128 Character limit on proctitle field?
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Mon Sep 18 02:38:55 UTC 2023
On 2023/09/16 1:15, Wieprecht, Karen M. wrote:
> All,
>
> We're working with Docker and podman, and I'm working on parsing the audit data
> we get to flag prohibited and missing command options based on STIG guidelines.
> I normally extract the proctitle from the raw auditd data, but these commands
> are very long with sometimes 23 or more command line parameters, and I noticed
> that all of the auditd proctitle data for the lengthier commands is being cut off
> at 128 characters.
This limitation is intentional
( https://elixir.bootlin.com/linux/v6.6-rc2/source/kernel/auditsc.c#L81 ).
Since each argv[]/envp[] value passed to execve() can go up to 128KB
( https://elixir.bootlin.com/linux/v6.6-rc2/source/include/uapi/linux/binfmts.h#L15 )
and the number of arguments is effectively unlimited
( https://elixir.bootlin.com/linux/v6.6-rc2/source/include/uapi/linux/binfmts.h#L16 ),
trying to audit the full command line can exhaust storage.
>
> I'm bringing this up for two reasons:
>
> One, not everyone working with this data may realize that there seems to be
> a character limit,
> and second, if this is by chance a bug as opposed to intentional, then I'm
> hoping we can get a fix cooking for it?
>
> In the meantime, I may be able to work around this by piecing together the full
> command from the "a#= " fields, but it would be much easier if proctitle wasn't
> cut off after 128 chars.
If you can use an out-of-tree LSM, you can use the execute_handler feature available in
TOMOYO and CaitSith, which replaces any execve() request with a specific execve()
request in order to allow userspace to examine and audit (and optionally sanitize)
the full command line before executing the originally requested program.
https://tomoyo.osdn.jp/1.8/policy-specification/domain-policy-syntax.html.en#task_auto_execute_handler
https://en.osdn.net/projects/tomoyo/scm/svn/blobs/head/trunk/1.8.x/ccs-tools/examples/env_chk.c
If you think the execute_handler feature is helpful for you, I can make a dedicated LSM
which implements only the execute_handler feature.
>
> Thanks, any info you can share would be much appreciated,
>
> Karen Wieprecht
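The workaround Karen mentions, rebuilding the command line from the EXECVE record's "a#=" fields instead of relying on the 128-byte PROCTITLE, is shown below as an added example; it is not code from this thread or from the audit project. It assumes the standard auditd record layout: EXECVE carries argc= and a0=..aN= (each value either double-quoted or, when it contains a space, quote or non-printable byte, a bare hex string; an over-long argument is split into aN_len= plus aN[0]=, aN[1]=... chunks), and PROCTITLE carries argv joined by NUL, hex-encoded and cut at 128 bytes. The sample records, the docker command and the option sets passed to check_options are all constructed for the example; they are not a STIG list.

```python
"""Rebuild a full execve() command line from auditd EXECVE aN= fields.

Added example (not from the linux-audit thread). Assumes the standard
auditd record layout described in the lead-in.
"""
import re
from typing import Dict, List, Set

FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
PROCTITLE_LIMIT = 128  # MAX_PROCTITLE_AUDIT_LEN in kernel/auditsc.c


def decode_value(raw: str) -> bytes:
    """auditd quotes plain values and hex-encodes everything else."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode()
    return bytes.fromhex(raw)


def parse_fields(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def argv_from_execve(line: str) -> List[str]:
    """Rebuild argv from one EXECVE record, reassembling aN[M] chunks in order."""
    fields = parse_fields(line)
    argc = int(fields["argc"])
    chunks: Dict[int, Dict[int, bytes]] = {}
    for key, raw in fields.items():
        m = ARG_RE.match(key)
        if m:
            idx, part = int(m.group(1)), int(m.group(2) or 0)
            chunks.setdefault(idx, {})[part] = decode_value(raw)
    missing = [i for i in range(argc) if i not in chunks]
    if missing:  # incomplete record (e.g. split across lines): refuse to guess
        raise ValueError(f"EXECVE record lacks arguments {missing}")
    return [b"".join(v for _, v in sorted(chunks[i].items())).decode("utf-8", "replace")
            for i in range(argc)]


def argv_from_proctitle(line: str) -> List[str]:
    """Decode PROCTITLE: hex of argv joined by NUL; the tail may be cut off."""
    raw = parse_fields(line)["proctitle"]
    return [a.decode("utf-8", "replace") for a in decode_value(raw).split(b"\x00")]


def check_options(argv: List[str], prohibited: Set[str], required: Set[str]) -> Dict[str, List[str]]:
    """Flag prohibited options that are present and required ones that are absent.
    Option names are compared before any '=value'; the sets are the caller's policy."""
    opts = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("-")}
    return {"prohibited": sorted(opts & prohibited), "missing": sorted(required - opts)}


def simulate_audit(argv: List[str], serial: int) -> List[str]:
    """Constructed stand-in for the kernel's encoding of one execve(), used only
    to give the example input: applies the quote/hex rule and the 128-byte
    proctitle cut, but not the aN[M] chunking of huge arguments."""
    def enc(b: bytes) -> str:
        if any(c < 0x21 or c > 0x7E or c == 0x22 for c in b):
            return b.hex().upper()
        return '"' + b.decode() + '"'
    args = " ".join(f"a{i}={enc(a.encode())}" for i, a in enumerate(argv))
    title = b"\x00".join(a.encode() for a in argv)[:PROCTITLE_LIMIT]
    hdr = f"msg=audit(1694830000.123:{serial}):"
    return [f"type=EXECVE {hdr} argc={len(argv)} {args}",
            f"type=PROCTITLE {hdr} proctitle={enc(title)}"]


# Constructed docker invocation: 17 args, 139 bytes of argv, so PROCTITLE is cut
# mid-way through "GREETING=hello world" (a value that is hex-encoded because of the space).
DEMO_ARGV = ["docker", "run", "--rm", "--read-only", "--cap-drop=ALL",
             "--security-opt=no-new-privileges", "--pids-limit=100",
             "--memory=512m", "--cpus=1", "-e", "GREETING=hello world",
             "--name", "web", "--publish", "127.0.0.1:8080:8080",
             "--log-driver=journald", "registry.example/web:1.0"]
DEMO_LINES = simulate_audit(DEMO_ARGV, 4242)
# Hand-written record with a chunked argument (a1 split into a1[0] and a1[1]).
CHUNKED_LINE = ('type=EXECVE msg=audit(1694830000.200:4243): argc=2 '
                'a0="echo" a1_len=12 a1[0]="hello-" a1[1]="world!"')

if __name__ == "__main__":
    print("proctitle :", argv_from_proctitle(DEMO_LINES[1]))
    print("execve    :", argv_from_execve(DEMO_LINES[0]))
    print("chunked   :", argv_from_execve(CHUNKED_LINE))
    print("policy    :", check_options(argv_from_execve(DEMO_LINES[0]),
                                       {"--privileged"}, {"--read-only", "--user"}))
```

Run on the constructed records, PROCTITLE yields only the first ten arguments plus the fragment "GREETING=", while the EXECVE fields give back all seventeen, which is why option checks should run over the EXECVE reconstruction. For interactive use `ausearch -i` performs the same hex decoding; the code above is for a pipeline that consumes raw records. The ValueError on a record whose argc exceeds the arguments present is deliberate: a partial argv silently passed to check_options would report a required option as missing when it was merely not captured.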