Process arguments

Julian Elischer julian at elischer.org
Mon Oct 30 05:26:30 UTC 2006


Dave Clausen wrote:
> Hello list,
> 
> I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run 
> on the command line from within the kernel for security purposes by 
> loading a kernel module which redefines execve().  I've successfully 
> created the KLD and have it working, but am having problems saving the 
> command's arguments.
> Could anyone point me to where in the kernel I should be looking for the 
> arguments sent to the process?  p->p_args gives me the parent process's 
> cmdname only (sh, in this case), and uap->argv is just the relative 
> pathname of uap->fname.  Ideally, I'd like the user, full command line, 
> and cwd logged for each command entered.
> 
> Here's an example of what I've been working away on:
> 
> int
> new_execve (struct thread *td, struct execve_args *uap)
> {
>       char *user;
>       struct proc *p = td->td_proc;
> 
>       user = p->p_pgrp->pg_session->s_login;
>       if (p->p_ucred->cr_ruid == 1001) {
>               printf("%s %d %s\n", user, p->p_pid, uap->fname);
>       }
>       return (execve(td,uap));
> }
> 
> Running 'ls -al' with the above, I get the username, pid, and absolute 
> filename printed, such as the following, but can't find the actual arguments:
> dave 6689 /bin/ls
> 
> Any help would be appreciated.
> 

There have been patches around for years that do this.

I know I used them for Bank of America in their security auditing.

I cannot remember the name of them, however.

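As an added example, not code from the thread: the argument walk the hook above is missing, reading the NULL-terminated vector behind uap->argv through bounded copy routines into one flat line for the log. It is written to build in user space, so sim_copyin/sim_copyinstr are constructed stand-ins for copyin(9)/copyinstr(9) and the buffer length stands in for whatever the module allocates; in a KLD the kernel routines would be called in their place.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-in for copyin(9): fetch one argv pointer from "user" memory. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (uaddr == NULL) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Constructed stand-in for copyinstr(9): copy a NUL-terminated string of at most
 * len bytes; ENAMETOOLONG when no terminator fits, EFAULT on a bad pointer. */
static int sim_copyinstr(const char *uaddr, char *kaddr, size_t len, size_t *done)
{
    if (uaddr == NULL) return EFAULT;
    for (size_t i = 0; i < len; i++) {
        kaddr[i] = uaddr[i];
        if (uaddr[i] == '\0') { *done = i + 1; return 0; }
    }
    return ENAMETOOLONG;
}

/* Flatten a NULL-terminated user argv (what uap->argv points at in the hook)
 * into buf as "arg0 arg1 ...". Returns the number of arguments copied, or
 * -errno if a copy faulted. A line that does not fit is truncated and ends
 * in "..." so the audit record is never silently incomplete (buflen >= 4). */
int flatten_argv(char **uargv, char *buf, size_t buflen)
{
    size_t used = 0, got;
    int n = 0, error;
    char *argp;
    buf[0] = '\0';
    for (;;) {
        if ((error = sim_copyin(&uargv[n], &argp, sizeof(argp))) != 0)
            return -error;
        if (argp == NULL)                       /* end of the vector */
            return n;
        if (n > 0 && used < buflen - 1)
            buf[used++] = ' ';
        error = sim_copyinstr(argp, buf + used, buflen - used, &got);
        if (error == ENAMETOOLONG) {            /* out of room: mark and stop */
            strcpy(buf + buflen - 4, "...");
            return n + 1;
        }
        if (error != 0) return -error;
        used += got - 1;                        /* next arg overwrites the copied NUL */
        n++;
    }
}
```

With the 'ls -al' vector from the post, the result is the line "/bin/ls -al" to append after the user and pid the hook already prints.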