On 15/07/17, Richard Guy Briggs wrote:
On 15/07/16, Paul Moore wrote:
> On Tuesday, July 14, 2015 11:50:23 AM Richard Guy Briggs wrote:
> > From: Eric Paris <eparis(a)redhat.com>
> >
> > This patch implements the ability to filter on the executable. It is
> > clearly incomplete! This patch adds the inode/dev of the executable at
> > the moment the rule is loaded. It does not update if the executable is
> > updated/moved/whatever. That should be added. But at this moment, this
> > patch works.
<snip>
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9fb9d1c..bf745c7 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -71,6 +72,7 @@
> > #include <linux/capability.h>
> > #include <linux/fs_struct.h>
> > #include <linux/compat.h>
> > +#include <linux/sched.h>
> > #include <linux/ctype.h>
> > #include <linux/string.h>
> > #include <uapi/linux/limits.h>
> > @@ -466,6 +468,20 @@ static int audit_filter_rules(struct task_struct *tsk,
> > result = audit_comparator(ctx->ppid, f->op, f->val);
> > }
> > break;
> > + case AUDIT_EXE:
> > + result = audit_exe_compare(tsk, rule->exe);
> > + break;
> > + case AUDIT_EXE_CHILDREN:
> > + {
> > + struct task_struct *ptsk;
> > + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> > find_task_by_vpid(ptsk->parent->pid)) {
> > + if (audit_exe_compare(ptsk, rule->exe)) {
> > + ++result;
> > + break;
> > + }
> > + }
> > + }
> > + break;
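Review bot: the AUDIT_EXE_CHILDREN loop dereferences the value returned by find_task_by_vpid() without checking it and without holding rcu_read_lock(); find_task_by_vpid() returns NULL once the pid is no longer present in the caller's pid namespace, and the next evaluation of `ptsk->parent->pid` then faults. The loop also mixes pid spaces, feeding the global `ptsk->parent->pid` into a lookup by virtual pid. Since the task already carries a parent pointer, `ptsk = ptsk->parent` (or `real_parent`, to skip ptrace reparenting) under RCU avoids both the lookup and the mismatch. Minor: every other branch assigns `result` from a comparator (`audit_comparator()`, `audit_exe_compare()`), so `result = 1` reads more consistently than `++result`. A short comment that the walk stops at the task whose parent is pid 0, so init itself is never compared, would also help the next reader.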
>
> I don't completely understand the point of AUDIT_EXE_CHILDREN filter, what
> problem are we trying to solve? It checks to see if there is an executable
> match starting with the current process and walking up the process' parents in
> the current pid namespace?
Say we want to monitor /usr/sbin/apache2 and all its spawned processes.
Set up a rule that uses AUDIT_EXE_CHILDREN with /usr/sbin/apache2, then
when it spawns a cgi running perl or php, those actions will be caught.
> Help me understand what this accomplishes, I'm a little tired right now and I
> just don't get it.
This was Peter Moody's idea and it made sense, so we kept it.
Peter, do you have anything to add to justify keeping
AUDIT_EXE_CHILDREN?
> paul moore
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545