[PATCH] audit: Add cmdline to taskinfo output
William Roberts
bill.c.roberts at gmail.com
Tue Oct 29 17:55:12 UTC 2013
On Tue, Oct 29, 2013 at 10:44 AM, William Roberts
<bill.c.roberts at gmail.com>wrote:
>
>
>
> On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
>> > On some devices, the cmdline and task info vary. For instance, on
>> > Android, the cmdline is set to the package name, and the task info
>> > is the name of the VM, which is not very helpful.
>> >
>> > The additional cmdline output only runs if the audit feature
>> > AUDIT_FEATURE_CMDLINE_OUTPUT is set high at runtime.
>>
>> I don't exactly like this. The audit event records are very normalized.
>> When
>> you have a specific kind of record, you can count on always having the
>> certain
>> fields even if its value is (NULL). So, having fields swinging in and out
>> by
>> configuration is not something I'd like to see start.
>>
>> Can you show me an event that has the problem and what it looks like when
>> its
>> fixed by this patch?
>>
>> Thanks,
>> -Steve
>>
>
>
> I'm 100% ok with the dynamic option changing it from NULL to a real value
> IMO a like
> that better then what I currently have.
>
> Old:
> type=1300 msg=audit(1383022671.232:230): arch=40000028 syscall=54
> per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0
> ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> comm=4173796E635461736B202331 exe="/system/bin/app_process" subj=u:r:nfc:s0
> key=(null)
>
> Issue:
> comm field in task is only 16 chars, to small for most package names, and
> already contains the VM command. I really have no information of what
> Android App has created the issue.
>
> Solution:
> Get the proc cmdline info (not trust worthy, but can help debugging
> Android)
>
> type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5
> per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c
> items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027
> suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none)
> ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process"
> cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
>
> Now I know it was the NFC app
>
>
FYI, from this point I would get the application from a trustworthy source
and audit it, obviously this could be an app using setproctitle() and
spoofing something legitimate. Like malicious app A pretending to be angry
birds. I cant read this
cmdline value form userspace, as a denial from selinux may cause the app to
crash. So sometimes the apps proc entry is gone before I can record what
happened in userspace.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20131029/9e6e1c26/attachment.htm>
More information about the Linux-audit
mailing list