Hi,
I have been working on some code that detects abnormal events based on audit
system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.20.i686.orig/fs/exec.c linux-2.6.20.i686/fs/exec.c
--- linux-2.6.20.i686.orig/fs/exec.c 2007-04-19 09:34:51.000000000 -0400
+++ linux-2.6.20.i686/fs/exec.c 2007-04-19 09:27:26.000000000 -0400
@@ -1458,6 +1458,10 @@ int do_coredump(long signr, int exit_cod
int fsuid = current->fsuid;
int flag = 0;
int ispipe = 0;
+ extern int audit_enabled;
+
+ if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT)
+ audit_core_dumps(signr);
binfmt = current->binfmt;
if (!binfmt || !binfmt->core_dump)
diff -urp linux-2.6.20.i686.orig/include/linux/audit.h
linux-2.6.20.i686/include/linux/audit.h
--- linux-2.6.20.i686.orig/include/linux/audit.h 2007-04-19 09:35:13.000000000 -0400
+++ linux-2.6.20.i686/include/linux/audit.h 2007-04-19 09:33:12.000000000 -0400
@@ -111,6 +111,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
@@ -376,6 +377,7 @@ static inline void audit_inode_update(co
if (unlikely(!audit_dummy_context()))
__audit_inode_update(inode);
}
+void audit_core_dumps(long signr);
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
@@ -461,6 +463,7 @@ extern int audit_n_rules;
#define audit_inode(n,i) do { ; } while (0)
#define audit_inode_child(d,i,p) do { ; } while (0)
#define audit_inode_update(i) do { ; } while (0)
+#define audit_core_dumps(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
#define audit_log_task_context(b) do { ; } while (0)
diff -urp linux-2.6.20.i686.orig/kernel/auditsc.c linux-2.6.20.i686/kernel/auditsc.c
--- linux-2.6.20.i686.orig/kernel/auditsc.c 2007-04-19 09:35:27.000000000 -0400
+++ linux-2.6.20.i686/kernel/auditsc.c 2007-04-19 09:30:42.000000000 -0400
@@ -1935,3 +1935,36 @@ void __audit_signal_info(int sig, struct
selinux_get_task_sid(tsk, &audit_sig_sid);
}
}
+
+/**
+ * audit_core_dumps - record information about processes that end abnormally
+ * @sig: signal value
+ *
+ * If a process ends with a core dump, something fishy is going on and we
+ * should record the event for investigation.
+ */
+void audit_core_dumps(long signr)
+{
+ struct audit_buffer *ab;
+ u32 sid;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ audit_log_format(ab, "auid=%u uid=%u gid=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid);
+ selinux_get_task_sid(current, &sid);
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+
+ if (selinux_sid_to_string(sid, &ctx, &len))
+ audit_log_format(ab, " ssid=%u", sid);
+ else
+ audit_log_format(ab, " subj=%s", ctx);
+ kfree(ctx);
+ }
+ audit_log_format(ab, " pid=%d comm=", current->pid);
+ audit_log_untrustedstring(ab, current->comm);
+ audit_log_format(ab, " sig=%ld", signr);
+ audit_log_end(ab);
+}
Show replies by date