* [PATCH] Support for auditing on the actions of a not-yet-executed process.
@ 2012-08-23 19:25 Peter Moody
  2012-08-27 12:54 ` Steve Grubb
  2014-05-02 14:49 ` Richard Guy Briggs
  0 siblings, 2 replies; 4+ messages in thread
From: Peter Moody @ 2012-08-23 19:25 UTC (permalink / raw)
  To: linux-audit

e.g.:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

to see instances of /bin/bash opening a non-local socket. Or

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1

to see instances of /bin/bash, and any descendant processes, opening a non-local socket.

This was proposed at https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
and it seemed like there was interest.

Signed-off-by: Peter Moody <pmoody@google.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   11 +++++++++++
 trunk/lib/libaudit.h |    7 ++++++-
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4d996d5..cd595ec 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
     { -15,    2,    "-F unknown errno -"},
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
-    { -18,    1,    "" }, // Unused
+    { -18,    1,    "only takes = operator" },
     { -19,    0,    "Key field needs a watch or syscall given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index c0432cc..245b541 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3,         "a3"           )
 _S(AUDIT_FILTERKEY,    "key"          )
 
 _S(AUDIT_FIELD_COMPARE, "field_compare" )
+_S(AUDIT_EXE,          "exe"          )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 20eaf5f..06eed86 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_EXE_CHILDREN:
+		case AUDIT_EXE:
+		{
+			struct stat buf;
+			if ((stat(v, &buf)) < 0)
+				return -2;
+			if (op != AUDIT_EQUAL)
+				return -18;
+			rule->values[rule->field_count] = (unsigned long)buf.st_ino;
+		}
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
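
Review bot: the new AUDIT_EXE/AUDIT_EXE_CHILDREN case stores `buf.st_ino` alone, so the rule is pinned to one inode number with no device: it silently stops matching as soon as the binary is replaced under the same path (a package update writes a new inode), and two files with the same inode number on different filesystems are indistinguishable. Keep `buf.st_dev` alongside `st_ino` (or pass the path down and let the kernel resolve it) and document that rules must be reloaded after the named executable is updated. Two smaller points in the same block: the `if (op != AUDIT_EQUAL) return -18;` check should come before `stat(v, &buf)`, so a bad operator is reported without touching the filesystem, and `stat()` needs `<sys/stat.h>`, which this hunk does not show being included.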
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 89dd588..2c8a802 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -243,6 +243,12 @@ extern "C" {
 #ifndef AUDIT_FIELD_COMPARE
 #define AUDIT_FIELD_COMPARE 111
 #endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
 
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
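
Review bot: AUDIT_EXE (112) and AUDIT_EXE_CHILDREN (113) are assigned here under `#ifndef` guards rather than taken from the kernel's audit header, so if the kernel side lands with different numbers the user-space build still succeeds but loads rules the kernel reads as a different field. Add a comment that these values must track the accepted kernel patch, and prefer failing the build (or the rule load) when the installed kernel headers define them differently.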
@@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
 #endif
 
 #endif
-
-- 
1.7.7.3


* Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
  2012-08-23 19:25 [PATCH] Support for auditing on the actions of a not-yet-executed process Peter Moody
@ 2012-08-27 12:54 ` Steve Grubb
  2014-05-02 14:49 ` Richard Guy Briggs
  1 sibling, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2012-08-27 12:54 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit

On Thursday, August 23, 2012 12:25:54 PM Peter Moody wrote:
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> success=1
> 
> to see instances of /bin/bash opening a non-local socket. Or
> 
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F
> success=1
> 
> to instances of /bin/bash, and any descendant processes, opening a non local
> socket.
> 
> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.

Yeah, another use case might be:

-a always,exit -F dir=/watched-dir -F perms=r -F exe=/usr/bin/scp

So that you can see files being transferred away from a directory that you care 
about. Of course you wouldn't have the address unless you also catch the 
connect or maybe execve.

I'll merge the user space code when this is accepted into the kernel.

Thanks,
-Steve


* Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
  2012-08-23 19:25 [PATCH] Support for auditing on the actions of a not-yet-executed process Peter Moody
  2012-08-27 12:54 ` Steve Grubb
@ 2014-05-02 14:49 ` Richard Guy Briggs
  2014-05-02 15:25   ` Steve Grubb
  1 sibling, 1 reply; 4+ messages in thread
From: Richard Guy Briggs @ 2014-05-02 14:49 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit

On 12/08/23, Peter Moody wrote:
> eg:
> 
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
> 
> to see instances of /bin/bash opening a non-local socket. Or
> 
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1
> 
> to instances of /bin/bash, and any descendant processes, opening a non local socket.

In addition to these sample rules, do you have a command or script to
trigger it?

> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.
> 
> Signed-off-by: Peter Moody <pmoody@google.com>
> ---
>  trunk/lib/errormsg.h |    2 +-
>  trunk/lib/fieldtab.h |    2 ++
>  trunk/lib/libaudit.c |   11 +++++++++++
>  trunk/lib/libaudit.h |    7 ++++++-
>  4 files changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> index 4d996d5..cd595ec 100644
> --- a/trunk/lib/errormsg.h
> +++ b/trunk/lib/errormsg.h
> @@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
>      { -15,    2,    "-F unknown errno -"},
>      { -16,    2,    "-F unknown file type - " },
>      { -17,    1,    "can only be used with exit and entry filter list" },
> -    { -18,    1,    "" }, // Unused
> +    { -18,    1,    "only takes = operator" },
>      { -19,    0,    "Key field needs a watch or syscall given prior to it" },
>      { -20,    2,    "-F missing value after operation for" },
>      { -21,    2,    "-F value should be number for" },
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index c0432cc..245b541 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -66,3 +66,5 @@ _S(AUDIT_ARG3,         "a3"           )
>  _S(AUDIT_FILTERKEY,    "key"          )
>  
>  _S(AUDIT_FIELD_COMPARE, "field_compare" )
> +_S(AUDIT_EXE,          "exe"          )
> +_S(AUDIT_EXE_CHILDREN, "exe_children" )
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 20eaf5f..06eed86 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
>  			else 
>  				return -21;
>  			break;
> +		case AUDIT_EXE_CHILDREN:
> +		case AUDIT_EXE:
> +		{
> +			struct stat buf;
> +			if ((stat(v, &buf)) < 0)
> +				return -2;
> +			if (op != AUDIT_EQUAL)
> +				return -18;
> +			rule->values[rule->field_count] = (unsigned long)buf.st_ino;
> +		}
> +			break;
>  		case AUDIT_DEVMAJOR...AUDIT_INODE:
>  		case AUDIT_SUCCESS:
>  			if (flags != AUDIT_FILTER_EXIT)
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 89dd588..2c8a802 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -243,6 +243,12 @@ extern "C" {
>  #ifndef AUDIT_FIELD_COMPARE
>  #define AUDIT_FIELD_COMPARE 111
>  #endif
> +#ifndef AUDIT_EXE
> +#define AUDIT_EXE 112
> +#endif
> +#ifndef AUDIT_EXE_CHILDREN
> +#define AUDIT_EXE_CHILDREN 113
> +#endif
>  
>  #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
>  #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
> @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
>  #endif
>  
>  #endif
> -
> -- 
> 1.7.7.3

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


* Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
  2014-05-02 14:49 ` Richard Guy Briggs
@ 2014-05-02 15:25   ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2014-05-02 15:25 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On Fri, 2 May 2014 10:49:56 -0400
Richard Guy Briggs <rgb@redhat.com> wrote:

> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F
> > success=1
> > 
> > to see instances of /bin/bash opening a non-local socket. Or
> > 
> > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F
> > exe_children=/bin/bash -F success=1
> > 
> > to instances of /bin/bash, and any descendant processes, opening a
> > non local socket.  
> 
> In addition to these sample rules, do you have a command or script to
> trigger it?

You should be able to load a rule like this:

-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=test

Then run

touch /tmp/test

then ausearch --start recent -k test

-Steve
