Commit 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41
Committed by
Al Viro
1 parent
5712e88f2b
[PATCH] Abnormal End of Processes
Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Showing 3 changed files with 44 additions and 0 deletions Side-by-side Diff
fs/exec.c
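--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -112,6 +112,7 @@
 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
 #define AUDIT_LAST_KERN_ANOM_MSG 1799
 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
 
 #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
 
@@ -377,6 +378,7 @@
 if (unlikely(!audit_dummy_context()))
 __audit_inode_child(dname, inode, parent);
 }
+void audit_core_dumps(long signr);
 
 static inline void audit_ptrace(struct task_struct *t)
 {
@@ -467,6 +469,7 @@
 #define __audit_inode_child(d,i,p) do { ; } while (0)
 #define audit_inode(n,i) do { ; } while (0)
 #define audit_inode_child(d,i,p) do { ; } while (0)
+#define audit_core_dumps(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
 #define audit_get_loginuid(c) ({ -1; })
 #define audit_log_task_context(b) do { ; } while (0)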
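Review bot: The new prototype `void audit_core_dumps(long signr);` in the second hunk is placed directly after the closing brace of the static inline audit_inode_child() with no separating blank line and no comment, unlike the surrounding helpers. A blank line before it and a one-line comment such as `/* Emit an AUDIT_ANOM_ABEND record for the current task; defined in kernel/auditsc.c. */` would make the declaration easier to find and would tie the new message type in the first hunk to its producer. In the third hunk the no-op stub `#define audit_core_dumps(i) do { ; } while (0)` follows the sibling stubs, but its parameter is named `i` while the prototype calls it `signr`; using the same name in both keeps the two definitions visibly matched. The enclosing `#ifdef` branches of the second and third hunks start and end outside the hunks, so which configuration each belongs to is not visible here.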
kernel/auditsc.c
... | ... | @@ -2037,4 +2037,43 @@ |
2037 | 2037 | |
2038 | 2038 | return 0; |
2039 | 2039 | } |
2040 | + | |
2041 | +/** | |
2042 | + * audit_core_dumps - record information about processes that end abnormally | |
2043 | + * @sig: signal value | |
2044 | + * | |
2045 | + * If a process ends with a core dump, something fishy is going on and we | |
2046 | + * should record the event for investigation. | |
2047 | + */ | |
2048 | +void audit_core_dumps(long signr) | |
2049 | +{ | |
2050 | + struct audit_buffer *ab; | |
2051 | + u32 sid; | |
2052 | + | |
2053 | + if (!audit_enabled) | |
2054 | + return; | |
2055 | + | |
2056 | + if (signr == SIGQUIT) /* don't care for those */ | |
2057 | + return; | |
2058 | + | |
2059 | + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | |
2060 | + audit_log_format(ab, "auid=%u uid=%u gid=%u", | |
2061 | + audit_get_loginuid(current->audit_context), | |
2062 | + current->uid, current->gid); | |
2063 | + selinux_get_task_sid(current, &sid); | |
2064 | + if (sid) { | |
2065 | + char *ctx = NULL; | |
2066 | + u32 len; | |
2067 | + | |
2068 | + if (selinux_sid_to_string(sid, &ctx, &len)) | |
2069 | + audit_log_format(ab, " ssid=%u", sid); | |
2070 | + else | |
2071 | + audit_log_format(ab, " subj=%s", ctx); | |
2072 | + kfree(ctx); | |
2073 | + } | |
2074 | + audit_log_format(ab, " pid=%d comm=", current->pid); | |
2075 | + audit_log_untrustedstring(ab, current->comm); | |
2076 | + audit_log_format(ab, " sig=%ld", signr); | |
2077 | + audit_log_end(ab); | |
2078 | +} |