On 2023/08/25 12:36, Paul Moore wrote:
>> It is unfortunate that you continue ignoring the
>>
>> How can auditd generate logs that are not triggered via syscalls?
>>
>> line. I know how to configure syscall rules using "-S" option. But I do
>> not know how to configure non syscall rules (such as process creation via
>> kthread_create(), process termination due to tty hangup or OOM killer).
>
> At this point you've exhausted my goodwill so I would suggest simply reading
> the audit code, man pages, and experimenting with a running system to understand
> how things work, especially for non-syscall records.
Are we on the same page that non-syscall records include process creation via
kthread_create() and process termination via send_sig()?

I tried "make M=audit_test/" with the example below.
audit_test/audit_test.c
----------------------------------------
#include <linux/module.h>
#include <linux/kthread.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/umh.h>
#include <linux/string.h>
#include <linux/err.h>

/* Kernel thread body: start a user-space process from kernel context, then
 * kill it with send_sig(), so that neither event goes through a system call. */
static int test_kthread(void *unused)
{
	char *argv[3] = { "/bin/sleep", "10", NULL };
	char *envp[1] = { NULL };
	struct task_struct *p;

	printk("test_kthread is running with PID=%d\n", current->pid);
	/* Run "/bin/sleep 10" via the usermode helper; return once exec() has happened. */
	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
	rcu_read_lock();
	for_each_process(p) {
		/* Locate the user-space "sleep" task (skip kernel threads) and kill it. */
		if (!(p->flags & PF_KTHREAD) && !strcmp(p->comm, "sleep")) {
			printk("Sending signal to PID=%d\n", p->pid);
			send_sig(SIGKILL, p, 1);
		}
	}
	rcu_read_unlock();
	return 0;
}

static int __init test_init(void)
{
	struct task_struct *task = kthread_create(test_kthread, NULL, "test_kthread");

	if (!IS_ERR(task)) {
		wake_up_process(task);
		/* Give the kthread time to spawn and kill "sleep" before returning. */
		schedule_timeout_uninterruptible(5 * HZ);
	}
	/* Fail the load so the module is never kept resident
	 * (insmod reports "Invalid parameters"). */
	return -EINVAL;
}
module_init(test_init);
MODULE_LICENSE("GPL");
----------------------------------------
audit_test/Makefile
----------------------------------------
obj-m += audit_test.o
----------------------------------------
I tried the steps below in order to generate all possible records using auditd.
----------------------------------------
# auditctl -D
No rules
# auditctl -a exit,always
# auditctl -a task,always
# insmod audit_test/audit_test.ko
insmod: ERROR: could not insert module audit_test/audit_test.ko: Invalid parameters
# auditctl -D
No rules
# dmesg
[ 219.826840] test_kthread is running with PID=4044
[ 219.832367] Sending signal to PID=4045
# ausearch -p 4044
<no matches>
# ausearch -p 4045 | sed -e 's/ /\n/g' | grep syscall= | sort -uV
syscall=0
syscall=2
syscall=3
syscall=5
syscall=9
syscall=10
syscall=11
syscall=12
syscall=21
syscall=35
syscall=158
----------------------------------------
Only records issued by system calls (read(),open(),close(),fstat(),mmap(),
mprotect(),munmap(),brk(),access(),nanosleep(),arch_prctl()) are generated.
Neither records issued by process creation via kthread_create() nor records
issued by process termination via send_sig() are generated.
Are you confident that auditd is already capable of generating records for e.g.
process creation via kthread_create() and process termination via send_sig()?
> If you find a place in the code where you believe there should be an
> audit record, post a patch and we can discuss it.
I believe that auditd needs to be able to generate records for e.g. process creation
via kthread_create() and process termination via send_sig(), if you insist that we can
emulate process history information offered by this patch from user space using records
generated by auditd. (That sounds beyond CONFIG_AUDITSYSCALL=y though...)
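The check carried out in this message (which PIDs from dmesg have SYSCALL records at all, and which syscall numbers they contain) is re-implemented below as an added Python example; it is not code from the original thread. It parses raw audit records, resolves the x86_64 syscall numbers named in the thread to their names, and reports PIDs with no SYSCALL record. The records in SAMPLE_RECORDS are constructed for this example, not captured from the author's system.

```python
"""Summarise audit SYSCALL records per PID, like the ausearch pipeline in the thread.

Added example (not part of the original e-mail): Python equivalent of
`ausearch -p PID | sed | grep syscall= | sort -uV`, plus name resolution for
the x86_64 syscall numbers the thread lists and a check for PIDs that have
no SYSCALL record.  SAMPLE_RECORDS is constructed; its field values are made up.
"""
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers and names, as listed in the thread.
X86_64_SYSCALL_NAMES = {
    0: "read", 2: "open", 3: "close", 5: "fstat", 9: "mmap", 10: "mprotect",
    11: "munmap", 12: "brk", 21: "access", 35: "nanosleep", 158: "arch_prctl",
}

# Constructed records, one per line.  PID 4045 stands for the /bin/sleep child
# started by call_usermodehelper(); PID 4044 (the kthread) has no record at all,
# mirroring the ausearch result in the thread.  PID 4050 is an unrelated process.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1692934819.826:101): arch=c000003e syscall=12 success=yes exit=94290432 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=PROCTITLE msg=audit(1692934819.826:101): proctitle=2F62696E2F736C656570003130
type=SYSCALL msg=audit(1692934819.826:102): arch=c000003e syscall=158 success=yes exit=0 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.827:103): arch=c000003e syscall=21 success=no exit=-2 items=1 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.827:104): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.827:105): arch=c000003e syscall=5 success=yes exit=0 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.827:106): arch=c000003e syscall=9 success=yes exit=140000000000 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.827:107): arch=c000003e syscall=0 success=yes exit=832 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.828:108): arch=c000003e syscall=10 success=yes exit=0 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.828:109): arch=c000003e syscall=11 success=yes exit=0 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.828:110): arch=c000003e syscall=3 success=yes exit=0 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934819.830:111): arch=c000003e syscall=35 success=no exit=-4 items=0 ppid=2 pid=4045 auid=4294967295 uid=0 gid=0 comm="sleep" exe="/bin/sleep" key=(null)
type=SYSCALL msg=audit(1692934824.901:112): arch=c000003e syscall=44 success=yes exit=1072 items=0 ppid=3990 pid=4050 auid=1000 uid=0 gid=0 comm="auditctl" exe="/sbin/auditctl" key=(null)
"""

# key=value pairs; values are either a double-quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into {field: value}; surrounding quotes are dropped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def syscalls_by_pid(records):
    """Return {pid: [(number, name), ...]}, each PID's distinct syscalls in
    numeric order (what the thread's `sort -uV` over syscall= produced)."""
    seen = defaultdict(set)
    for line in records.splitlines():
        rec = parse_record(line)
        # Only SYSCALL records carry a syscall number; CWD/PATH/PROCTITLE records
        # are companions of a SYSCALL record and are skipped here.
        if rec.get("type") != "SYSCALL":
            continue
        seen[int(rec["pid"])].add(int(rec["syscall"]))
    return {
        pid: [(n, X86_64_SYSCALL_NAMES.get(n, f"unknown({n})")) for n in sorted(nums)]
        for pid, nums in seen.items()
    }


def pids_without_syscall_records(records, pids_of_interest):
    """PIDs (e.g. taken from dmesg) for which audit holds no SYSCALL record.
    A task that never enters the syscall path, such as a kthread, lands here."""
    present = syscalls_by_pid(records)
    return sorted(pid for pid in pids_of_interest if pid not in present)


def report(records, pids_of_interest):
    """Render the per-PID summary as text, one line per PID."""
    lines = []
    for pid, calls in sorted(syscalls_by_pid(records).items()):
        names = ", ".join(f"{n}/{name}" for n, name in calls)
        lines.append(f"pid={pid}: {names}")
    for pid in pids_without_syscall_records(records, pids_of_interest):
        lines.append(f"pid={pid}: <no SYSCALL records>")
    return "\n".join(lines)


if __name__ == "__main__":
    # PIDs taken from the dmesg lines in the thread: 4044 (kthread), 4045 (sleep).
    print(report(SAMPLE_RECORDS, pids_of_interest=[4044, 4045]))
```

Feed it `ausearch --raw` output instead of SAMPLE_RECORDS to run the same check on a live system; the name table only covers the numbers mentioned in the thread, so anything else is reported as unknown(N) rather than guessed.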