From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Muhammad Adil Inam" <20100180@lums.edu.pk>,
"Ali Ahad" <20100284@lums.edu.pk>,
"Ondrej Mosnáček" <omosnacek@gmail.com>
Subject: Re: Linux Audit userspace query
Date: Wed, 31 Jul 2019 10:36:48 -0400 [thread overview]
Message-ID: <3098173.AB4Qcg4CNO@x2> (raw)
In-Reply-To: <CAAUqJDvcWcmaC5MTEEni6BDJfBN0HCR=K6wB7+kpPpuEuZWM6A@mail.gmail.com>
On Wednesday, July 31, 2019 7:06:53 AM EDT Ondrej Mosnáček wrote:
> > Basically, I am unable to figure out where an audit_event is being
> > populated with the relevant data such as the audit_args (a0,a1,a2) so
> > that I can change and play around with the arguments that are being
> > recorded and populated at the source.
>
> Again, to change the way values are being recorded into the record,
> you'd need to modify the kernel.
Right. Everything comes from the kernel. Audit userspace just stores it to
disk and that is why you don't see any code dealing with the args.
> > Kindly let me know if you can slightly guide me in this regard. I would
> > be really grateful. Also kindly let me know of the feasibility of the
> > problem.
You would need to learn to build, modify, and debug kernels.
> > So basically the argument a1 of the write syscall records the
> > pointer to a buffer. Is it possible to store the dereferenced complete
> > buffer as the argument instead?
Writes can be huge and could contain sequences designed to trick parsers.
That means it would need to be encoded which doubles the size of the write
data being collected. Also, I think there are file systems that are
journalling meaning that their metadata contains what the changes are in case
it has to recover. That might be another avenue to investigate.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
prev parent reply other threads:[~2019-07-31 14:36 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <DB7PR07MB551327DB6DFB72921559C9839FC00@DB7PR07MB5513.eurprd07.prod.outlook.com>
2019-07-31 11:06 ` Linux Audit userspace query Ondrej Mosnáček
2019-07-31 14:36 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3098173.AB4Qcg4CNO@x2 \
--to=sgrubb@redhat.com \
--cc=20100180@lums.edu.pk \
--cc=20100284@lums.edu.pk \
--cc=linux-audit@redhat.com \
--cc=omosnacek@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox