Re: [PATCH] TaskTracker : Simplified thread information tracker.

Thank you for your comment, Steve. Steve Grubb wrote: > On Monday, June 23, 2014 09:14:35 PM Tetsuo Handa wrote: >> Any comments on this proposal? > > subj= is the wrong way to record this. The subj field name is for process > labels. When field names get re-used for different purposes, it causes lots of > problems in being able to assign meaning and correctly use it in analysis. I > would suggest using phist= for process history or something like that. Please > don't re-use subj for this. This was just a sample implementation. If this proposal is acceptable as a patch to auditing subsystem, I'm happy to update not to re-use subj= field and not to occupy LSM. An updated version is attached. > Also, the comm file is under control of the user. What if they create a program > "sshd=>crond"? Would that throw off the analysis? How do you ensure user > supplied names do not contain symbols that you are using to denote parentage? OK. I added '=' in comm name to the list of need-to-escape bytes. By the way, audit_string_contains_control() treats *p == '"' || *p < 0x21 || *p > 0x7e as need-to-escape bytes. Thus, 0x20 from audit_log_untrustedstring() is a need-to-escape byte. However, I can see that 0x20 from userspace programs is emitted without escaping. type=USER_START msg=audit(1403741835.270:16): user pid=1870 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.0.1 addr=192.168.0.1 terminal=/dev/pts/0 res=success' Where can I find which bytes in $value need to be escaped when emitting a record like name='$value' ? Is 0x20 in $value permitted? > Also, would you consider adding this information as a auxiliary record rather > than as part of a syscall record? The advantage is it can be filtered or > searched for. We recently did this for PROCTITLE information. Perhaps this fits > better as a PROCHIST auxiliary record? I changed to use auxiliary record and noticed a difference. The previous version emitted the history for type=USER_LOGIN case type=USER_LOGIN msg=audit(1400879947.084:24): pid=4308 uid=0 auid=0 ses=2 subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=> switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=> sh(2014/05/23-21:17:56)=>mingetty(2014/05/23-21:17:56)=> login(2014/05/23-21:19:05)" msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success' but current version does not emit it for type=USER_LOGIN case. Does auxiliary record work with only type=SYSCALL case (and therefore I should use CONFIG_AUDITSYSCALL rather than CONFIG_AUDIT in the patch below) ? Regards. ---------- >From d015533ce544feb8922fcbf023017c82bd79a9ac Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp&gt; Date: Thu, 26 Jun 2014 09:39:14 +0900 Subject: [PATCH] audit: Emit history of thread's comm name. When an unexpected system event (e.g. reboot) occurs, the administrator may want to identify which application triggered the event. System call auditing could be used for recording such event. However, the audit log may not be able to provide sufficient information for identifying the application because the audit log does not reflect how the program was executed. This patch adds ability to trace how the program was executed and emit it as an auxiliary record in the form of comm name and time stamp pairs as of execve(). type=UNKNOWN[1329] msg=audit(1403741314.019:22): history=' swapper/0(2014/06/26-09:06:04)=>init(2014/06/26-09:06:10)=> switch_root(2014/06/26-09:06:13)=>init(2014/06/26-09:06:13)=> sh(2014/06/26-00:06:27)=>rc(2014/06/26-00:06:27)=> S55sshd(2014/06/26-00:06:35)=>sshd(2014/06/26-00:06:35)=> sshd(2014/06/26-00:06:40)=>bash(2014/06/26-00:06:43)=> tail(2014/06/26-00:08:34)' Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp&gt; --- fs/exec.c | 1 + include/linux/audit.h | 23 +++++++++++- include/linux/init_task.h | 9 ++++ include/linux/sched.h | 5 ++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 90 ++++++++++++++++++++++++++++++++++++++++++++ kernel/auditsc.c | 19 +++++++++ 7 files changed, 147 insertions(+), 1 deletions(-)