Re: [logs] adduser log

From: Paul D. Robertson (probertsat_private)
Date: Wed Jan 22 2003 - 07:45:02 PST


    On Wed, 22 Jan 2003, Bennett Todd wrote:
    > 2003-01-21T20:14:20 Paul D. Robertson:
    > > So, I could offer up a module that logs all execve() calls to
    > > klogd in a few days (I'd want to test it for 3-4 days continuously
    > > since it's kernel memory before handing it out,) and you could
    > > play from there, anything else takes more time and research than
    > > I have free at the moment.
    > I'd like that. I'd use that. I think that ought to be submitted for
    > inclusion in the stock Linux kernel, it's so useful.
    Actually, there's no reason the *real* syscall couldn't have a logging
    vector in it.  I might be able to pursue that longer-term if I get a
    chance to dig through the recent capability stuff.
    > > I'd expect that to generate *lots* of log data though, so it's
    > > probably not all that useful.  If we nuked logging /bin/sh it
    > > might not be all that horrendous though...
    > Why special-case anything. Logging the invoking pid, [e]uid, gids,
    > cmd, argv, and env is far, far less work than implementing an exec,
    > so the performance impact should be small.
    /bin/sh gets called a *lot*, so that might actually be a useful thing to 
    nix, even if it's a compile time #ifdef (yeah, I know, I was a *great* 
    mainframe assembly language programmer, I'm just an *ok* C programmer.)
    I ripped PID out of the code (original module was a protective execve()
    wrapper that might see the light of day sometime in the distant future.)
    Quickly trying to reinsert it doesn't seem to want to work, so that may
    take an hour when I have time to diagnose it.
    Give me a couple of days to put somewhere together that I can have the 
    code available for download, I promise not to wait for me to get my DNS 
    working first- if you haven't seen anything on this list by say Friday, 
    drop me a note and I'll cover it over the weekend.
    I'd really like to run the code for a few days though, unless someone 
    has a development system and wants to do that deed?  I'm really, really 
    paranoid about testing kernel mode stuff (though the original and much 
    more complex code has been completely tested.)
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    LogAnalysis mailing list
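The thread settles on what an exec record should carry (pid, [e]uid, gids, cmd, argv, env) and on dropping /bin/sh to keep the volume sane. The script below is an added example, not code from the thread or from Paul's module: it assumes a hypothetical one-line-per-exec key=value format with those fields, applies the /bin/sh exclusion after the fact, measures how much volume it saves, and pulls out the execs where euid differs from uid. The sample records are constructed.

```python
# Added example (not from the thread or Paul's module): post-process execve()
# records in an assumed key=value format carrying the fields the thread lists.
import shlex
from collections import Counter

# Constructed sample records in the assumed format (not real kernel output).
SAMPLE_LOG = """\
execve pid=1201 uid=1000 euid=1000 gids=1000,4 cmd=/bin/sh argv="/bin/sh -c ls" env="PATH=/usr/bin"
execve pid=1202 uid=1000 euid=1000 gids=1000,4 cmd=/bin/ls argv="ls" env="PATH=/usr/bin"
execve pid=1203 uid=1000 euid=0 gids=1000,4 cmd=/usr/bin/passwd argv="passwd" env="PATH=/usr/bin"
execve pid=1204 uid=0 euid=0 gids=0 cmd=/bin/sh argv="/bin/sh" env="PATH=/sbin:/bin"
execve pid=1205 uid=1000 euid=0 gids=1000,4 cmd=/usr/bin/su argv="su -" env="PATH=/usr/bin"
"""

# The compile-time exclusion the thread talks about, applied after the fact.
NOISY_CMDS = {"/bin/sh"}

def parse_record(line):
    """Parse one record into a dict; None for lines that are not execve records."""
    tokens = shlex.split(line)  # honours the quoting around argv and env
    if not tokens or tokens[0] != "execve":
        return None
    rec = dict(tok.partition("=")[::2] for tok in tokens[1:])
    for key in ("pid", "uid", "euid"):
        rec[key] = int(rec[key])
    rec["gids"] = [int(g) for g in rec["gids"].split(",")]
    return rec

def filter_noise(records, noisy=NOISY_CMDS):
    """Drop the high-volume commands, mirroring the proposed #ifdef for /bin/sh."""
    return [r for r in records if r["cmd"] not in noisy]

def privilege_transitions(records):
    """Execs where the effective uid differs from the real uid (setuid binaries)."""
    return [r for r in records if r["euid"] != r["uid"]]

def summarise(text):
    """Volume before and after the noise filter, plus the records worth a look."""
    records = [r for r in map(parse_record, text.splitlines()) if r]
    kept = filter_noise(records)
    return {
        "total": len(records),
        "kept": len(kept),
        "dropped_by_cmd": Counter(r["cmd"] for r in records if r["cmd"] in NOISY_CMDS),
        "setuid_pids": [r["pid"] for r in privilege_transitions(kept)],
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```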

    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 10:07:21 PST