From owner-freebsd-questions@FreeBSD.ORG Mon Oct 30 03:38:24 2006
Message-ID: <4545746F.1040805@endlessdream.org>
Date: Sun, 29 Oct 2006 22:41:35 -0500
From: Dave Clausen
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
To: freebsd-questions@freebsd.org
Subject: Process arguments
List-Id: User questions

Hello list,

I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on the command line from within the kernel for security purposes by loading a kernel module which redefines execve(). I've successfully created the KLD and have it working, but am having problems saving the command's arguments. Could anyone point me to where in the kernel I should be looking for the arguments sent to the process? p->p_args gives me the parent process's cmdname only (sh, in this case), and uap->argv is just the relative pathname of uap->fname. Ideally, I'd like the user, full command line, and cwd logged for each command entered.
Here's an example of what I've been hacking away on:

    #include <sys/param.h>
    #include <sys/systm.h>
    #include <sys/proc.h>
    #include <sys/sysproto.h>

    /* Replacement for the execve syscall: log, then fall through to the real one. */
    int
    new_execve(struct thread *td, struct execve_args *uap)
    {
            char *user;
            struct proc *p = td->td_proc;

            user = p->p_pgrp->pg_session->s_login;  /* login name of the session */
            if (p->p_ucred->cr_ruid == 1001) {      /* only log this real uid */
                    printf("%s %d %s\n", user, p->p_pid, uap->fname);
            }
            return (execve(td, uap));
    }

Running 'ls -al' with the above, I get the username, pid, and absolute filename printed, such as the following, but can't find the actual arguments:

    dave 6689 /bin/ls

Any help would be appreciated.
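The arguments the post is after are not in the kernel at all: uap->argv is a user-space pointer to a NULL-terminated vector of user-space string pointers, so each pointer and each string has to be copied in with bounds checks. The walk below is an added example, not code from the post or from the FreeBSD kernel; in a KLD the two copy helpers would be the real copyin(9)/copyinstr(9), here they are stand-ins that read from a constructed argv so the logic runs in user land, and ARG_CAP/ARG_STRMAX are assumed limits.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARG_CAP    4096   /* assumed cap on the joined command line (kernel uses ARG_MAX) */
#define ARG_STRMAX 1024   /* assumed cap on a single argument string */

/* Stand-ins for copyin(9)/copyinstr(9): the kernel versions fault-check the
 * user address; these just copy from the constructed vector below. */
static int copyin(const void *uaddr, void *kaddr, size_t len) {
    memcpy(kaddr, uaddr, len);
    return 0;
}
static int copyinstr(const void *uaddr, char *kaddr, size_t len, size_t *done) {
    size_t n = strnlen((const char *)uaddr, len);
    if (n == len) return ENAMETOOLONG;          /* no NUL within the cap */
    memcpy(kaddr, uaddr, n + 1);
    if (done) *done = n + 1;                    /* includes the NUL */
    return 0;
}

/* Walk the vector behind uap->argv one element at a time: copy in the
 * pointer, then the string it points at, until the NULL terminator or
 * until the joined line would exceed the buffer or ARG_CAP.
 * Returns 0 with buf holding "arg0 arg1 ...", or an errno value. */
int copy_args(char **uargv, char *buf, size_t buflen) {
    size_t used = 0;
    for (int i = 0;; i++) {
        char *uarg;
        int error = copyin(uargv + i, &uarg, sizeof(uarg));
        if (error) return error;
        if (uarg == NULL) break;                /* end of the vector */
        char arg[ARG_STRMAX];
        size_t n;
        error = copyinstr(uarg, arg, sizeof(arg), &n);
        if (error) return error;
        if (used + n > buflen || used + n > ARG_CAP) return E2BIG;
        if (i > 0) buf[used - 1] = ' ';         /* previous NUL becomes a separator */
        memcpy(buf + used, arg, n);
        used += n;
    }
    if (used == 0) { if (buflen == 0) return E2BIG; buf[0] = '\0'; }
    return 0;
}

/* Constructed sample: what sh hands to execve("/bin/ls", argv, envp) for 'ls -al'. */
static char *sample_argv[] = { "ls", "-al", NULL };

int main(void) {
    char line[ARG_CAP];
    if (copy_args(sample_argv, line, sizeof(line)) == 0)
        printf("%s\n", line);                   /* prints "ls -al" */
    return 0;
}
```

Because this copy happens separately from the copy execve() itself makes, a process that rewrites its argv between the two can make the logged line differ from what actually ran; taking the log line from the kernel's own copy of the arguments avoids that gap.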