
akari: Source Tree


Name      Size     Rev.  Time                 Author    Log Message
probe.c   26.34 k  r688  2022-09-10 00:24:05  kumaneko
tt.c      22.48 k  r697  2023-10-03 19:23:54  kumaneko
Makefile  56       r467  2014-04-15 23:04:30  kumaneko  Add tasktracker module
README    4.66 k   r567  2018-03-05 19:28:42  kumaneko  Update tasktracker
probe.h   1.83 k   r688  2022-09-10 00:24:05  kumaneko

README

About this module:

  When an unexpected system event (e.g. a reboot) occurs, the administrator
  may want to identify which application triggered the event. System call
  auditing could be used for recording such events. However, the audit log
  may not provide enough information to identify the application, because
  the audit log does not reflect how the program was executed.

  I sometimes receive "which application triggered the event" questions
  on RHEL systems. The TOMOYO security module can track how the program
  was executed, but TOMOYO is not yet available in Fedora/RHEL
  distributions.

  Although a subj= field is added to the audit log if SELinux is not
  disabled, SELinux is too difficult to customize as fine-grained as
  I expect in order to reflect how the program was executed. Therefore,
  I wrote an LSM module, implemented as a loadable kernel module, which
  emits TOMOYO-like information into the audit logs.

  This module is released under the GPLv2.

How to compile this module:

  This module can run on Linux 2.6.26 and later kernels built with
  CONFIG_SECURITY=y, CONFIG_KALLSYMS=y, CONFIG_PROC_FS=y, CONFIG_MODULES=y
  and CONFIG_AUDITSYSCALL=y.

  Install the kernel development package and change to the directory it
  was installed into.

    RedHat distributions

      # VERSION=$(uname -r)
      # yum -y install kernel-devel-${VERSION}
      # cd /usr/src/kernels/${VERSION}/

    Debian distributions

      # VERSION=$(uname -r)
      # apt-get -y install linux-headers-${VERSION}
      # cd /usr/src/linux-headers-${VERSION}/

    SUSE distributions

      # VERSION=$(uname -r)
      # yast -i kernel-devel
      # cd /lib/modules/${VERSION}/build/

  Then extract this module's source code into a tasktracker subdirectory
  and run the following commands.

    # make SUBDIRS=$PWD/tasktracker modules
    # make SUBDIRS=$PWD/tasktracker modules_install
    # depmod ${VERSION}

How to run this module:

  To start tracing from now on, just load the compiled module.

    # modprobe tasktracker

  To trace from the start of the global /sbin/init process, you need to
  load the compiled module before the /sbin/init process starts. For
  example, create /sbin/tt-init as shown below and pass
  security=none init=/sbin/tt-init on the kernel command line.

    # echo '#! /bin/sh' > /sbin/tt-init
    # echo '/sbin/modprobe tasktracker && exec /sbin/init "$@"' >> /sbin/tt-init
    # chmod 755 /sbin/tt-init

  If you are using a systemd-based distribution where passing
  init=/sbin/tt-init does not work, include tasktracker.ko in the initramfs
  and load it from there. For example, create
  /etc/dracut.conf.d/tasktracker.conf as shown below, recreate the initramfs
  and pass security=none rd.driver.pre=tasktracker on the kernel command line.

    # echo 'add_drivers+=" tasktracker "' > /etc/dracut.conf.d/tasktracker.conf
    # dracut -f

  You will get the history of the current thread in the subj= field of the
  audit logs, in the form name=$commname;pid=$pid;start=$YYYYMMDDhhmmss with
  the entries delimited by =>, as in the example shown below.

    time->Sun Jan 11 20:59:47 2015
    type=PATH msg=audit(1420977587.794:367): item=1 name=(null) inode=382165972
    dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(1420977587.794:367): item=0 name="/sbin/reboot"
    inode=97095 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=CWD msg=audit(1420977587.794:367):  cwd="/root"
    type=EXECVE msg=audit(1420977587.794:367): argc=1 a0="reboot"
    type=SYSCALL msg=audit(1420977587.794:367): arch=c000003e syscall=59
    success=yes exit=0 a0=140dcc0 a1=1420750 a2=1402580 a3=7fffe2a8b630 items=2
    ppid=3401 pid=3424 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
    fsgid=0 tty=pts0 ses=1 comm="reboot" exe="/usr/bin/systemctl" subj="name=
    systemd;pid=1;start=20150111205847=>name=systemd;pid=1;start=20150111205849
    =>name=sshd;pid=2471;start=20150111115858=>name=sshd;pid=3399;start=
    20150111115907=>name=bash;pid=3401;start=20150111115911=>name=reboot;pid=
    3424;start=20150111115947" key=(null)
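
  As an added example (not part of the module or this README), the following
  Python parser pulls the tasktracker-style subj= chain out of an audit record
  and turns it into a parent-to-child list, which is what an operator needs to
  answer the "which application triggered the event" question. The record is
  constructed from the README example above, abridged and re-joined onto one
  line; the parser assumes comm names contain neither ";" nor "=>" (the README
  does not specify any escaping).

```python
import re
from datetime import datetime

# Constructed sample: the SYSCALL record from the README example above,
# abridged and re-joined onto one line as ausearch prints it.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1420977587.794:367): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=3401 pid=3424 auid=0 uid=0 comm="reboot" '
    'exe="/usr/bin/systemctl" subj="name=systemd;pid=1;start=20150111205847'
    '=>name=systemd;pid=1;start=20150111205849'
    '=>name=sshd;pid=2471;start=20150111115858'
    '=>name=sshd;pid=3399;start=20150111115907'
    '=>name=bash;pid=3401;start=20150111115911'
    '=>name=reboot;pid=3424;start=20150111115947" key=(null)'
)

# tasktracker quotes its subj= value; an SELinux label (subj=system_u:...)
# is unquoted and therefore deliberately not matched.
SUBJ_RE = re.compile(r'\bsubj="([^"]*)"')

def parse_subj_history(record):
    """Return the ancestry chain as a list of dicts, oldest segment first.

    Each element has name (comm), pid (int) and start (datetime). The same
    pid may appear in consecutive segments, as pid=1 does in the README
    example. Raises ValueError if there is no tasktracker-style subj=.
    """
    m = SUBJ_RE.search(record)
    if not m:
        raise ValueError("no tasktracker subj= field in record")
    chain = []
    for segment in m.group(1).split("=>"):
        fields = dict(kv.split("=", 1) for kv in segment.split(";"))
        if not all(k in fields for k in ("name", "pid", "start")):
            raise ValueError("unexpected subj= segment: %r" % segment)
        chain.append({
            "name": fields["name"],
            "pid": int(fields["pid"]),
            "start": datetime.strptime(fields["start"], "%Y%m%d%H%M%S"),
        })
    return chain

def format_chain(chain):
    """Render the chain parent -> child, e.g. 'bash[3401] -> reboot[3424]'."""
    return " -> ".join("%s[%d]" % (e["name"], e["pid"]) for e in chain)

if __name__ == "__main__":
    print(format_chain(parse_subj_history(SAMPLE_RECORD)))
```

  The last segment's pid matches the record's own pid= and the preceding
  segment's pid matches ppid=, which is a quick consistency check when
  correlating a chain with the rest of the audit event.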

ChangeLog:

  Version 0.1   2014/04/15   Initial backport.

    Backported the version posted to Linux Security Module ML (readable
    at https://lwn.net/Articles/575044/ ) as a loadable kernel module.

  Version 0.2   2014/04/20   Bug fix.

    Allocate and print current thread's history rather than printing
    "(null)" when current thread's record is not yet allocated after
    loading this kernel module.

    Make conversion of time stamp a bit faster.

  Version 0.3   2015/01/11   Bug fix.

    Change the history format.

    Add a check at load time for known conflicting modules.