On Monday, August 7, 2023 10:24:51 AM EDT Tetsuo Handa wrote:
On 2023/08/07 7:01, Steve Grubb wrote:
> This is where the problem begins. We like to have normalized audit
> records. Meaning that a type of event defines the fields it contains. In
> this case subject would be a process label. and there is already a
> precedent for what fields belong in a syscall record.
What is the definition of "a process label"? SELinux / Smack / AppArmor are
using security_secid_to_secctx() hook for providing string data for the
subj= field. I don't think that they are restricting characters that can
be included. Then, what is wrong with returning subset of ASCII printable
characters from tt_secid_to_secctx() ?
Typically the label is used for access control decisions. But processes have
other attributes such as a list of open files. I think adding this information
will be useful - I'm not opposed to the idea. I am just thinking about how to
present the information where it is more useful.
<snip>
> What I would suggest is to make a separate record:
AUDIT_PROC_TREE that
> describes process tree from the one killed up to the last known parent.
> This way you can define your own format and SYSCALL can stay as everyone
> expects it to look. In the EXECVE audit record, there is a precedent of
> using agv[0]=xx argv[1]=xx argv[2]=yy and so on. If you want to make
> these generally parsable without special knowledge of the record format,
> I'd suggest something like it.
Yes,
https://lkml.kernel.org/r/201501202220.DJJ34834.OLJOHFMQOFtSVF@I-love.SAKU
RA.ne.jp used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died
there.
I do not read that mail list. AUDIT_PROC_HIST or AUDIT_PROC_CHAIN or some
thing like that would be the better way to go. If someone wanted to see if
they have process history for a segfault, how would they do it with the
proposed record?
ausearch --subject sshd
That just doesn't seem right. If you had a record dedicated to this
information, then you can do:
ausearch -m PROC_HIST
and it would give you that information. And if you had the data split up
like: p[0]=xx p[1]=xx p[2]=yy
Then someone could do this to make a report specific to this:
import auparser as aup
au = aup.AuParser(aup.AUSOURCE_FILE, "audit.log")
au.search_add_expression("type r= PROC_HIST", aup.AUSEARCH_RULE_CLEAR)
au.search_set_stop(aup.AUSEARCH_STOP_RECORD)
while au.search_next_event():
print("Call chain: ", end="")
while True:
print(au.interpret_field(), end = "")
if au.next_field() == False:
break
print("->", end="")
au = None
sys.exit(0)
This would be more programmer friendly.
-Steve