cvs commit: src/sys/kern kern_sig.c src/sys/security/audit audit.c audit.h audit_bsm.c
Christian S.J. Peron
csjp at FreeBSD.org
Thu Oct 25 18:23:08 PDT 2007
csjp 2007-10-26 01:23:07 UTC
FreeBSD src repository
Modified files:
sys/kern kern_sig.c
sys/security/audit audit.c audit.h audit_bsm.c
Log:
Implement AUE_CORE, which adds process core dump support into the kernel.
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event. When a process
dumps a core, it could be security relevant. It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we aren't clobbering
the audit data associated with the syscall that produced the core
(assuming the core is being generated in response to SIGABRT and not
an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
beginning of the coredump call. Make sure we free the storage referenced
by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project
Reviewed by: rwatson
MFC after: 1 month
Revision Changes Path
1.351 +27 -6 src/sys/kern/kern_sig.c
1.34 +48 -0 src/sys/security/audit/audit.c
1.15 +1 -0 src/sys/security/audit/audit.h
1.22 +8 -0 src/sys/security/audit/audit_bsm.c
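As an added example (not part of this commit or of the FreeBSD source), the following Python parses praudit-style text records like the one shown in the log message and flags "process dumped core" events, decoding the hex signal argument (0xb in the sample is SIGSEGV on FreeBSD) and pulling out the core path, audit user, pid and whether the dump succeeded. The sample trail embeds the record from the commit message plus two constructed records (a failed SIGABRT dump and an unrelated execve(2) event); the signal numbers follow FreeBSD's sys/signal.h, and the severity split between memory-fault signals and deliberate aborts is this example's own heuristic, not something the audit subsystem provides.

```python
"""Flag AUE_CORE ("process dumped core") events in praudit text output."""
from dataclasses import dataclass
from typing import Optional

# Signal numbers as defined in FreeBSD's sys/signal.h; only signals that
# normally terminate a process with a core dump are listed.
CORE_SIGNALS = {3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT",
                8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV", 12: "SIGSYS"}

# Heuristic (this example's own choice): faults that point at memory-safety
# problems rate higher than a deliberate abort() or user-sent SIGQUIT.
MEMORY_FAULT_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGILL"}


@dataclass
class AuditRecord:
    event: str = ""
    timestamp: str = ""
    signal: Optional[int] = None
    path: Optional[str] = None
    user: Optional[str] = None      # audit user id (auid) as printed by praudit
    pid: Optional[int] = None
    success: Optional[bool] = None
    retval: Optional[int] = None


def parse_record(lines):
    """Build an AuditRecord from the token lines of one praudit text record."""
    rec = AuditRecord()
    for line in lines:
        fields = line.strip().split(",")
        tok = fields[0]
        if tok == "header":
            # header,<len>,<version>,<event name>,<modifier>,<time>, + <msec> msec
            rec.event = fields[3]
            rec.timestamp = ",".join(fields[5:]).strip()
        elif tok == "argument" and len(fields) > 3 and fields[3] == "signal":
            rec.signal = int(fields[2], 16)   # praudit prints the value in hex
        elif tok == "path":
            rec.path = fields[1]
        elif tok == "subject":
            # subject,auid,uid,gid,ruid,rgid,pid,sid,tid-port,tid-address
            rec.user = fields[1]
            rec.pid = int(fields[6])
        elif tok == "return":
            rec.success = fields[1] == "success"
            rec.retval = int(fields[2])
    return rec


def split_records(text):
    """Split raw praudit output into per-record token lists (header..trailer)."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        current.append(line)
        if line.startswith("trailer,"):
            records.append(current)
            current = []
    return records


def coredump_alerts(text):
    """Return one alert dict per AUE_CORE record, severity derived from the signal."""
    alerts = []
    for rec_lines in split_records(text):
        rec = parse_record(rec_lines)
        if rec.event != "process dumped core":
            continue
        signame = CORE_SIGNALS.get(rec.signal, f"signal {rec.signal}")
        severity = "high" if signame in MEMORY_FAULT_SIGNALS else "medium"
        alerts.append({"time": rec.timestamp, "pid": rec.pid, "user": rec.user,
                       "signal": signame, "core_path": rec.path,
                       "dumped": rec.success, "severity": severity})
    return alerts


# Constructed sample trail: the first record is the one from the commit
# message; the second (failed SIGABRT dump) and third (execve) are made up.
SAMPLE_AUDIT_TRAIL = """\
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
header,95,10,process dumped core,0,Thu Oct 25 19:40:02 2007, + 5 msec
argument,0,0x6,signal
path,/var/crash/agent.core
subject,operator,operator,wheel,operator,wheel,2044,2001,50460,10.37.129.2
return,failure : Permission denied,13
trailer,95
header,80,10,execve(2),0,Thu Oct 25 19:41:11 2007, + 12 msec
path,/bin/ls
subject,csjp,csjp,staff,csjp,staff,1102,1095,50457,10.37.129.2
return,success,0
trailer,80
"""

if __name__ == "__main__":
    for alert in coredump_alerts(SAMPLE_AUDIT_TRAIL):
        print(alert)
```

In practice the input would be `praudit /var/audit/current` piped into this script, with the `header` event name matched against the `audit_event` entry for AUE_CORE; a failed dump (return token not "success") is still worth an alert, since the process still died from the signal even though no core file was written.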