Extracting written string from the write syscall
Casey Schaufler
casey at schaufler-ca.com
Fri Apr 27 15:35:15 UTC 2018
On 4/26/2018 7:37 PM, Wajih Ul Hassan wrote:
> Thanks for your replies. However, I am now thinking of another solution.
> Let's say I can capture write() in the userspace by either instrumenting the LibC or LD_PRELOAD wrapper and store the string buffer passed to write().
> Can I call/generate *some other non-instrusive* syscall which can take that string buffer that I stored earlier and that syscall with the buffer will be visible in the audit.log? I am not worried about performance hit right now.
I'm not 100% sure, but you might be able to do this with LandLock.
>
> On Thu, Apr 26, 2018 at 7:46 PM Casey Schaufler <casey at schaufler-ca.com <mailto:casey at schaufler-ca.com>> wrote:
>
> On 4/26/2018 5:08 PM, Sargun Dhillon wrote:
> > On Thu, Apr 26, 2018 at 4:40 PM, Casey Schaufler <casey at schaufler-ca.com <mailto:casey at schaufler-ca.com>> wrote:
> >> On 4/26/2018 3:57 PM, Steve Grubb wrote:
> >>> On Thu, 26 Apr 2018 20:34:57 +0000
> >>> Wajih Ul Hassan <wajih.lums at gmail.com <mailto:wajih.lums at gmail.com>> wrote:
> >>>
> >>>> Hi all,
> >>>> .....
> >> You could write a Linux Security Module (LSM) to monitor the
> >> content of writes. The performance impact would be rather
> >> amazing.
> >>
> > I would recommend using BPF + kprobes + perf_event buffers for this
> > purpose. There are enough places you can probe to grab these strings
> > in the kernel, and if you do your filtering in BPF, you can then push
> > it into kernel space based on filtering. Although, AFAIK, the BPF JITs
> > don't do vectorization of instructions, but it's still not too bad. If
> > you put your kprobe on the syscall itself, and probe the userspace
> > addr, remember you're going to be open to a time-of-use, time-of-check
> > style attack.
>
> That looks like a whole lot of mechanism to perform a simple task.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20180427/fd5b4d25/attachment.htm>
More information about the Linux-audit
mailing list