Hrvoje Marjanovic | 4 Jan 19:40 2007

logging command arguments

Hello,

I am wondering if it is possible to log complete commands (together with 
arguments) with RSBAC.

When I log EXECUTE events on FILE target, I get the events logged, but 
arguments are not logged, only command path, user, pid etc.

Grsecurity has such a feature, but I don't think it is possible to patch 
kernel with both grsecurity and rsbac.

Hrvoje
Amon Ott | 9 Jan 09:46 2007

Re: logging command arguments

On Thursday 04 January 2007 19:40, Hrvoje Marjanovic wrote:
> I am wondering if it is possible to log complete commands (together with
> arguments) with RSBAC.
>
> When I log EXECUTE events on FILE target, I get the events logged, but
> arguments are not logged, only command path, user, pid etc.
>
> Grsecurity has such a feature, but I don't think it is possible to patch
> kernel with both grsecurity and rsbac.

We discussed this idea some time ago, but decided not to log the 
arguments. They blow up the logs significantly, produce extra 
overhead and are seldom needed. If you convince us that it is a 
necessary feature, we can add it as an option.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
kang | 16 Jan 11:41 2007

Re: logging command arguments

Hrvoje Marjanovic wrote:
> Hello,
>
> I am wondering if it is possible to log complete commands (together with 
> arguments) with RSBAC.
>
> When I log EXECUTE events on FILE target, I get the events logged, but 
> arguments are not logged, only command path, user, pid etc.
>
> Grsecurity has such a feature, but I don't think it is possible to patch 
> kernel with both grsecurity and rsbac.
>
> Hrvoje
>   

It requires some hand patching but several people have successfully
patched kernels with both RSBAC and GrSecurity (1).
Note that a lot of functionality from GrSec's RBAC will overlap however.
Additionally, I am not aware of any of the patches being available online.

kang

1) http://www.rsbac.org/pipermail/rsbac/2005-August/001615.html
