
full cwd in exec log lines

PostPosted: Wed Aug 06, 2008 11:52 am
by rocky
Due to some silly (read: stupid) limitations of the corporate auditing tool we use, I'm being asked to investigate if it would be possible to include the full current working directory in exec lines, i.e., on line two, include that '/bin/ls' was exec'd in '/usr'.

I'm guessing it's a simple change to GR_EXEC_AUDIT_MSG or DEFAULTSECMSG; however, my C-fu is weak.

Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100

would become something like
Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) in /usr by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100

Any help you can provide would be greatly appreciated.

-Rocky

Re: full cwd in exec log lines

PostPosted: Wed Aug 13, 2008 9:29 am
by rocky
Anyone? ={

Re: full cwd in exec log lines

PostPosted: Wed Aug 13, 2008 11:51 am
by cormander
In addition to altering the message string GR_EXEC_AUDIT_MSG in include/linux/grmsg.h (adding another %s reference) you'll also have to edit the line that references it in ./grsecurity/grsec_exec.c to pass it the pointer to the string of the current working directory.

You might also have to edit the gr_log_fs_str definition inside ./include/linux/grinternal.h to fix compile errors.

I'm not at all aware of how to get the current working directory of a userspace process from within the kernel like this, so that much you'll have to figure out on your own.

If you do happen to get this working, post back a patch. Sounds like a useful little addition.

Re: full cwd in exec log lines

PostPosted: Thu Aug 14, 2008 10:48 am
by rocky
Thanks!

Sadly, while I think I understood everything you said, I'm pretty sure the skill level to implement it is above me. Any bored ninjas willing to take a crack?

-Rocky

Re: full cwd in exec log lines

PostPosted: Sat Aug 23, 2008 1:32 pm
by Kp
The cwd link in the proc pseudo-directory for a process is able to return the active directory of the process. Look in fs/proc/base.c for proc_pid_follow_link and proc_cwd_link for how this is done. Take care to rewrite unprintable characters so that users cannot foul your logs by making directories with newlines in the name.

What kernel version do you need patched for your feature?
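The two replies above describe the change in two halves: cormander's, adding an extra %s to GR_EXEC_AUDIT_MSG and passing the cwd string into it, and Kp's caveat that the cwd must have unprintable bytes rewritten first, because a directory name containing a newline would otherwise let an unprivileged user forge a second "grsec:" record inside the audit log. The following is an added example, not grsecurity code and not a kernel patch: it is plain userspace C that builds the proposed "exec of ... in <cwd> by ..." line from a constructed hostile cwd, once raw and once with the octal escaping applied, so the log-forging problem and its fix can be seen side by side. The escaping rule (\ooo for every byte outside 0x20..0x7e, and for backslash itself), the escape_for_log/format_exec_line names and the sample values are all assumptions made for this demo; in a real patch the cwd string would come from the kernel's own path helper (the proc cwd link ends up in d_path()), and the printable-range test would be done with the kernel's own isprint-style macros rather than the literals used here.

```c
/*
 * Added example (not grsecurity code): why a cwd must be escaped before it
 * is spliced into the exec audit line, and what the escaped line looks like.
 * Userspace C only; the names and the escaping format are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define LOG_BUF 1024

/* Rewrite every byte outside printable ASCII, and backslash itself, as a
 * three-digit octal escape (\012 for newline, \033 for ESC, \134 for '\').
 * Returns the output length, or -1 if dst is too small. */
int escape_for_log(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)src; *p; p++) {
        if (*p >= 0x20 && *p <= 0x7e && *p != '\\') {
            if (o + 1 >= dstlen)
                return -1;
            dst[o++] = (char)*p;
        } else {
            if (o + 4 >= dstlen)
                return -1;
            dst[o++] = '\\';
            dst[o++] = (char)('0' + ((*p >> 6) & 7));
            dst[o++] = (char)('0' + ((*p >> 3) & 7));
            dst[o++] = (char)('0' + (*p & 7));
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Convenience wrapper around escape_for_log using a static buffer. */
const char *escape_static(const char *src)
{
    static char buf[LOG_BUF];

    if (escape_for_log(src, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

/* A forged record needs at least one newline; count them. */
int count_newlines(const char *s)
{
    int n = 0;

    for (; *s; s++)
        if (*s == '\n')
            n++;
    return n;
}

/* Proposed message layout from the thread with the extra "in %s" field.
 * Every string argument must already be escaped by the caller. */
int format_exec_line(char *out, size_t outlen, const char *exe,
                     const char *args, const char *cwd, const char *by,
                     unsigned uid, unsigned gid)
{
    return snprintf(out, outlen,
        "grsec: exec of %s (%s ) in %s by %s uid/euid:%u/%u gid/egid:%u/%u",
        exe, args, cwd, by, uid, uid, gid, gid);
}

/* Constructed hostile cwd: a directory an attacker created whose name embeds
 * a newline followed by a fake second audit record. */
static const char hostile_cwd[] =
    "/tmp/x\nAug  6 10:37:24 machine1 kernel: grsec: exec of /bin/sh by /bin/login";

/* Build the audit line for hostile_cwd; escape=0 splices it in raw,
 * escape=1 runs it through escape_for_log first.  Two static buffers so
 * both variants can be held at once. */
const char *build_exec_line(int escape)
{
    static char lines[2][LOG_BUF];
    char *line = lines[escape ? 1 : 0];
    char cwd[LOG_BUF];

    if (escape) {
        if (escape_for_log(hostile_cwd, cwd, sizeof cwd) < 0)
            return NULL;
    } else {
        snprintf(cwd, sizeof cwd, "%s", hostile_cwd);
    }
    format_exec_line(line, LOG_BUF, "/bin/ls", "/bin/ls -N --color=tty -T 0",
                     cwd, "/bin/bash[bash:11894]", 7772220, 100);
    return line;
}

int main(void)
{
    printf("raw (forged second record visible):\n%s\n\n", build_exec_line(0));
    printf("escaped (single record):\n%s\n\n", build_exec_line(1));
    printf("newlines: raw=%d escaped=%d\n",
           count_newlines(build_exec_line(0)), count_newlines(build_exec_line(1)));
    return 0;
}
```

Running it prints the raw line, which any line-oriented log collector would split into two records, the second one looking like a root shell exec that never happened, and the escaped line, where the same bytes appear as \012 and stay inside the one genuine record. The same escaping has to be applied to every other attacker-controlled string in the message (the exec path and argv already are, in the page's example), not just the new cwd field.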

Re: full cwd in exec log lines

PostPosted: Mon Aug 25, 2008 11:05 am
by rocky
2.6.14.6 is what we are running on the machines.