From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: log on the future execution of a path
Date: Mon, 5 May 2014 17:10:07 -0400 [thread overview]
Message-ID: <20140505171007.3d9d15f8@ivy-bridge> (raw)
In-Reply-To: <cover.1399319317.git.rgb@redhat.com>
On Mon, 5 May 2014 16:41:53 -0400
Richard Guy Briggs <rgb@redhat.com> wrote:
> Only problem is, it doesn't work. What assumptions am I making that
> aren't valid about the approach in this kernel code?
>
> I also considered adding the path string pointer to the struct
> audit_field.
>
> Any suggestions?
What I was thinking about is that it should work a lot like a watch for
execution except when the watch triggers, it actually fills in a pid
field for a syscall rule and loads it instead of emitting an event.
For example, suppose you had this rule:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
success=1
It could be started as this:
-a exit,always -F path=/bin/bash -F perm=x
Then when it triggers, it loads this:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F success=1 -F pid=##
Where ## is the pid known to the kernel. Then when the program exits for
any reason, the rules it created for that pid are all removed.
It would also need to handle execve/clone/fork/vfork sanely once a
rule was created.
auditctl -l should only show the rule that was loaded from user space
and not any helpers that might be created dynamically. Deleting the
rule should get rid of any helpers.
-Steve
next prev parent reply other threads:[~2014-05-05 21:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-05 20:41 [PATCH] audit: log on the future execution of a path Richard Guy Briggs
2014-05-05 20:41 ` [PATCH] audit: audit on the future execution of a binary Richard Guy Briggs
2014-05-05 21:10 ` Steve Grubb [this message]
2014-05-06 14:57 ` [PATCH] audit: log on the future execution of a path Eric Paris
2014-05-06 15:10 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140505171007.3d9d15f8@ivy-bridge \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox