Re: [logs] adduser log

From: Paul D. Robertson (probertsat_private)
Date: Tue Jan 21 2003 - 17:14:20 PST

  • Next message: Darren Reed: "Re: [logs] syslog TCP discussion"

    On Tue, 21 Jan 2003, Pinel Pierre-Marc wrote:
    > I need to log the use of the adduser comand on a Red
    > Hat server.
    Just the adduser command, or any commands, and what if the command is 
    copied to a new name?
    > Is there any other solution than to modify comand and
    > doing a script than logs an event.
    A kernel module that klogs things passed to execve is pretty easy to do- 
    I just wrote a proof of concept one that seems to work ok.  I had some 
    execve wrapping stuff laying around, so it was <5 minutes of work to nuke 
    the extraneous code.
    This requires replacing the execve() syscall with a wrapper that logs the 
    argument and then calls the original syscall.  Making the module so that 
    it can't be unloaded is simple under the 2.4.x kernel series[0].  Logging 
    all, or logging a list of commands that's hardwired into the module are 
    both simple.
    Additional stuff is more difficult (like MD5'ing the binary) because 
    accessing filesystems in kernel mode pretty much sucks AFAICT.  I still 
    haven't figured out non-parameterized kernel module arguments though[1], 
    so dynamic unlimited list stuff is a PITA for me, someone doing full-time 
    programming might be more clued in and be able to help with more useful 
    feature sets.  
    So, I could offer up a module that logs all execve() calls to klogd in a 
    few days (I'd want to test it for 3-4 days continuosly since it's kernel 
    memory before handing it out,) and you could play from there, anything 
    else takes more time and research than I have free at the moment.  
    I'd expect that to generate *lots* of log data though, so it's probably 
    not all that useful.  If we nuked logging /bin/sh it might not be all that 
    horrendous though...
    The other hole in the scheme is that it's possible to come in behind and 
    load another moudle that overloads execve() again, and I really don't have 
    time to go through that whole "protect the protector" scenerio.  If that 
    limitation works and the idea is interesting, let me know.
    [0] Increment and never decrement the usage counter.
    [1] I can do cmd1=foo, cmd2=bar, but I can't seem to get argv-ish stuff 
    figured out.
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 20:20:21 PST