On Monday 04 August 2008 18:18:17 LC Bruzenak wrote: > Since the audit-viewer script has: > exec /usr/bin/python -O /usr/share/audit-viewer/main.py "$@" > > I'd guess that you were pointing in the right direction. > But I would prefer that the comm field be more trustworthy.
I don't know how to make it more trustworthy without making it bigger. That item lives in the task struct and is copied at every fork and rewritten on exec. using kmalloc would add some overhead and picking anything bigger might not be acceptable upstream. Al, do you have any suggestions here? > In reality, the /usr/bin/audit-viewer executable script really called > the python exec which then interpreted the main.py script...I think. I'm > not getting that from this event, however. Its almost there. :) You have to make some assumptions which may or may not be palatable. For one, you have to assume that no one has written anything you don't know about. And you have to asume that they have not added directories that you don't know about. Given those boundaries, you can sometimes guess what it is when full paths are used. > I guess the real issue here (as you pointed out) is that we have > different entities - interpreted script/interpreter executable as > opposed to command/resulting executable, but the same structure is used > for each. Well, we have 2 models...interpreter + script and just executable. We fit both into the same structuire as the interpreter is the executable while the script is the command. When you have an elf binary, the command and the executable are the same thing. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
