asm/uaccess.h>
>  #include <asm/mmu_context.h>
> @@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
>  	int fsuid =3D current->fsuid;
>  	int flag =3D 0;
>  	int ispipe =3D 0;
> +	extern int audit_enabled;
> +
> +	if (unlikely(audit_enabled) && signr !=3D SIGQUIT && signr !=3D SIGABRT=
) {

 Does this deal with the case where the application catches SIGSEGV, and
then calls abort() (or just raises SIGABRT).
 Also in a more general way, I'm pretty sure you'd also want to know
whenever abort()/raise(SIGABORT) is done, at least all the times I've
seen those calls it's the same thing as a SIGSEGV situation from the
applications POV.
 The only thing I can think against this is that _very rarely_ a
sysadmin will do a "kill -ABRT" to stop a problem application ... which
I assume is why you've filtered it? But even then is a "spurious" audit
event that bad?

--=20
James Antill <jantill@redhat.com>

--=-FKjWkKqWrerTa8SrVr7B
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBGJkub11eXTEMrxtQRAvdiAJ902bBCh0oS39jlRu+vfWDR4rmHPQCeM43B
dtyK5D+qa9FsWzloFVF98rs=
=ZhkH
-----END PGP SIGNATURE-----

--=-FKjWkKqWrerTa8SrVr7B--


--===============1879537596==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1879537596==--