From: Steve Grubb
Subject: Re: [PATCH] audit: log on the future execution of a path
Date: Mon, 5 May 2014 17:10:07 -0400
Message-ID: <20140505171007.3d9d15f8@ivy-bridge>
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 5 May 2014 16:41:53 -0400 Richard Guy Briggs wrote:
> Only problem is, it doesn't work. What assumptions am I making that
> aren't valid about the approach in this kernel code?
>
> I also considered adding the path string pointer to the struct
> audit_field.
>
> Any suggestions?

What I was thinking about is that it should work a lot like a watch for
execution, except when the watch triggers, it actually fills in a pid field
for a syscall rule and loads it instead of emitting an event.

For example, suppose you had this rule:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

It could be started as this:

-a exit,always -F path=/bin/bash -F perm=x

Then when it triggers, it loads this:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F success=1 -F pid=##

Where ## is the pid known to the kernel. Then when the program exits for any
reason, the rules it created for that pid are all removed. It would also need
to handle execve/clone/fork/vfork sanely once a rule was created.

auditctl -l should only show the rule that was loaded from user space and not
any helpers that might be created dynamically. Deleting the rule should get
rid of any helpers.

-Steve
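The helper-rule lifecycle sketched in the mail above, as an added Python model of the rule table; it is not part of the mail or of the audit code base. The rule strings are the ones from the mail; the AuditRules class, its method names and the pid values are constructed for illustration, and the open question of fork/clone handling is left out.

```python
import shlex

USER_RULE = "-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1"  # constructed sample, rule from the mail

def parse_rule(rule):
    """Split an auditctl rule into (flag, value) pairs; shlex keeps 'a0!=1' as one value."""
    toks = shlex.split(rule)
    return list(zip(toks[0::2], toks[1::2]))

def format_rule(pairs):
    return " ".join(f"{flag} {shlex.quote(val)}" for flag, val in pairs)

def exe_of(pairs):
    """Path from the rule's exe= field, or None if the rule has none."""
    return next((v[4:] for f, v in pairs if f == "-F" and v.startswith("exe=")), None)

def watch_rule(pairs):
    """What the kernel would arm for the user rule: an execute watch on the exe path."""
    return f"-a {pairs[0][1]} -F path={exe_of(pairs)} -F perm=x"

def helper_rule(pairs, pid):
    """Per-process helper loaded when the watch fires: exe= replaced by pid=<pid>."""
    kept = [(f, v) for f, v in pairs if not (f == "-F" and v.startswith("exe="))]
    return format_rule(kept + [("-F", f"pid={pid}")])

class AuditRules:
    """Rule table as the mail sketches it: user rules are listed, helpers are not."""
    def __init__(self):
        self.user = []     # rules loaded from user space, as parsed pairs
        self.helpers = []  # (pid, origin pairs, helper text) created dynamically
    def add(self, rule):
        self.user.append(parse_rule(rule))
    def on_exec(self, path, pid):
        """The execute watch on `path` fired for `pid`: load helpers, emit no event."""
        for pairs in self.user:
            if exe_of(pairs) == path:
                self.helpers.append((pid, pairs, helper_rule(pairs, pid)))
    def on_exit(self, pid):
        """Process ended for any reason: every helper created for it goes away."""
        self.helpers = [h for h in self.helpers if h[0] != pid]
    def delete(self, rule):
        """Deleting the user rule also drops the helpers derived from it."""
        pairs = parse_rule(rule)
        self.user.remove(pairs)
        self.helpers = [h for h in self.helpers if h[1] != pairs]
    def list_rules(self):
        """What auditctl -l would show: only the rules loaded from user space."""
        return [format_rule(p) for p in self.user]
    def active(self):
        return [watch_rule(p) for p in self.user] + [h[2] for h in self.helpers]
```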