full cwd in exec log lines
Posted: Wed Aug 06, 2008 11:52 am
Due to some silly (read: stupid) limitations of the corporate auditing tool we use, I'm being asked to investigate whether it would be possible to include the full current working directory in exec lines, i.e. on line two include that '/bin/ls' was exec'd in '/usr'.
I'm guessing it's a simple change to GR_EXEC_AUDIT_MSG or DEFAULTSECMSG, however my C-fu is weak.
Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100
would become something like
Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) in /usr by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100
Any help you can provide would be greatly appreciated.
-Rocky
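As an added example (not the poster's code and not part of grsecurity), the same "in /usr" annotation can be produced in userspace by correlating the chdir and exec audit lines on their way to the auditing tool: remember the last logged chdir per pid, and when an exec line arrives, take the cwd of the exec'ing pid, or of its parent when the child was just forked and never changed directory itself. This assumes chdir auditing is enabled so the chdir lines exist, that paths contain no spaces, and that pids are not reused within the window being processed.

```python
import re

# Constructed sample: the two log lines quoted in the post.
SAMPLE_LOG = """\
Aug 6 10:37:22 machine1 kernel: grsec: From 10.129.54.70: chdir to /usr by /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100, parent /usr/sbin/sshd[sshd:27402] uid/euid:7772220/7772220 gid/egid:100/100
Aug 6 10:37:23 machine kernel: grsec: From 10.129.54.70: exec of /bin/ls (/bin/ls -N --color=tty -T 0 ) by /bin/bash[bash:11894] uid/euid:7772220/7772220 gid/egid:100/100, parent /bin/bash[bash:23465] uid/euid:7772220/7772220 gid/egid:100/100
"""

# "chdir to <path> by <exe>[<comm>:<pid>]" -- path assumed to contain no spaces.
CHDIR_RE = re.compile(r"grsec: .*?chdir to (?P<path>\S+) by \S+\[[^:\]]+:(?P<pid>\d+)\]")
# "exec of <exe> (<argv> ) by <exe>[<comm>:<pid>] ..., parent <exe>[<comm>:<ppid>]"
EXEC_RE = re.compile(
    r"grsec: .*?exec of (?P<exe>\S+) \((?P<argv>.*?)\) by \S+\[[^:\]]+:(?P<pid>\d+)\]"
    r".*?parent \S+\[[^:\]]+:(?P<ppid>\d+)\]"
)


def annotate(lines):
    """Return the log lines with ' in <cwd>' inserted into every exec line.

    cwd is taken from the last chdir logged for the exec'ing pid; a freshly
    forked child (bash[11894] above) inherits its parent's cwd, so the
    parent's last chdir is used when the child logged none. Unknown cwds are
    marked explicitly so the downstream tool still sees a consistent field.
    """
    cwd_by_pid = {}
    out = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = CHDIR_RE.search(line)
        if m:
            cwd_by_pid[int(m.group("pid"))] = m.group("path")
            out.append(line)
            continue
        m = EXEC_RE.search(line)
        if m:
            pid, ppid = int(m.group("pid")), int(m.group("ppid"))
            cwd = cwd_by_pid.get(pid) or cwd_by_pid.get(ppid) or "<unknown>"
            if cwd != "<unknown>":
                cwd_by_pid.setdefault(pid, cwd)  # child keeps the inherited cwd across exec
            # The argv list always closes with ") by ", so splice the cwd in there.
            line = line.replace(") by ", ") in %s by " % cwd, 1)
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE_LOG.splitlines())))
```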