On Mon, 30 Oct 2006, Dave Clausen wrote:
I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on
the command line from within the kernel for security purposes by loading a
kernel module which redefines execve(). I've successfully created the KLD
and have it working, but am having problems saving the command's arguments.
Could anyone point me to where in the kernel I should be looking for the
arguments sent to the process? p->p_args gives me the parent process's
cmdname only (sh, in this case), and uap->argv is just the relative pathname
of uap->fname. Ideally, I'd like the user, full command line, and cwd
logged for each command entered.
As of FreeBSD 6.2, you can use our security audit subsystem to do this.
There's a FreeBSD handbook chapter with the details, but the short version is:
- Enable options AUDIT in your kernel. This enables kernel audit support.
- Add auditd_enable="YES" to /etc/rc.conf. This turns on the audit daemon.
- Modify the flags and naflags entries in /etc/security/audit_control to be
lo,+ex -- the +ex means "log successful executions".
- Add ,argv to the policy line in /etc/security/audit_control. This causes
auditing of the full command line, not just the program run.
- Reboot.
You can then extract complete command lines (among other things) from trails
in /var/audit, or watch them live by running praudit on /dev/auditpipe.
FYI: Audit support is considered experimental in 6.2, as there are some areas
that need testing and/or are not complete. However, it works quite well in
practice, and any feedback would be most welcome.
Robert N M Watson
Computer Laboratory
University of Cambridge
Here's an example of what I've been working away on:
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/sysproto.h>

int
new_execve(struct thread *td, struct execve_args *uap)
{
	char fname[MAXPATHLEN];
	char *user;
	struct proc *p = td->td_proc;

	/* Login name recorded for the session by setlogin(2). */
	user = p->p_pgrp->pg_session->s_login;
	/* Hard-coded real uid for testing; uap->fname (like uap->argv) is a
	 * user-space pointer, so copy it into a kernel buffer first. */
	if (p->p_ucred->cr_ruid == 1001 &&
	    copyinstr(uap->fname, fname, sizeof(fname), NULL) == 0)
		printf("%s %d %s\n", user, p->p_pid, fname);
	return (execve(td, uap));
}
Running 'ls -al' with the above, I get the username, pid, and absolute
filename printed such as, but can't find the actual arguments:
dave 6689 /bin/ls
Any help would be appreciated.
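The audit route Robert describes produces text from praudit(1) rather than printf output. As an added example (not code from either poster or from FreeBSD itself), the Python below parses constructed records written in the shape of praudit's default one-token-per-line output and produces the user, pid and full command line Dave was after, and additionally flags exec events where the effective and real uid differ. The sample lines and the token field positions are assumptions about that format.

```python
"""Parse praudit(1)-style text and report who executed what.

SAMPLE is constructed in the shape of praudit's default output
(one token per line, comma-separated fields); it is not real trail data.
"""
from dataclasses import dataclass, field

SAMPLE = """\
header,128,10,execve(2),0,Mon Oct 30 14:02:11 2006, + 512 msec
exec arg,ls,-al
path,/bin/ls
attribute,100555,root,wheel,90,22,123456
subject,dave,dave,dave,dave,dave,6689,100,0,0.0.0.0
return,success,0
trailer,128
header,96,10,execve(2),0,Mon Oct 30 14:02:15 2006, + 2 msec
exec arg,cat,/etc/passwd
path,/bin/cat
subject,dave,root,wheel,dave,dave,6701,100,0,0.0.0.0
return,failure : Permission denied,-1
trailer,96
"""


@dataclass
class ExecRecord:
    timestamp: str
    event: str
    audit_user: str = ""      # audit ID (login user, survives su)
    effective_uid: str = ""
    real_uid: str = ""
    pid: int = 0
    path: str = ""
    argv: list = field(default_factory=list)
    status: str = ""


def parse_praudit(text):
    """Return one ExecRecord per execve(2) record in the text."""
    records = []
    cur = None
    for line in text.splitlines():
        if not line:
            continue
        tokname, _, rest = line.partition(",")
        fields = rest.split(",")
        if tokname == "header":
            # header,<len>,<version>,<event>,<modifier>,<time>,<msec>
            cur = ExecRecord(timestamp=fields[4].strip(), event=fields[2])
        elif cur is None:
            continue
        elif tokname == "exec arg":
            cur.argv = fields            # only present with policy ",argv"
        elif tokname == "path":
            cur.path = fields[0]
        elif tokname == "subject":
            # subject,auid,euid,egid,ruid,rgid,pid,sid,tid,addr
            cur.audit_user, cur.effective_uid = fields[0], fields[1]
            cur.real_uid = fields[3]
            cur.pid = int(fields[5])
        elif tokname == "return":
            cur.status = fields[0]
        elif tokname == "trailer":
            if cur.event.startswith("execve"):
                records.append(cur)
            cur = None
    return records


def summarize(records):
    """One line per exec: user pid path argv (the format Dave wanted)."""
    return ["%s %d %s %s" % (r.audit_user, r.pid, r.path, " ".join(r.argv))
            for r in records]


def uid_mismatches(records):
    """Exec events run with an effective uid other than the real uid."""
    return [r for r in records if r.effective_uid != r.real_uid]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    print("\n".join(summarize(recs)))
    for r in uid_mismatches(recs):
        print("uid change: pid %d euid=%s ruid=%s %s" %
              (r.pid, r.effective_uid, r.real_uid, r.status))
```

Splitting on commas is ambiguous when an argument itself contains a comma; for anything beyond a quick look, feed the parser `praudit -x` XML output instead of the default text form.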
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"