Re: [PATCH] TaskTracker : Simplified thread information tracker.

May I continue proposing this functionality?

From the audit perspective, sure. I think we were expecting a revised

I want to identify where bash is executed from in the RHEL servers in order to assess possibility of damage caused by CVE-2014-6271. Tetsuo Handa wrote: > Thank you for your comment, Steve. > > Steve Grubb wrote: > > On Monday, June 23, 2014 09:14:35 PM Tetsuo Handa wrote: > >> Any comments on this proposal? > > > > subj= is the wrong way to record this. The subj field name is for > > process labels. When field names get re-used for different > > purposes, it causes lots of problems in being able to assign > > meaning and correctly use it in analysis. I would suggest using > > phist= for process history or something like that. Please don't > > re-use subj for this. > > This was just a sample implementation. If this proposal is > acceptable as a patch to auditing subsystem, I'm happy to update > not to re-use subj= field and not to occupy LSM. An updated version > is attached. > > > Also, the comm file is under control of the user. What if they > > create a program "sshd=>crond"? Would that throw off the > > analysis? How do you ensure user supplied names do not contain > > symbols that you are using to denote parentage? > > OK. I added '=' in comm name to the list of need-to-escape bytes. > > By the way, audit_string_contains_control() treats *p == '"' || *p > < 0x21 || *p > 0x7e as need-to-escape bytes. Thus, 0x20 from > audit_log_untrustedstring() is a need-to-escape byte. However, I > can see that 0x20 from userspace programs is emitted without > escaping. > > type=USER_START msg=audit(1403741835.270:16): user pid=1870 uid=0 > auid=0 ses=1 msg='op=login id=0 exe="/usr/sbin/sshd" > hostname=192.168.0.1 addr=192.168.0.1 terminal=/dev/pts/0 > res=success' > > Where can I find which bytes in $value need to be escaped when > emitting a record like name='$value' ? Is 0x20 in $value permitted? > > > Also, would you consider adding this information as a auxiliary > > record rather than as part of a syscall record? The advantage is > > it can be filtered or searched for. We recently did this for > > PROCTITLE information. Perhaps this fits better as a PROCHIST > > auxiliary record? > > I changed to use auxiliary record and noticed a difference. > The previous version emitted the history for type=USER_LOGIN case > > type=USER_LOGIN msg=audit(1400879947.084:24): pid=4308 uid=0 > auid=0 ses=2 > subj="swapper/0(2014/05/23-21:17:30)=>init(2014/05/23-21:17:33)=> > switch_root(2014/05/23-21:17:34)=>init(2014/05/23-21:17:34)=> > sh(2014/05/23-21:17:56)=>mingetty(2014/05/23-21:17:56)=> > login(2014/05/23-21:19:05)" msg='op=login id=0 exe="/bin/login" > hostname=? addr=? terminal=tty1 res=success' > > but current version does not emit it for type=USER_LOGIN case. > Does auxiliary record work with only type=SYSCALL case (and > therefore I should use CONFIG_AUDITSYSCALL rather than CONFIG_AUDIT > in the patch below) ? > > Regards. > ---------- > >From d015533ce544feb8922fcbf023017c82bd79a9ac Mon Sep 17 00:00:00 > >2001 > From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp&gt; > Date: Thu, 26 Jun 2014 09:39:14 +0900 > Subject: [PATCH] audit: Emit history of thread's comm name. > > When an unexpected system event (e.g. reboot) occurs, the > administrator may want to identify which application triggered the > event. System call auditing could be used for recording such event. > However, the audit log may not be able to provide sufficient > information for identifying the application because the audit log > does not reflect how the program was executed. > > This patch adds ability to trace how the program was executed and > emit it as an auxiliary record in the form of comm name and time > stamp pairs as of execve(). > > type=UNKNOWN[1329] msg=audit(1403741314.019:22): history=' > swapper/0(2014/06/26-09:06:04)=>init(2014/06/26-09:06:10)=> > switch_root(2014/06/26-09:06:13)=>init(2014/06/26-09:06:13)=> > sh(2014/06/26-00:06:27)=>rc(2014/06/26-00:06:27)=> > S55sshd(2014/06/26-00:06:35)=>sshd(2014/06/26-00:06:35)=> > sshd(2014/06/26-00:06:40)=>bash(2014/06/26-00:06:43)=> > tail(2014/06/26-00:08:34)' > > Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp&gt; > --- > fs/exec.c | 1 + > include/linux/audit.h | 23 +++++++++++- > include/linux/init_task.h | 9 ++++ > include/linux/sched.h | 5 ++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 90 > ++++++++++++++++++++++++++++++++++++++++++++ > kernel/auditsc.c | 19 +++++++++ 7 files changed, 147 > insertions(+), 1 deletions(-) >