[PATCH] audit: log on the future execution of a path

Steve Grubb sgrubb at redhat.com
Mon May 5 21:10:07 UTC 2014


On Mon,  5 May 2014 16:41:53 -0400
Richard Guy Briggs <rgb at redhat.com> wrote:

> Only problem is, it doesn't work.  What assumptions am I making that
> aren't valid about the approach in this kernel code?
> 
> I also considered adding the path string pointer to the struct
> audit_field.
> 
> Any suggestions?

What I was thinking about is that it should work a lot like a watch for
execution except when the watch triggers, it actually fills in a pid
field for a syscall rule and loads it instead of emitting an event.

For example, suppose you had this rule:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

It could be started as this:
-a exit,always -F path=/bin/bash -F perm=x

Then when it triggers, it loads this:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F success=1 -F pid=##

Where ## is the pid known to the kernel. Then when the program exits for
any reason, the rules it created for that pid are all removed.

It would also need to handle execve/clone/fork/vfork sanely once a
rule was created.

auditctl -l should only show the rule that was loaded from user space
and not any helpers that might be created dynamically. Deleting the
rule should get rid of any helpers.

-Steve
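The watch-to-helper expansion sketched in the mail above, as an added Python model that is not part of the kernel patch or of this thread; the rule strings are the ones quoted in the mail, and `AuditRules`, `on_exec`, `on_exit` and `delete` are assumed names for the kernel-side hooks they stand in for.

```python
import shlex

def parse_rule(rule):
    """Split an auditctl rule string into (flag, value) pairs, honouring quotes."""
    toks = shlex.split(rule)
    return list(zip(toks[::2], toks[1::2]))

def exe_of(rule):
    """Return PATH from a -F exe=PATH field, or None if the rule has none."""
    for flag, val in parse_rule(rule):
        if flag == "-F" and val.startswith("exe="):
            return val[len("exe="):]
    return None

def expand(rule):
    """Rewrite an exe= rule into the watch that triggers it and the pid template it loads."""
    exe = exe_of(rule)
    watch = f"-a exit,always -F path={exe} -F perm=x"
    rest = [(f, v) for f, v in parse_rule(rule) if not (f == "-F" and v.startswith("exe="))]
    template = " ".join(f"{f} {shlex.quote(v)}" for f, v in rest) + " -F pid=##"
    return watch, template

class AuditRules:
    """Toy model (assumed, not kernel code) of user rules plus pid-scoped helpers."""
    def __init__(self):
        self.user_rules = []   # what `auditctl -l` reports
        self.helpers = []      # (pid, originating user rule, loaded helper rule)

    def add(self, rule):
        self.user_rules.append(rule)

    def on_exec(self, pid, path):
        """Watch fires on execution of path: load the template with ## filled in."""
        for rule in self.user_rules:
            if exe_of(rule) == path:
                loaded = expand(rule)[1].replace("pid=##", f"pid={pid}")
                self.helpers.append((pid, rule, loaded))

    def on_exit(self, pid):
        """Process gone for any reason: drop every helper created for it."""
        self.helpers = [h for h in self.helpers if h[0] != pid]

    def delete(self, rule):
        """Deleting the user rule also gets rid of helpers derived from it."""
        self.user_rules.remove(rule)
        self.helpers = [h for h in self.helpers if h[1] != rule]

    def active(self):
        """Rules the kernel would actually evaluate: watches, plain rules, helpers."""
        return [expand(r)[0] if exe_of(r) else r for r in self.user_rules] + [h[2] for h in self.helpers]

    def list_rules(self):
        return list(self.user_rules)   # helpers are never shown to user space
```

Running `expand()` on the `exe=/bin/bash` rule from the mail yields exactly the watch and the `pid=##` rule shown there, and the `AuditRules` object shows helpers appearing on exec and vanishing on exit or rule deletion.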