logging the process commandline when grsec denies action?

Posted: Fri Aug 26, 2011 6:55 pm
by mnalis
Hi,

Would it be possible (perhaps only when the "extra logging" flag is added) to make grsec also log the command line of the offending process (probably limited to the first 512 chars or something)?

It would be very useful in some situations; for example I get lots of RBAC denies that log something along the lines of:

Code:
    (users:G:/usr/bin/php5-cgi) denied create of /fmb4cf0a.txt for writing by /usr/bin/php5-cgi[php-cgi:xxxx] uid/euid: yyyy/zzzz


If the command line were logged, it would be possible to actually see which .php script was broken into (or whether it was just a stupid bug).

Also, for example:

Code:
    denied connect() to a.b.c.d port 80 sock type stream protocol tcp by /usr/bin/wget[wget:xxxx]


It would help to see the options and URL passed on the wget(1) command line, as it might indicate whether that request was legitimate or whether wget was forked by the cracked process in order to retrieve a rootkit, etc.

Thanks for your consideration,
Matija

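A defender-side illustration of what the request above is after, as an added example that is neither code from the post nor grsecurity's own: it parses the two denial-line shapes quoted in the post (optional "(role:type:subject)" prefix, "denied ... by exe[comm:pid]", optional trailing "uid/euid") and then tries to attach argv from /proc/<pid>/cmdline, capped at the 512 characters the post proposes. The pids, uids and the php script path in the sample data are constructed, and the /proc stand-in is a dictionary so the block runs offline.

```python
"""Parse grsecurity RBAC denial log lines and enrich them with the offending
process's command line. Added example; not grsecurity code."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Field layout taken from the two log lines quoted in the post: an optional
# "(role:roletype:subject)" prefix, "denied <what> by <exe>[<comm>:<pid>]",
# and an optional trailing "uid/euid: N/N".
DENY_RE = re.compile(
    r"^(?:\((?P<role>[^:()]+):(?P<roletype>[^:()]+):(?P<subject>[^()]+)\) )?"
    r"denied (?P<action>.+?) by (?P<exe>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r"(?: uid/euid: (?P<uid>\d+)/(?P<euid>\d+))?$"
)

CMDLINE_LIMIT = 512  # cap proposed in the post


@dataclass
class Denial:
    action: str
    exe: str
    comm: str
    pid: int
    subject: Optional[str] = None
    uid: Optional[int] = None
    euid: Optional[int] = None
    cmdline: Optional[str] = None


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for a grsec RBAC denial line, or None for other lines."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Denial(
        action=g["action"], exe=g["exe"], comm=g["comm"], pid=int(g["pid"]),
        subject=g["subject"],
        uid=int(g["uid"]) if g["uid"] else None,
        euid=int(g["euid"]) if g["euid"] else None,
    )


def join_cmdline(raw: bytes, limit: int = CMDLINE_LIMIT) -> str:
    """/proc/<pid>/cmdline is NUL-separated argv; join it and truncate."""
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return " ".join(argv)[:limit]


def read_proc_cmdline(pid: int, proc_root: str = "/proc") -> Optional[str]:
    """Read argv from /proc after the fact. Returns None when the process is
    already gone, the usual outcome for short-lived helpers like wget and the
    reason the post asks the kernel to log argv at denial time instead."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            return join_cmdline(f.read())
    except OSError:
        return None


def enrich(line: str,
           reader: Callable[[int], Optional[str]] = read_proc_cmdline) -> Optional[Denial]:
    """Parse one line and attach the command line if it can still be read."""
    d = parse_denial(line)
    if d is not None:
        d.cmdline = reader(d.pid)
    return d


# Constructed sample lines: pids and uids are made up, shapes follow the post.
SAMPLE_LINES = [
    "(users:G:/usr/bin/php5-cgi) denied create of /fmb4cf0a.txt for writing "
    "by /usr/bin/php5-cgi[php-cgi:4242] uid/euid: 1001/1001",
    "denied connect() to a.b.c.d port 80 sock type stream protocol tcp "
    "by /usr/bin/wget[wget:4243]",
]

# Constructed stand-in for /proc: only the php-cgi process is still alive,
# the wget that triggered the second denial has already exited.
FAKE_CMDLINES = {4242: "/usr/bin/php5-cgi /var/www/example/upload.php"}


def fake_reader(pid: int) -> Optional[str]:
    return FAKE_CMDLINES.get(pid)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = enrich(line, fake_reader)
        print(f"{d.comm}[{d.pid}] {d.action}: cmdline={d.cmdline!r}")
```

Run against a real box, `enrich(line)` uses the default reader and reads /proc; the wget case shows the limitation the post is getting at, since by the time the log line is read the process is usually gone and the lookup returns None.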
Re: logging the process commandline when grsec denies action

Posted: Sun Aug 28, 2011 4:25 pm
by spender
Hi Matija,

I think this is a good idea for the reason you demonstrated and have added this to my TODO list.

Thanks,
-Brad