public inbox for linux-audit@redhat.com
* Exec call auditing
@ 2010-05-06 18:04 Wahaj Ali
From: Wahaj Ali @ 2010-05-06 18:04 UTC (permalink / raw)
  To: Linux-audit



Hello,

As part of my course I am required to look at the auditing code in the Linux
kernel, more specifically the part where the exec() calls are being logged.
I would really appreciate any help, especially regarding where exactly that
code in the whole database can be found, i.e. the part of the code that is
logging the environment variables. My guess so far is that
audit_log_single_execve_arg in auditsc.c is doing most of the work.


I would be really grateful for your help.

Regards,
Wahaj Ali





* Re: Exec call auditing
From: Eric Paris @ 2010-05-10 15:28 UTC (permalink / raw)
  To: Wahaj Ali; +Cc: Linux-audit

On Thu, 2010-05-06 at 23:04 +0500, Wahaj Ali wrote:
> Hello,
> 
> As part of my course I am required to look at the auditing code in the
> Linux kernel, more specifically the part where the exec() calls are
> being logged. I would really appreciate any help, especially regarding
> where exactly that code in the whole database can be found, i.e. the
> part of the code that is logging the environment variables. My guess
> so far is that audit_log_single_execve_arg in auditsc.c is doing most
> of the work.

a) I didn't think we logged the environment; I thought we only logged the
execve arguments.  Maybe I'm wrong, it's been quite a while since I
rewrote a bunch of that stuff.

b) I feel like I'm doing your homework for you, but...

Actual logging is done in audit_log_exit().  This is run near syscall
exit and we print information that was collected during the syscall.  In
this case audit_log_exit() is going to call audit_execve_info() which
will call audit_log_single_execve_arg() for each argument in the list.
audit_log_single_execve_arg() takes care of making sure there is space
in the ab, creating new audit buffers if not and stuff like that.

The collection of that information is done back at the beginning of the
execve syscall entry in audit_bprm() [it is actually called from
fs/exec.c::search_binary_handler().  I'll let you use grep to go farther
up in the tree to see how to get back to sys_execve().]  In audit_bprm()
you will see that we create an auxiliary audit data struct to hold the
execve argument information pointer and attach it to the audit_context
so that we can find that information in audit_log_exit() later.

-Eric
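The record that audit_log_exit() / audit_log_single_execve_arg() emit is what a defender actually reads back from the audit log. As an added example (not part of this thread or of the kernel source), here is a small Python parser for `type=EXECVE` records that handles the two encodings audit_log_single_execve_arg() uses: double-quoted text for printable arguments and bare hex for arguments containing quotes, whitespace or non-printable bytes, plus the `aN[M]` chunk form used for very long arguments. The sample records are constructed, not captured from a real system.

```python
import re
from typing import Dict, List

# Constructed sample EXECVE records (not captured from a real system).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1273169045.123:42): argc=3 a0="ls" a1="-l" a2=2F746D702F6D7920646972',
    'type=EXECVE msg=audit(1273169046.456:43): argc=2 a0="echo" a1_len=6 a1[0]="abc" a1[1]="def"',
]

# key=value pairs: argc=N, a0="ls", a2=2F74.. (hex), and chunked a1[0]=..., a1[1]=...
_KV_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')
_ARG_KEY_RE = re.compile(r"a(\d+)(?:\[(\d+)\])?")


def _decode_value(raw: str) -> str:
    """Quoted values are printable text; unquoted values are the kernel's hex
    encoding of an argument that contains quotes, spaces or control bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def parse_execve(record: str) -> List[str]:
    """Return argv reconstructed from one type=EXECVE record line.

    Raises ValueError if the record is not an EXECVE record, lacks argc, or
    is missing an argument (e.g. a truncated line)."""
    if "type=EXECVE" not in record:
        raise ValueError("not an EXECVE record")
    argc = None
    pieces: Dict[int, Dict[int, str]] = {}  # arg index -> {chunk index -> text}
    for key, raw in _KV_RE.findall(record):
        if key == "argc":
            argc = int(raw)
            continue
        m = _ARG_KEY_RE.fullmatch(key)
        if not m:
            continue  # skips msg=, type=, aN_len= and anything else
        idx, chunk = int(m.group(1)), int(m.group(2) or 0)
        pieces.setdefault(idx, {})[chunk] = _decode_value(raw)
    if argc is None:
        raise ValueError("missing argc")
    argv = []
    for i in range(argc):
        chunks = pieces.get(i)
        if chunks is None:
            raise ValueError(f"argument a{i} missing (truncated record?)")
        argv.append("".join(chunks[c] for c in sorted(chunks)))  # join aN[M] chunks in order
    return argv


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(parse_execve(line))
```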
