On Mon, 5 May 2014 16:41:53 -0400
Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Only problem is, it doesn't work. What assumptions am I making that
> aren't valid about the approach in this kernel code?
> I also considered adding the path string pointer to the struct
> audit_field.
> Any suggestions?
What I was thinking about is that it should work a lot like a watch for
execution except when the watch triggers, it actually fills in a pid
field for a syscall rule and loads it instead of emitting an event.
For example, suppose you had this rule:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
It could be started as this:
-a exit,always -F path=/bin/bash -F perm=x
Then when it triggers, it loads this:
-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F success=1 -F pid=##
Where ## is the pid known to the kernel. Then when the program exits for
any reason, the rules it created for that pid are all removed.
It would also need to handle execve/clone/fork/vfork sanely once a
rule was created.
auditctl -l should only show the rule that was loaded from user space
and not any helpers that might be created dynamically. Deleting the
rule should get rid of any helpers.
-Steve
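The rule lifecycle sketched in the reply above (the perm=x watch fires, a helper rule with the pid filled in is loaded, helpers disappear when the process exits or the user rule is deleted, and auditctl -l shows only the user rule) as a small Python model. This is an added example, not code from the thread or from the audit project; how clone/fork/vfork children and a later execve are treated is an assumption, since the mail only says they must be handled sanely.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    text: str                      # the rule exactly as loaded from user space
    exe: Optional[str]             # value of -F exe=, if this rule has one
    template: str                  # text with the exe filter stripped out
    helpers: Dict[int, str] = field(default_factory=dict)  # pid -> helper rule

class AuditRules:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, text: str) -> None:
        # Load a user-space rule; an exe= filter marks it as a trigger rule.
        exe = next((t[4:] for t in text.split() if t.startswith("exe=")), None)
        template = text.replace(f" -F exe={exe}", "") if exe else text
        self.rules.append(Rule(text, exe, template))

    def on_exec(self, pid: int, path: str) -> None:
        # The path/perm=x watch fired: fill in the pid and load a helper rule.
        for r in self.rules:
            if r.exe == path:
                r.helpers[pid] = f"{r.template} -F pid={pid}"
            elif r.exe is not None:
                r.helpers.pop(pid, None)  # assumption: exec into another image drops it

    def on_fork(self, parent: int, child: int) -> None:
        # Assumption: a clone/fork/vfork child inherits its parent's helpers.
        for r in self.rules:
            if parent in r.helpers:
                r.helpers[child] = f"{r.template} -F pid={child}"

    def on_exit(self, pid: int) -> None:
        # Process exited for any reason: every helper created for it goes away.
        for r in self.rules:
            r.helpers.pop(pid, None)

    def delete(self, text: str) -> None:
        # Deleting the user-space rule takes its helpers with it.
        self.rules = [r for r in self.rules if r.text != text]
    def listing(self) -> List[str]:
        # What auditctl -l shows: only the rules loaded from user space.
        return [r.text for r in self.rules]
    def active(self) -> List[str]:
        # What the kernel actually matches on: plain rules plus live helpers.
        out: List[str] = []
        for r in self.rules:
            out.extend([r.text] if r.exe is None else list(r.helpers.values()))
        return out
```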