linux-audit.redhat.com archive mirror
* [PATCH 1/2] Audit: break up execve arguments into multiple records
@ 2007-10-02 21:25 Eric Paris
  2007-10-03 17:13 ` Steve Grubb
  2007-10-03 17:27 ` Steve Grubb
  0 siblings, 2 replies; 6+ messages in thread
From: Eric Paris @ 2007-10-02 21:25 UTC (permalink / raw)
  To: linux-audit

Break the auditing of execve arguments into smaller records if there are
a lot.  Currently the limit is 32k if audit is on (intended to fit in a
single netlink message) but userspace actually has trouble a little over
8k.  This patch takes long argument lists and just emits them in
sequential records.  We log all of them and userspace is happy!  It also
means we don't need as much kernel memory to hold the buffer while we
build that one huge record.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 kernel/auditsc.c |   39 +++++++++++++++++++++++++++++++++------
 1 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 04f3ffb..f9f61db 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -819,11 +819,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 	return rc;
 }
 
-static void audit_log_execve_info(struct audit_buffer *ab,
+static void audit_log_execve_info(struct audit_context *context,
+		struct audit_buffer **ab,
 		struct audit_aux_data_execve *axi)
 {
 	int i;
-	long len, ret;
+	long len, ret, len_sent = 0;
 	const char __user *p;
 	char *buf;
 
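Review bot: the new `struct audit_buffer **ab` signature changes the contract of audit_log_execve_info without documenting it: the function may now end the caller's buffer, replace it with one it started itself, or leave `*ab` NULL when audit_log_start fails. A short comment above the definition stating that the caller must audit_log_end whatever `*ab` holds on return, and must tolerate NULL, would save the next person touching audit_log_exit from having to read the loop body to learn this.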
@@ -833,7 +834,11 @@ static void audit_log_execve_info(struct audit_buffer *ab,
 	p = (const char __user *)axi->mm->arg_start;
 
 	for (i = 0; i < axi->argc; i++, p += len) {
+		char tmp_buf[12];
+		/* how many digits are in i? */
+		int i_len = snprintf(tmp_buf, 12, "%d", i);
+
 		len = strnlen_user(p, MAX_ARG_STRLEN);
 		/*
 		 * We just created this mm, if we can't find the strings
 		 * we just copied into it something is _very_ wrong. Similar
@@ -862,9 +867,31 @@ static void audit_log_execve_info(struct audit_buffer *ab,
 			send_sig(SIGKILL, current, 0);
 		}
 
-		audit_log_format(ab, "a%d=", i);
-		audit_log_untrustedstring(ab, buf);
-		audit_log_format(ab, "\n");
+		/*
+		 * If there are a lot of args just break them into multiple
+		 * messages.  the last ab started will get closed by the
+		 * caller.
+		 *
+		 * 7500 bytes just seemed like an arbitrily large enough
+		 * number to minimize message and keep allocations in
+		 * in audit_expand nice and small. (some audit userspace
+		 * can't handle messages > ~8k)
+		 *
+		 * add +3 because we know at least a = and \n will be sent
+		 * as well as the number of digits in i (i_len).
+		 */
+		len_sent += (len + 3 + i_len);
+		if (len_sent > 7500) {
+			len_sent = len + 3 + i_len;
+			audit_log_end(*ab);
+			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
+			if (!*ab)
+				return;
+		}
+
+		audit_log_format(*ab, "a%d=", i);
+		audit_log_untrustedstring(*ab, buf);
+		audit_log_format(*ab, "\n");
 
 		kfree(buf);
 	}
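Review bot: the early `return` after `audit_log_start` fails skips the `kfree(buf)` at the bottom of the loop, so the argument copy leaks on every such failure; free `buf` before returning, or `break` so the existing kfree runs. Two smaller points: `len_sent` adds the raw string length, but audit_log_untrustedstring emits either a double-quoted form (+2 bytes) or, for strings containing a space, quote or control character, a hex encoding at twice the length, so a record can overshoot the 7500 budget by up to 2x and the comment's "at least a = and \n" estimate is optimistic; and 7500 appears as a bare magic number, so a named constant carrying the "some userspace can't handle > ~8k" rationale would document the choice. Typos in the comment: "arbitrily", "in in audit_expand".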
@@ -1010,7 +1037,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
 		case AUDIT_EXECVE: {
 			struct audit_aux_data_execve *axi = (void *)aux;
-			audit_log_execve_info(ab, axi);
+			audit_log_execve_info(context, &ab, axi);
 			break; }
 
 		case AUDIT_SOCKETCALL: {
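Review bot: with `&ab` passed here, `ab` may come back pointing at a freshly started buffer or at NULL, so whatever follows this switch to end the aux record must tolerate both; a one-line comment at the call site (`/* may replace or NULL out ab */`) would make the side effect visible, since every other `case` in this switch still uses `ab` by value and a reader has no reason to expect it to change.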


* Re: [PATCH 1/2] Audit: break up execve arguments into multiple records
  2007-10-02 21:25 [PATCH 1/2] Audit: break up execve arguments into multiple records Eric Paris
@ 2007-10-03 17:13 ` Steve Grubb
       [not found]   ` <1191432118.9506.38.camel@localhost.localdomain>
  2007-10-03 17:44   ` Eric Paris
  2007-10-03 17:27 ` Steve Grubb
  1 sibling, 2 replies; 6+ messages in thread
From: Steve Grubb @ 2007-10-03 17:13 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-audit

On Tuesday 02 October 2007 17:25:34 Eric Paris wrote:
> Break the auditing of execve arguments into smaller records if there are
> a lot.

Do you have an example of what the event would look like with this patch 
applied?

Thanks,
-Steve


* Re: [PATCH 1/2] Audit: break up execve arguments into multiple records
       [not found]   ` <1191432118.9506.38.camel@localhost.localdomain>
@ 2007-10-03 17:26     ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2007-10-03 17:26 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-audit

On Wednesday 03 October 2007 13:21:58 Eric Paris wrote:
> > Do you have an example of what the event would look like with this patch
> > applied?
>
> attached.  That is 100k or so of execve args, wow!

Looks good, thanks. I just wanted to make sure everyone could see how this 
would turn out.

-Steve


* Re: [PATCH 1/2] Audit: break up execve arguments into multiple records
  2007-10-02 21:25 [PATCH 1/2] Audit: break up execve arguments into multiple records Eric Paris
  2007-10-03 17:13 ` Steve Grubb
@ 2007-10-03 17:27 ` Steve Grubb
  1 sibling, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2007-10-03 17:27 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-audit

On Tuesday 02 October 2007 17:25:34 Eric Paris wrote:
> Break the auditing of execve arguments into smaller records if there are
> a lot.  Currently the limit is 32k if audit is on (intended to fit in a
> single netlink message) but userspace actually has trouble a little over
> 8k.  This patch takes long argument lists and just emits them in
> sequential records.  We log all of them and userspace is happy!  It also
> means we don't need as much kernel memory to hold the buffer while we
> build that one huge record.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>

Acked-by: Steve Grubb <sgrubb@redhat.com>

> ---
>  kernel/auditsc.c |   39 +++++++++++++++++++++++++++++++++------
>  1 files changed, 33 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 04f3ffb..f9f61db 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -819,11 +819,12 @@ static int audit_log_pid_context(struct audit_context
> *context, pid_t pid, return rc;
>  }
>
> -static void audit_log_execve_info(struct audit_buffer *ab,
> +static void audit_log_execve_info(struct audit_context *context,
> +		struct audit_buffer **ab,
>  		struct audit_aux_data_execve *axi)
>  {
>  	int i;
> -	long len, ret;
> +	long len, ret, len_sent = 0;
>  	const char __user *p;
>  	char *buf;
>
> @@ -833,7 +834,11 @@ static void audit_log_execve_info(struct audit_buffer
> *ab, p = (const char __user *)axi->mm->arg_start;
>
>  	for (i = 0; i < axi->argc; i++, p += len) {
> +		char tmp_buf[12];
> +		/* how many digits are in i? */
> +		int i_len = snprintf(tmp_buf, 12, "%d", i);
> +
>  		len = strnlen_user(p, MAX_ARG_STRLEN);
>  		/*
>  		 * We just created this mm, if we can't find the strings
>  		 * we just copied into it something is _very_ wrong. Similar
> @@ -862,9 +867,31 @@ static void audit_log_execve_info(struct audit_buffer
> *ab, send_sig(SIGKILL, current, 0);
>  		}
>
> -		audit_log_format(ab, "a%d=", i);
> -		audit_log_untrustedstring(ab, buf);
> -		audit_log_format(ab, "\n");
> +		/*
> +		 * If there are a lot of args just break them into multiple
> +		 * messages.  the last ab started will get closed by the
> +		 * caller.
> +		 *
> +		 * 7500 bytes just seemed like an arbitrily large enough
> +		 * number to minimize message and keep allocations in
> +		 * in audit_expand nice and small. (some audit userspace
> +		 * can't handle messages > ~8k)
> +		 *
> +		 * add +3 because we know at least a = and \n will be sent
> +		 * as well as the number of digits in i (i_len).
> +		 */
> +		len_sent += (len + 3 + i_len);
> +		if (len_sent > 7500) {
> +			len_sent = len + 3 + i_len;
> +			audit_log_end(*ab);
> +			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
> +			if (!*ab)
> +				return;
> +		}
> +
> +		audit_log_format(*ab, "a%d=", i);
> +		audit_log_untrustedstring(*ab, buf);
> +		audit_log_format(*ab, "\n");
>
>  		kfree(buf);
>  	}
> @@ -1010,7 +1037,7 @@ static void audit_log_exit(struct audit_context
> *context, struct task_struct *ts
>
>  		case AUDIT_EXECVE: {
>  			struct audit_aux_data_execve *axi = (void *)aux;
> -			audit_log_execve_info(ab, axi);
> +			audit_log_execve_info(context, &ab, axi);
>  			break; }
>
>  		case AUDIT_SOCKETCALL: {


* Re: [PATCH 1/2] Audit: break up execve arguments into multiple records
  2007-10-03 17:13 ` Steve Grubb
       [not found]   ` <1191432118.9506.38.camel@localhost.localdomain>
@ 2007-10-03 17:44   ` Eric Paris
  2007-10-04 21:26     ` Valdis.Kletnieks
  1 sibling, 1 reply; 6+ messages in thread
From: Eric Paris @ 2007-10-03 17:44 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Wed, 2007-10-03 at 13:13 -0400, Steve Grubb wrote:
> On Tuesday 02 October 2007 17:25:34 Eric Paris wrote:
> > Break the auditing of execve arguments into smaller records if there are
> > a lot.
> 
> Do you have an example of what the event would look like with this patch 
> applied?
> 
> Thanks,
> -Steve

Attached is a log with about 1200 arguments.  My first attachment was of
a single execve with about 800k worth of arguments!  But it was rather
large and the list wouldn't have liked it.  Hopefully this attachment is
still big enough to amaze and small enough to download.  *smile*

-Eric



[-- Attachment #2: audit.log --]
[-- Type: text/x-log, Size: 24559 bytes --]


type=CONFIG_CHANGE msg=audit(1191433486.837:3358): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key=(null) list=4 res=1
type=CONFIG_CHANGE msg=audit(1191433509.993:3359): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null) list=4 res=1
type=SYSCALL msg=audit(1191433516.461:3360): arch=c000003e syscall=59 success=yes exit=0 a0=702b70 a1=71ec10 a2=7028f0 a3=0 items=2 ppid=5958 pid=17956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ls" exe="/bin/ls" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1191433516.461:3360): a0="ls" a1="--color=tty" a2="dir10/file1" a3="dir10/file10" a4="dir10/file11" a5="dir10/file12" a6="dir10/file13" a7="dir10/file14" a8="dir10/file15" a9="dir10/file16" a10="dir10/file17" a11="dir10/file18" a12="dir10/file19" a13="dir10/file2" a14="dir10/file20" a15="dir10/file21" a16="dir10/file22" a17="dir10/file23" a18="dir10/file24" a19="dir10/file25" a20="dir10/file26" a21="dir10/file27" a22="dir10/file28" a23="dir10/file29" a24="dir10/file3" a25="dir10/file30" a26="dir10/file31" a27="dir10/file32" a28="dir10/file33" a29="dir10/file34" a30="dir10/file35" a31="dir10/file36" a32="dir10/file37" a33="dir10/file38" a34="dir10/file39" a35="dir10/file4" a36="dir10/file40" a37="dir10/file41" a38="dir10/file42" a39="dir10/file43" a40="dir10/file44" a41="dir10/file45" a42="dir10/file46" a43="dir10/file47" a44="dir10/file48" a45="dir10/file49" a46="dir10/file5" a47="dir10/file50" a48="dir10/file6" a49="dir10/file7" a50="dir10/file8" a51="dir10/file9" a52="dir11/file1" a53="dir11/file10" a54="dir11/file11" a55="dir11/file12" a56="dir11/file13" a57="dir11/file14" a58="dir11/file15" a59="dir11/file16" a60="dir11/file17" a61="dir11/file18" a62="dir11/file19" a63="dir11/file2" a64="dir11/file20" a65="dir11/file21" a66="dir11/file22" a67="dir11/file23" a68="dir11/file24" a69="dir11/file25" a70="dir11/file26" a71="dir11/file27" a72="dir11/file28" a73="dir11/file29" a74="dir11/file3" a75="dir11/file30" a76="dir11/file31" a77="dir11/file32" a78="dir11/file33" a79="dir11/file34" a80="dir11/file35" a81="dir11/file36" a82="dir11/file37" a83="dir11/file38" a84="dir11/file39" a85="dir11/file4" a86="dir11/file40" a87="dir11/file41" a88="dir11/file42" a89="dir11/file43" a90="dir11/file44" a91="dir11/file45" a92="dir11/file46" a93="dir11/file47" a94="dir11/file48" a95="dir11/file49" a96="dir11/file5" a97="dir11/file50" a98="dir11/file6" a99="dir11/file7" a100="dir11/file8" a101="dir11/file9" a102="dir12/file1" a103="dir12/file10" 
a104="dir12/file11" a105="dir12/file12" a106="dir12/file13" a107="dir12/file14" a108="dir12/file15" a109="dir12/file16" a110="dir12/file17" a111="dir12/file18" a112="dir12/file19" a113="dir12/file2" a114="dir12/file20" a115="dir12/file21" a116="dir12/file22" a117="dir12/file23" a118="dir12/file24" a119="dir12/file25" a120="dir12/file26" a121="dir12/file27" a122="dir12/file28" a123="dir12/file29" a124="dir12/file3" a125="dir12/file30" a126="dir12/file31" a127="dir12/file32" a128="dir12/file33" a129="dir12/file34" a130="dir12/file35" a131="dir12/file36" a132="dir12/file37" a133="dir12/file38" a134="dir12/file39" a135="dir12/file4" a136="dir12/file40" a137="dir12/file41" a138="dir12/file42" a139="dir12/file43" a140="dir12/file44" a141="dir12/file45" a142="dir12/file46" a143="dir12/file47" a144="dir12/file48" a145="dir12/file49" a146="dir12/file5" a147="dir12/file50" a148="dir12/file6" a149="dir12/file7" a150="dir12/file8" a151="dir12/file9" a152="dir13/file1" a153="dir13/file10" a154="dir13/file11" a155="dir13/file12" a156="dir13/file13" a157="dir13/file14" a158="dir13/file15" a159="dir13/file16" a160="dir13/file17" a161="dir13/file18" a162="dir13/file19" a163="dir13/file2" a164="dir13/file20" a165="dir13/file21" a166="dir13/file22" a167="dir13/file23" a168="dir13/file24" a169="dir13/file25" a170="dir13/file26" a171="dir13/file27" a172="dir13/file28" a173="dir13/file29" a174="dir13/file3" a175="dir13/file30" a176="dir13/file31" a177="dir13/file32" a178="dir13/file33" a179="dir13/file34" a180="dir13/file35" a181="dir13/file36" a182="dir13/file37" a183="dir13/file38" a184="dir13/file39" a185="dir13/file4" a186="dir13/file40" a187="dir13/file41" a188="dir13/file42" a189="dir13/file43" a190="dir13/file44" a191="dir13/file45" a192="dir13/file46" a193="dir13/file47" a194="dir13/file48" a195="dir13/file49" a196="dir13/file5" a197="dir13/file50" a198="dir13/file6" a199="dir13/file7" a200="dir13/file8" a201="dir13/file9" a202="dir14/file1" a203="dir14/file10" 
a204="dir14/file11" a205="dir14/file12" a206="dir14/file13" a207="dir14/file14" a208="dir14/file15" a209="dir14/file16" a210="dir14/file17" a211="dir14/file18" a212="dir14/file19" a213="dir14/file2" a214="dir14/file20" a215="dir14/file21" a216="dir14/file22" a217="dir14/file23" a218="dir14/file24" a219="dir14/file25" a220="dir14/file26" a221="dir14/file27" a222="dir14/file28" a223="dir14/file29" a224="dir14/file3" a225="dir14/file30" a226="dir14/file31" a227="dir14/file32" a228="dir14/file33" a229="dir14/file34" a230="dir14/file35" a231="dir14/file36" a232="dir14/file37" a233="dir14/file38" a234="dir14/file39" a235="dir14/file4" a236="dir14/file40" a237="dir14/file41" a238="dir14/file42" a239="dir14/file43" a240="dir14/file44" a241="dir14/file45" a242="dir14/file46" a243="dir14/file47" a244="dir14/file48" a245="dir14/file49" a246="dir14/file5" a247="dir14/file50" a248="dir14/file6" a249="dir14/file7" a250="dir14/file8" a251="dir14/file9" a252="dir15/file1" a253="dir15/file10" a254="dir15/file11" a255="dir15/file12" a256="dir15/file13" a257="dir15/file14" a258="dir15/file15" a259="dir15/file16" a260="dir15/file17" a261="dir15/file18" a262="dir15/file19" a263="dir15/file2" a264="dir15/file20" a265="dir15/file21" a266="dir15/file22" a267="dir15/file23" a268="dir15/file24" a269="dir15/file25" a270="dir15/file26" a271="dir15/file27" a272="dir15/file28" a273="dir15/file29" a274="dir15/file3" a275="dir15/file30" a276="dir15/file31" a277="dir15/file32" a278="dir15/file33" a279="dir15/file34" a280="dir15/file35" a281="dir15/file36" a282="dir15/file37" a283="dir15/file38" a284="dir15/file39" a285="dir15/file4" a286="dir15/file40" a287="dir15/file41" a288="dir15/file42" a289="dir15/file43" a290="dir15/file44" a291="dir15/file45" a292="dir15/file46" a293="dir15/file47" a294="dir15/file48" a295="dir15/file49" a296="dir15/file5" a297="dir15/file50" a298="dir15/file6" a299="dir15/file7" a300="dir15/file8" a301="dir15/file9" a302="dir16/file1" a303="dir16/file10" 
a304="dir16/file11" a305="dir16/file12" a306="dir16/file13" a307="dir16/file14" a308="dir16/file15" a309="dir16/file16" a310="dir16/file17" a311="dir16/file18" a312="dir16/file19" a313="dir16/file2" a314="dir16/file20" a315="dir16/file21" a316="dir16/file22" a317="dir16/file23" a318="dir16/file24" a319="dir16/file25" a320="dir16/file26" a321="dir16/file27" a322="dir16/file28" a323="dir16/file29" a324="dir16/file3" a325="dir16/file30" a326="dir16/file31" a327="dir16/file32" a328="dir16/file33" a329="dir16/file34" a330="dir16/file35" a331="dir16/file36" a332="dir16/file37" a333="dir16/file38" a334="dir16/file39" a335="dir16/file4" a336="dir16/file40" a337="dir16/file41" a338="dir16/file42" a339="dir16/file43" a340="dir16/file44" a341="dir16/file45" a342="dir16/file46" a343="dir16/file47" a344="dir16/file48" a345="dir16/file49" a346="dir16/file5" a347="dir16/file50" a348="dir16/file6" a349="dir16/file7" a350="dir16/file8" a351="dir16/file9" a352="dir17/file1" a353="dir17/file10" a354="dir17/file11" a355="dir17/file12" a356="dir17/file13" a357="dir17/file14" a358="dir17/file15" a359="dir17/file16" a360="dir17/file17" a361="dir17/file18" a362="dir17/file19" a363="dir17/file2" a364="dir17/file20" a365="dir17/file21" a366="dir17/file22" a367="dir17/file23" a368="dir17/file24" a369="dir17/file25" a370="dir17/file26" a371="dir17/file27" a372="dir17/file28" a373="dir17/file29" a374="dir17/file3" a375="dir17/file30" a376="dir17/file31" a377="dir17/file32" a378="dir17/file33" a379="dir17/file34" a380="dir17/file35" a381="dir17/file36" a382="dir17/file37" a383="dir17/file38" a384="dir17/file39" a385="dir17/file4" a386="dir17/file40" a387="dir17/file41" a388="dir17/file42" a389="dir17/file43" a390="dir17/file44" a391="dir17/file45" a392="dir17/file46" a393="dir17/file47" a394="dir17/file48" a395="dir17/file49" a396="dir17/file5" a397="dir17/file50" a398="dir17/file6" a399="dir17/file7" a400="dir17/file8" a401="dir17/file9" a402="dir18/file1" a403="dir18/file10" 
type=EXECVE msg=audit(1191433516.461:3360): a404="dir18/file11" a405="dir18/file12" a406="dir18/file13" a407="dir18/file14" a408="dir18/file15" a409="dir18/file16" a410="dir18/file17" a411="dir18/file18" a412="dir18/file19" a413="dir18/file2" a414="dir18/file20" a415="dir18/file21" a416="dir18/file22" a417="dir18/file23" a418="dir18/file24" a419="dir18/file25" a420="dir18/file26" a421="dir18/file27" a422="dir18/file28" a423="dir18/file29" a424="dir18/file3" a425="dir18/file30" a426="dir18/file31" a427="dir18/file32" a428="dir18/file33" a429="dir18/file34" a430="dir18/file35" a431="dir18/file36" a432="dir18/file37" a433="dir18/file38" a434="dir18/file39" a435="dir18/file4" a436="dir18/file40" a437="dir18/file41" a438="dir18/file42" a439="dir18/file43" a440="dir18/file44" a441="dir18/file45" a442="dir18/file46" a443="dir18/file47" a444="dir18/file48" a445="dir18/file49" a446="dir18/file5" a447="dir18/file50" a448="dir18/file6" a449="dir18/file7" a450="dir18/file8" a451="dir18/file9" a452="dir19/file1" a453="dir19/file10" a454="dir19/file11" a455="dir19/file12" a456="dir19/file13" a457="dir19/file14" a458="dir19/file15" a459="dir19/file16" a460="dir19/file17" a461="dir19/file18" a462="dir19/file19" a463="dir19/file2" a464="dir19/file20" a465="dir19/file21" a466="dir19/file22" a467="dir19/file23" a468="dir19/file24" a469="dir19/file25" a470="dir19/file26" a471="dir19/file27" a472="dir19/file28" a473="dir19/file29" a474="dir19/file3" a475="dir19/file30" a476="dir19/file31" a477="dir19/file32" a478="dir19/file33" a479="dir19/file34" a480="dir19/file35" a481="dir19/file36" a482="dir19/file37" a483="dir19/file38" a484="dir19/file39" a485="dir19/file4" a486="dir19/file40" a487="dir19/file41" a488="dir19/file42" a489="dir19/file43" a490="dir19/file44" a491="dir19/file45" a492="dir19/file46" a493="dir19/file47" a494="dir19/file48" a495="dir19/file49" a496="dir19/file5" a497="dir19/file50" a498="dir19/file6" a499="dir19/file7" a500="dir19/file8" a501="dir19/file9" 
a502="dir1/file1" a503="dir1/file10" a504="dir1/file11" a505="dir1/file12" a506="dir1/file13" a507="dir1/file14" a508="dir1/file15" a509="dir1/file16" a510="dir1/file17" a511="dir1/file18" a512="dir1/file19" a513="dir1/file2" a514="dir1/file20" a515="dir1/file21" a516="dir1/file22" a517="dir1/file23" a518="dir1/file24" a519="dir1/file25" a520="dir1/file26" a521="dir1/file27" a522="dir1/file28" a523="dir1/file29" a524="dir1/file3" a525="dir1/file30" a526="dir1/file31" a527="dir1/file32" a528="dir1/file33" a529="dir1/file34" a530="dir1/file35" a531="dir1/file36" a532="dir1/file37" a533="dir1/file38" a534="dir1/file39" a535="dir1/file4" a536="dir1/file40" a537="dir1/file41" a538="dir1/file42" a539="dir1/file43" a540="dir1/file44" a541="dir1/file45" a542="dir1/file46" a543="dir1/file47" a544="dir1/file48" a545="dir1/file49" a546="dir1/file5" a547="dir1/file50" a548="dir1/file6" a549="dir1/file7" a550="dir1/file8" a551="dir1/file9" a552="dir20/file1" a553="dir20/file10" a554="dir20/file11" a555="dir20/file12" a556="dir20/file13" a557="dir20/file14" a558="dir20/file15" a559="dir20/file16" a560="dir20/file17" a561="dir20/file18" a562="dir20/file19" a563="dir20/file2" a564="dir20/file20" a565="dir20/file21" a566="dir20/file22" a567="dir20/file23" a568="dir20/file24" a569="dir20/file25" a570="dir20/file26" a571="dir20/file27" a572="dir20/file28" a573="dir20/file29" a574="dir20/file3" a575="dir20/file30" a576="dir20/file31" a577="dir20/file32" a578="dir20/file33" a579="dir20/file34" a580="dir20/file35" a581="dir20/file36" a582="dir20/file37" a583="dir20/file38" a584="dir20/file39" a585="dir20/file4" a586="dir20/file40" a587="dir20/file41" a588="dir20/file42" a589="dir20/file43" a590="dir20/file44" a591="dir20/file45" a592="dir20/file46" a593="dir20/file47" a594="dir20/file48" a595="dir20/file49" a596="dir20/file5" a597="dir20/file50" a598="dir20/file6" a599="dir20/file7" a600="dir20/file8" a601="dir20/file9" a602="dir21/file1" a603="dir21/file10" a604="dir21/file11" 
a605="dir21/file12" a606="dir21/file13" a607="dir21/file14" a608="dir21/file15" a609="dir21/file16" a610="dir21/file17" a611="dir21/file18" a612="dir21/file19" a613="dir21/file2" a614="dir21/file20" a615="dir21/file21" a616="dir21/file22" a617="dir21/file23" a618="dir21/file24" a619="dir21/file25" a620="dir21/file26" a621="dir21/file27" a622="dir21/file28" a623="dir21/file29" a624="dir21/file3" a625="dir21/file30" a626="dir21/file31" a627="dir21/file32" a628="dir21/file33" a629="dir21/file34" a630="dir21/file35" a631="dir21/file36" a632="dir21/file37" a633="dir21/file38" a634="dir21/file39" a635="dir21/file4" a636="dir21/file40" a637="dir21/file41" a638="dir21/file42" a639="dir21/file43" a640="dir21/file44" a641="dir21/file45" a642="dir21/file46" a643="dir21/file47" a644="dir21/file48" a645="dir21/file49" a646="dir21/file5" a647="dir21/file50" a648="dir21/file6" a649="dir21/file7" a650="dir21/file8" a651="dir21/file9" a652="dir22/file1" a653="dir22/file10" a654="dir22/file11" a655="dir22/file12" a656="dir22/file13" a657="dir22/file14" a658="dir22/file15" a659="dir22/file16" a660="dir22/file17" a661="dir22/file18" a662="dir22/file19" a663="dir22/file2" a664="dir22/file20" a665="dir22/file21" a666="dir22/file22" a667="dir22/file23" a668="dir22/file24" a669="dir22/file25" a670="dir22/file26" a671="dir22/file27" a672="dir22/file28" a673="dir22/file29" a674="dir22/file3" a675="dir22/file30" a676="dir22/file31" a677="dir22/file32" a678="dir22/file33" a679="dir22/file34" a680="dir22/file35" a681="dir22/file36" a682="dir22/file37" a683="dir22/file38" a684="dir22/file39" a685="dir22/file4" a686="dir22/file40" a687="dir22/file41" a688="dir22/file42" a689="dir22/file43" a690="dir22/file44" a691="dir22/file45" a692="dir22/file46" a693="dir22/file47" a694="dir22/file48" a695="dir22/file49" a696="dir22/file5" a697="dir22/file50" a698="dir22/file6" a699="dir22/file7" a700="dir22/file8" a701="dir22/file9" a702="dir23/file1" a703="dir23/file10" a704="dir23/file11" 
a705="dir23/file12" a706="dir23/file13" a707="dir23/file14" a708="dir23/file15" a709="dir23/file16" a710="dir23/file17" a711="dir23/file18" a712="dir23/file19" a713="dir23/file2" a714="dir23/file20" a715="dir23/file21" a716="dir23/file22" a717="dir23/file23" a718="dir23/file24" a719="dir23/file25" a720="dir23/file26" a721="dir23/file27" a722="dir23/file28" a723="dir23/file29" a724="dir23/file3" a725="dir23/file30" a726="dir23/file31" a727="dir23/file32" a728="dir23/file33" a729="dir23/file34" a730="dir23/file35" a731="dir23/file36" a732="dir23/file37" a733="dir23/file38" a734="dir23/file39" a735="dir23/file4" a736="dir23/file40" a737="dir23/file41" a738="dir23/file42" a739="dir23/file43" a740="dir23/file44" a741="dir23/file45" a742="dir23/file46" a743="dir23/file47" a744="dir23/file48" a745="dir23/file49" a746="dir23/file5" a747="dir23/file50" a748="dir23/file6" a749="dir23/file7" a750="dir23/file8" a751="dir23/file9" a752="dir24/file1" a753="dir24/file10" a754="dir24/file11" a755="dir24/file12" a756="dir24/file13" a757="dir24/file14" a758="dir24/file15" a759="dir24/file16" a760="dir24/file17" a761="dir24/file18" a762="dir24/file19" a763="dir24/file2" a764="dir24/file20" a765="dir24/file21" a766="dir24/file22" a767="dir24/file23" a768="dir24/file24" a769="dir24/file25" a770="dir24/file26" a771="dir24/file27" a772="dir24/file28" a773="dir24/file29" a774="dir24/file3" a775="dir24/file30" a776="dir24/file31" a777="dir24/file32" a778="dir24/file33" a779="dir24/file34" a780="dir24/file35" a781="dir24/file36" a782="dir24/file37" a783="dir24/file38" a784="dir24/file39" a785="dir24/file4" a786="dir24/file40" a787="dir24/file41" a788="dir24/file42" a789="dir24/file43" a790="dir24/file44" a791="dir24/file45" a792="dir24/file46" a793="dir24/file47" a794="dir24/file48" a795="dir24/file49" a796="dir24/file5" a797="dir24/file50" a798="dir24/file6" a799="dir24/file7" a800="dir24/file8" a801="dir24/file9" a802="dir2/file1" a803="dir2/file10" a804="dir2/file11" 
type=EXECVE msg=audit(1191433516.461:3360): a805="dir2/file12" a806="dir2/file13" a807="dir2/file14" a808="dir2/file15" a809="dir2/file16" a810="dir2/file17" a811="dir2/file18" a812="dir2/file19" a813="dir2/file2" a814="dir2/file20" a815="dir2/file21" a816="dir2/file22" a817="dir2/file23" a818="dir2/file24" a819="dir2/file25" a820="dir2/file26" a821="dir2/file27" a822="dir2/file28" a823="dir2/file29" a824="dir2/file3" a825="dir2/file30" a826="dir2/file31" a827="dir2/file32" a828="dir2/file33" a829="dir2/file34" a830="dir2/file35" a831="dir2/file36" a832="dir2/file37" a833="dir2/file38" a834="dir2/file39" a835="dir2/file4" a836="dir2/file40" a837="dir2/file41" a838="dir2/file42" a839="dir2/file43" a840="dir2/file44" a841="dir2/file45" a842="dir2/file46" a843="dir2/file47" a844="dir2/file48" a845="dir2/file49" a846="dir2/file5" a847="dir2/file50" a848="dir2/file6" a849="dir2/file7" a850="dir2/file8" a851="dir2/file9" a852="dir3/file1" a853="dir3/file10" a854="dir3/file11" a855="dir3/file12" a856="dir3/file13" a857="dir3/file14" a858="dir3/file15" a859="dir3/file16" a860="dir3/file17" a861="dir3/file18" a862="dir3/file19" a863="dir3/file2" a864="dir3/file20" a865="dir3/file21" a866="dir3/file22" a867="dir3/file23" a868="dir3/file24" a869="dir3/file25" a870="dir3/file26" a871="dir3/file27" a872="dir3/file28" a873="dir3/file29" a874="dir3/file3" a875="dir3/file30" a876="dir3/file31" a877="dir3/file32" a878="dir3/file33" a879="dir3/file34" a880="dir3/file35" a881="dir3/file36" a882="dir3/file37" a883="dir3/file38" a884="dir3/file39" a885="dir3/file4" a886="dir3/file40" a887="dir3/file41" a888="dir3/file42" a889="dir3/file43" a890="dir3/file44" a891="dir3/file45" a892="dir3/file46" a893="dir3/file47" a894="dir3/file48" a895="dir3/file49" a896="dir3/file5" a897="dir3/file50" a898="dir3/file6" a899="dir3/file7" a900="dir3/file8" a901="dir3/file9" a902="dir4/file1" a903="dir4/file10" a904="dir4/file11" a905="dir4/file12" a906="dir4/file13" a907="dir4/file14" 
a908="dir4/file15" a909="dir4/file16" a910="dir4/file17" a911="dir4/file18" a912="dir4/file19" a913="dir4/file2" a914="dir4/file20" a915="dir4/file21" a916="dir4/file22" a917="dir4/file23" a918="dir4/file24" a919="dir4/file25" a920="dir4/file26" a921="dir4/file27" a922="dir4/file28" a923="dir4/file29" a924="dir4/file3" a925="dir4/file30" a926="dir4/file31" a927="dir4/file32" a928="dir4/file33" a929="dir4/file34" a930="dir4/file35" a931="dir4/file36" a932="dir4/file37" a933="dir4/file38" a934="dir4/file39" a935="dir4/file4" a936="dir4/file40" a937="dir4/file41" a938="dir4/file42" a939="dir4/file43" a940="dir4/file44" a941="dir4/file45" a942="dir4/file46" a943="dir4/file47" a944="dir4/file48" a945="dir4/file49" a946="dir4/file5" a947="dir4/file50" a948="dir4/file6" a949="dir4/file7" a950="dir4/file8" a951="dir4/file9" a952="dir5/file1" a953="dir5/file10" a954="dir5/file11" a955="dir5/file12" a956="dir5/file13" a957="dir5/file14" a958="dir5/file15" a959="dir5/file16" a960="dir5/file17" a961="dir5/file18" a962="dir5/file19" a963="dir5/file2" a964="dir5/file20" a965="dir5/file21" a966="dir5/file22" a967="dir5/file23" a968="dir5/file24" a969="dir5/file25" a970="dir5/file26" a971="dir5/file27" a972="dir5/file28" a973="dir5/file29" a974="dir5/file3" a975="dir5/file30" a976="dir5/file31" a977="dir5/file32" a978="dir5/file33" a979="dir5/file34" a980="dir5/file35" a981="dir5/file36" a982="dir5/file37" a983="dir5/file38" a984="dir5/file39" a985="dir5/file4" a986="dir5/file40" a987="dir5/file41" a988="dir5/file42" a989="dir5/file43" a990="dir5/file44" a991="dir5/file45" a992="dir5/file46" a993="dir5/file47" a994="dir5/file48" a995="dir5/file49" a996="dir5/file5" a997="dir5/file50" a998="dir5/file6" a999="dir5/file7" a1000="dir5/file8" a1001="dir5/file9" a1002="dir6/file1" a1003="dir6/file10" a1004="dir6/file11" a1005="dir6/file12" a1006="dir6/file13" a1007="dir6/file14" a1008="dir6/file15" a1009="dir6/file16" a1010="dir6/file17" a1011="dir6/file18" a1012="dir6/file19" 
a1013="dir6/file2" a1014="dir6/file20" a1015="dir6/file21" a1016="dir6/file22" a1017="dir6/file23" a1018="dir6/file24" a1019="dir6/file25" a1020="dir6/file26" a1021="dir6/file27" a1022="dir6/file28" a1023="dir6/file29" a1024="dir6/file3" a1025="dir6/file30" a1026="dir6/file31" a1027="dir6/file32" a1028="dir6/file33" a1029="dir6/file34" a1030="dir6/file35" a1031="dir6/file36" a1032="dir6/file37" a1033="dir6/file38" a1034="dir6/file39" a1035="dir6/file4" a1036="dir6/file40" a1037="dir6/file41" a1038="dir6/file42" a1039="dir6/file43" a1040="dir6/file44" a1041="dir6/file45" a1042="dir6/file46" a1043="dir6/file47" a1044="dir6/file48" a1045="dir6/file49" a1046="dir6/file5" a1047="dir6/file50" a1048="dir6/file6" a1049="dir6/file7" a1050="dir6/file8" a1051="dir6/file9" a1052="dir7/file1" a1053="dir7/file10" a1054="dir7/file11" a1055="dir7/file12" a1056="dir7/file13" a1057="dir7/file14" a1058="dir7/file15" a1059="dir7/file16" a1060="dir7/file17" a1061="dir7/file18" a1062="dir7/file19" a1063="dir7/file2" a1064="dir7/file20" a1065="dir7/file21" a1066="dir7/file22" a1067="dir7/file23" a1068="dir7/file24" a1069="dir7/file25" a1070="dir7/file26" a1071="dir7/file27" a1072="dir7/file28" a1073="dir7/file29" a1074="dir7/file3" a1075="dir7/file30" a1076="dir7/file31" a1077="dir7/file32" a1078="dir7/file33" a1079="dir7/file34" a1080="dir7/file35" a1081="dir7/file36" a1082="dir7/file37" a1083="dir7/file38" a1084="dir7/file39" a1085="dir7/file4" a1086="dir7/file40" a1087="dir7/file41" a1088="dir7/file42" a1089="dir7/file43" a1090="dir7/file44" a1091="dir7/file45" a1092="dir7/file46" a1093="dir7/file47" a1094="dir7/file48" a1095="dir7/file49" a1096="dir7/file5" a1097="dir7/file50" a1098="dir7/file6" a1099="dir7/file7" a1100="dir7/file8" a1101="dir7/file9" a1102="dir8/file1" a1103="dir8/file10" a1104="dir8/file11" a1105="dir8/file12" a1106="dir8/file13" a1107="dir8/file14" a1108="dir8/file15" a1109="dir8/file16" a1110="dir8/file17" a1111="dir8/file18" a1112="dir8/file19" 
a1113="dir8/file2" a1114="dir8/file20" a1115="dir8/file21" a1116="dir8/file22" a1117="dir8/file23" a1118="dir8/file24" a1119="dir8/file25" a1120="dir8/file26" a1121="dir8/file27" a1122="dir8/file28" a1123="dir8/file29" a1124="dir8/file3" a1125="dir8/file30" a1126="dir8/file31" a1127="dir8/file32" a1128="dir8/file33" a1129="dir8/file34" a1130="dir8/file35" a1131="dir8/file36" a1132="dir8/file37" a1133="dir8/file38" a1134="dir8/file39" a1135="dir8/file4" a1136="dir8/file40" a1137="dir8/file41" a1138="dir8/file42" a1139="dir8/file43" a1140="dir8/file44" a1141="dir8/file45" a1142="dir8/file46" a1143="dir8/file47" a1144="dir8/file48" a1145="dir8/file49" a1146="dir8/file5" a1147="dir8/file50" a1148="dir8/file6" a1149="dir8/file7" a1150="dir8/file8" a1151="dir8/file9" a1152="dir9/file1" a1153="dir9/file10" a1154="dir9/file11" a1155="dir9/file12" a1156="dir9/file13" a1157="dir9/file14" a1158="dir9/file15" a1159="dir9/file16" a1160="dir9/file17" a1161="dir9/file18" a1162="dir9/file19" a1163="dir9/file2" a1164="dir9/file20" a1165="dir9/file21" a1166="dir9/file22" a1167="dir9/file23" a1168="dir9/file24" a1169="dir9/file25" a1170="dir9/file26" a1171="dir9/file27" a1172="dir9/file28" a1173="dir9/file29" a1174="dir9/file3" a1175="dir9/file30" a1176="dir9/file31" a1177="dir9/file32" a1178="dir9/file33" a1179="dir9/file34" a1180="dir9/file35" a1181="dir9/file36" a1182="dir9/file37" a1183="dir9/file38" a1184="dir9/file39" a1185="dir9/file4" a1186="dir9/file40" a1187="dir9/file41" a1188="dir9/file42" a1189="dir9/file43" a1190="dir9/file44" a1191="dir9/file45" a1192="dir9/file46" a1193="dir9/file47" a1194="dir9/file48" a1195="dir9/file49" a1196="dir9/file5" a1197="dir9/file50" a1198="dir9/file6" a1199="dir9/file7" a1200="dir9/file8" a1201="dir9/file9" 
type=CWD msg=audit(1191433516.461:3360):  cwd="/tmp/files"
type=PATH msg=audit(1191433516.461:3360): item=0 name="/bin/ls" inode=359898 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(1191433516.461:3360): item=1 name=(null) inode=1436230 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

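The attachment above is one execve whose argument list the patched kernel emitted as several EXECVE records that all carry the same audit serial (3360 here), followed by the CWD and PATH records for the same event. Anything that consumes the log therefore has to regroup those records before it can reason about the command line. The Python below is an added example, not code from this thread or from the audit project, that groups EXECVE records by serial, rebuilds argv, decodes hex-encoded values, and compares the number of arguments actually collected against argc so that a dropped or truncated record shows up as a gap instead of silently yielding a shorter command line. It assumes the raw record layout `type=TYPE msg=audit(TIME:SERIAL): key=value ...`, the plain sequential `aN` keys this patch emits (the `aN[M]` fragment keys later kernels use for a single oversized argument are not handled), and the audit convention that an unquoted argument value is the hex encoding of a string containing whitespace, quotes or non-printable bytes. The sample records are constructed for the example and are not copied from the attachment.

```python
import re
from collections import defaultdict

# Constructed sample log (not the attachment's own lines). Serial 3360 is one
# execve whose argument list arrived as three consecutive EXECVE records; a4
# is hex-encoded because the argument contains a space. Serial 3361 is a
# second execve whose last EXECVE record never reached the log, so its argv
# has a hole that the reassembler must report.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1191433516.461:3360): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1191433516.461:3360): argc=6 a0="ls" a1="-l" a2="dir4/file15"
type=EXECVE msg=audit(1191433516.461:3360): a3="dir4/file16" a4=6469722034
type=EXECVE msg=audit(1191433516.461:3360): a5="dir4/file17"
type=CWD msg=audit(1191433516.461:3360):  cwd="/tmp/files"
type=EXECVE msg=audit(1191433516.462:3361): argc=3 a0="cat" a1="dir5/file1"
type=CWD msg=audit(1191433516.462:3361):  cwd="/tmp/files"
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([0-9.]+):(\d+)\):\s*(.*)$')
# key="quoted value"  or  key=unquoted-token
FIELD_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|(\S+))')
ARG_KEY_RE = re.compile(r'^a(\d+)$')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_arg(quoted, raw):
    """Undo audit's untrusted-string encoding for an argument value.

    A value that was safe to print arrives quoted; anything containing
    whitespace, a quote or a non-printable byte arrives as an unquoted
    string of hex byte pairs. `quoted` is None when the value was unquoted.
    """
    if quoted is not None:
        return quoted
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def reassemble_execve(log_text):
    """Group EXECVE records by serial and rebuild argv for each execve.

    Returns {serial: {"argc": int or None, "argv": list, "missing": [idx]}}.
    argv has a None slot for every index no record supplied, and "missing"
    lists those slots, so a lost or truncated record is detectable rather
    than being confused with an empty argument.
    """
    args = defaultdict(dict)   # serial -> {index: value}
    argc = {}                  # serial -> argc from the first record
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m or m.group(1) != 'EXECVE':
            continue
        serial = int(m.group(3))
        for f in FIELD_RE.finditer(m.group(4)):
            key, quoted, raw = f.group(1), f.group(2), f.group(3)
            if key == 'argc':
                argc[serial] = int(raw)
                continue
            k = ARG_KEY_RE.match(key)
            if k:
                args[serial][int(k.group(1))] = decode_arg(quoted, raw)

    result = {}
    for serial in sorted(set(args) | set(argc)):
        n = argc.get(serial)
        seen = args.get(serial, {})
        # Expect indices up to argc-1, or up to the highest one actually seen,
        # whichever is larger: either kind of disagreement is worth reporting.
        top = max([n - 1 if n is not None else -1] + list(seen))
        argv = [seen.get(i) for i in range(top + 1)]
        missing = [i for i, v in enumerate(argv) if v is None]
        result[serial] = {"argc": n, "argv": argv, "missing": missing}
    return result


if __name__ == '__main__':
    for serial, ev in reassemble_execve(SAMPLE_LOG).items():
        status = 'ok' if not ev["missing"] else f'MISSING {ev["missing"]}'
        print(f'{serial}: argc={ev["argc"]} {status} argv={ev["argv"]}')
```

Run it on raw records (the audit.log file itself or `ausearch --raw` output) rather than on `ausearch -i` output, whose interpreted fields no longer follow the raw `key=value` layout. The point of carrying the `missing` list rather than just dropping holes is the one this thread is about: with the old single-record path, userspace lost arguments past roughly 8k without any marker in the record, and a consumer that concatenates whatever it finds will happily build a command line shorter than what actually ran.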

* Re: [PATCH 1/2] Audit: break up execve arguments into multiple records
  2007-10-03 17:44   ` Eric Paris
@ 2007-10-04 21:26     ` Valdis.Kletnieks
  0 siblings, 0 replies; 6+ messages in thread
From: Valdis.Kletnieks @ 2007-10-04 21:26 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-audit


On Wed, 03 Oct 2007 13:44:34 EDT, Eric Paris said:

> attached is a log with about 1200 arguments.  My first attachment was of
> a single execve with about 800k worth of arguments!  But it was rather
> large and list wouldn't have liked it.  Hopefully this attachment is
> still big enough to amaze and small enough to download  *smile*

I feel a great disturbance in the Force, as if millions of programs had
declared 'char inbuf[1024];' and then suddenly SIGSEGV'ed.

:)


Thread overview: 6+ messages
2007-10-02 21:25 [PATCH 1/2] Audit: break up execve arguments into multiple records Eric Paris
2007-10-03 17:13 ` Steve Grubb
     [not found]   ` <1191432118.9506.38.camel@localhost.localdomain>
2007-10-03 17:26     ` Steve Grubb
2007-10-03 17:44   ` Eric Paris
2007-10-04 21:26     ` Valdis.Kletnieks
2007-10-03 17:27 ` Steve Grubb
