[PATCH] TaskTracker : Simplified thread information tracker.
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Sat Sep 27 01:02:44 UTC 2014
May I continue proposing this functionality? I want to identify where bash is
executed from in the RHEL servers in order to assess possibility of damage
caused by CVE-2014-6271.
Tetsuo Handa wrote:
> Thank you for your comment, Steve.
>
> Steve Grubb wrote:
> > On Monday, June 23, 2014 09:14:35 PM Tetsuo Handa wrote:
> >> Any comments on this proposal?
> >
> > subj= is the wrong way to record this. The subj field name is for process
> > labels. When field names get re-used for different purposes, it causes lots of
> > problems in being able to assign meaning and correctly use it in analysis. I
> > would suggest using phist= for process history or something like that. Please
> > don't re-use subj for this.
>
> This was just a sample implementation. If this proposal is acceptable as a
> patch to auditing subsystem, I'm happy to update not to re-use subj= field
> and not to occupy LSM. An updated version is attached.
>
> > Also, the comm file is under control of the user. What if they create a program
> > "sshd=>crond"? Would that throw off the analysis? How do you ensure user
> > supplied names do not contain symbols that you are using to denote parentage?
>
> OK. I added '=' in comm name to the list of need-to-escape bytes.
>
> By the way, audit_string_contains_control() treats *p == '"' || *p < 0x21 ||
> *p > 0x7e as need-to-escape bytes. Thus, 0x20 from audit_log_untrustedstring()
> is a need-to-escape byte. However, I can see that 0x20 from userspace programs
> is emitted without escaping.
>
> type=USER_START msg=audit(1403741835.270:16): user pid=1870 uid=0 auid=0 ses=1
> msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.0.1 addr=192.168.0.1
> terminal=/dev/pts/0 res=success'
>
> Where can I find which bytes in $value need to be escaped when emitting
> a record like name='$value' ? Is 0x20 in $value permitted?
>
> > Also, would you consider adding this information as a auxiliary record rather
> > than as part of a syscall record? The advantage is it can be filtered or
> > searched for. We recently did this for PROCTITLE information. Perhaps this fits
> > better as a PROCHIST auxiliary record?
>
> I changed to use auxiliary record and noticed a difference.
> The previous version emitted the history for type=USER_LOGIN case
>
> type=USER_LOGIN msg=audit(1400879947.084:24): pid=4308 uid=0 auid=0 ses=2
> subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=>
> switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=>
> sh(2014/05/23-21:17:56)=>mingetty(2014/05/23-21:17:56)=>
> login(2014/05/23-21:19:05)" msg='op=login id=0 exe="/bin/login" hostname=?
> addr=? terminal=tty1 res=success'
>
> but current version does not emit it for type=USER_LOGIN case.
> Does auxiliary record work with only type=SYSCALL case (and therefore
> I should use CONFIG_AUDITSYSCALL rather than CONFIG_AUDIT in the patch
> below) ?
>
> Regards.
> ----------
> >From d015533ce544feb8922fcbf023017c82bd79a9ac Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
> Date: Thu, 26 Jun 2014 09:39:14 +0900
> Subject: [PATCH] audit: Emit history of thread's comm name.
>
> When an unexpected system event (e.g. reboot) occurs, the administrator may
> want to identify which application triggered the event. System call auditing
> could be used for recording such event. However, the audit log may not be
> able to provide sufficient information for identifying the application
> because the audit log does not reflect how the program was executed.
>
> This patch adds ability to trace how the program was executed and emit it
> as an auxiliary record in the form of comm name and time stamp pairs as of
> execve().
>
> type=UNKNOWN[1329] msg=audit(1403741314.019:22): history='
> swapper/0(2014/06/26-09:06:04)=>init(2014/06/26-09:06:10)=>
> switch_root(2014/06/26-09:06:13)=>init(2014/06/26-09:06:13)=>
> sh(2014/06/26-00:06:27)=>rc(2014/06/26-00:06:27)=>
> S55sshd(2014/06/26-00:06:35)=>sshd(2014/06/26-00:06:35)=>
> sshd(2014/06/26-00:06:40)=>bash(2014/06/26-00:06:43)=>
> tail(2014/06/26-00:08:34)'
>
> Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
> ---
> fs/exec.c | 1 +
> include/linux/audit.h | 23 +++++++++++-
> include/linux/init_task.h | 9 ++++
> include/linux/sched.h | 5 ++
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 90 ++++++++++++++++++++++++++++++++++++++++++++
> kernel/auditsc.c | 19 +++++++++
> 7 files changed, 147 insertions(+), 1 deletions(-)
>
More information about the Linux-audit
mailing list