From: Robert Watson <rwatson@FreeBSD.org>
Date: Mon, 30 Oct 2006 14:33:06 +0000 (GMT)
To: Dave Clausen
Cc: freebsd-hackers@freebsd.org
Subject: Re: Process arguments
Message-ID: <20061030142920.X76777@fledge.watson.org>
In-Reply-To: <45458BBE.6030103@endlessdream.org>

On Mon, 30 Oct 2006, Dave Clausen wrote:

> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on
> the command line from within the kernel for security purposes by loading a
> kernel module which redefines execve(). I've successfully created the KLD
> and have it working, but am having problems saving the command's arguments.
> Could anyone point me to where in the kernel I should be looking for the
> arguments sent to the process? p->p_args gives me the parent process's
> cmdname only (sh, in this case), and uap->argv is just the relative pathname
> of uap->fname.
>
> Ideally, I'd like the user, full command line, and cwd
> logged for each command entered.

As of FreeBSD 6.2, you can use our security audit subsystem to do this. There's a FreeBSD handbook chapter with the details, but the short version is:

- Enable options AUDIT in your kernel. This enables kernel audit support.

- Add auditd_enable="YES" to /etc/rc.conf. This turns on the audit daemon.

- Modify the flags and naflags entries in /etc/security/audit_control to be lo,+ex -- the +ex means "log successful executions".

- Add ,argv to the policy line in /etc/security/audit_control. This causes auditing of the full command line, not just the program run.

- Reboot.

You can then extract complete command lines (among other things) from trails in /var/audit, or watch them live by running praudit on /dev/auditpipe.

FYI: Audit support is considered experimental in 6.2, as there are some areas that need testing and/or are not complete. However, it works quite well in practice, and any feedback would be most welcome.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Here's an example of what I've been working away on:
>
> int
> new_execve (struct thread *td, struct execve_args *uap)
> {
>     char *user;
>     struct proc *p = td->td_proc;
>
>     user = p->p_pgrp->pg_session->s_login;
>     if (p->p_ucred->cr_ruid == 1001) {
>         printf("%s %d %s\n", user, p->p_pid, uap->fname);
>     }
>     return (execve(td,uap));
> }
>
> Running 'ls -al' with the above, I get the username, pid, and absolute
> filename printed such as, but can't find the actual arguments:
> dave 6689 /bin/ls
>
> Any help would be appreciated.
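An added check (my own code, not from Robert's reply or the FreeBSD tree) that parses an audit_control(5) file and reports whether the flags, naflags and policy lines would record full command lines of successful execs, which is what the steps above configure. The two sample files are constructed; the `+`/`-`/`^` prefix handling follows the class-prefix rules of audit_control(5).

```python
DEFAULT_CONF = """\
# constructed: FreeBSD 6.x style default, no exec auditing
dir:/var/audit
flags:lo
naflags:lo
policy:cnt
"""

HARDENED_CONF = """\
# constructed: the settings the reply asks for
dir:/var/audit
flags:lo,+ex
naflags:lo,+ex
policy:cnt,argv
"""

def parse_audit_control(text):
    """Return {key: value} for 'key:value' lines, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def success_audited(flags, cls):
    """True if class `cls` is audited on success by an audit flag list.
    Prefixes: '+' success only, '-' failure only, '^' remove; later tokens win."""
    audited = False
    for tok in (t.strip() for t in flags.split(",")):
        if not tok:
            continue
        remove = tok.startswith("^")
        tok = tok.lstrip("^")
        if tok.startswith("-"):   # failure-only entries never affect success auditing
            continue
        if tok.lstrip("+") in (cls, "all"):
            audited = not remove
    return audited

def check_exec_logging(text):
    """Report whether full command lines of successful execs would be recorded."""
    conf = parse_audit_control(text)
    policy = [p.strip() for p in conf.get("policy", "").split(",")]
    return {
        "flags_ex": success_audited(conf.get("flags", ""), "ex"),
        "naflags_ex": success_audited(conf.get("naflags", ""), "ex"),
        "argv": "argv" in policy,
    }
```

Run it against your real /etc/security/audit_control to confirm all three results are True before trusting the trail to contain arguments; `argv` alone without `+ex` records nothing for execs.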