On Wed, 22 Jan 2003, Bennett Todd wrote: > 2003-01-21T20:14:20 Paul D. Robertson: > > So, I could offer up a module that logs all execve() calls to > > klogd in a few days (I'd want to test it for 3-4 days continuosly > > since it's kernel memory before handing it out,) and you could > > play from there, anything else takes more time and research than > > I have free at the moment. > > I'd like that. I'd use that. I think that ought to be submitted for > inclusion in the stock Linux kernel, it's so useful. Actually, there's no reason the *real* syscall couldn't have a logging vector in it. I might be able to persue that longer-term if I get a chance to dig through the recent capability stuff. > > I'd expect that to generate *lots* of log data though, so it's > > probably not all that useful. If we nuked logging /bin/sh it > > might not be all that horrendous though... > > Why special-case anything. Logging the invoking pid, [e]uid, gids, > cmd, argv, and env is far, far less work than implementing an exec, > so the performance impact should be small. /bin/sh gets called a *lot*, so that might actually be a useful thing to nix, even if it's a compile time #ifdef (yeah, I know, I was a *great* mainframe assembly language programmer, I'm just an *ok* C programmer.) I ripped PID out of the code, (original module was a protective execve() wrapper that might see the light of day sometime in the distant future. Quickly trying to reinsert it doesn't seem to want to work, so that make take an hour when I have time to diagnose it. Give me a couple of days to put somewhere together that I can have the code available for download, I promise not to wait for me to get my DNS working first- if you haven't seen anything on this list by say Friday, drop me a note and I'll cover it over the weekend. I'd really like to run the code for a few days though, unless someone has a development system and wants to do that deed? I'm really, really paranoid about testing kernel mode stuff (though the original and much more complex code has been completely tested.) Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions probertsat_private which may have no basis whatsoever in fact." probertsonat_private Director of Risk Assessment TruSecure Corporation _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 10:07:21 PST