On Mon, 5 May 2014 16:41:53 -0400 Richard Guy Briggs <[email protected]> wrote:
> Only problem is, it doesn't work. What assumptions am I making that
> aren't valid about the approach in this kernel code?
>
> I also considered adding the path string pointer to the struct
> audit_field.
>
> Any suggestions?

What I was thinking about is that it should work a lot like a watch for execution except when the watch triggers, it actually fills in a pid field for a syscall rule and loads it instead of emitting an event. For example, suppose you had this rule:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

It could be started as this:

-a exit,always -F path=/bin/bash -F perm=x

Then when it triggers, it loads this:

-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F success=1 -F pid=##

Where ## is the pid known to the kernel. Then when the program exits for any reason, the rules it created for that pid are all removed. It would also need to handle execve/clone/fork/vfork sanely once a rule was created. auditctl -l should only show the rule that was loaded from user space and not any helpers that might be created dynamically. Deleting the rule should get rid of any helpers.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
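The rule-expansion scheme sketched in Steve's reply, as an added user-space model (not kernel code, not part of the linux-audit thread): a rule carrying `-F exe=PATH` is kept as the user-visible rule, a `path=PATH perm=x` watch is what actually gets loaded, and an exec of that path creates a per-pid helper rule that disappears on exit or when the user rule is deleted. The event hooks (`on_exec`, `on_fork`, `on_exit`), the class name, and the policy that a fork/clone/vfork child inherits its parent's helpers while an execve into a different image drops them are assumptions of the model; the thread only says those syscalls must be handled "sanely".

```python
"""Toy model of expanding an `-F exe=` audit rule into a path/perm=x watch
plus dynamically created per-pid helper rules.  Added example: a user-space
simulation, not the kernel's audit code; hook names and the fork-inheritance
policy are assumptions."""
import shlex


class ExeRuleExpander:
    """Tracks user-loaded rules, the watches derived from `-F exe=`, and the
    per-pid helper rules created when a watched path is executed."""

    def __init__(self):
        self.user_rules = {}   # rule id -> rule string exactly as loaded
        self.plain_rules = {}  # rule id -> rules with no exe field (loaded as-is)
        self.watches = {}      # exe path -> (rule id, tokens minus the exe field)
        self.helpers = {}      # pid -> {rule id: helper rule string}
        self._next_id = 1

    @staticmethod
    def _split_exe(rule):
        """Return (exe path or None, remaining tokens) for an auditctl rule string."""
        tokens = shlex.split(rule)
        exe, rest, i = None, [], 0
        while i < len(tokens):
            if tokens[i] == "-F" and i + 1 < len(tokens) and tokens[i + 1].startswith("exe="):
                exe = tokens[i + 1][len("exe="):]
                i += 2
            else:
                rest.append(tokens[i])
                i += 1
        return exe, rest

    def add_rule(self, rule):
        """Load a rule from user space; an exe rule becomes a watch instead."""
        rid, self._next_id = self._next_id, self._next_id + 1
        self.user_rules[rid] = rule
        exe, rest = self._split_exe(rule)
        if exe is None:
            self.plain_rules[rid] = rule
        else:
            self.watches[exe] = (rid, rest)
        return rid

    def delete_rule(self, rid):
        """Deleting the user rule also removes its watch and every helper it made."""
        self.user_rules.pop(rid)
        self.plain_rules.pop(rid, None)
        self.watches = {p: v for p, v in self.watches.items() if v[0] != rid}
        for pid in list(self.helpers):
            self.helpers[pid].pop(rid, None)
            if not self.helpers[pid]:
                del self.helpers[pid]

    @staticmethod
    def watch_for(exe):
        return f"-a exit,always -F path={exe} -F perm=x"

    def on_exec(self, pid, exe):
        """execve: the old image is gone, so its helpers go; then expand for the new one."""
        self.helpers.pop(pid, None)
        if exe in self.watches:
            rid, rest = self.watches[exe]
            self.helpers[pid] = {rid: shlex.join(rest) + f" -F pid={pid}"}

    def on_fork(self, parent, child):
        """fork/clone/vfork (assumed policy): child runs the same image, so it inherits."""
        if parent in self.helpers:
            self.helpers[child] = {
                rid: rule.rsplit(" -F pid=", 1)[0] + f" -F pid={child}"
                for rid, rule in self.helpers[parent].items()
            }

    def on_exit(self, pid):
        """Process exit for any reason: all helpers created for that pid are removed."""
        self.helpers.pop(pid, None)

    def list_rules(self):
        """What `auditctl -l` would show: user-space rules only, never the helpers."""
        return list(self.user_rules.values())

    def active_rules(self):
        """Everything the kernel would actually be evaluating right now."""
        rules = list(self.plain_rules.values())
        rules += [self.watch_for(exe) for exe in self.watches]
        for per_pid in self.helpers.values():
            rules += per_pid.values()
        return rules


if __name__ == "__main__":
    m = ExeRuleExpander()
    m.add_rule("-a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1")
    m.on_exec(4242, "/bin/bash")   # constructed pid: the watch fires
    print("auditctl -l:", m.list_rules())
    print("kernel side:", m.active_rules())
```

Running the module shows the single user rule from `list_rules()` next to the watch and the `pid=4242` helper from `active_rules()`; the test below walks the exec, fork, re-exec, exit and delete paths.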
