[PATCH] execve argument logging
Valdis.Kletnieks at vt.edu
Fri Apr 21 21:22:43 UTC 2006
On Fri, 21 Apr 2006 16:22:35 EDT, Alexander Viro said:
> On Fri, Apr 21, 2006 at 04:19:09PM -0400, Valdis.Kletnieks at vt.edu wrote:
> > Maybe a "first 32/64 bytes of each argument" limit is needed? Or is there one
> > there and I missed it?
>
> You do realize that it makes e.g. any pathname arguments in effect not
> logged at all - just slap 64 '/' in front of absolute pathname and you
> are done.
On the other hand, the 2.6.17-rc1-mm3 kernel I'm on now has:
include/linux/limits.h:#define ARG_MAX 131072 /* # bytes of args + environ for exec() */
which implies to me that I can blat a bit over 128K to the audit log per syscall.
With the default Fedora-rawhide auditd.conf config of:
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
I can roll through all the logs and *effectively* make the arguments of whatever
I wanted to hide not visible with only 160 syscalls. 'man auditd.conf' says:
Space_left should be set to a number that gives the admin enough time
to react to any alert message and perform some maintenance to free up
disk space. This would typically involve running the aureport -t report
and moving the oldest logs to an archive area. The value of space_left
is site dependent since the rate at which events are generated varies
with each deployment. The space_left_action is recommended to be set to
email.
(And yes, I know if you're *serious* about this, you have action set to 'single'
or 'halt' or similar "die rather than lose records" setting. The problem is that
when you can blow through a megabyte of logspace with only 8 syscalls, finding a
good setting for "gives enough time" becomes a lot more challenging...)
How would everybody feel about wrapping this in a CONFIG_AUDIT_ARGV, and some
Kconfig wording warning about this burning through your audit space?