Date: Tue, 17 Jan 2017 14:39:40 +0200 From: Lev Stipakov <lstipakov@gmail.com> To: trustedbsd-audit@freebsd.org Subject: posix_spawn and pid Message-ID: <CAGyAFMXddeoZbtF3GKof7OK5bk5_%2B0GhzNf3ia3MdjcFjEHiLg@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello,
I have an issue with bsmaudit on macOS. Sorry if this is wrong place for
this question - Apple asked me to file a bug, which I did month ago, but
nothing has happened so far.
So, I use bsmaudit for obtaining information about launched processed. I
noticed that in _some_ cases "posix_spawn" record contains wrong pid -
parent pid - instead of process pid.
Problem is easy to reproduce, here are steps (assuming you have macOS):
1) Add "ex,pc" to flags and naflags in audit_control
2) sudo audit -s and logout to apply changes
3) sudo praudit /dev/auditpipe | grep -A7 'posix_spawn\|exec'
4) open fish shell (does not reproduce with bash/zsh, probably fish uses
some special posix_spawn flags)
5) check shell''s pid:
> echo %self
> 74763
6) run "ls" in subshell
> echo (/bin/ls)
7) check praudit's output:
header,150,11,posix_spawn(2),0,Tue Jan 17 14:29:56 2017, + 70 msec
argument,0,0x1249b,child PID
exec arg,/bin/ls
path,/bin/ls
path,/bin/ls
attribute,100755,root,wheel,16777220,7281523,0
subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
return,success,0
trailer,150
Note that subject has pid "74763", which is shell's pid, not ls!
My questions are:
1) Is it a bug in audit functionality? all fields seems to be correct
except pid.
2) Anything I could do to mitigate it? I maintain a dictionary of {pid,
process info}, and when I get, say, file event from audit, I could
attribute that event to certain process info. Current behavior makes my
dictionary unusable.
--
-Lev
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGyAFMXddeoZbtF3GKof7OK5bk5_%2B0GhzNf3ia3MdjcFjEHiLg>