[PATCH] Abnormal End of Processes

Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Steve Grubb <sgrubb@redhat.com> 2007-04-19 10:28:21 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2007-05-11 05:38:26 -0400
commit: 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 (patch)
tree: 309f2b2b5874692302862534cd9052a1d96018ba /kernel
parent: 5712e88f2b0f626a4857c24128810bbf8ce09537 (diff)
1 files changed, 39 insertions, 0 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5276b7ef05f1..e36481ed61b4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2037,3 +2037,42 @@ int __audit_signal_info(int sig, struct task_struct *t)
        return 0;
 }
+/**
+ * audit_core_dumps - record information about processes that end abnormally
+ * @sig: signal value
+ *
+ * If a process ends with a core dump, something fishy is going on and we
+ * should record the event for investigation.
+ */
+void audit_core_dumps(long signr)
+{
+        struct audit_buffer *ab;
+        u32 sid;
+        if (!audit_enabled)
+                return;
+        if (signr == SIGQUIT)   /* don't care for those */
+                return;
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+        audit_log_format(ab, "auid=%u uid=%u gid=%u",
+                        audit_get_loginuid(current->audit_context),
+                        current->uid, current->gid);
+        selinux_get_task_sid(current, &sid);
+        if (sid) {
+                char *ctx = NULL;
+                u32 len;
+                if (selinux_sid_to_string(sid, &ctx, &len))
+                        audit_log_format(ab, " ssid=%u", sid);
+                else
+                        audit_log_format(ab, " subj=%s", ctx);
+                kfree(ctx);
+        }
+        audit_log_format(ab, " pid=%d comm=", current->pid);
+        audit_log_untrustedstring(ab, current->comm);
+        audit_log_format(ab, " sig=%ld", signr);
+        audit_log_end(ab);
+}
author	Steve Grubb <sgrubb@redhat.com>	2007-04-19 10:28:21 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2007-05-11 05:38:26 -0400
commit	0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 (patch)
tree	309f2b2b5874692302862534cd9052a1d96018ba /kernel
parent	5712e88f2b0f626a4857c24128810bbf8ce09537 (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 5276b7ef05f1..e36481ed61b4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -2037,3 +2037,42 @@ int __audit_signal_info(int sig, struct task_struct *t)
2037		2037
2038	return 0;	2038	return 0;
2039	}	2039	}
		2040
		2041	/**
		2042	* audit_core_dumps - record information about processes that end abnormally
		2043	* @sig: signal value
		2044	*
		2045	* If a process ends with a core dump, something fishy is going on and we
		2046	* should record the event for investigation.
		2047	*/
		2048	void audit_core_dumps(long signr)
		2049	{
		2050	struct audit_buffer *ab;
		2051	u32 sid;
		2052
		2053	if (!audit_enabled)
		2054	return;
		2055
		2056	if (signr == SIGQUIT) /* don't care for those */
		2057	return;
		2058
		2059	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
		2060	audit_log_format(ab, "auid=%u uid=%u gid=%u",
		2061	audit_get_loginuid(current->audit_context),
		2062	current->uid, current->gid);
		2063	selinux_get_task_sid(current, &sid);
		2064	if (sid) {
		2065	char *ctx = NULL;
		2066	u32 len;
		2067
		2068	if (selinux_sid_to_string(sid, &ctx, &len))
		2069	audit_log_format(ab, " ssid=%u", sid);
		2070	else
		2071	audit_log_format(ab, " subj=%s", ctx);
		2072	kfree(ctx);
		2073	}
		2074	audit_log_format(ab, " pid=%d comm=", current->pid);
		2075	audit_log_untrustedstring(ab, current->comm);
		2076	audit_log_format(ab, " sig=%ld", signr);
		2077	audit_log_end(ab);
		2078	}