full cwd in exec log lines

Discuss and suggest new grsecurity features

full cwd in exec log lines

Postby rocky » Wed Aug 06, 2008 11:52 am

Due to some silly (read stupid) limitations of the corporate auditing tool we use, I'm being asked to investigate if it would be possible to include the full current working directory in exec lines. IE On line two include that '/bin/ls' was exec'd in '/usr'.

I'm guessing it's a simple change to GR_EXEC_AUDIT_MSG or DEFAULTSECMSG , however my C-fu is weak.

Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100

would become something like
Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) in /usr by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100

Any help you can provide would be greatly appreciated.

-Rocky
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Re: full cwd in exec log lines

Postby rocky » Wed Aug 13, 2008 9:29 am

Anyone? ={
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Re: full cwd in exec log lines

Postby cormander » Wed Aug 13, 2008 11:51 am

In addition to altering the message string GR_EXEC_AUDIT_MSG in include/linux/grmsg.h (adding another %s reference) you'll also have to edit the line that references it in ./grsecurity/grsec_exec.c to pass it the pointer to the string of the current working directory.

You might also have to edit the gr_log_fs_str definition inside ./include/linux/grinternal.h to fix compile errors.

I'm not at all aware of how to get the current working directory of a userspace process from within the kernel like this, so that much you'll have to figure out on your own.

If you do happen to get this working, post back a patch. Sounds like a useful little addition.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: full cwd in exec log lines

Postby rocky » Thu Aug 14, 2008 10:48 am

Thanks!

Sadly, while I think I understood everything you said, I'm pretty sure the skill level to implement it is above me. Any bored ninjas willing to take a crack?

-Rocky
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Re: full cwd in exec log lines

Postby Kp » Sat Aug 23, 2008 1:32 pm

The cwd link in the proc pseudo-directory for a process is able to return the active directory of the process. Look in fs/proc/base.c for proc_pid_follow_link and proc_cwd_link for how this is done. Take care to rewrite unprintable characters so that users cannot foul your logs by making directories with newlines in the name.

What kernel version do you need patched for your feature?
Kp
 
Posts: 46
Joined: Tue Sep 20, 2005 12:56 am

Re: full cwd in exec log lines

Postby rocky » Mon Aug 25, 2008 11:05 am

2.6.14.6 is what we are running on the machines.
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am


Return to grsecurity development

cron