diff options
author | Steve Grubb <sgrubb@redhat.com> | 2007-04-19 10:28:21 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2007-05-11 05:38:26 -0400 |
commit | 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 (patch) | |
tree | 309f2b2b5874692302862534cd9052a1d96018ba /kernel/auditsc.c | |
parent | 5712e88f2b0f626a4857c24128810bbf8ce09537 (diff) |
[PATCH] Abnormal End of Processes
Hi,
I have been working on some code that detects abnormal events based on audit
system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r-- | kernel/auditsc.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 5276b7ef05f1..e36481ed61b4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -2037,3 +2037,42 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2037 | 2037 | ||
2038 | return 0; | 2038 | return 0; |
2039 | } | 2039 | } |
2040 | |||
2041 | /** | ||
2042 | * audit_core_dumps - record information about processes that end abnormally | ||
2043 | * @sig: signal value | ||
2044 | * | ||
2045 | * If a process ends with a core dump, something fishy is going on and we | ||
2046 | * should record the event for investigation. | ||
2047 | */ | ||
2048 | void audit_core_dumps(long signr) | ||
2049 | { | ||
2050 | struct audit_buffer *ab; | ||
2051 | u32 sid; | ||
2052 | |||
2053 | if (!audit_enabled) | ||
2054 | return; | ||
2055 | |||
2056 | if (signr == SIGQUIT) /* don't care for those */ | ||
2057 | return; | ||
2058 | |||
2059 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | ||
2060 | audit_log_format(ab, "auid=%u uid=%u gid=%u", | ||
2061 | audit_get_loginuid(current->audit_context), | ||
2062 | current->uid, current->gid); | ||
2063 | selinux_get_task_sid(current, &sid); | ||
2064 | if (sid) { | ||
2065 | char *ctx = NULL; | ||
2066 | u32 len; | ||
2067 | |||
2068 | if (selinux_sid_to_string(sid, &ctx, &len)) | ||
2069 | audit_log_format(ab, " ssid=%u", sid); | ||
2070 | else | ||
2071 | audit_log_format(ab, " subj=%s", ctx); | ||
2072 | kfree(ctx); | ||
2073 | } | ||
2074 | audit_log_format(ab, " pid=%d comm=", current->pid); | ||
2075 | audit_log_untrustedstring(ab, current->comm); | ||
2076 | audit_log_format(ab, " sig=%ld", signr); | ||
2077 | audit_log_end(ab); | ||
2078 | } | ||