• R/O
  • SSH
  • HTTPS

akari: Source Tree


Name Size Rev. Time Author Log Message
Makefile 56 r467 2014-04-15 23:04:30 kumaneko Add tasktracker module
README 4.66 k r567 2018-03-05 19:28:42 kumaneko Update tasktracker
probe.h 1.72 k r665 2020-12-05 19:55:03 kumaneko
probe.c 24.54 k r666 2020-12-06 14:47:54 kumaneko check by codespell program
tt.c 22.48 k r644 2020-06-15 11:29:50 kumaneko

README

About this module:

  When an unexpected system event (e.g. reboot) occurs, the administrator
  may want to identify which application triggered the event. System call
  auditing could be used for recording such event. However, the audit log
  may not be able to provide sufficient information for identifying the
  application because the audit log does not reflect how the program was
  executed.

  I sometimes receive "which application triggered the event" questions
  on RHEL systems. TOMOYO security module can track how the program was
  executed, but TOMOYO is not yet available in Fedora/RHEL distributions.

  Although subj= field is added to the audit log if SELinux is not
  disabled, SELinux is too difficult to customize as fine grained as
  I expect in order to reflect how the program was executed. Therefore,
  I wrote a LSM module which is implemented as a loadable kernel module
  which emits TOMOYO-like information into the audit logs.

  This module is released under the GPLv2.

How to compile this module:

  This module can run on Linux 2.6.26 and later kernels built with
  CONFIG_SECURITY=y CONFIG_KALLSYMS=y CONFIG_PROC_FS=y CONFIG_MODULES=y
  CONFIG_AUDITSYSCALL=y .

  Install the kernel development package and go to the directory that it
  has installed into.

    RedHat distributions

      # VERSION=$(uname -r)
      # yum -y install kernel-devel-${VERSION}
      # cd /usr/src/kernels/${VERSION}/

    Debian distributions

      # VERSION=$(uname -r)
      # apt-get -y install linux-headers-${VERSION}
      # cd /usr/src/linux-headers-${VERSION}/

    SUSE distributions

      # VERSION=$(uname -r)
      # yast -i kernel-devel
      # cd /lib/modules/${VERSION}/build/

  Then, extract this module's source code under tasktracker subdirectory
  and run the following commands.

    # make SUBDIRS=$PWD/tasktracker modules
    # make SUBDIRS=$PWD/tasktracker modules_install
    # depmod ${VERSION}

How to run this module:

  If you want to trace from now on, you just load the compiled module.

    # modprobe tasktracker

  If you want to trace from the beginning of global /sbin/init process,
  you need to load the compiled module before the /sbin/init process
  starts. For example, create /sbin/tt-init like shown below and pass
  security=none init=/sbin/tt-init to the kernel command line parameters.

    # echo '#! /bin/sh' > /sbin/tt-init
    # echo '/sbin/modprobe tasktracker && exec /sbin/init "$@"' >> /sbin/tt-init
    # chmod 755 /sbin/tt-init

  If you are using systemd-based distributions where passing init=/sbin/tt-init
  does not work, include tasktracker.ko into initramfs and load from initramfs.
  For example, create /etc/dracut.conf.d/tasktracker.conf like shown below and
  recreate initramfs and pass security=none rd.driver.pre=tasktracker to the
  kernel command line parameters. 

    # echo 'add_drivers+=" tasktracker "' > /etc/dracut.conf.d/tasktracker.conf
    # dracut -f

  You will get history of current thread in the subj= field of audit logs
  in the form of name=$commname;pid=$pid;start=$YYYYMMDDhhmmss delimited by =>
  like an example shown below.

    time->Sun Jan 11 20:59:47 2015
    type=PATH msg=audit(1420977587.794:367): item=1 name=(null) inode=382165972
    dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(1420977587.794:367): item=0 name="/sbin/reboot"
    inode=97095 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=CWD msg=audit(1420977587.794:367):  cwd="/root"
    type=EXECVE msg=audit(1420977587.794:367): argc=1 a0="reboot"
    type=SYSCALL msg=audit(1420977587.794:367): arch=c000003e syscall=59
    success=yes exit=0 a0=140dcc0 a1=1420750 a2=1402580 a3=7fffe2a8b630 items=2
    ppid=3401 pid=3424 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
    fsgid=0 tty=pts0 ses=1 comm="reboot" exe="/usr/bin/systemctl" subj="name=
    systemd;pid=1;start=20150111205847=>name=systemd;pid=1;start=20150111205849
    =>name=sshd;pid=2471;start=20150111115858=>name=sshd;pid=3399;start=
    20150111115907=>name=bash;pid=3401;start=20150111115911=>name=reboot;pid=
    3424;start=20150111115947" key=(null)

ChangeLog:

  Version 0.1   2014/04/15   Initial backport.

    Backported the version posted to Linux Security Module ML (readable
    at https://lwn.net/Articles/575044/ ) as a loadable kernel module.

  Version 0.2   2014/04/20   Bug fix.

    Allocate and print current thread's history rather than printing
    "(null)" when current thread's record is not yet allocated after
    loading this kernel module.

    Make conversion of time stamp a bit faster.

  Version 0.3   2015/01/11   Bug fix.

    Change the history format.

    Add a check at load time for known conflicting modules.
Show on old repository browser