Re: [PATCH] audit: Add cmdline to taskinfo output
On Tue, Oct 29, 2013 at 10:44 AM, William Roberts
<bill.c.roberts(a)gmail.com>wrote:
On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
> > On some devices, the cmdline and task info vary. For instance, on
> > Android, the cmdline is set to the package name, and the task info
> > is the name of the VM, which is not very helpful.
> >
> > The additional cmdline output only runs if the audit feature
> > AUDIT_FEATURE_CMDLINE_OUTPUT is set high at runtime.
>
> I don't exactly like this. The audit event records are very normalized.
> When
> you have a specific kind of record, you can count on always having the
> certain
> fields even if its value is (NULL). So, having fields swinging in and out
> by
> configuration is not something I'd like to see start.
>
> Can you show me an event that has the problem and what it looks like when
> its
> fixed by this patch?
>
> Thanks,
> -Steve
>
I'm 100% ok with the dynamic option changing it from NULL to a real value
IMO a like
that better then what I currently have.
Old:
type=1300 msg=audit(1383022671.232:230): arch=40000028 syscall=54
per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0
ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
comm=4173796E635461736B202331 exe="/system/bin/app_process" subj=u:r:nfc:s0
key=(null)
Issue:
comm field in task is only 16 chars, to small for most package names, and
already contains the VM command. I really have no information of what
Android App has created the issue.
Solution:
Get the proc cmdline info (not trust worthy, but can help debugging
Android)
type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5
per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c
items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027
suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none)
ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process"
cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
Now I know it was the NFC app
FYI, from this point I would get the application from a trustworthy source
and audit it, obviously this could be an app using setproctitle() and
spoofing something legitimate. Like malicious app A pretending to be angry
birds. I cant read this
cmdline value form userspace, as a denial from selinux may cause the app to
crash. So sometimes the apps proc entry is gone before I can record what
happened in userspace.
Attachments:
- attachment.html (text/html — 3.6 KB)