Name | Size | Rev. | Time | Author | Log Message |
---|---|---|---|---|---|
probe.c | 26.34 k | r688 | 2022-09-10 00:24:05 | kumaneko | |
tt.c | 22.48 k | r697 | 2023-10-03 19:23:54 | kumaneko | |
Makefile | 56 | r467 | 2014-04-15 23:04:30 | kumaneko | Add tasktracker module |
README | 4.66 k | r567 | 2018-03-05 19:28:42 | kumaneko | Update tasktracker |
probe.h | 1.83 k | r688 | 2022-09-10 00:24:05 | kumaneko | |
About this module:

When an unexpected system event (e.g. reboot) occurs, the administrator may want to identify which application triggered the event. System call auditing could be used for recording such events. However, the audit log may not be able to provide sufficient information for identifying the application, because the audit log does not reflect how the program was executed. I sometimes receive "which application triggered the event" questions on RHEL systems. The TOMOYO security module can track how the program was executed, but TOMOYO is not yet available in Fedora/RHEL distributions. Although a subj= field is added to the audit log if SELinux is not disabled, SELinux is too difficult to customize as fine-grained as I expect in order to reflect how the program was executed. Therefore, I wrote an LSM module, implemented as a loadable kernel module, which emits TOMOYO-like information into the audit logs.

This module is released under the GPLv2.

How to compile this module:

This module can run on Linux 2.6.26 and later kernels built with

  CONFIG_SECURITY=y
  CONFIG_KALLSYMS=y
  CONFIG_PROC_FS=y
  CONFIG_MODULES=y
  CONFIG_AUDITSYSCALL=y

Install the kernel development package and go to the directory it was installed into.

RedHat distributions

  # VERSION=$(uname -r)
  # yum -y install kernel-devel-${VERSION}
  # cd /usr/src/kernels/${VERSION}/

Debian distributions

  # VERSION=$(uname -r)
  # apt-get -y install linux-headers-${VERSION}
  # cd /usr/src/linux-headers-${VERSION}/

SUSE distributions

  # VERSION=$(uname -r)
  # yast -i kernel-devel
  # cd /lib/modules/${VERSION}/build/

Then, extract this module's source code under the tasktracker subdirectory and run the following commands.

  # make SUBDIRS=$PWD/tasktracker modules
  # make SUBDIRS=$PWD/tasktracker modules_install
  # depmod ${VERSION}

How to run this module:

If you want to trace from now on, you just load the compiled module.

  # modprobe tasktracker

If you want to trace from the beginning of the global /sbin/init process, you need to load the compiled module before the /sbin/init process starts. For example, create /sbin/tt-init as shown below and pass security=none init=/sbin/tt-init to the kernel command line parameters.

  # echo '#! /bin/sh' > /sbin/tt-init
  # echo '/sbin/modprobe tasktracker && exec /sbin/init "$@"' >> /sbin/tt-init
  # chmod 755 /sbin/tt-init

If you are using systemd-based distributions where passing init=/sbin/tt-init does not work, include tasktracker.ko in the initramfs and load it from the initramfs. For example, create /etc/dracut.conf.d/tasktracker.conf as shown below, recreate the initramfs, and pass security=none rd.driver.pre=tasktracker to the kernel command line parameters.

  # echo 'add_drivers+=" tasktracker "' > /etc/dracut.conf.d/tasktracker.conf
  # dracut -f

You will get the history of the current thread in the subj= field of audit logs, in the form of name=$commname;pid=$pid;start=$YYYYMMDDhhmmss delimited by =>, like the example shown below.

  time->Sun Jan 11 20:59:47 2015
  type=PATH msg=audit(1420977587.794:367): item=1 name=(null) inode=382165972 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
  type=PATH msg=audit(1420977587.794:367): item=0 name="/sbin/reboot" inode=97095 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
  type=CWD msg=audit(1420977587.794:367): cwd="/root"
  type=EXECVE msg=audit(1420977587.794:367): argc=1 a0="reboot"
  type=SYSCALL msg=audit(1420977587.794:367): arch=c000003e syscall=59 success=yes exit=0 a0=140dcc0 a1=1420750 a2=1402580 a3=7fffe2a8b630 items=2 ppid=3401 pid=3424 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="reboot" exe="/usr/bin/systemctl" subj="name=systemd;pid=1;start=20150111205847=>name=systemd;pid=1;start=20150111205849=>name=sshd;pid=2471;start=20150111115858=>name=sshd;pid=3399;start=20150111115907=>name=bash;pid=3401;start=20150111115911=>name=reboot;pid=3424;start=20150111115947" key=(null)

ChangeLog:

Version 0.1   2014/04/15   Initial backport.

  Backported the version posted to the Linux Security Module ML (readable at https://lwn.net/Articles/575044/ ) as a loadable kernel module.

Version 0.2   2014/04/20   Bug fix.

  Allocate and print the current thread's history rather than printing "(null)" when the current thread's record is not yet allocated after loading this kernel module.
  Make conversion of the time stamp a bit faster.

Version 0.3   2015/01/11   Bug fix.

  Change the history format.
  Add a check at load time for known conflicting modules.
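The subj= history above is what an administrator would search when asking "which application triggered the reboot?". The following parser is an added example, not part of the tasktracker module or its README: it pulls the subj= value out of a SYSCALL record, splits it on the => delimiter into name/pid/start entries, and renders the execution chain oldest-first. The SAMPLE_SYSCALL record is the README's own example with the line-wrapped subj= value joined back together; the function and type names are this example's own. A subj= value that is not in tasktracker's format (the "(null)" printed by version 0.1 before a thread's record was allocated, or an SELinux context when the module is not loaded) makes parse_history return None rather than a partial chain, so callers can tell "no history" from "history".

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the SYSCALL record from the README above, with the
# subj= history re-joined into a single value (no embedded spaces).
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1420977587.794:367): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=140dcc0 a1=1420750 a2=1402580 a3=7fffe2a8b630 '
    'items=2 ppid=3401 pid=3424 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="reboot" exe="/usr/bin/systemctl" '
    'subj="name=systemd;pid=1;start=20150111205847'
    '=>name=systemd;pid=1;start=20150111205849'
    '=>name=sshd;pid=2471;start=20150111115858'
    '=>name=sshd;pid=3399;start=20150111115907'
    '=>name=bash;pid=3401;start=20150111115911'
    '=>name=reboot;pid=3424;start=20150111115947" key=(null)'
)


class HistoryEntry(NamedTuple):
    """One hop of the execution history: comm name, pid, and start time."""
    name: str
    pid: int
    start: datetime


# subj= may be quoted (tasktracker) or bare (e.g. an SELinux context).
_SUBJ_RE = re.compile(r'\bsubj="?([^" ]*)"?')
# One history entry in tasktracker's format: name=$comm;pid=$pid;start=$YYYYMMDDhhmmss
_ENTRY_RE = re.compile(r'^name=([^;]*);pid=(\d+);start=(\d{14})$')


def extract_subj(record: str) -> Optional[str]:
    """Return the raw subj= value of an audit record, or None if absent."""
    m = _SUBJ_RE.search(record)
    return m.group(1) if m else None


def parse_history(subj: str) -> Optional[List[HistoryEntry]]:
    """Parse a tasktracker subj= value into entries, oldest first.

    Returns None when any segment is not in tasktracker's format, so that
    "(null)" or an SELinux context is reported as "no history" rather than
    silently yielding an empty or truncated chain.
    """
    entries: List[HistoryEntry] = []
    for segment in subj.split('=>'):
        m = _ENTRY_RE.match(segment)
        if not m:
            return None
        name, pid, start = m.groups()
        entries.append(HistoryEntry(name, int(pid),
                                    datetime.strptime(start, '%Y%m%d%H%M%S')))
    return entries


def parse_record(record: str) -> Optional[List[HistoryEntry]]:
    """Convenience wrapper: audit record -> history, or None."""
    subj = extract_subj(record)
    return parse_history(subj) if subj is not None else None


def format_chain(history: List[HistoryEntry]) -> str:
    """Render the chain as 'name[pid] -> name[pid] -> ...' for a report."""
    return ' -> '.join(f'{e.name}[{e.pid}]' for e in history)


def triggering_parent(history: List[HistoryEntry]) -> Optional[HistoryEntry]:
    """The entry that executed the recorded program (second to last hop)."""
    return history[-2] if len(history) >= 2 else None


if __name__ == '__main__':
    chain = parse_record(SAMPLE_SYSCALL)
    if chain is None:
        print('no tasktracker history in record')
    else:
        print(format_chain(chain))
        parent = triggering_parent(chain)
        print(f'executed by {parent.name}[{parent.pid}] started {parent.start.isoformat()}')
```

Note that the start= values in the sample are raw clock readings as recorded by the module; the ausearch time-> line is printed in local time, so compare start= against the audit(...) epoch value rather than against time-> when correlating events.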