About audit
Linux 2.6 ships with audit.
Secure OSes such as SELinux use it to take their logs, but it is not widely known.
I do embedded work and found myself having to fix audit, so let me analyze it.
Structure of audit
- Kernel part
  - kernel/audit.c
    - The audit core. kaudit runs here. kaudit is a daemon that runs in kernel space and waits for connections on a netlink socket; it is the daemon that acts as the entry point for log messages.
  - kernel/auditsc.c
    - System call logging.
  - kernel/auditfilter.c
    - Still reading the source.
  - kernel/audit.c
- Userland
  - auditd, auditctl, etc.
    - auditd is a daemon that runs in userland; logs flow as kauditd -> auditd -> written to audit.log. auditctl adjusts the kernel audit parameters and so on. When auditd is not running, messages go kauditd -> console/syslog instead, so the userland components are not mandatory.
  - There also seem to be mechanisms such as dispatch, but I'll skip them this time.
The audit problem in embedded SELinux
The SELinux access-denial log contains two kinds of records like these (various other records appear too, but these are the main ones):
type=PATH (full-path information for the accessed file)
type=AVC (access-denial information; it has the file name but not the full path)
However, on the SH architecture I found that type=AVC appears but the part corresponding to type=PATH does not.
That is a problem, because you cannot tell the full path of the file whose access was denied.
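Once both records are present, the PATH record can be joined back to the AVC record through the shared serial in msg=audit(time:serial). The script below is an added example, not code from the original page, that does this over constructed sample lines; it assumes the record layout shown (the AVC name=/ino= fields, the PATH name=/inode= fields and a CWD record for relative names) and reports no path when an event has no PATH record, which is the SH situation described here.

```python
import re
import posixpath
from collections import defaultdict

# Constructed sample records (not from a real system). All records of one event
# share the serial in msg=audit(<timestamp>:<serial>). Event 1083 has an AVC
# record but no PATH/CWD records, which is the situation described on this page.
SAMPLE_LOG = """\
type=CWD msg=audit(1160184003.455:1082): cwd="/etc"
type=PATH msg=audit(1160184003.455:1082): item=0 name="shadow" inode=12345 dev=08:01 mode=0100400 ouid=0 ogid=0
type=AVC msg=audit(1160184003.455:1082): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev=sda1 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1160184004.100:1083): avc:  denied  { write } for  pid=1240 comm="vi" name="motd" dev=sda1 ino=777 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        fields["_body"] = body  # raw text, for free-form parts like "{ read }"
        events[int(serial)][rtype].append(fields)
    return events

def resolve_denials(text):
    """Return [(serial, permission, full path or None)] for every AVC denial."""
    out = []
    for serial, recs in sorted(parse_records(text).items()):
        cwd = recs["CWD"][0]["cwd"] if recs["CWD"] else None
        for avc in recs["AVC"]:
            m = re.search(r'\{\s*(.*?)\s*\}', avc["_body"])
            perm = m.group(1) if m else "?"
            path = None
            for p in recs["PATH"]:
                # Match on inode first, then fall back to the basename.
                if p.get("inode") == avc.get("ino") or \
                        posixpath.basename(p.get("name", "")) == avc.get("name"):
                    # PATH holds the name as passed to the syscall; resolve a
                    # relative name against the CWD record of the same event.
                    name = p["name"]
                    path = name if name.startswith("/") or cwd is None \
                        else posixpath.normpath(posixpath.join(cwd, name))
                    break
            out.append((serial, perm, path))
    return out
```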
So I looked into why it does not appear.
The type=PATH records are emitted by the system call logging code (kernel/auditsc.c).
But for the auditsc.c processing to work correctly, the code under arch/ has to be modified.
On SH that support was not there yet, so it did not work.
So audit was architecture-dependent after all.
Making audit usable on SH too
Notes to self follow.
At the system call entry and exit, we just need to call the audit-related functions.
Now, on SH the system call entry and exit appear to be in arch/sh/entry-common.S. This is assembler; I finally ended up having to touch assembler.
For example, the system call exit code looks like this.
arch/sh/entry-common.S
224 syscall_exit_work:
225     ! r0: current_thread_info->flags
226     ! r8: current_thread_info
227     tst     #_TIF_SYSCALL_TRACE, r0
228     bt/s    work_pending
229      tst    #_TIF_NEED_RESCHED, r0
230 #ifdef CONFIG_TRACE_IRQFLAGS
231     mov.l   5f, r0
232     jsr     @r0
233      nop
234 #endif
235     sti
236     ! XXX setup arguments...
237     mov.l   4f, r0          ! do_syscall_trace
238     jsr     @r0             -> call to the do_syscall_trace function
...
407 4:  .long   do_syscall_trace
It starts at syscall_exit_work, and at
237 mov.l 4f, r0 ! do_syscall_trace
control jumps to do_syscall_trace in ptrace.c.
First, modify this do_syscall_trace (in ptrace.c) so that it performs the audit processing.
Also, as the information audit needs, the system call number and the register information must be passed to do_syscall_trace.
Looking at the code, on SH the r3 register holds the system call number and r15 is the stack pointer; the various registers seem to be saved around r15.
So it should be enough to pass the values of r3 and r15 to do_syscall_trace.
Also, inside do_syscall_trace, r4 is used as the first argument and r5 as the second.
So we just copy r3 into r4 and r15 into r5.
236     ! XXX setup arguments...
        mov     r3, r4          ! system call number -> first argument
        mov     r15, r5         ! stack pointer (saved registers) -> second argument
237     mov.l   4f, r0          ! do_syscall_trace
238     jsr     @r0
After some fiddling, system call logs started being captured.
Note that when auditd is not used, system call logs will not appear unless audit=1 is passed as a kernel boot parameter.
But even so, the long-awaited PATH entry still does not appear...
It seems to appear when auditd is running, but installing auditd is a hassle, so I would like to do without auditd. Investigating the cause.
kernel/auditsc.c
1080 void audit_syscall_entry(int arch, int major,
1081                          unsigned long a1, unsigned long a2,
1082                          unsigned long a3, unsigned long a4)
1083 {
..
1139     context->dummy = !audit_n_rules;
← context->dummy is set to 1 when audit_n_rules is zero. And the processing used to obtain PATH does nothing when context->dummy is 1.
That means that to obtain PATH, audit_n_rules must be made non-zero (any value will do). Or should context->dummy be set to zero instead of 1??