6:01 p.m.
Hi,
I'm wondering if there's a good way of detecting the loading of
libraries by processes (I am specifically NOT talking about the uselib
syscall).
strace shows me apps do open(...)/mmap/mprotect
I'm currently intercepting mmap calls, however no additional context
records are given to provide the name of the library, and the file
descriptor is the 5th parameter, so I can't get that either to match it
to an open(...)
Is there a way to do this that I'm missing ?
Thanks,
Hassan
7:30 p.m.
Ok, I now see the file descriptor in a context record for mmap
*sometimes*
1300 - audit(1421886600.839:25623): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25624): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25625): arch=c000003e syscall=9 success=yes
exit=140564239544320 a0=0 a1=2020f0 a2=5 a3=802 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1323 - audit(1421886600.839:25625): fd=10 flags=0x802
1300 - audit(1421886600.839:25626): arch=c000003e syscall=9 success=yes
exit=140564241645568 a0=7fd7a9b10000 a1=2000 a2=3 a3=812 items=0
ppid=23505 pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo"
key=(null)
1323 - audit(1421886600.839:25626): fd=10 flags=0x812
1300 - audit(1421886600.839:25627): arch=c000003e syscall=9 success=yes
exit=140564293640192 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
Any idea why the 1323 shows up sometimes and not each time an mmap call
is made ? Is the record generated only on the 1st mmap call for a
library ?
Thanks,
Hassan
On 2015-01-21 16:01, hsultan(a)thefroid.net wrote:
Hi,
I'm wondering if there's a good way of detecting the loading of
libraries by processes (I am specifically NOT talking about the
uselib
syscall).
strace shows me apps do open(...)/mmap/mprotect
I'm currently intercepting mmap calls, however no additional context
records are given to provide the name of the library, and the file
descriptor is the 5th parameter, so I can't get that either to match
it to an open(...)
Is there a way to do this that I'm missing ?
Thanks,
Hassan
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
6:48 p.m.
On Wednesday, January 21, 2015 04:01:59 PM hsultan(a)thefroid.net wrote:
I'm wondering if there's a good way of detecting the loading
of
libraries by processes (I am specifically NOT talking about the uselib
syscall).
This has never been a problem people needed a solution for. Its always been
assumed that the runtime linker does the right thing.
strace shows me apps do open(...)/mmap/mprotect
I'm currently intercepting mmap calls, however no additional context
records are given to provide the name of the library, and the file
descriptor is the 5th parameter, so I can't get that either to match it
to an open(...)
Is there a way to do this that I'm missing ?
I'd almost thing you'd want to patch ld.so to provide this...but then its not
running as a privileged process. So, it can't do it. Ld is the thing that
knows the _intent_ behind the open and mmap and mprot. Nothing else does.
-Steve
3625
days inactive
3630
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
hsultan@thefroid.net -
Steve Grubb