[PATCH] execve argument logging

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Apr 21 21:22:43 UTC 2006 

On Fri, 21 Apr 2006 16:22:35 EDT, Alexander Viro said:
> On Fri, Apr 21, 2006 at 04:19:09PM -0400, Valdis.Kletnieks at vt.edu wrote:
> > Maybe a "first 32/64 bytes of each argument" limit is needed?  Or is there one
> > there and I missed it?
> 
> You do realize that it makes e.g. any pathname arguments in effect not
> logged at all - just slap 64 '/' in front of absolute pathname and you
> are done.

On the other hand, the 2.6.17-rc1-mm3 kernel I'm on now has:

include/linux/limits.h:#define ARG_MAX       131072     /* # bytes of args + environ for exec() */

which implies to me that I can blat a bit over 128K to the audit log per syscall.

With the default Fedora-rawhide auditd.conf config of:

num_logs = 4
max_log_file = 5 
max_log_file_action = ROTATE

I can roll through all the logs and *effectively* make the arguments of whatever
I wanted to hide not visible with only 160 syscalls.  'man auditd.conf' says:

       Space_left should be set to a number that gives the admin  enough  time
       to  react  to any alert message and perform some maintenance to free up
       disk space. This would typically involve running the aureport -t report
       and  moving the oldest logs to an archive area. The value of space_left
       is site dependant since the rate at which events are  generated  varies
       with each deployment. The space_left_action is recommended to be set to
       email.

(And yes, I know if you're *serious* about this, you have action set to 'single'
or 'halt' or similar "die rather than lose records" setting.  The problem is that
when you can blow through a megabyte of logspace with only 8 syscalls, finding a
good setting for "gives enough time" becomes a lot more challenging...)

How would everybody feel about wrapping this in a CONFIG_AUDIT_ARGV, and some
Kconfig wording warning about this burning through your audit space?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060421/02838102/attachment.sig>

More information about the Linux-audit mailing list