From: Steve Grubb <sgrubb@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Richard Guy Briggs <rgb@redhat.com>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
akpm@linux-foundation.org, Stephen Smalley <sds@tycho.nsa.gov>,
William Roberts <wroberts@tresys.com>
Subject: Re: [PATCH v3 3/3] audit: Audit proc cmdline value
Date: Thu, 16 Jan 2014 06:02:02 -0500 [thread overview]
Message-ID: <2002335.9x4iUKkcnh@x2> (raw)
In-Reply-To: <CAFftDdoi-9KZvuWz4czNMSWE=Y1tPQEhZVAeQb=S+jKQ=m8rZQ@mail.gmail.com>
On Wednesday, January 15, 2014 09:08:39 PM William Roberts wrote:
> >> > Try this,
> >> >
> >> > cp /bin/ls 'test test test'
> >> > auditctl -a always,exit -F arch=b64 -S stat -k test
> >> > ./test\ test\ test './test\ test\ test'
> >> > auditctl -D
> >> > ausearch --start recent --key test
> >> >
> >> >> On the event of weird chars, it gets hex escaped.
> >> >
> >> > and it's all in 1 lump with no escaping to figure out what is what.
> >>
> >> Un-escape it. ausearch does this with paths. Then if you need to parse
> >> it, do it.
> >
> > How can you? When you unescape cmdline for the example I gave, you will
> > have "./test test test ./test test test". Which program ran and how many
> > arguments were passed? If we are trying to improve on what comm= provides
> > by having the full information, I have to be able to find out exactly
> > what the program name was so it can be used for searching. If that can't
> > be done, then we don't need this addition in its current form.
>
> In your example, you will have an execve record, with it parsed, will you
> not?
Only if you change your patch.
> cmdline does not necessarily represent the arguments or process name.
> Sometimes it does, sometimes it doesn't. Just treat the thing as one
> string, perhaps do some form of substring matching in a tool.
You are missing the point. The point is that you are trying to place trust in
something that can be gamed. The audit system is designed such that it cannot
be fooled very easily. Each piece of the subject and object are separated so
that programs can be written to analyze events. What I am trying to say is now
you are making something that concatenates fields with no way to regroup them
later to reconstruct what really happened.
> To make this clear, I am not trying to improve on what comm provides.
> comm provides 16 chars for a per-thread name. The key is, it's per thread,
> and can be anything. The "cmdline" value is an arbitrary spot that is a
> global entity for the process. So in my change, all things coming into
> these events will have a similar cmdline audit, which may help in
> narrowing down on what's going on in the system.
It needs to be more trustworthy than this.
-Steve
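The ambiguity Steve describes can be shown concretely. The following is an added illustration, not code from this thread or from the kernel audit subsystem: it models two ways of recording a process's arguments, one field per argument (the shape of an EXECVE record's a0=, a1=, ... fields) versus one flattened cmdline string, using a simplified approximation of the audit convention that a value is double-quoted when it is plain printable ASCII and hex-encoded otherwise. The encoding rule, the field names and the sample argv vectors are assumptions made for the example; it shows that two different argv vectors collapse to the same cmdline string, so no amount of un-escaping recovers which program ran or how many arguments it had, while the per-argument form round-trips exactly.

```python
# Added example (not from this thread or the audit project): why a
# space-joined cmdline cannot be split back into argv, while one encoded
# field per argument can.


def audit_encode_field(value: str) -> str:
    """Encode one value roughly the way audit encodes untrusted strings:
    double-quoted when every byte is printable ASCII other than '"',
    otherwise upper-case hex. Simplified approximation, not the kernel's
    exact routine (assumption for this example)."""
    raw = value.encode()
    if raw and all(0x21 <= b <= 0x7E and b != 0x22 for b in raw):
        return '"' + value + '"'
    return raw.hex().upper()


def audit_decode_field(field: str) -> str:
    """Inverse of audit_encode_field (what ausearch -i does for a field)."""
    if field.startswith('"') and field.endswith('"') and len(field) >= 2:
        return field[1:-1]
    return bytes.fromhex(field).decode()


def encode_execve(argv):
    """One field per argument, in the style of an EXECVE record."""
    return " ".join(f"a{i}={audit_encode_field(a)}" for i, a in enumerate(argv))


def decode_execve(record):
    """Split an EXECVE-style record back into argv. Safe to split on
    spaces: a quoted field never contains one (space forces hex)."""
    if not record:
        return []
    return [audit_decode_field(tok.partition("=")[2]) for tok in record.split(" ")]


def flatten_cmdline(argv):
    """Join argv with spaces and encode the result as one field: the
    shape objected to in the thread."""
    return "cmdline=" + audit_encode_field(" ".join(argv))


def decode_cmdline(field):
    """Un-escape a flattened cmdline field; argv boundaries are gone."""
    return audit_decode_field(field.partition("=")[2])


# Constructed sample vectors. ARGV_A is the thread's example: a binary
# named "test test test" run with one argument. ARGV_B is a plain
# "./test" run with five arguments.
ARGV_A = ["./test test test", "./test test test"]
ARGV_B = ["./test", "test", "test", "./test", "test", "test"]


def cmdline_is_ambiguous():
    """True when the two different argv vectors produce the same
    flattened cmdline field but distinct per-argument records."""
    same_cmdline = flatten_cmdline(ARGV_A) == flatten_cmdline(ARGV_B)
    distinct_execve = encode_execve(ARGV_A) != encode_execve(ARGV_B)
    return same_cmdline and distinct_execve


if __name__ == "__main__":
    print(flatten_cmdline(ARGV_A))
    print(flatten_cmdline(ARGV_B))
    print(encode_execve(ARGV_A))
    print(encode_execve(ARGV_B))
    print("ambiguous:", cmdline_is_ambiguous())
```

Running the block prints an identical cmdline field for both vectors and two different EXECVE-style records; decode_execve recovers each original argv, whereas decode_cmdline yields "./test test test ./test test test" for both, which is exactly the string Steve says cannot be searched on reliably.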
Thread overview:
2014-01-15 18:02 [PATCH v3 1/3] mm: Create utility function for accessing a tasks commandline value William Roberts
2014-01-15 18:02 ` [PATCH v3 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers William Roberts
2014-01-15 18:02 ` [PATCH v3 3/3] audit: Audit proc cmdline value William Roberts
2014-01-15 21:54 ` Steve Grubb
2014-01-15 22:08 ` William Roberts
2014-01-15 22:33 ` Steve Grubb
2014-01-15 22:44 ` William Roberts
2014-01-16 1:51 ` Steve Grubb
2014-01-16 2:08 ` William Roberts
2014-01-16 11:02 ` Steve Grubb [this message]
2014-01-16 12:03 ` William Roberts
2014-01-16 12:11 ` Steve Grubb
[not found] ` <CAFftDdpyXdgk7hUt4geKLER7s44bOieZ4ugpQXUKj5m0mVkdyg@mail.gmail.com>
2014-01-16 13:42 ` William Roberts