On Thursday, June 07, 2012 06:31:47 PM Peter Moody wrote:
> Is there any way to audit syscalls made by a particular, not yet
> running, application?
No... it's one of the things I've been interested in for a long time. About as
close as you get is using the selinux process context. But if it's
bin_t... there's a couple thousand processes with the same label.
> For example, if I'm interested in seeing all
> exec's by google-chrome, can I do something like the following?
>
> auditctl -a exit,always -F arch=b64 -S execve -F success=1 -F inode=inode-of-chrome
>
> experimenting seems to indicate that will only tell me when
> inode-of-chrome is exec'd, basically a watch rule.
>
> The sort of inverse of this rule that got me thinking about this
> initially was auditing a syscall and seeing if it was/wasn't called by
> a particular program. For example, auditing all bind() calls which
> *aren't* made by chrome (a silly rule to be sure, but just thrown out
> as a hypothetical)
>
> If it's not possible to do this now, is there interest in adding this
> feature?
Yes. I'd be interested in seeing this available. But if you do implement it, it's
more natural to express the rule by process name. But the kernel does not do
string comparisons. So, what you would likely need to do is lookup the path to
get the inode, then when it executes a new kind of pid rule gets created
probably off the list like watches do. There are some apps like apache which fork
multiple copies and that adds a wrinkle because you would want to audit all of
them. And then there are threads...
-Steve
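As an added example (not code from either poster, and not part of the original thread), here is a small POSIX shell script that builds the two kinds of rule discussed above: the inode-based execve watch Peter sketched, completed with devmajor/devminor so the inode number is not ambiguous across filesystems, and the per-executable syscall filter the thread asks for, using the `-F exe=` / `-F exe!=` field that Linux 4.3 later added (it did not exist when this exchange took place and needs a matching auditctl). The functions only print rule text and never call auditctl, so the output can be inspected before loading. Assumed: a Linux host with GNU stat (BSD stat as a fallback), the Linux dev_t layout for the major/minor split, and the chrome path used in the comments, which is hypothetical.

```shell
# Added example: generate auditctl rules for "exec of this binary" and
# "syscall X (not) made by this binary".  Prints rules; does not load them.

# Inode of a path.  GNU stat first, BSD stat as a fallback.
file_inode() {
    stat -c %i "$1" 2>/dev/null || stat -f %i "$1"
}

# Device number (st_dev) of the filesystem holding a path.
file_dev() {
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# Split st_dev into major/minor the way glibc's major()/minor() do.
# Assumes the Linux dev_t layout; these are the values auditctl's
# devmajor=/devminor= fields compare against.
file_devmajor() {
    dev=$(file_dev "$1")
    echo $(( ((dev >> 8) & 0xfff) | ((dev >> 32) & ~0xfff) ))
}
file_devminor() {
    dev=$(file_dev "$1")
    echo $(( (dev & 0xff) | ((dev >> 12) & ~0xff) ))
}

# The rule from the thread, completed.  An inode number is only unique
# per filesystem, so devmajor/devminor are pinned as well.  As the thread
# notes, this only records *that* the file was exec'd; it says nothing
# about what the resulting process does afterwards.
#   $1 = path to the binary, $2 = audit key (-k)
exec_watch_rule() {
    rule="-a always,exit -F arch=b64 -S execve -F success=1 -F inode=$(file_inode "$1")"
    rule="$rule -F devmajor=$(file_devmajor "$1") -F devminor=$(file_devminor "$1") -k $2"
    printf '%s\n' "$rule"
}

# The feature the thread asks for: filter a syscall by the executable of
# the calling process.  Linux 4.3 added "-F exe=/abs/path" (and exe!=) for
# this.  The kernel matches on the task's mm->exe_file, so forked apache
# workers that have not exec'd something else still match, and so do
# threads, since they share the mm.  The path must be absolute.
#   $1 = absolute path, $2 = syscall name, $3 = only|except, $4 = audit key
exe_syscall_rule() {
    case "$3" in
        only)   op='=' ;;
        except) op='!=' ;;
        *) echo "usage: exe_syscall_rule PATH SYSCALL only|except KEY" >&2; return 1 ;;
    esac
    printf '%s\n' "-a always,exit -F arch=b64 -S $2 -F exe$op$1 -k $4"
}

# Usage (the chrome path is assumed; adjust for your system):
#   exec_watch_rule /opt/google/chrome/chrome chrome-exec
#   exe_syscall_rule /opt/google/chrome/chrome bind except bind-not-chrome
```

To load a generated rule on a live system, pass it to auditctl as `auditctl $(exec_watch_rule /path/to/binary key)` or append the line to the audit rules file; either way the inode rule must be regenerated whenever the binary is replaced, since a package upgrade gives it a new inode.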