Date: Tue, 17 Jan 2017 14:39:40 +0200
From: Lev Stipakov <lstipakov@gmail.com>
To: trustedbsd-audit@freebsd.org
Subject: posix_spawn and pid
Message-ID: <CAGyAFMXddeoZbtF3GKof7OK5bk5_+0GhzNf3ia3MdjcFjEHiLg@mail.gmail.com>
Hello,

I have an issue with bsmaudit on macOS. Sorry if this is the wrong place for this question - Apple asked me to file a bug, which I did a month ago, but nothing has happened so far.

So, I use bsmaudit for obtaining information about launched processes. I noticed that in _some_ cases the "posix_spawn" record contains the wrong pid - the parent pid - instead of the process pid.

The problem is easy to reproduce, here are the steps (assuming you have macOS):

1) Add "ex,pc" to flags and naflags in audit_control
2) sudo audit -s and logout to apply changes
3) sudo praudit /dev/auditpipe | grep -A7 'posix_spawn\|exec'
4) open fish shell (does not reproduce with bash/zsh, probably fish uses some special posix_spawn flags)
5) check shell's pid:

    > echo %self
    74763

6) run "ls" in subshell:

    > echo (/bin/ls)

7) check praudit's output:

    header,150,11,posix_spawn(2),0,Tue Jan 17 14:29:56 2017, + 70 msec
    argument,0,0x1249b,child PID
    exec arg,/bin/ls
    path,/bin/ls
    path,/bin/ls
    attribute,100755,root,wheel,16777220,7281523,0
    subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
    return,success,0
    trailer,150

Note that subject has pid "74763", which is the shell's pid, not ls!

My questions are:

1) Is it a bug in audit functionality? All fields seem to be correct except pid.
2) Anything I could do to mitigate it? I maintain a dictionary of {pid, process info}, and when I get, say, a file event from audit, I could attribute that event to certain process info. Current behavior makes my dictionary unusable.

--
-Lev
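The record quoted in the message carries the spawned process's pid in its own token, "argument,0,0x1249b,child PID" (0x1249b is 74907), while the subject token carries the parent's pid (74763). The following is an added example, not code from the original message or from any macOS or FreeBSD audit tool: a small parser for praudit(1) text output that keys a {pid: process info} table on the child-PID argument for posix_spawn(2) records and on the subject pid for execve(2) records. It assumes that a posix_spawn(2) record that spawned a new process always carries that "child PID" argument token (the e-mail shows one such record, which is the only evidence here) and falls back to the subject pid when the token is absent. The posix_spawn(2) sample record is copied from the message; the execve(2) record beside it is constructed for contrast.

```python
"""Attribute praudit(1) exec-family records to the right pid.

Added example for the posix_spawn pid question above; not code from the
original message. Assumption: a posix_spawn(2) record for a newly spawned
process carries an "argument,<n>,<hex pid>,child PID" token (the record in
the e-mail does); records without it are treated as exec-in-place and keyed
on the subject pid.
"""

# Constructed sample input. The first record is the posix_spawn(2) record
# quoted in the e-mail; the second is a constructed execve(2) record for the
# shell itself, so the two attribution rules can be seen side by side.
SAMPLE = """\
header,150,11,posix_spawn(2),0,Tue Jan 17 14:29:56 2017, + 70 msec
argument,0,0x1249b,child PID
exec arg,/bin/ls
path,/bin/ls
path,/bin/ls
attribute,100755,root,wheel,16777220,7281523,0
subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
return,success,0
trailer,150
header,140,11,execve(2),0,Tue Jan 17 14:28:01 2017, + 12 msec
exec arg,/usr/local/bin/fish
path,/usr/local/bin/fish
attribute,100755,root,wheel,16777220,7281000,0
subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
return,success,0
trailer,140
"""

EXEC_EVENTS = ("posix_spawn(2)", "execve(2)")


def parse_records(text):
    """Split praudit's one-token-per-line output into records.

    A record runs from a "header" token to the next "trailer" token; each
    token line is kept as its comma-split field list. Tokens seen before the
    first header (praudit attached mid-stream) are dropped.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if fields[0] == "header":
            # header,<len>,<version>,<event>,<modifier>,<time>...
            current = {"event": fields[3], "tokens": []}
        if current is None:
            continue
        current["tokens"].append(fields)
        if fields[0] == "trailer":
            records.append(current)
            current = None
    return records


def attribute_pid(record):
    """Return (pid, parent_pid) for an exec-family record.

    The subject token is subject,auid,uid,gid,ruid,rgid,pid,sid,port,addr,
    so the pid is field 6. For posix_spawn(2) the subject is the *spawning*
    process, and the spawned child's pid is in the "child PID" argument
    token as a hex value; without that token the record is taken to describe
    an in-place exec and the subject pid is used (assumption, see above).
    """
    subject_pid = child_pid = None
    for fields in record["tokens"]:
        if fields[0] == "subject":
            subject_pid = int(fields[6])
        elif fields[0] == "argument" and len(fields) >= 4 and fields[3] == "child PID":
            child_pid = int(fields[2], 16)
    if record["event"] == "posix_spawn(2)" and child_pid is not None:
        return child_pid, subject_pid
    return subject_pid, None


def build_process_table(text):
    """Build {pid: {"ppid", "path", "argv"}} from successful exec records.

    Failed spawns (return token not "success") are skipped so they cannot
    shadow the entry of a process that is actually running under that pid.
    """
    table = {}
    for rec in parse_records(text):
        if rec["event"] not in EXEC_EVENTS:
            continue
        succeeded = any(f[0] == "return" and f[1] == "success" for f in rec["tokens"])
        if not succeeded:
            continue
        pid, ppid = attribute_pid(rec)
        info = {"ppid": ppid, "path": None, "argv": []}
        for fields in rec["tokens"]:
            if fields[0] == "path" and info["path"] is None:
                info["path"] = fields[1]
            elif fields[0] == "exec arg":
                info["argv"] = fields[1:]
        table[pid] = info
    return table


if __name__ == "__main__":
    for pid, info in sorted(build_process_table(SAMPLE).items()):
        print(pid, info)
```

Feeding `sudo praudit /dev/auditpipe` into `build_process_table` line by line would give a table in which the `ls` spawned by fish is recorded under 74907 with parent 74763, instead of overwriting the shell's own entry. Note that the parser splits on commas, so a path containing a comma would be split; praudit's `-x` (XML) output avoids that if it matters in practice.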