On Tue, 21 Jan 2003, Pinel Pierre-Marc wrote:

> I need to log the use of the adduser command on a Red
> Hat server.

Just the adduser command, or any commands, and what if the command is copied to a new name?

> Is there any other solution than to modify the command and
> do a script that logs an event.

A kernel module that klogs things passed to execve is pretty easy to do - I just wrote a proof of concept one that seems to work ok. I had some execve wrapping stuff laying around, so it was <5 minutes of work to nuke the extraneous code.

This requires replacing the execve() syscall with a wrapper that logs the argument and then calls the original syscall. Making the module so that it can't be unloaded is simple under the 2.4.x kernel series[0]. Logging all, or logging a list of commands that's hardwired into the module are both simple. Additional stuff is more difficult (like MD5'ing the binary) because accessing filesystems in kernel mode pretty much sucks AFAICT. I still haven't figured out non-parameterized kernel module arguments though[1], so dynamic unlimited list stuff is a PITA for me; someone doing full-time programming might be more clued in and be able to help with more useful feature sets.

So, I could offer up a module that logs all execve() calls to klogd in a few days (I'd want to test it for 3-4 days continuously since it's kernel memory before handing it out), and you could play from there; anything else takes more time and research than I have free at the moment. I'd expect that to generate *lots* of log data though, so it's probably not all that useful. If we nuked logging /bin/sh it might not be all that horrendous though...

The other hole in the scheme is that it's possible to come in behind and load another module that overloads execve() again, and I really don't have time to go through that whole "protect the protector" scenario.

If that limitation works and the idea is interesting, let me know.

Paul

[0] Increment and never decrement the usage counter.
[1] I can do cmd1=foo, cmd2=bar, but I can't seem to get argv-ish stuff figured out.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
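Added example (not Paul's module, nor any code from the thread): a user-space model of the execve() wrapping and usage-counter pinning described above, so the logic can be compiled and stepped through without a 2.4 kernel. A plain function-pointer table stands in for the kernel's sys_call_table; the names sys_call_tbl, log_buf, watched, install_execve_logger and run_execve are this example's own.

```c
/* Added example, not Paul's module: a user-space model of the execve()
 * wrapping he describes. A function-pointer table stands in for the kernel's
 * sys_call_table; the names below (sys_call_tbl, log_buf, watched) are mine. */
#include <stdio.h>
#include <string.h>

#define NR_EXECVE 11  /* i386 __NR_execve; only the table index matters here */
typedef long (*syscall_fn)(const char *path, char *const argv[]);

/* Stand-in for the kernel's original sys_execve: just reports success. */
static long original_execve(const char *path, char *const argv[]) {
    (void)path; (void)argv; return 0;
}
static syscall_fn sys_call_tbl[256] = { [NR_EXECVE] = original_execve };
static syscall_fn saved_execve;          /* original entry, chained to after logging */
static unsigned int module_use_count;    /* "increment and never decrement" */
static char log_buf[256];                /* stands in for printk() -> klogd */

/* Hardwired list of paths to log; matched by path, so a copy of adduser
 * under another name is missed (the first question in the reply). */
static const char *watched[] = { "/usr/sbin/adduser", "/usr/sbin/useradd", NULL };
static int should_log(const char *path) {
    for (const char **w = watched; *w; w++)
        if (strcmp(path, *w) == 0) return 1;
    return 0;
}

/* The wrapper installed in place of execve: log path + argv, then call the original. */
static long logging_execve(const char *path, char *const argv[]) {
    if (should_log(path)) {
        int n = snprintf(log_buf, sizeof log_buf, "execve: %s", path);
        for (int i = 1; argv && argv[i] && n < (int)sizeof log_buf; i++)
            n += snprintf(log_buf + n, sizeof log_buf - n, " %s", argv[i]);
    }
    return saved_execve(path, argv);
}

/* init_module equivalent: save the old entry, install the wrapper, pin the module. */
void install_execve_logger(void) {
    saved_execve = sys_call_tbl[NR_EXECVE];
    sys_call_tbl[NR_EXECVE] = logging_execve;
    module_use_count++;  /* never decremented, so rmmod reports the module busy */
}

/* Dispatch one execve through the table and return the log line it produced. */
const char *run_execve(const char *path, char *const argv[]) {
    log_buf[0] = '\0';
    sys_call_tbl[NR_EXECVE](path, argv);
    return log_buf;
}
```

Running the watched path through the table yields a log line with its arguments, while the same binary copied to /tmp yields nothing, which is the gap Paul's first question points at.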
This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 20:20:21 PST