Date:      Mon, 30 Oct 2006 14:33:06 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Dave Clausen <dave@endlessdream.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Process arguments
Message-ID:  <20061030142920.X76777@fledge.watson.org>
In-Reply-To: <45458BBE.6030103@endlessdream.org>
References:  <45458BBE.6030103@endlessdream.org>


On Mon, 30 Oct 2006, Dave Clausen wrote:

> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on 
> the command line from within the kernel for security purposes by loading a 
> kernel module which redefines execve().  I've successfully created the KLD 
> and have it working, but am having problems saving the command's arguments. 
> Could anyone point me to where in the kernel I should be looking for the 
> arguments sent to the process?  p->p_args gives me the parent process's 
> cmdname only (sh, in this case), and uap->argv is just the relative pathname 
> of uap->fname.  Ideally, I'd like the user, full command line, and cwd 
> logged for each command entered.

As of FreeBSD 6.2, you can use our security audit subsystem to do this. 
There's a FreeBSD handbook chapter with the details, but the short version is:

- Enable options AUDIT in your kernel.  This enables kernel audit support.

- Add auditd_enable="YES" to /etc/rc.conf.  This turns on the audit daemon.

- Modify the flags and naflags entries in /etc/security/audit_control to be
   lo,+ex -- the +ex means "log successful executions".

- Add ,argv to the policy line in /etc/security/audit_control.  This causes
   auditing of the full command line, not just the program run.

- Reboot.

You can then extract complete command lines (among other things) from trails 
in /var/audit, or watch them live by running praudit on /dev/auditpipe.

FYI: Audit support is considered experimental in 6.2, as there are some areas 
that need testing and/or are not complete.  However, it works quite well in 
practice, and any feedback would be most welcome.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Here's an example of what I've been working away on:
>
> #include <sys/param.h>
> #include <sys/systm.h>
> #include <sys/proc.h>
> #include <sys/sysproto.h>
>
> int
> new_execve(struct thread *td, struct execve_args *uap)
> {
>      char fname[MAXPATHLEN];
>      char *user;
>      struct proc *p = td->td_proc;
>
>      /* Login name recorded for the session by setlogin(2), if any. */
>      user = p->p_pgrp->pg_session->s_login;
>      if (p->p_ucred->cr_ruid == 1001) {
>              /* uap->fname is a user pointer: copy it in instead of dereferencing it. */
>              if (copyinstr(uap->fname, fname, sizeof(fname), NULL) == 0)
>                      printf("%s %d %s\n", user, p->p_pid, fname);
>      }
>      /* Chain to the real execve() system call. */
>      return (execve(td, uap));
> }
>
> Running 'ls -al' with the above, I get the username, pid, and absolute 
> filename printed (such as below), but can't find the actual arguments:
> dave 6689 /bin/ls
>
> Any help would be appreciated.
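The audit_control changes from Robert Watson's reply above (flags and naflags set to lo,+ex, and ,argv added to the policy line), as an added example that is not part of the original thread: a POSIX shell script that checks whether an audit_control file already audits successful executions together with their full argv, and rewrites one that does not. The stock-file contents and the function names are this example's own assumptions; it covers only the audit_control step (not the AUDIT kernel option or auditd_enable), and it writes to a separate output file so the result can be reviewed before it replaces /etc/security/audit_control.

```shell
#!/bin/sh
# Added example (not from the original thread): check and, if needed, rewrite
# an audit_control file so that successful executions and their full argv are
# audited, as the reply describes. The sample file below is a constructed
# stand-in for FreeBSD's stock audit_control; function names are this
# example's own.

# Stock-looking audit_control: only login/logout ("lo") events, no argv policy.
make_default_audit_control() {
    cat > "$1" <<'EOF'
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
EOF
}

# Print the value of a "key:value" line, or nothing if the key is absent.
audit_control_get() {
    sed -n "s/^$2:\(.*\)$/\1/p" "$1"
}

# Exit 0 if the file audits successful execs (flags and naflags contain
# "+ex" or "ex") and the policy includes "argv"; exit 1 otherwise.
exec_logging_enabled() {
    file=$1
    for key in flags naflags; do
        case ",$(audit_control_get "$file" "$key")," in
            *,+ex,*|*,ex,*) ;;
            *) return 1 ;;
        esac
    done
    case ",$(audit_control_get "$file" policy)," in
        *,argv,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite $1 into $2 with "+ex" appended to flags/naflags and "argv" appended
# to policy, leaving every other line untouched. Idempotent: a file that
# already has both settings comes out unchanged.
enable_exec_logging() {
    src=$1; dst=$2
    : > "$dst"
    while IFS= read -r line; do
        case $line in
            *:*) key=${line%%:*}; val=${line#*:} ;;
            *)   printf '%s\n' "$line" >> "$dst"; continue ;;
        esac
        case $key in
            flags|naflags)
                # ${val:+$val,} yields "value," only when the value is non-empty.
                case ",$val," in *,+ex,*|*,ex,*) ;; *) val="${val:+$val,}+ex" ;; esac ;;
            policy)
                case ",$val," in *,argv,*) ;; *) val="${val:+$val,}argv" ;; esac ;;
        esac
        printf '%s:%s\n' "$key" "$val" >> "$dst"
    done < "$src"
}

# Demonstration: write the stock file, check it, fix it, and show the result.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_default_audit_control "$d/audit_control"
    exec_logging_enabled "$d/audit_control" || echo "exec logging not enabled in stock file"
    enable_exec_logging "$d/audit_control" "$d/audit_control.new"
    cat "$d/audit_control.new"
    rm -rf "$d"
fi
```

Run with `sh script.sh demo` to see the stock file turned into the corrected one; exec_logging_enabled on its own is a quick check of an existing audit_control before the reboot the reply calls for. The rewrite is line-oriented on purpose, so comments and keys it does not know about pass through untouched.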