On 15/07/17, Richard Guy Briggs wrote:
> On 15/07/16, Paul Moore wrote:
> > On Tuesday, July 14, 2015 11:50:23 AM Richard Guy Briggs wrote:
> > > From: Eric Paris <epa...@redhat.com>
> > >
> > > This patch implements the ability to filter on the executable. It is
> > > clearly incomplete! This patch adds the inode/dev of the executable at
> > > the moment the rule is loaded. It does not update if the executable is
> > > updated/moved/whatever. That should be added. But at this moment, this
> > > patch works.
<snip>
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 9fb9d1c..bf745c7 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -71,6 +72,7 @@
> > > #include <linux/capability.h>
> > > #include <linux/fs_struct.h>
> > > #include <linux/compat.h>
> > > +#include <linux/sched.h>
> > > #include <linux/ctype.h>
> > > #include <linux/string.h>
> > > #include <uapi/linux/limits.h>
> > > @@ -466,6 +468,20 @@ static int audit_filter_rules(struct task_struct
> > > *tsk,
> > > result = audit_comparator(ctx->ppid, f->op,
> > > f->val);
> > > }
> > > break;
> > > + case AUDIT_EXE:
> > > + result = audit_exe_compare(tsk, rule->exe);
> > > + break;
> > > + case AUDIT_EXE_CHILDREN:
> > > + {
> > > + struct task_struct *ptsk;
> > > + for (ptsk = tsk; ptsk->parent->pid > 0; ptsk =
> > > find_task_by_vpid(ptsk->parent->pid)) {
> > > + if (audit_exe_compare(ptsk, rule->exe)) {
> > > + ++result;
> > > + break;
> > > + }
> > > + }
> > > + }
> > > + break;
> >
> > I don't completely understand the point of AUDIT_EXE_CHILDREN filter, what
> > problem are we trying to solve? It checks to see if there is an executable
> > match starting with the current process and walking up the process' parents
> > in
> > the current pid namespace?
>
> Say we want to monitor /usr/sbin/apache2 and all its spawned processes.
> Set up a rule that uses AUDIT_EXE_CHILDREN with /usr/sbin/apache2, then
> when it spawns a cgi running perl or php, those actions will be caught.
>
> > Help me understand what this accomplishes, I'm a little tried right now and
> > I
> > just don't get it.
>
> This was Peter Moody's idea and it made sense, so we kept it.
Peter, do you have anything to add to justify keeping
AUDIT_EXE_CHILDREN?
> > paul moore
>
> - RGB
- RGB
--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
