Dave Clausen wrote:
Hello list,
I'm a n00b to the FreeBSD kernel and I'm trying to log all commands
run on the command line from within the kernel for security purposes
by loading a kernel module which redefines execve(). I've
successfully created the KLD and have it working, but am having
problems saving the command's arguments.
Could anyone point me to where in the kernel I should be looking for
the arguments sent to the process? p->p_args gives me the parent
process's cmdname only (sh, in this case), and uap->argv is just the
relative pathname of uap->fname. Ideally, I'd like the user, full
command line, and cwd logged for each command entered.
Here's an example of what I've been working away on:
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc.h>
#include <sys/sysproto.h>

/* Replacement execve(): log who is executing what, then call the real one. */
int
new_execve(struct thread *td, struct execve_args *uap)
{
	struct proc *p = td->td_proc;
	char *user = p->p_pgrp->pg_session->s_login;
	char fname[MAXPATHLEN];

	/* uap->fname points into user space: copy it in instead of dereferencing it. */
	if (p->p_ucred->cr_ruid == 1001 &&
	    copyinstr(uap->fname, fname, sizeof(fname), NULL) == 0)
		printf("%s %d %s\n", user, p->p_pid, fname);
	return (execve(td, uap));
}
Running 'ls -al' with the above, I get the username, pid, and absolute
filename printed (such as the line below), but can't find the actual arguments:
dave 6689 /bin/ls
Any help would be appreciated.

If I'm not mistaken pjd@ has written a similar module, called
lrexec, for RELENG_4 and RELENG_5. See his web site.
Also recently rwatson@ enabled audit support in RELENG_6 and CURRENT,
though I don't know yet whether it can log arguments.
hth,
Ganbold
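The part the question is really after is walking uap->argv. That is a user-space array of user-space pointers, so in a KLD neither the array nor the strings may be dereferenced directly; each pointer is fetched with copyin() and each string with copyinstr(), and the result is joined into one line. The following is an added example, not code from the thread or from lrexec or the audit framework, written in C so it compiles and runs in userland: fetch_ptr() and fetch_str() are stand-ins with the same contracts as copyin()/copyinstr() (an assumption, so the walker can be tested outside the kernel), and flatten_pargs() assumes the struct pargs layout (ar_args as NUL-separated strings, ar_length bytes long) as found in <sys/proc.h>; verify that against your tree.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for copyin(uaddr, out, sizeof(*out)) (assumption: same contract). */
static int
fetch_ptr(char *const *uaddr, char **out)
{
	*out = *uaddr;
	return (0);
}

/* Stand-in for copyinstr(uaddr, buf, buflen, done) (assumption: same contract). */
static int
fetch_str(const char *uaddr, char *buf, size_t buflen, size_t *done)
{
	size_t n;

	for (n = 0; n < buflen && uaddr[n] != '\0'; n++)
		buf[n] = uaddr[n];
	if (n == buflen)
		return (ENAMETOOLONG);	/* the errno copyinstr() reports */
	buf[n] = '\0';
	if (done != NULL)
		*done = n + 1;		/* copyinstr() counts the NUL */
	return (0);
}

#define	MAX_ARGS	256		/* refuse to walk an unbounded argv[] */

/*
 * Join a NULL-terminated argv[] (user pointers) into line[], space separated.
 * Returns the number of arguments joined, or -errno on failure.
 */
int
flatten_argv(char *const *argv, char *line, size_t linelen)
{
	size_t used = 0, n;
	char *argp;
	int error, i;

	if (linelen == 0)
		return (-EINVAL);
	for (i = 0; i < MAX_ARGS; i++) {
		if ((error = fetch_ptr(argv + i, &argp)) != 0)
			return (-error);
		if (argp == NULL)	/* end of argv[] */
			break;
		if (i > 0) {
			if (used + 1 >= linelen)
				return (-E2BIG);
			line[used++] = ' ';
		}
		if ((error = fetch_str(argp, line + used, linelen - used, &n)) != 0)
			return (-error);
		used += n - 1;		/* drop the NUL, keep appending */
	}
	line[used] = '\0';
	return (i);
}

/*
 * Same line, built from the kernel's own copy: after the real execve() has
 * returned 0, p->p_args->ar_args holds the arguments actually used, as
 * NUL-separated strings of total length p->p_args->ar_length (assumption:
 * struct pargs layout). Rewriting the separators gives one line.
 * Returns the number of arguments, or -errno on failure.
 */
int
flatten_pargs(const char *args, size_t length, char *line, size_t linelen)
{
	int argc = 0;
	size_t i;

	if (length >= linelen)
		return (-E2BIG);
	for (i = 0; i < length; i++) {
		if (args[i] == '\0') {
			argc++;
			line[i] = (i + 1 < length) ? ' ' : '\0';
		} else
			line[i] = args[i];
	}
	line[length] = '\0';
	return (argc);
}
```

In the module, fetch_ptr() becomes copyin(argv + i, &argp, sizeof(argp)) and fetch_str() becomes copyinstr(). Two caveats for a logger that is meant to be trusted: argv lives in user memory, so another thread of the same process can rewrite it between the hook's read and the real execve()'s read, which is why flatten_pargs() over p->p_args after execve() returns 0 is the more honest record; and p_args is only populated when the argument block fits within kern.ps_arg_cache_limit, so longer command lines come back as a NULL p_args and must be handled.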
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"