From owner-freebsd-hackers@FreeBSD.ORG Mon Oct 30 05:26:30 2006
Message-ID: <45458D02.7040008@elischer.org>
Date: Sun, 29 Oct 2006 21:26:26 -0800
From: Julian Elischer
To: Dave Clausen
Cc: freebsd-hackers@freebsd.org
Subject: Re: Process arguments
In-Reply-To: <45458BBE.6030103@endlessdream.org>
References: <45458BBE.6030103@endlessdream.org>
List-Id: Technical Discussions relating to FreeBSD

Dave Clausen wrote:
> Hello list,
>
> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run
> on the command line from within the kernel for security purposes by
> loading a kernel module which redefines execve(). I've successfully
> created the KLD and have it working, but am having problems saving the
> command's arguments.
> Could anyone point me to where in the kernel I should be looking for the
> arguments sent to the process?
> p->p_args gives me the parent process's cmdname only (sh, in this case),
> and uap->argv is just the relative pathname of uap->fname. Ideally, I'd
> like the user, full command line, and cwd logged for each command entered.
>
> Here's an example of what I've been working away on:
>
> #include <sys/param.h>
> #include <sys/systm.h>
> #include <sys/malloc.h>
> #include <sys/proc.h>
> #include <sys/sysproto.h>
> #include <sys/ucred.h>
>
> int
> new_execve(struct thread *td, struct execve_args *uap)
> {
>         char *user, *fname;
>         size_t done;
>         struct proc *p = td->td_proc;
>
>         user = p->p_pgrp->pg_session->s_login;   /* set by setlogin(2) */
>         if (p->p_ucred->cr_ruid == 1001) {
>                 /* uap->fname is a user pointer: copy it in, don't dereference it in the kernel */
>                 fname = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
>                 if (copyinstr(uap->fname, fname, MAXPATHLEN, &done) == 0)
>                         printf("%s %d %s\n", user, p->p_pid, fname);
>                 free(fname, M_TEMP);
>         }
>         return (execve(td, uap));
> }
>
> Running 'ls -al' with the above, I get the username, pid, and absolute
> filename printed, such as the following, but can't find the actual
> arguments:
> dave 6689 /bin/ls
>
> Any help would be appreciated.
>

There have been patches around for years that do this. I know I used them
for Bank of America in their security auditing. I cannot remember the name
of them, however.

>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
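The reason the hook above sees only a pathname is that uap->argv is a pointer to a NULL-terminated array of pointers that live in the calling process's memory, not in the kernel: each slot has to be copied in, and then each string it points to has to be copied in, with a bound on both. The example below is added here to show that walk; it is not code from the thread, from the patches Julian refers to, or from the FreeBSD tree. It is written as plain user-space C so it compiles and runs without kernel headers: the hypothetical fetch_ptr() and fetch_str() helpers stand in for the kernel's copyin() and copyinstr() and simply dereference their argument, the ARG_STR_MAX and ARG_TOTAL_MAX limits are values chosen for the example, and the sample argv arrays are constructed, not captured from a real system. The security-relevant part a practitioner wants from an exec logger is also here: arguments are escaped so a crafted argument containing a newline or spaces cannot forge or split a log record, and per-argument and total sizes are capped so a caller cannot make the hook copy unbounded data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits chosen for this example, not kernel constants. */
#define ARG_STR_MAX   1024	/* per-argument cap, comparable to MAXPATHLEN */
#define ARG_TOTAL_MAX 4096	/* cap on total argv bytes copied per exec */

/*
 * Hypothetical stand-ins for the kernel copy-from-user primitives. In a KLD
 * these would be copyin() for each argv[] slot and copyinstr() for each
 * string; here they dereference directly so the file runs in user space.
 */
static int
fetch_ptr(const char *const *uaddr, const char **kaddr)
{
	/* KLD: return (copyin(uaddr, kaddr, sizeof(*kaddr))); */
	*kaddr = *uaddr;
	return (0);
}

static int
fetch_str(const char *uaddr, char *kaddr, size_t len, size_t *done)
{
	/* KLD: return (copyinstr(uaddr, kaddr, len, done)); */
	size_t n;

	for (n = 0; n < len && uaddr[n] != '\0'; n++)
		;
	if (n == len)
		return (ENAMETOOLONG);		/* no NUL within len bytes */
	memcpy(kaddr, uaddr, n + 1);
	*done = n + 1;
	return (0);
}

/* Append one byte, always keeping out[] NUL-terminated. */
static int
put(char *out, size_t outlen, size_t *pos, char c)
{
	if (*pos + 1 >= outlen)
		return (ENOSPC);
	out[(*pos)++] = c;
	out[*pos] = '\0';
	return (0);
}

/*
 * Append one argument byte, escaped so an argument cannot forge a record:
 * space and backslash get a backslash, control bytes (newline above all)
 * become \xNN.
 */
static int
put_escaped(char *out, size_t outlen, size_t *pos, unsigned char c)
{
	char esc[5];
	size_t k;
	int error;

	if (c == ' ' || c == '\\')
		snprintf(esc, sizeof(esc), "\\%c", c);
	else if (c < 0x20 || c == 0x7f)
		snprintf(esc, sizeof(esc), "\\x%02x", c);
	else
		snprintf(esc, sizeof(esc), "%c", c);
	for (k = 0; esc[k] != '\0'; k++)
		if ((error = put(out, outlen, pos, esc[k])) != 0)
			return (error);
	return (0);
}

/*
 * Walk a NULL-terminated user argv[] into one space-separated log line.
 * Each string is copied in once, sizes are capped, and on any failure the
 * partial line is marked with "..." and the errno is returned so the caller
 * can decide whether the exec should still proceed.
 */
int
format_argv(const char *const *uargv, char *out, size_t outlen)
{
	char buf[ARG_STR_MAX];
	const char *uarg;
	size_t pos = 0, total = 0, done, i, j;
	int error;

	out[0] = '\0';
	for (i = 0; ; i++) {
		if ((error = fetch_ptr(uargv + i, &uarg)) != 0)
			return (error);
		if (uarg == NULL)
			return (0);		/* terminator: line complete */
		if ((error = fetch_str(uarg, buf, sizeof(buf), &done)) != 0)
			goto truncated;
		total += done;
		if (total > ARG_TOTAL_MAX) {
			error = E2BIG;
			goto truncated;
		}
		if (i > 0 && (error = put(out, outlen, &pos, ' ')) != 0)
			goto truncated;
		for (j = 0; buf[j] != '\0'; j++)
			if ((error = put_escaped(out, outlen, &pos, buf[j])) != 0)
				goto truncated;
	}
truncated:
	if (outlen >= 4)
		memcpy(out + (pos < outlen - 4 ? pos : outlen - 4), "...", 4);
	return (error);
}

/* Constructed sample argv arrays (not captured from a real system). */
const char *const sample_ls[] = { "ls", "-al", NULL };
const char *const sample_forged[] = { "sh", "-c", "id\nroot 0 /bin/sh", NULL };
char log_line[256];

/* One argument longer than ARG_STR_MAX: the walk stops with ENAMETOOLONG. */
int
demo_overlong(char *out, size_t outlen)
{
	static char big[ARG_STR_MAX + 8];
	const char *argv[] = { "prog", big, NULL };

	memset(big, 'A', sizeof(big) - 1);
	big[sizeof(big) - 1] = '\0';
	return (format_argv(argv, out, outlen));
}

int
main(void)
{
	int error;

	error = format_argv(sample_ls, log_line, sizeof(log_line));
	printf("%d: %s\n", error, log_line);
	error = format_argv(sample_forged, log_line, sizeof(log_line));
	printf("%d: %s\n", error, log_line);
	error = demo_overlong(log_line, sizeof(log_line));
	printf("%d: %s\n", error, log_line);
	return (0);
}
```

Two caveats for anyone moving this into a real execve() wrapper. First, the hook's copy and the real execve()'s own copy of argv are separate copyins, so a multithreaded caller can rewrite its argv between them and the logged line is not guaranteed to be the one that was executed; auditing that needs to be exact has to be done from the exec path itself rather than from a wrapper in front of it. Second, a wrapper like this runs on every exec on the system, so the cost of the walk, and the decision whether to fail the exec when format_argv() returns an error, should be made deliberately rather than defaulting to "log what fits and continue".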