Date: Mon, 30 Oct 2006 14:31:01 +0800
From: Ganbold <ganbold@micom.mng.net>
To: Dave Clausen <dave@endlessdream.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Process arguments
Message-ID: <45459C25.1060909@micom.mng.net>
In-Reply-To: <45458BBE.6030103@endlessdream.org>
References: <45458BBE.6030103@endlessdream.org>
Dave Clausen wrote:
> Hello list,
>
> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands
> run on the command line from within the kernel for security purposes
> by loading a kernel module which redefines execve(). I've
> successfully created the KLD and have it working, but am having
> problems saving the command's arguments.
> Could anyone point me to where in the kernel I should be looking for
> the arguments sent to the process? p->p_args gives me the parent
> process's cmdname only (sh, in this case), and uap->argv is just the
> relative pathname of uap->fname. Ideally, I'd like the user, full
> command line, and cwd logged for each command entered.
>
> Here's an example of what I've been working away on:
>
> int
> new_execve(struct thread *td, struct execve_args *uap)
> {
>         char *user;
>         struct proc *p = td->td_proc;
>
>         /* login name of the session owning this process */
>         user = p->p_pgrp->pg_session->s_login;
>         if (p->p_ucred->cr_ruid == 1001) {
>                 printf("%s %d %s\n", user, p->p_pid, uap->fname);
>         }
>         /* hand off to the real execve() */
>         return (execve(td, uap));
> }
>
> Running 'ls -al' with the above, I get the username, pid, and absolute
> filename printed, such as the line below, but can't find the actual arguments:
> dave 6689 /bin/ls

If I'm not mistaken, pjd@ has written a similar module called lrexec for RELENG_4 and RELENG_5. See his web site. Also, recently rwatson@ enabled audit support in RELENG_6 and CURRENT, though I don't know yet whether it can log arguments.

hth,

Ganbold

> Any help would be appreciated.
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
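The audit subsystem Ganbold mentions is the supported way to get what Dave's hook is after: an exec record per execve(2) that carries the audit user and the full argument vector. The following /etc/security/audit_control fragment is an added example, not from the thread; it assumes a kernel built with "options AUDIT" and auditd_enable="YES" in rc.conf.

```conf
# /etc/security/audit_control -- added example, not part of the thread.
# Assumes a kernel built with "options AUDIT" and auditd_enable="YES".
dir:/var/audit
# Audit the "ex" (exec) class for every attributable user, next to the
# usual login/logout ("lo") events.
flags:lo,ex
minfree:20
# Events with no authenticated audit user (early boot, daemons) keep lo only.
naflags:lo
# "argv" makes each AUE_EXECVE record carry the complete argument vector,
# which is what the printf() hook could not see; "arge" would add the
# environment too. "cnt" keeps the system running if the trail cannot be
# written instead of halting it.
policy:cnt,argv
filesz:2M
```

After restarting auditd, `auditreduce -m AUE_EXECVE -u dave /var/audit/current | praudit` prints that user's exec records, each with an exec arg token holding the full command line.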