Message-ID: <20150717202723.GA28281@madcap2.tricolour.ca>
Date:	Fri, 17 Jul 2015 16:27:23 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	Paul Moore <pmoore@...hat.com>
Cc:	peter@...3.com, linux-audit@...hat.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH V6 1/4] audit: implement audit by executable

On 15/07/17, Richard Guy Briggs wrote:
> On 15/07/16, Paul Moore wrote:
> > On Tuesday, July 14, 2015 11:50:23 AM Richard Guy Briggs wrote:
> > > From: Eric Paris <eparis@...hat.com>
> > > 
> > > This patch implements the ability to filter on the executable.  It is
> > > clearly incomplete!  This patch adds the inode/dev of the executable at
> > > the moment the rule is loaded.  It does not update if the executable is
> > > updated/moved/whatever.  That should be added.  But at this moment, this
> > > patch works.

<snip>

> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 9fb9d1c..bf745c7 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -71,6 +72,7 @@
> > >  #include <linux/capability.h>
> > >  #include <linux/fs_struct.h>
> > >  #include <linux/compat.h>
> > > +#include <linux/sched.h>
> > >  #include <linux/ctype.h>
> > >  #include <linux/string.h>
> > >  #include <uapi/linux/limits.h>
> > > @@ -466,6 +468,20 @@ static int audit_filter_rules(struct task_struct *tsk,
> > >  				result = audit_comparator(ctx->ppid, f->op, f->val);
> > >  			}
> > >  			break;
> > > +		case AUDIT_EXE:
> > > +			result = audit_exe_compare(tsk, rule->exe);
> > > +			break;
> > > +		case AUDIT_EXE_CHILDREN:
> > > +		{
> > > +			struct task_struct *ptsk;
> > > +			for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> > >              find_task_by_vpid(ptsk->parent->pid)) {
> > > +				if (audit_exe_compare(ptsk, rule->exe)) {
> > > +					++result;
> > > +					break;
> > > +				}
> > > +			}
> > > +		}
> > > +			break;
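Review bot: the AUDIT_EXE_CHILDREN loop `for (ptsk = tsk; ptsk->parent->pid > 0; ptsk = find_task_by_vpid(ptsk->parent->pid))` can dereference NULL: `find_task_by_vpid()` returns NULL when the parent has already exited or is not visible in the caller's pid namespace (it is handed `ptsk->parent->pid`, a global pid number, and resolves it as a virtual pid), and the next iteration then evaluates `ptsk->parent` on that NULL. The lookup and the parent walk also need rcu_read_lock() unless the caller of audit_filter_rules() is known to hold it. Walking the pointer directly is simpler and avoids the pid round-trip, e.g. `for (ptsk = tsk; ptsk->pid > 0; ptsk = rcu_dereference(ptsk->real_parent))` under rcu_read_lock(), keeping the stop at the idle task that the current condition expresses. Separately, both the AUDIT_EXE and AUDIT_EXE_CHILDREN cases ignore `f->op`, unlike the AUDIT_PPID case just above that calls `audit_comparator(ctx->ppid, f->op, f->val)`, so a rule loaded with an operator other than equality silently matches as equality; either reject unsupported operators when the rule is loaded or honour them here.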
> > 
> > I don't completely understand the point of AUDIT_EXE_CHILDREN filter, what 
> > problem are we trying to solve?  It checks to see if there is an executable 
> > match starting with the current process and walking up the process' parents in 
> > the current pid namespace?
> 
> Say we want to monitor /usr/sbin/apache2 and all its spawned processes.
> Set up a rule that uses AUDIT_EXE_CHILDREN with /usr/sbin/apache2, then
> when it spawns a cgi running perl or php, those actions will be caught.
> 
> > Help me understand what this accomplishes, I'm a little tired right now and I 
> > just don't get it.
> 
> This was Peter Moody's idea and it made sense, so we kept it.

Peter, do you have anything to add to justify keeping
AUDIT_EXE_CHILDREN?

> > paul moore
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs@...hat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
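The apache2 and CGI use case described in the reply above, as an added example that is not part of the patch or of the thread: a user-space C model of how AUDIT_EXE and AUDIT_EXE_CHILDREN decide whether a task matches. The task structure, the process tree, the pids, the comm names and the dev/ino numbers are all constructed for the demo. Like the patch, the model compares the executable's dev/ino resolved when the rule was loaded rather than a path string; unlike the posted hunk, it walks parent pointers directly and treats a missing parent as the end of the walk instead of looking parents up by pid.

```c
/* Added example (not from the patch): user-space model of the AUDIT_EXE and
 * AUDIT_EXE_CHILDREN matching semantics discussed in the thread.  Everything
 * below (task layout, pids, comm names, dev/ino values, the tree) is
 * constructed for the demo; none of it is kernel data. */
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* What the rule stores: the executable's dev/ino captured at rule-load time
 * (the patch compares identity, not the path string). */
struct exe_id {
	dev_t dev;
	ino_t ino;
};

struct task {
	pid_t pid;
	const char *comm;           /* demo printout only */
	struct exe_id exe;          /* dev/ino of the executable the task runs */
	const struct task *parent;  /* NULL for the idle task (pid 0) */
};

/* Model of audit_exe_compare(): does this task run the rule's executable? */
int match_exe(const struct task *t, const struct exe_id *rule_exe)
{
	return t->exe.dev == rule_exe->dev && t->exe.ino == rule_exe->ino;
}

/* AUDIT_EXE_CHILDREN: the task or any ancestor must match.  A NULL parent
 * ends the walk, so a vanished parent is a stop condition, not a crash. */
int match_exe_children(const struct task *t, const struct exe_id *rule_exe)
{
	const struct task *p;

	for (p = t; p != NULL; p = p->parent)
		if (match_exe(p, rule_exe))
			return 1;
	return 0;
}

/* Constructed process tree (dev/ino values are made up):
 *   0 swapper
 *     1 init
 *       900 sshd -> 901 bash        (bash runs the same binary as sh below)
 *       1200 apache2 -> 1300 sh -> 1301 perl  (CGI)
 */
static const struct task task_swapper = { 0,    "swapper", { 0, 0 },    NULL };
static const struct task task_init    = { 1,    "init",    { 8, 4100 }, &task_swapper };
static const struct task task_sshd    = { 900,  "sshd",    { 8, 4204 }, &task_init };
static const struct task task_bash    = { 901,  "bash",    { 8, 4202 }, &task_sshd };
static const struct task task_apache2 = { 1200, "apache2", { 8, 4201 }, &task_init };
static const struct task task_sh      = { 1300, "sh",      { 8, 4202 }, &task_apache2 };
static const struct task task_perl    = { 1301, "perl",    { 8, 4203 }, &task_sh };

static const struct task *const demo_tasks[] = {
	&task_swapper, &task_init, &task_sshd, &task_bash,
	&task_apache2, &task_sh, &task_perl
};
#define N_DEMO_TASKS (sizeof demo_tasks / sizeof demo_tasks[0])

/* The rule from the thread, exe=/usr/sbin/apache2, already resolved to the
 * binary's (constructed) dev/ino. */
static const struct exe_id rule_apache2 = { 8, 4201 };

const struct exe_id *demo_rule_apache2(void)
{
	return &rule_apache2;
}

const struct task *demo_task(pid_t pid)
{
	size_t i;

	for (i = 0; i < N_DEMO_TASKS; i++)
		if (demo_tasks[i]->pid == pid)
			return demo_tasks[i];
	return NULL;
}

/* How many tasks in the tree the rule catches: children=0 models AUDIT_EXE,
 * children=1 models AUDIT_EXE_CHILDREN. */
int demo_count_matches(int children)
{
	int n = 0;
	size_t i;

	for (i = 0; i < N_DEMO_TASKS; i++)
		n += children ? match_exe_children(demo_tasks[i], &rule_apache2)
			      : match_exe(demo_tasks[i], &rule_apache2);
	return n;
}

int main(void)
{
	size_t i;

	printf("%-6s %-8s %-9s %s\n", "pid", "comm", "AUDIT_EXE", "AUDIT_EXE_CHILDREN");
	for (i = 0; i < N_DEMO_TASKS; i++) {
		const struct task *t = demo_tasks[i];

		printf("%-6d %-8s %-9d %d\n", (int)t->pid, t->comm,
		       match_exe(t, &rule_apache2),
		       match_exe_children(t, &rule_apache2));
	}
	return 0;
}
```

The table the program prints makes the distinction in the reply concrete: with AUDIT_EXE only apache2 itself matches, while with AUDIT_EXE_CHILDREN the sh and perl CGI processes under it match too, and bash under sshd does not even though it runs the same binary as sh, because ancestry rather than the executable decides.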