From: hsultan@thefroid.net
To: linux-audit@redhat.com
Subject: Re: Detecting loading of libraries
Date: Wed, 21 Jan 2015 17:30:07 -0800
Message-ID: <e5fbdb457a658e2d2399d0f416d260f5@thefroid.net>
In-Reply-To: <5dc8468401e6007eaad18a0b7d782927@thefroid.net>
Ok, I now see the file descriptor in a context record for mmap
*sometimes*
1300 - audit(1421886600.839:25623): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25624): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25625): arch=c000003e syscall=9 success=yes
exit=140564239544320 a0=0 a1=2020f0 a2=5 a3=802 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1323 - audit(1421886600.839:25625): fd=10 flags=0x802
1300 - audit(1421886600.839:25626): arch=c000003e syscall=9 success=yes
exit=140564241645568 a0=7fd7a9b10000 a1=2000 a2=3 a3=812 items=0
ppid=23505 pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1323 - audit(1421886600.839:25626): fd=10 flags=0x812
1300 - audit(1421886600.839:25627): arch=c000003e syscall=9 success=yes
exit=140564293640192 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
Any idea why the 1323 shows up sometimes and not each time an mmap call
is made? Is the record generated only on the first mmap call for a
library?
Thanks,
Hassan
On 2015-01-21 16:01, hsultan@thefroid.net wrote:
> Hi,
>
> I'm wondering if there's a good way of detecting the loading of
> libraries by processes (I am specifically NOT talking about the uselib
> syscall).
>
> strace shows me apps do open(...)/mmap/mprotect
> I'm currently intercepting mmap calls, however no additional context
> records are given to provide the name of the library, and the file
> descriptor is the 5th parameter, so I can't get that either to match
> it to an open(...)
>
> Is there a way to do this that I'm missing ?
>
> Thanks,
>
> Hassan
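A worked example of the correlation the thread is after, added here and not part of the original message or of the audit project's own tooling. In the dump above, the mmap calls that have no 1323 record are the ones with a3=22, i.e. MAP_PRIVATE|MAP_ANONYMOUS on x86_64, and the ones that do carry a 1323 record (a3=802 and a3=812) are file-backed; the kernel's mmap path only calls the audit hook that emits the MMAP record when MAP_ANONYMOUS is clear, so the fd is only ever reported for file-backed mappings. Naming the library therefore means joining the 1323 record's fd, within the same pid, to the earlier open/openat SYSCALL record (exit= is the new fd) and its PATH record, and forgetting the fd again on close. The parser below does that over the five mmap records from the message (trimmed to the fields it uses); the open, PATH and close records and the library path /usr/lib/x86_64-linux-gnu/libexample.so.1 are constructed for the example.

```python
"""Join audit mmap records to the file they map.

Added example, not code from the thread. Record format follows the dump in
the message above ("<type> - audit(<ts>:<serial>): k=v ..."). The five mmap
SYSCALL/MMAP records are the ones shown there, trimmed to the fields used
here; the open/PATH/close records and the library path are constructed.
"""
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers, audit record types, and the mmap
# flag bit that decides whether the kernel emits an MMAP (1323) record at all
SYS_OPEN, SYS_CLOSE, SYS_MMAP, SYS_OPENAT = 2, 3, 9, 257
TYPE_SYSCALL, TYPE_PATH, TYPE_MMAP = 1300, 1302, 1323
MAP_ANONYMOUS = 0x20
ARCH_X86_64 = "c000003e"

RECORD_RE = re.compile(r"^(\d+)\s+-\s+audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # constructed: sudo opens a library, the new fd (10) comes back in exit=
    '1300 - audit(1421886600.839:25622): arch=c000003e syscall=2 success=yes exit=10 a0=7fd7a9d1b6e0 a1=80000 a2=0 a3=0 items=1 pid=24942 comm="sudo"',
    '1302 - audit(1421886600.839:25622): item=0 name="/usr/lib/x86_64-linux-gnu/libexample.so.1" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00',
    # from the message above: anonymous mappings (a3=22), no MMAP record
    '1300 - audit(1421886600.839:25623): arch=c000003e syscall=9 success=yes exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 pid=24942 comm="sudo"',
    '1300 - audit(1421886600.839:25624): arch=c000003e syscall=9 success=yes exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 pid=24942 comm="sudo"',
    # from the message above: file-backed mappings, MMAP record carries the fd
    '1300 - audit(1421886600.839:25625): arch=c000003e syscall=9 success=yes exit=140564239544320 a0=0 a1=2020f0 a2=5 a3=802 items=0 pid=24942 comm="sudo"',
    '1323 - audit(1421886600.839:25625): fd=10 flags=0x802',
    '1300 - audit(1421886600.839:25626): arch=c000003e syscall=9 success=yes exit=140564241645568 a0=7fd7a9b10000 a1=2000 a2=3 a3=812 items=0 pid=24942 comm="sudo"',
    '1323 - audit(1421886600.839:25626): fd=10 flags=0x812',
    '1300 - audit(1421886600.839:25627): arch=c000003e syscall=9 success=yes exit=140564293640192 a0=0 a1=1000 a2=3 a3=22 items=0 pid=24942 comm="sudo"',
    # constructed: fd 10 is closed (a0=a), then a later mmap reuses the number
    # without a recorded open, so no path may be attributed to it
    '1300 - audit(1421886600.840:25628): arch=c000003e syscall=3 success=yes exit=0 a0=a a1=0 a2=0 a3=0 items=0 pid=24942 comm="sudo"',
    '1300 - audit(1421886600.840:25629): arch=c000003e syscall=9 success=yes exit=140564230000000 a0=0 a1=1000 a2=1 a3=802 items=0 pid=24942 comm="sudo"',
    '1323 - audit(1421886600.840:25629): fd=10 flags=0x802',
]


def parse_record(line):
    """Split one record into its type, timestamp, serial and k=v fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": int(rtype), "ts": ts, "serial": int(serial), **fields}


def resolve_mmaps(lines):
    """Return one entry per successful mmap, with the fd and path if known.

    Records sharing an audit serial belong to one syscall; the MMAP (1323)
    record is joined to its SYSCALL (1300) record that way. The fd is then
    looked up in a per-pid table filled from earlier open/openat calls.
    """
    events = defaultdict(list)  # serial -> records, in arrival order
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)

    fd_table = defaultdict(dict)  # pid -> {fd: path}
    results = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == TYPE_SYSCALL), None)
        if sc is None or sc.get("arch") != ARCH_X86_64:
            continue  # syscall numbers below are only valid for x86_64
        nr, pid = int(sc["syscall"]), sc["pid"]
        if nr in (SYS_OPEN, SYS_OPENAT) and sc.get("success") == "yes":
            # exit= is the new fd; for openat the PATH items also include the
            # directory, so take the highest-numbered item as the file itself
            paths = [r for r in recs if r["type"] == TYPE_PATH]
            if paths:
                target = max(paths, key=lambda r: int(r.get("item", 0)))
                fd_table[pid][int(sc["exit"])] = target.get("name")
        elif nr == SYS_CLOSE and sc.get("success") == "yes":
            fd_table[pid].pop(int(sc["a0"], 16), None)  # a0 is the fd, hex
        elif nr == SYS_MMAP and sc.get("success") == "yes":
            flags = int(sc["a3"], 16)  # a3 is the flags argument, hex
            mm = next((r for r in recs if r["type"] == TYPE_MMAP), None)
            entry = {"serial": serial, "pid": pid, "flags": flags,
                     "anonymous": bool(flags & MAP_ANONYMOUS),
                     "fd": int(mm["fd"]) if mm else None, "path": None}
            if mm:
                entry["path"] = fd_table[pid].get(entry["fd"])
            results.append(entry)
    return results


if __name__ == "__main__":
    for r in resolve_mmaps(SAMPLE_LOG):
        where = ("anonymous, no MMAP record expected" if r["anonymous"]
                 else f"fd={r['fd']} path={r['path']}")
        print(f"{r['serial']} pid={r['pid']} flags=0x{r['flags']:x} {where}")
```

The join depends on the open/openat records actually being collected, so the audit rules need to cover those syscalls (and close) for the same processes as mmap; an fd seen in a 1323 record with no matching open in the table, as in the constructed last record, is reported with an empty path rather than guessed.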
Thread overview: 3+ messages
2015-01-22 0:01 Detecting loading of libraries hsultan
2015-01-22 1:30 ` hsultan [this message]
2015-01-27 0:48 ` Steve Grubb