Date: Sun, 29 Oct 2006 21:26:26 -0800
From: Julian Elischer <julian@elischer.org>
To: Dave Clausen <dave@endlessdream.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Process arguments
Message-ID: <45458D02.7040008@elischer.org>
In-Reply-To: <45458BBE.6030103@endlessdream.org>
References: <45458BBE.6030103@endlessdream.org>
Dave Clausen wrote:
> Hello list,
>
> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run
> on the command line from within the kernel for security purposes by
> loading a kernel module which redefines execve(). I've successfully
> created the KLD and have it working, but am having problems saving the
> command's arguments.
> Could anyone point me to where in the kernel I should be looking for the
> arguments sent to the process? p->p_args gives me the parent process's
> cmdname only (sh, in this case), and uap->argv is just the relative
> pathname of uap->fname. Ideally, I'd like the user, full command line,
> and cwd logged for each command entered.
>
> Here's an example of what I've been working away on:
>
> #include <sys/param.h>
> #include <sys/systm.h>
> #include <sys/malloc.h>
> #include <sys/proc.h>
> #include <sys/sysproto.h>
> #include <sys/ucred.h>
>
> int
> new_execve(struct thread *td, struct execve_args *uap)
> {
>     char *user, *fname;
>     struct proc *p = td->td_proc;
>
>     user = p->p_pgrp->pg_session->s_login;
>     if (p->p_ucred->cr_ruid == 1001) {    /* only auditing this uid for now */
>         /* uap->fname is a user-space pointer: copy it in before using it. */
>         fname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
>         if (copyinstr(uap->fname, fname, MAXPATHLEN, NULL) == 0)
>             printf("%s %d %s\n", user, p->p_pid, fname);
>         free(fname, M_TEMP);
>     }
>     return (execve(td, uap));
> }
>
> Running 'ls -al' with the above, I get the username, pid, and absolute
> filename printed, such as the line below, but can't find the actual arguments:
> dave 6689 /bin/ls
>
> Any help would be appreciated.
>
There have been patches around for years that do this.
I know I used them for Bank of America in their security auditing.
I cannot remember the name of them, however.
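Editor's note, with an added example that is not code from this thread or from any of the patches Julian mentions. The reason p->p_args showed "sh" is that before the exec it still describes the calling image; once execve() has returned 0 the kernel has installed its own copy of the new image's arguments there (struct pargs: the strings concatenated, each NUL-terminated, ar_length bytes in total), so a hook can call execve() first and log on success from that copy rather than from uap->argv. Two caveats: p_args is NULL when the argument block exceeds kern.ps_arg_cache_limit (256 bytes by default), in which case the strings have to be copied in from uap->argv with copyin()/copyinstr() before the exec, and what was copied then is not guaranteed to be what the kernel copies a moment later; and the cwd has to be resolved from p->p_fd->fd_cdir with vn_fullpath(9). The example below is the part a logger still needs either way: turning that NUL-separated block plus user, pid and cwd into exactly one bounded log line. Bytes an attacker can put into an argument or a directory name (newlines, spaces, control characters) are escaped as \xNN so a crafted `ls` invocation cannot forge or split audit records, and a line that did not fit is marked rather than silently cut. It is written for userland so it can be compiled and run; the function names render_args and audit_line are my own, and the sample argument block is constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Append one byte if it fits, always leaving room for the final NUL. */
static int put_byte(char *out, size_t outlen, size_t *pos, char c)
{
    if (*pos + 1 >= outlen)
        return 0;
    out[(*pos)++] = c;
    return 1;
}

/* Append n bytes of s, escaping anything that could split or forge a log
 * line (space, control characters, DEL, non-ASCII, backslash) as \xNN.
 * Returns 0 when the output buffer filled up. */
static int put_escaped(char *out, size_t outlen, size_t *pos,
                       const char *s, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    size_t i;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c > 0x20 && c < 0x7f && c != '\\') {
            if (!put_byte(out, outlen, pos, (char)c))
                return 0;
        } else {
            char esc[4] = { '\\', 'x', hex[c >> 4], hex[c & 0xf] };
            int k;
            for (k = 0; k < 4; k++)
                if (!put_byte(out, outlen, pos, esc[k]))
                    return 0;
        }
    }
    return 1;
}

/* Render a pargs-style block (len bytes of NUL-terminated strings, the
 * layout of ar_args/ar_length) as one escaped, space-separated command
 * line.  On overflow the tail becomes "..." so a truncated line is
 * distinguishable from a short one.  Returns the number of arguments
 * rendered completely. */
size_t render_args(const char *blob, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, nargs = 0, start = 0;
    int ok = 1;

    if (outlen == 0)
        return 0;
    while (ok && start < len) {
        const char *nul = memchr(blob + start, '\0', len - start);
        size_t n = nul ? (size_t)(nul - (blob + start)) : len - start;

        if (nargs > 0 && !put_byte(out, outlen, &pos, ' '))
            ok = 0;
        else if (!put_escaped(out, outlen, &pos, blob + start, n))
            ok = 0;
        else {
            nargs++;
            start += n + 1;
        }
    }
    if (!ok && outlen > 4) {
        if (pos > outlen - 4)
            pos = outlen - 4;
        memcpy(out + pos, "...", 3);
        pos += 3;
    }
    out[pos] = '\0';
    return nargs;
}

/* The audit line the question asks for: user, pid, cwd, command line.
 * In a kernel hook these come from td->td_proc (s_login, p_pid, the cwd
 * resolved from p_fd->fd_cdir, p_args); here they are parameters. */
int audit_line(char *out, size_t outlen, const char *user, int pid,
               const char *cwd, const char *blob, size_t len)
{
    int n = snprintf(out, outlen, "%s %d ", user, pid);
    size_t pos;

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    pos = (size_t)n;
    if (!put_escaped(out, outlen, &pos, cwd, strlen(cwd)) ||
        !put_byte(out, outlen, &pos, ':') ||
        !put_byte(out, outlen, &pos, ' ')) {
        out[pos] = '\0';
        return -1;
    }
    return (int)render_args(blob, len, out + pos, outlen - pos);
}

int main(void)
{
    /* Constructed sample: the block pargs would hold after
     * execve("/bin/ls", {"ls", "-al", "/tmp/x<newline>y"}, ...). */
    static const char blob[] = "ls\0-al\0/tmp/x\ny";
    char line[128];

    audit_line(line, sizeof line, "dave", 6689, "/home/dave", blob, sizeof blob);
    puts(line);   /* dave 6689 /home/dave: ls -al /tmp/x\x0ay */
    return 0;
}
```

The escaping is deliberately strict (every space becomes \x20) so a consumer can split the line on single spaces and get back exactly one field per argument; if the log is only read by people, relaxing it to quote only control characters is a one-line change in put_escaped.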
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45458D02.7040008>
