Would it be possible (perhaps only when an "extra logging" flag is added) to make grsec also log the command line of the offending process (probably limited to the first 512 chars or something)?
It would be very useful in some situations; for example I get lots of RBAC denies that log something along the lines of:
(users:G:/usr/bin/php5-cgi) denied create of /fmb4cf0a.txt for writing by /usr/bin/php5-cgi[php-cgi:xxxx] uid/euid: yyyy/zzzz
If the command line were logged, it would be possible to actually see which .php script was broken into (or if it was just a stupid bug).
Also, for example:
denied connect() to a.b.c.d port 80 sock type stream protocol tcp by /usr/bin/wget[wget:xxxx]
It would help to see the options and URL passed to the wget(1) command line, as it might indicate whether that request was legitimate or whether wget was forked by the cracked process in order to retrieve the rootkit, etc.
Thanks for your consideration,
Matija
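As an added example (not from the poster or from grsecurity), the following parses the two RBAC denial message forms quoted above into structured records and does the best-effort command-line lookup the post asks for, reading /proc/<pid>/cmdline while the offending process is still alive. The sample log lines, pids and uids are constructed placeholders.

```python
import re

# Constructed sample lines in the shape quoted in the post; pids/uids are placeholders.
SAMPLE_LOG = """\
(users:G:/usr/bin/php5-cgi) denied create of /fmb4cf0a.txt for writing by /usr/bin/php5-cgi[php-cgi:1234] uid/euid: 1001/1001
denied connect() to 203.0.113.5 port 80 sock type stream protocol tcp by /usr/bin/wget[wget:5678]
"""

# "by <exe>[<comm>:<pid>]" suffix shared by both forms, with an optional uid/euid tail.
PROC_RE = re.compile(r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
                     r"(?: uid/euid: (?P<uid>\d+)/(?P<euid>\d+))?")
FILE_RE = re.compile(r"denied (?P<op>\w+) of (?P<path>\S+) for (?P<mode>\w+) ")
CONN_RE = re.compile(r"denied connect\(\) to (?P<addr>\S+) port (?P<port>\d+) "
                     r"sock type (?P<socktype>\w+) protocol (?P<proto>\w+) ")


def parse_denial(line):
    """Return a dict describing one denial line, or None if it is not one."""
    m = PROC_RE.search(line)
    if not m:
        return None
    rec = {"exe": m["exe"], "comm": m["comm"], "pid": int(m["pid"])}
    if m["uid"] is not None:
        rec["uid"], rec["euid"] = int(m["uid"]), int(m["euid"])
    f = FILE_RE.search(line)
    if f:
        rec.update(kind="file", op=f["op"], path=f["path"], mode=f["mode"])
        return rec
    c = CONN_RE.search(line)
    if c:
        rec.update(kind="connect", addr=c["addr"], port=int(c["port"]), proto=c["proto"])
        return rec
    rec["kind"] = "other"
    return rec


def cmdline_of(pid, limit=512):
    """Best-effort read of /proc/<pid>/cmdline, truncated to `limit` bytes.

    Only works while the process still exists; returns None otherwise."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            raw = fh.read(limit)
    except OSError:
        return None
    return raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()


def parse_log(text):
    """Parse every denial line in a log excerpt, skipping lines that do not match."""
    return [r for r in (parse_denial(ln) for ln in text.splitlines()) if r]
```

Because the kernel does not log the command line, the lookup is only useful when run promptly (for example from a log watcher); a process that has already exited yields None.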