<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 4/26/2018 7:37 PM, Wajih Ul Hassan wrote:<br>
<blockquote type="cite"
cite="mid:CAH5sRboPmzmdBs2=70f-d3+EuiPaMJQXBsU=no7aT=Y8j7hyAA@mail.gmail.com">
<div dir="ltr">Thanks for your replies. However, I am now thinking
of another solution. <br>
Let's say I can capture write() in the userspace by either
instrumenting the LibC or LD_PRELOAD wrapper and store the
string buffer passed to write(). <br>
Can I call/generate *some other non-instrusive* syscall which
can take that string buffer that I stored earlier and that
syscall with the buffer will be visible in the audit.log? I am
not worried about performance hit right now.<br>
</div>
</blockquote>
<pre>
I'm not 100% sure, but you might be able to do this with LandLock.
</pre>
<blockquote type="cite"
cite="mid:CAH5sRboPmzmdBs2=70f-d3+EuiPaMJQXBsU=no7aT=Y8j7hyAA@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
</div>
On Thu, Apr 26, 2018 at 7:46 PM Casey Schaufler <<a
href="mailto:casey@schaufler-ca.com" moz-do-not-send="true">casey@schaufler-ca.com</a>>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On 4/26/2018
5:08 PM, Sargun Dhillon wrote:<br>
> On Thu, Apr 26, 2018 at 4:40 PM, Casey Schaufler <<a
href="mailto:casey@schaufler-ca.com" target="_blank"
moz-do-not-send="true">casey@schaufler-ca.com</a>> wrote:<br>
>> On 4/26/2018 3:57 PM, Steve Grubb wrote:<br>
>>> On Thu, 26 Apr 2018 20:34:57 +0000<br>
>>> Wajih Ul Hassan <<a
href="mailto:wajih.lums@gmail.com" target="_blank"
moz-do-not-send="true">wajih.lums@gmail.com</a>> wrote:<br>
>>><br>
>>>> Hi all,<br>
>>>> .....<br>
>> You could write a Linux Security Module (LSM) to
monitor the<br>
>> content of writes. The performance impact would be
rather<br>
>> amazing.<br>
>><br>
> I would recommend using BPF + kprobes + perf_event
buffers for this<br>
> purpose. There are enough places you can probe to grab
these strings<br>
> in the kernel, and if you do your filtering in BPF, you
can then push<br>
> it into kernel space based on filtering. Although, AFAIK,
the BPF JITs<br>
> don't do vectorization of instructions, but it's still
not too bad. If<br>
> you put your kprobe on the syscall itself, and probe the
userspace<br>
> addr, remember you're going to be open to a time-of-use,
time-of-check<br>
> style attack.<br>
<br>
That looks like a whole lot of mechanism to perform a simple
task.<br>
<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>