audisp-json does not support SYS_clone (syscall #120) #23

Open
mzpqnxow opened this Issue Apr 5, 2019 · 2 comments

mzpqnxow commented Apr 5, 2019

There is currently no support for the SYS_clone system call. This is desirable especially since it has been used for privilege escalation exploits in the wild in the past. There are of course plenty of legitimate uses for it as well. I will take a look to see if I have time to PR this as I would like it for my systems

mzpqnxow commented Apr 5, 2019

After a quick review of the userspace audisp code for untangling SYS_clone, this is clearly a significant amount of effort.

gdestuynder commented Apr 11, 2019

One issue with SYS_clone is definitely that it's called a lot :)

I think in general execve() catches most of what you want, but yes, it won't log an exploit abusing certain arguments to clone().

If it were logged, you'd most likely just log it with all arguments and filter based on that, as long as you're OK with the amount of data it will likely generate and of course have a use for it (i.e. actually detect the exploit, for example).
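The "log it with all arguments and filter based on that" approach described above, written out as an added example; this is not code from the original thread or from audisp-json. It consumes raw auditd SYSCALL records (the key=value format auditd writes before any plugin reshapes it) and assumes a rule such as `auditctl -a always,exit -F arch=b64 -S clone -k clone` is in place so that clone() calls are recorded with `a0` holding the flags word. On i386 clone is syscall 120 (the number in the issue title) and on x86_64 it is 56, so the check keys on the record's `arch` field. The flag constants are the Linux `CLONE_*` values from <linux/sched.h>; the sample log lines are constructed for the example. Ordinary fork() and pthread_create() traffic, which is the bulk of the volume gdestuynder mentions, is dropped because it sets no namespace flag; only clone() calls that request a new namespace (user, PID, net, ...) from an unprivileged uid are reported.

```python
"""Filter raw auditd SYSCALL records for namespace-creating clone() calls.

Added example for this thread, not part of audisp-json. Assumes clone() is
being audited with a (hypothetical) rule like:
    auditctl -a always,exit -F arch=b64 -S clone -k clone
so that each call is logged with a0 = clone flags.
"""
import re

# Linux clone(2) flag bits (<linux/sched.h>). The low byte of the flags
# word is the child exit signal, not a flag, so it is masked off.
CSIGNAL = 0x000000FF
CLONE_FLAGS = {
    "CLONE_VM": 0x00000100,
    "CLONE_FS": 0x00000200,
    "CLONE_FILES": 0x00000400,
    "CLONE_SIGHAND": 0x00000800,
    "CLONE_PTRACE": 0x00002000,
    "CLONE_VFORK": 0x00004000,
    "CLONE_PARENT": 0x00008000,
    "CLONE_THREAD": 0x00010000,
    "CLONE_NEWNS": 0x00020000,
    "CLONE_SYSVSEM": 0x00040000,
    "CLONE_SETTLS": 0x00080000,
    "CLONE_PARENT_SETTID": 0x00100000,
    "CLONE_CHILD_CLEARTID": 0x00200000,
    "CLONE_UNTRACED": 0x00800000,
    "CLONE_CHILD_SETTID": 0x01000000,
    "CLONE_NEWCGROUP": 0x02000000,
    "CLONE_NEWUTS": 0x04000000,
    "CLONE_NEWIPC": 0x08000000,
    "CLONE_NEWUSER": 0x10000000,
    "CLONE_NEWPID": 0x20000000,
    "CLONE_NEWNET": 0x40000000,
}
# Flags that create a new namespace; absent from plain fork()/thread traffic.
NAMESPACE_FLAGS = {
    "CLONE_NEWNS", "CLONE_NEWCGROUP", "CLONE_NEWUTS", "CLONE_NEWIPC",
    "CLONE_NEWUSER", "CLONE_NEWPID", "CLONE_NEWNET",
}
# audit 'arch' field (hex) -> clone() syscall number for that ABI.
CLONE_NR = {"c000003e": 56, "40000003": 120}   # x86_64, i386

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into a key->value dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_flags(a0):
    """Turn the hex a0 argument of clone() into a list of CLONE_* names."""
    val = int(a0, 16) & ~CSIGNAL
    return [name for name, bit in CLONE_FLAGS.items() if val & bit]


def is_clone(rec):
    """True if the record is a SYSCALL record for clone() on its ABI."""
    if rec.get("type") != "SYSCALL":
        return False
    try:
        nr = int(rec["syscall"])
    except (KeyError, ValueError):
        return False
    return CLONE_NR.get(rec.get("arch")) == nr


def namespace_clones(lines, only_unprivileged=True):
    """Return clone() records that request a new namespace.

    With only_unprivileged=True, calls made as uid 0 (container runtimes,
    systemd) are skipped so the output is limited to the unusual case of an
    ordinary user creating namespaces.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if not is_clone(rec):
            continue
        ns = sorted(set(decode_flags(rec.get("a0", "0"))) & NAMESPACE_FLAGS)
        if not ns:
            continue
        if only_unprivileged and rec.get("uid") == "0":
            continue
        hits.append({"pid": rec.get("pid"), "uid": rec.get("uid"),
                     "comm": rec.get("comm"), "exe": rec.get("exe"),
                     "flags": ns})
    return hits


# Constructed sample records (not real captures), in auditd's raw format.
SAMPLE_LOG = [
    # pthread_create-style thread: CLONE_VM|FS|FILES|SIGHAND|THREAD|SYSVSEM|SETTLS|...
    'type=SYSCALL msg=audit(1554480000.101:1001): arch=c000003e syscall=56 success=yes exit=2101 a0=3d0f00 a1=7f3c1e5f8ff0 a2=7f3c1e5f99d0 a3=7f3c1e5f99d0 items=0 ppid=1 pid=2100 auid=1000 uid=1000 gid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="clone"',
    # glibc fork(): CLONE_CHILD_SETTID|CLONE_CHILD_CLEARTID|SIGCHLD
    'type=SYSCALL msg=audit(1554480000.102:1002): arch=c000003e syscall=56 success=yes exit=2201 a0=1200011 a1=0 a2=0 a3=7f12a4b0e850 items=0 ppid=1 pid=2200 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="clone"',
    # unprivileged user: new user + pid namespace
    'type=SYSCALL msg=audit(1554480000.103:1003): arch=c000003e syscall=56 success=yes exit=2301 a0=30000011 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2300 auid=1000 uid=1000 gid=1000 comm="unshare" exe="/usr/bin/unshare" key="clone"',
    # same idea from a 32-bit binary, where clone is syscall 120
    'type=SYSCALL msg=audit(1554480000.104:1004): arch=40000003 syscall=120 success=yes exit=2401 a0=50000011 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2400 auid=1000 uid=1000 gid=1000 comm="a.out" exe="/tmp/a.out" key="clone"',
    # root container runtime creating mnt/uts/ipc/pid/net namespaces
    'type=SYSCALL msg=audit(1554480000.105:1005): arch=c000003e syscall=56 success=yes exit=2501 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 comm="runc" exe="/usr/bin/runc" key="clone"',
    # execve record, not a clone at all
    'type=SYSCALL msg=audit(1554480000.106:1006): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c3a4e2a0 a1=55d0c3a4e300 a2=55d0c3a4d010 a3=8 items=2 ppid=2200 pid=2600 auid=1000 uid=1000 gid=1000 comm="id" exe="/usr/bin/id" key="exec"',
]

if __name__ == "__main__":
    for hit in namespace_clones(SAMPLE_LOG):
        print(hit)
```

Run against real data with `ausearch -k clone --raw | python3 this_script.py`-style plumbing, or point it at `/var/log/audit/audit.log`; the same flag decoding applies to the `a0` value audisp-json would carry if clone() support were added, since the plugin only reshapes what auditd already records.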
