On Tue, Oct 29, 2013 at 10:44 AM, William Roberts <[email protected]>wrote:
> > > > On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <[email protected]> wrote: > >> On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: >> > On some devices, the cmdline and task info vary. For instance, on >> > Android, the cmdline is set to the package name, and the task info >> > is the name of the VM, which is not very helpful. >> > >> > The additional cmdline output only runs if the audit feature >> > AUDIT_FEATURE_CMDLINE_OUTPUT is set high at runtime. >> >> I don't exactly like this. The audit event records are very normalized. >> When >> you have a specific kind of record, you can count on always having the >> certain >> fields even if its value is (NULL). So, having fields swinging in and out >> by >> configuration is not something I'd like to see start. >> >> Can you show me an event that has the problem and what it looks like when >> its >> fixed by this patch? >> >> Thanks, >> -Steve >> > > > I'm 100% ok with the dynamic option changing it from NULL to a real value > IMO a like > that better then what I currently have. > > Old: > type=1300 msg=audit(1383022671.232:230): arch=40000028 syscall=54 > per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0 > ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 > comm=4173796E635461736B202331 exe="/system/bin/app_process" subj=u:r:nfc:s0 > key=(null) > > Issue: > comm field in task is only 16 chars, to small for most package names, and > already contains the VM command. I really have no information of what > Android App has created the issue. > > Solution: > Get the proc cmdline info (not trust worthy, but can help debugging > Android) > > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 > per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c > items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 > suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) > ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process" > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null) > > Now I know it was the NFC app > > FYI, from this point I would get the application from a trustworthy source and audit it, obviously this could be an app using setproctitle() and spoofing something legitimate. Like malicious app A pretending to be angry birds. I cant read this cmdline value form userspace, as a denial from selinux may cause the app to crash. So sometimes the apps proc entry is gone before I can record what happened in userspace.
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
