[PATCH] audit: add task history record

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Sat Aug 26 06:38:49 UTC 2023


On 2023/08/25 12:36, Paul Moore wrote:
>> It is unfortunate that you continue ignoring the
>>
>>  How can auditd generate logs that are not triggered via syscalls?
>>
>> line. I know how to configure syscall rules using "-S" option. But I do
>> not know how to configure non syscall rules (such as process creation via
>> kthread_create(), process termination due to tty hangup or OOM killer).
> 
> At this point you've exhausted my goodwill so I would suggest simply reading
> the audit code, man pages, and experimenting with a running system to understand
> how things work, especially for non-syscall records.

Are we on the same page that non-syscall records include process creation via
kthread_create() and process termination via send_sig()?

I tried "make M=audit_test/" with the example below.

audit_test/audit_test.c
----------------------------------------
#include <linux/module.h>
#include <linux/kthread.h>
#include <linux/sched/signal.h>

static int test_kthread(void *unused)
{
	char *argv[3] = { "/bin/sleep", "10", NULL };
	char *envp[1] = { NULL };
	struct task_struct *p;
	
	printk("test_kthread is running with PID=%d\n", current->pid);
	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
	rcu_read_lock();
	for_each_process(p) {
		if (!(p->flags & PF_KTHREAD) && !strcmp(p->comm, "sleep")) {
			printk("Sending signal to PID=%d\n", p->pid);
			send_sig(SIGKILL, p, 1);
		}
	}
	rcu_read_unlock();
	return 0;
}

static int __init test_init(void)
{
	struct task_struct *task = kthread_create(test_kthread, NULL, "test_kthread");

	if (!IS_ERR(task)) {
		wake_up_process(task);
		schedule_timeout_uninterruptible(5 * HZ);
	}
	return -EINVAL;
}

module_init(test_init);
MODULE_LICENSE("GPL");
----------------------------------------

audit_test/Makefile
----------------------------------------
obj-m += audit_test.o
----------------------------------------

I tried the steps below in order to generate all possible records using auditd.

----------------------------------------
# auditctl -D
No rules
# auditctl -a exit,always
# auditctl -a task,always
# insmod audit_test/audit_test.ko
insmod: ERROR: could not insert module audit_test/audit_test.ko: Invalid parameters
# auditctl -D
No rules
# dmesg
[  219.826840] test_kthread is running with PID=4044
[  219.832367] Sending signal to PID=4045
# ausearch -p 4044
<no matches>
# ausearch -p 4045 | sed -e 's/ /\n/g' | grep syscall= | sort -uV
syscall=0
syscall=2
syscall=3
syscall=5
syscall=9
syscall=10
syscall=11
syscall=12
syscall=21
syscall=35
syscall=158
----------------------------------------

Only records issued by system calls (read(), open(), close(), fstat(), mmap(),
mprotect(), munmap(), brk(), access(), nanosleep(), arch_prctl()) are generated.
Neither records issued by process creation via kthread_create() nor records
issued by process termination via send_sig() are generated.

Are you confident that auditd is already capable of generating records for e.g.
process creation via kthread_create() and process termination via send_sig()?

> If you find a place in the code where you believe there should be an audit record,
> post a patch and we can discuss it.

I believe that auditd needs to be able to generate records for e.g. process creation
via kthread_create() and process termination via send_sig(), if you insist that we can
emulate process history information offered by this patch from user space using records
generated by auditd. (That sounds beyond CONFIG_AUDITSYSCALL=y though...)
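As an added example (not part of the mail above), the same check the ausearch/sed/sort pipeline performs, done directly against audit.log lines: records are grouped into events by their audit(<time>:<serial>) stamp, each event is attributed to the pid in its SYSCALL record, and the per-pid summary shows which record types and which syscalls (decoded only for arch=c000003e, since numbers are per-architecture) produced them. The log excerpt is constructed to mirror the results reported in the mail: the kthread PID has no records at all and the sleep child has only syscall-driven ones.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the original post). Records of one event share the
# audit(<time>:<serial>) stamp; only the "sleep" child (PID 4045) appears, the kthread (4044) never.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1692960000.101:201): arch=c000003e syscall=158 success=yes exit=0 items=0 ppid=4044 pid=4045 uid=0 gid=0 comm="sleep" exe="/usr/bin/sleep" key=(null)
type=PROCTITLE msg=audit(1692960000.101:201): proctitle=2F62696E2F736C656570003130
type=SYSCALL msg=audit(1692960000.102:202): arch=c000003e syscall=12 success=yes exit=94338 items=0 ppid=4044 pid=4045 uid=0 gid=0 comm="sleep" exe="/usr/bin/sleep" key=(null)
type=PROCTITLE msg=audit(1692960000.102:202): proctitle=2F62696E2F736C656570003130
type=SYSCALL msg=audit(1692960000.103:203): arch=c000003e syscall=35 success=no exit=-4 items=0 ppid=4044 pid=4045 uid=0 gid=0 comm="sleep" exe="/usr/bin/sleep" key=(null)
type=PROCTITLE msg=audit(1692960000.103:203): proctitle=2F62696E2F736C656570003130
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# x86_64 numbers for the syscalls ausearch reported in the post (valid for arch=c000003e only)
X86_64_SYSCALLS = {0: "read", 2: "open", 3: "close", 5: "fstat", 9: "mmap", 10: "mprotect",
                   11: "munmap", 12: "brk", 21: "access", 35: "nanosleep", 158: "arch_prctl"}

def parse_record(line):
    """One audit record -> dict of its key=value fields plus the event serial it belongs to."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_serial"] = int(STAMP_RE.search(line).group(2))
    return fields

def records_by_pid(lines):
    """Group records into events by serial and attribute each whole event to the pid named
    in its SYSCALL record (PROCTITLE/EXECVE records carry no pid field of their own)."""
    events = defaultdict(list)
    for line in filter(str.strip, lines):
        rec = parse_record(line)
        events[rec["_serial"]].append(rec)
    by_pid = defaultdict(list)
    for recs in events.values():
        pid = next((int(r["pid"]) for r in recs if "pid" in r), None)
        if pid is not None:
            by_pid[pid].extend(recs)
    return by_pid

def syscall_name(rec):
    """Syscall numbers are per-architecture, so decode only x86_64 (arch=c000003e) records."""
    n, arch = int(rec["syscall"]), rec.get("arch")
    return X86_64_SYSCALLS.get(n, f"x86_64:{n}") if arch == "c000003e" else f"{arch}:{n}"

def summarize_pid(by_pid, pid):
    """Record types and syscalls (by name) seen for one pid; both empty is ausearch's '<no matches>'."""
    recs = by_pid.get(pid, [])
    sys_recs = sorted((r for r in recs if r["type"] == "SYSCALL"), key=lambda r: int(r["syscall"]))
    return {"types": sorted({r["type"] for r in recs}), "syscalls": list(dict.fromkeys(map(syscall_name, sys_recs)))}
```

Run against a real /var/log/audit/audit.log with `records_by_pid(open(path))`; a pid that only ever shows SYSCALL-derived record types is exactly the gap the mail describes for kernel-internal process creation and termination.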
