Peter Moody | 26 Jan 20:16

[tomoyo-users-en 452] logging and execution tracing

I know that MAC isn't really the right place to do this, but I'm
investigating all possibilities.

Is it possible to have tomoyo log more information about binaries that
are exec'd? I know that it tracks the execution chain for all processes
starting with init, but is it possible to attach more information to
the log tomoyo stores about each execve like the time and uid that
executed it? Actually, does tomoyo already log the uid? The other
question is would it be possible/easy to extract this information with
user-land tools?

Cheers,
peter
Tetsuo Handa | 26 Jan 22:53

[tomoyo-users-en 453] Re: logging and execution tracing

Peter Moody wrote:
> Actually, does tomoyo already log the uid? The other
> question is would it be possible/easy to extract this information with
> user-land tools?

Yes. The first line of TOMOYO's audit log includes both timestamp and uid.

#2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) task={ pid=3390
ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler }
path1={ uid=0 gid=0 ino=1545499 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0
ino=1540116 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={
"TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin"
"LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }
<kernel> /usr/sbin/httpd /bin/sh
file execute /usr/bin/id

Also, use of Linux kernel's audit subsystem might be helpful.
http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info
Peter Moody | 26 Jan 23:01

[tomoyo-users-en 455] Re: logging and execution tracing

On Thu, Jan 26, 2012 at 1:53 PM, Tetsuo Handa
<from-tomoyo-users-en@...> wrote:
> Peter Moody wrote:
>> Actually, does tomoyo already log the uid? The other
>> question is would it be possible/easy to extract this information with
>> user-land tools?
>
> Yes. The first line of TOMOYO's audit log includes both timestamp and uid.
>
> #2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) task={ pid=3390
> ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler }
> path1={ uid=0 gid=0 ino=1545499 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0
> ino=1540116 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={
> "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin"
> "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }
> <kernel> /usr/sbin/httpd /bin/sh
> file execute /usr/bin/id

It generates this for everything executed (I think I mean for every
domain transition in tomoyo parlance).

> Also, use of Linux kernel's audit subsystem might be helpful.
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info

I'm familiar with auditd; I'm trying to find a lighter-weight version
of the equivalent of auditctl -a exit,always -S execve -F success=1
Peter Moody | 27 Jan 03:27

[tomoyo-users-en 456] Re: logging and execution tracing

On Thu, Jan 26, 2012 at 2:01 PM, Peter Moody <tomoyo@...> wrote:
> On Thu, Jan 26, 2012 at 1:53 PM, Tetsuo Handa
> <from-tomoyo-users-en@...> wrote:
>> Peter Moody wrote:
>>> Actually, does tomoyo already log the uid? The other
>>> question is would it be possible/easy to extract this information with
>>> user-land tools?
>>
>> Yes. The first line of TOMOYO's audit log includes both timestamp and uid.
>>
>> #2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) task={ pid=3390
>> ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler }
>> path1={ uid=0 gid=0 ino=1545499 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0
>> ino=1540116 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={
>> "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin"
>> "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }
>> <kernel> /usr/sbin/httpd /bin/sh
>> file execute /usr/bin/id

Whoops, this was meant to be a question.

It generates this for everything executed (I think I mean for every
domain transition in tomoyo parlance)?

>> Also, use of Linux kernel's audit subsystem might be helpful.
>> http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info
>
> I'm familiar with auditd; I'm trying to find a lighter-weight version
> of the equivalent of auditctl -a exit,always -S execve -F success=1

Tetsuo Handa | 27 Jan 06:28

[tomoyo-users-en 457] Re: logging and execution tracing

Peter Moody wrote:
> It generates this for everything executed (I think I mean for every
> domain transition in tomoyo parlance)?

TOMOYO's audit log is generated for every do_execve() request that reached
TOMOYO's permission checks for do_execve().

> I'm familiar with auditd, I'm trying to find a lighter-weight version
> of the equivalent of auditctl -a exit,always -S execve -F success=1

But TOMOYO cannot prune audit logs for failed do_execve() requests because
TOMOYO checks permission before do_execve() succeeds (i.e. before
install_exec_creds() in fs/exec.c is called).

Unless the MAC implementation generates audit logs for do_execve() from
security_bprm_committing_creds() in install_exec_creds(), I think it is
impossible for MAC to do the "-F success=1" part.
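As an added example (not from this thread, and not one of the TOMOYO project's own user-land tools), here is a small Python parser that answers Peter's original question about pulling the timestamp and uid of each execve out of the audit log with user-land tools, using the record Tetsuo posted in message 453 as its sample input. The record layout (a "#date time#" header line of key=value fields, a domain line, the access-request line, and a blank line between records) is assumed from that sample; the second record in SAMPLE_LOG is constructed for contrast. The granted field it extracts is TOMOYO's policy decision which, as Tetsuo's last message explains, is taken before do_execve() has succeeded, so the filter it offers is by uid and by TOMOYO's verdict, not an equivalent of auditctl's "-F success=1".

```python
"""Extract who executed what, and when, from TOMOYO audit log records.
Added example; the record layout is assumed from the sample in the thread."""
import re
from datetime import datetime

# Constructed sample: the record posted in the thread with its wrapped lines
# joined back together, followed by a second, made-up record.
SAMPLE_LOG = (
    '#2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) '
    'task={ pid=3390 ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 '
    'fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1545499 '
    'major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=1540116 '
    'perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } '
    'envp[]={ "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" '
    '"PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" '
    '"LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }\n'
    '<kernel> /usr/sbin/httpd /bin/sh\n'
    'file execute /usr/bin/id\n'
    '\n'
    '#2010/12/25 15:47:12# profile=2 mode=enforcing granted=yes (global-pid=3391) '
    'task={ pid=3391 ppid=3386 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 '
    'fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=100 '
    'major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=99 '
    'perm=0755 } exec={ realpath="/bin/ls" argc=2 envc=1 argv[]={ "ls" "-l" } '
    'envp[]={ "PATH=/bin" } }\n'
    '<kernel> /usr/sbin/sshd /bin/bash\n'
    'file execute /bin/ls\n'
)

_HEADER = re.compile(r"^#(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})# (.*)$")
_TOP = re.compile(r"\b(profile|mode|granted)=(\w+)")
_GPID = re.compile(r"\(global-pid=(\d+)\)")
_TASK = re.compile(r"task=\{ (.*?) \}")
_KV = re.compile(r"(\w+)(!?=)(\S+)")      # 'uid=48' and 'type!=execute_handler'
_REALPATH = re.compile(r'realpath="([^"]*)"')
_ARGV = re.compile(r"argv\[\]=\{ (.*?) \}")
_ENVP = re.compile(r"envp\[\]=\{ (.*?) \}")
_QUOTED = re.compile(r'"([^"]*)"')


def _parse_header(line):
    """Turn the '#date time# ...' line into a dict of the fields we care about."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a TOMOYO audit header: %r" % line)
    rest = m.group(2)
    rec = {"timestamp": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")}
    top = dict(_TOP.findall(rest.split("task=", 1)[0]))
    rec["profile"] = int(top.get("profile", -1))
    rec["mode"] = top.get("mode")
    rec["granted"] = top.get("granted") == "yes"  # policy verdict, not execve success
    gp = _GPID.search(rest)
    rec["global_pid"] = int(gp.group(1)) if gp else None
    task = {}
    tm = _TASK.search(rest)
    for key, op, val in (_KV.findall(tm.group(1)) if tm else []):
        if op == "=":
            task[key] = int(val) if val.isdigit() else val
        else:                                     # negated field, e.g. type!=...
            task[key + "_not"] = val
    rec["task"] = task
    rp = _REALPATH.search(rest)
    rec["realpath"] = rp.group(1) if rp else None
    av = _ARGV.search(rest)
    rec["argv"] = _QUOTED.findall(av.group(1)) if av else []
    ev = _ENVP.search(rest)
    rec["envp"] = _QUOTED.findall(ev.group(1)) if ev else []
    return rec


def parse_tomoyo_audit(text):
    """Split the log into blank-line separated records: header, domain, request."""
    records, block = [], []
    for line in text.splitlines() + [""]:
        if line.strip():
            block.append(line)
        elif block:
            rec = _parse_header(block[0])
            rec["domain"] = block[1] if len(block) > 1 else None
            rec["request"] = block[2] if len(block) > 2 else None
            records.append(rec)
            block = []
    return records


def exec_events(records, uid=None):
    """Return (time, uid, realpath, argv, granted) for 'file execute' requests,
    optionally only those made by one uid. 'granted' is TOMOYO's decision taken
    before do_execve() succeeds, so this is not a '-F success=1' filter."""
    out = []
    for r in records:
        if not (r["request"] or "").startswith("file execute "):
            continue
        if uid is not None and r["task"].get("uid") != uid:
            continue
        out.append((r["timestamp"].isoformat(sep=" "), r["task"].get("uid"),
                    r["realpath"], r["argv"], r["granted"]))
    return out


if __name__ == "__main__":
    for ts, who, path, argv, ok in exec_events(parse_tomoyo_audit(SAMPLE_LOG)):
        print("%s uid=%s %s argv=%s granted=%s" % (ts, who, path, argv, ok))
```

On a real system the input would be the audit log file TOMOYO writes (or the output of its log-reading tool) rather than SAMPLE_LOG; records whose header the parser does not recognise raise ValueError rather than being silently skipped, so a format change is noticed rather than producing an empty result.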
