logging the process commandline when grsec denies action?

Discuss and suggest new grsecurity features

logging the process commandline when grsec denies action?

Postby mnalis » Fri Aug 26, 2011 6:55 pm

Hi,

would it be possible (perhaps only when "extra logging" flag is added) to make grsec log also command line of the offending process (probably limited to first 512 chars or something) ?

It would be very useful in some situations; for example I get lots of RBAC denies that log something along the lines of:

Code: Select all
(users:G:/usr/bin/php5-cgi) denied create of /fmb4cf0a.txt for writing by /usr/bin/php5-cgi[php-cgi:xxxx] uid/euid: yyyy/zzzz


If command line was logged, it would be possible to actually see which .php script was broken into (or if it was just a stupid bug)

also, for example:

Code: Select all
denied connect() to a.b.c.d port 80 sock type stream protocol tcp by /usr/bin/wget[wget:xxxx]


it would help to see the options and URL passwd to wget(1) command line, as it might indicate if that request was legitimate or if wget was forked by the cracked process in order to retrieve the rootkit, etc.

Thanks for your consideration,
Matija
mnalis
 
Posts: 57
Joined: Fri Sep 29, 2006 11:23 am

Re: logging the process commandline when grsec denies action

Postby spender » Sun Aug 28, 2011 4:25 pm

Hi Matija,

I think this is a good idea for the reason you demonstrated and have added this to my TODO list.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity development

cron