* Abnormal End of Processes
@ 2007-04-18 16:09 Steve Grubb
2007-04-18 16:47 ` James Antill
2007-04-18 20:06 ` Alexander Viro
0 siblings, 2 replies; 4+ messages in thread
From: Steve Grubb @ 2007-04-18 16:09 UTC (permalink / raw)
To: Linux Audit
Hi,
I have been working on some code that detects abnormal events based on
audit system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.c
--- linux-2.6.18.x86_64.orig/fs/exec.c 2007-04-13 17:26:19.000000000 -0400
+++ linux-2.6.18.x86_64/fs/exec.c 2007-04-13 17:25:34.000000000 -0400
@@ -49,6 +49,7 @@
#include <linux/acct.h>
#include <linux/cn_proc.h>
#include <linux/audit.h>
+#include <linux/selinux.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
int fsuid = current->fsuid;
int flag = 0;
int ispipe = 0;
+ extern int audit_enabled;
+
+ if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT) {
+ struct audit_buffer *ab;
+ u32 sid;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ audit_log_format(ab, "auid=%u uid=%u gid=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid);
+ selinux_get_task_sid(current, &sid);
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+
+ if (selinux_ctxid_to_string(sid, &ctx, &len))
+ audit_log_format(ab, " ssid=%u", sid);
+ else
+ audit_log_format(ab, " subj=%s", ctx);
+ kfree(ctx);
+ }
+ audit_log_format(ab, " pid=%d comm=", current->pid);
+ audit_log_untrustedstring(ab, current->comm);
+ audit_log_format(ab, " sig=%ld", signr);
+ audit_log_end(ab);
+ }
binfmt = current->binfmt;
if (!binfmt || !binfmt->core_dump)
diff -urp linux-2.6.18.x86_64.orig/include/linux/audit.h linux-2.6.18.x86_64/include/linux/audit.h
--- linux-2.6.18.x86_64.orig/include/linux/audit.h 2007-04-13 17:26:21.000000000 -0400
+++ linux-2.6.18.x86_64/include/linux/audit.h 2007-04-13 17:20:37.000000000 -0400
@@ -111,6 +111,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Abnormal End of Processes
2007-04-18 16:09 Abnormal End of Processes Steve Grubb
@ 2007-04-18 16:47 ` James Antill
2007-04-18 17:27 ` Steve Grubb
2007-04-18 20:06 ` Alexander Viro
1 sibling, 1 reply; 4+ messages in thread
From: James Antill @ 2007-04-18 16:47 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
[-- Attachment #1.1: Type: text/plain, Size: 1834 bytes --]
On Wed, 2007-04-18 at 12:09 -0400, Steve Grubb wrote:
> Hi,
>
> I have been working on some code that detects abnormal events based on
> audit system events. One kind of event that we currently have no visibility for is
> when a program terminates due to segfault - which should never happen on a
> production machine. And if it did, you'd want to investigate it. Attached is a
> patch that collects these events and sends them into the audit system.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.c
> --- linux-2.6.18.x86_64.orig/fs/exec.c 2007-04-13 17:26:19.000000000 -0400
> +++ linux-2.6.18.x86_64/fs/exec.c 2007-04-13 17:25:34.000000000 -0400
> @@ -49,6 +49,7 @@
> #include <linux/acct.h>
> #include <linux/cn_proc.h>
> #include <linux/audit.h>
> +#include <linux/selinux.h>
>
> #include <asm/uaccess.h>
> #include <asm/mmu_context.h>
> @@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
> int fsuid = current->fsuid;
> int flag = 0;
> int ispipe = 0;
> + extern int audit_enabled;
> +
> + if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT) {
Does this deal with the case where the application catches SIGSEGV, and
then calls abort() (or just raises SIGABRT).
Also in a more general way, I'm pretty sure you'd also want to know
whenever abort()/raise(SIGABORT) is done, at least all the times I've
seen those calls it's the same thing as a SIGSEGV situation from the
applications POV.
The only thing I can think against this is that _very rarely_ a
sysadmin will do a "kill -ABRT" to stop a problem application ... which
I assume is why you've filtered it? But even then is a "spurious" audit
event that bad?
--
James Antill <jantill@redhat.com>
[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Abnormal End of Processes
2007-04-18 16:47 ` James Antill
@ 2007-04-18 17:27 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2007-04-18 17:27 UTC (permalink / raw)
To: James Antill; +Cc: Linux Audit
On Wednesday 18 April 2007 12:47, James Antill wrote:
> Does this deal with the case where the application catches SIGSEGV, and
> then calls abort() (or just raises SIGABRT).
>From this hook, no. It just doesn't have the visibility for that.
> Also in a more general way, I'm pretty sure you'd also want to know
> whenever abort()/raise(SIGABORT) is done, at least all the times I've
> seen those calls it's the same thing as a SIGSEGV situation from the
> applications POV.
Not really, there are a surprising number of apps that consider abort() to be
a normal way of exiting when there's a minor problem. I've never seen any app
catch SIGSEGV and then raise(sigabort).
> The only thing I can think against this is that _very rarely_ a
> sysadmin will do a "kill -ABRT" to stop a problem application ... which
> I assume is why you've filtered it?
No, its because you get a lot of programs ending with abort - hald-addon-acpi
and dhcdbd to name a couple.
> But even then is a "spurious" audit event that bad?
It was frequent enough I didn't want that noise in the logs at this point. If
those applications get cleaned up, I think we could allow abort() to go
through.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Abnormal End of Processes
2007-04-18 16:09 Abnormal End of Processes Steve Grubb
2007-04-18 16:47 ` James Antill
@ 2007-04-18 20:06 ` Alexander Viro
1 sibling, 0 replies; 4+ messages in thread
From: Alexander Viro @ 2007-04-18 20:06 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
On Wed, Apr 18, 2007 at 12:09:50PM -0400, Steve Grubb wrote:
> Hi,
>
> I have been working on some code that detects abnormal events based on
> audit system events. One kind of event that we currently have no visibility for is
> when a program terminates due to segfault - which should never happen on a
> production machine. And if it did, you'd want to investigate it. Attached is a
> patch that collects these events and sends them into the audit system.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
I'd suggest taking that into a separate function somewhere in kernel/audit*.c;
no need to clutter fs/exec.c with it. Leave if (unlikely(audit_enabled)) in
inlined wrapper as usual, pass signr as argument...
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-04-18 20:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-04-18 16:09 Abnormal End of Processes Steve Grubb
2007-04-18 16:47 ` James Antill
2007-04-18 17:27 ` Steve Grubb
2007-04-18 20:06 ` Alexander Viro
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox