From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH] audit: audit on the future execution of a binary.
Date: Mon, 08 Jul 2013 15:57:02 -0400 [thread overview]
Message-ID: <1983744.efnQVMhNqu@x2> (raw)
In-Reply-To: <20130704024856.GA17316@madcap2.tricolour.ca>
On Wednesday, July 03, 2013 10:48:56 PM Richard Guy Briggs wrote:
> I've gone back over the discussion of this feature and some of the
> background in the past couple of years on this list...
>
> We've got a kernel deadline coming up in the next month if we want to
> get something included in RHEL7 if you have the interest and time to
> evolve this patch (the userspace patch can follow...).
>
> As has been discussed, passing in an inode reference is incomplete,
> since it would need to be qualified by a device reference at minimum.
> And even then, it isn't atomic and could change by the time the kernel
> even sees this rule request.
>
> So, the next step is to convert the path to a device/inode in the kernel.
> If this is done at the time of registering the filter rule, if/when the
> rule is invalidated then the rule would be dropped, logged. It also means
> that anything else also hardlinked to it would be acted upon.
>
> Going one step further, if instead we can arrange an fsnotify() hook on
> rule registration, we could act on that path when it is executed,
> renamed, unlinked (and destroyed if the refcount goes to zero), etc.
>
> So, it should be passed as a path, logging the rule addition with path
> only at first. When the rule is triggered then log the requested path,
> effective path, device/inode along with the user context.
>
> The user, carefully crafting other rules can give other information.
This sounds like how I would expect it to be. You pass a path and the kernel
converts is very much like filesystem watches to device/inode. But the next
step is when the execve syscall matches with the path, then the rule is
further converted to have the pid instead of the inode/device. This is
basically following the established pattern we already have for watching files.
> A watch on the containing directory (/usr/bin) could help in case that
> executable pathname disappears and re-appears since the containing
> directory is less likely to go away, but it will be noisy.
Not sure this is necessary. If this is done for file system watches, then its
an established pattern and we should continue to follow it.
-Steve
next prev parent reply other threads:[~2013-07-08 19:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-23 19:24 [PATCH] audit: audit on the future execution of a binary Peter Moody
2012-09-06 21:34 ` Peter Moody
2013-04-11 18:08 ` Eric Paris
2013-04-11 18:13 ` Peter Moody
2013-07-04 2:48 ` Richard Guy Briggs
2013-07-07 22:41 ` Peter Moody
2013-07-08 19:35 ` Richard Guy Briggs
2013-07-08 19:57 ` Steve Grubb [this message]
2013-07-09 19:03 ` Steve Grubb
2013-09-20 16:18 ` Steve Grubb
-- strict thread matches above, loose matches on Subject: below --
2014-05-05 20:41 [PATCH] audit: log on the future execution of a path Richard Guy Briggs
2014-05-05 20:41 ` [PATCH] audit: audit on the future execution of a binary Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1983744.efnQVMhNqu@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox