Add BSM record conversion for a number of syscalls:
- thr_kill(2) and thr_exit(2) generally (no argument auditing here. - A set of syscalls for the process descriptor family, specifically: pdfork(2), pdgetpid(2) and pdkill(2) For these syscalls, audit the file descriptor. In the case of pdfork(2) a pointer to an integer (file descriptor) is passed in as an argument. We audit the post initialized file descriptor (not the random garbage that would have been passed in). We will also audit the child process which was created from the fork operation (similar to what is done for the fork(2) syscall). pdkill(2) we audit the signal value and fd, and finally pdgetpid(2) just the file descriptor: - Following is a sample of the produced audit trails: header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec argument,0,0x39d,child PID argument,2,0x2,flags argument,1,0x8,fd subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,925 header,79,11,pdgetpid(2),0,Sat May 16 03:07:50 2020, + 394 msec argument,1,0x8,fd subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,0 trailer,79 header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec argument,1,0x8,fd argument,2,0xf,signal process_ex,root,root,0,root,0,925,0,0,0.0.0.0 subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,0 trailer,135 MFC after: 1 week
This commit is contained in:
parent
26644b0125
commit
757a564248
@ -128,6 +128,7 @@ sys_pdfork(struct thread *td, struct pdfork_args *uap)
|
||||
fr.fr_pidp = &pid;
|
||||
fr.fr_pd_fd = &fd;
|
||||
fr.fr_pd_flags = uap->flags;
|
||||
AUDIT_ARG_FFLAGS(uap->flags);
|
||||
/*
|
||||
* It is necessary to return fd by reference because 0 is a valid file
|
||||
* descriptor number, and the child needs to be able to distinguish
|
||||
@ -909,6 +910,7 @@ fork1(struct thread *td, struct fork_req *fr)
|
||||
fr->fr_pd_flags, fr->fr_pd_fcaps);
|
||||
if (error != 0)
|
||||
goto fail2;
|
||||
AUDIT_ARG_FD(*fr->fr_pd_fd);
|
||||
}
|
||||
|
||||
mem_charged = 0;
|
||||
|
@ -1317,6 +1317,38 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
||||
UPATH1_VNODE1_TOKENS;
|
||||
break;
|
||||
|
||||
case AUE_PDKILL:
|
||||
if (ARG_IS_VALID(kar, ARG_FD)) {
|
||||
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
|
||||
tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
PROCESS_PID_TOKENS(1);
|
||||
break;
|
||||
case AUE_PDFORK:
|
||||
if (ARG_IS_VALID(kar, ARG_PID)) {
|
||||
tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
||||
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
if (ARG_IS_VALID(kar, ARG_FD)) {
|
||||
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
break;
|
||||
case AUE_PDGETPID:
|
||||
if (ARG_IS_VALID(kar, ARG_FD)) {
|
||||
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
||||
kau_write(rec, tok);
|
||||
}
|
||||
break;
|
||||
|
||||
case AUE_PROCCTL:
|
||||
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
||||
tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
|
||||
@ -1747,6 +1779,8 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
||||
break;
|
||||
|
||||
case AUE_THR_NEW:
|
||||
case AUE_THR_KILL:
|
||||
case AUE_THR_EXIT:
|
||||
break;
|
||||
|
||||
case AUE_NULL:
|
||||
|
Loading…
x
Reference in New Issue
Block a user