Linux Audit userspace query
Steve Grubb
sgrubb at redhat.com
Wed Jul 31 14:36:48 UTC 2019
On Wednesday, July 31, 2019 7:06:53 AM EDT Ondrej Mosnáček wrote:
> > Basically, I am unable to figure out where an audit_event is being
> > populated with the relevant data such as the audit_args (a0,a1,a2) so
> > that I can change and play around with the arguments that are being
> > recorded and populated at the source.
>
> Again, to change the way values are being recorded into the record,
> you'd need to modify the kernel.
Right. Everything comes from the kernel. Audit userspace just stores it to
disk and that is why you don't see any code dealing with the args.
> > Kindly let me know if you can slightly guide me in this regard. I would
> > be really grateful. Also kindly let me know of the feasibility of the
> > problem.
You would need to learn to build, modify, and debug kernels.
> > So basically the argument a1 of the write syscall records the
> > pointer to a buffer. Is it possible to store the dereferenced complete
> > buffer as the argument instead?
Writes can be huge and could contain sequences designed to trick parsers.
That means it would need to be encoded which doubles the size of the write
data being collected. Also, I think there are file systems that are
journalling meaning that their metadata contains what the changes are in case
it has to recover. That might be another avenue to investigate.
-Steve
More information about the Linux-audit
mailing list