RFE Module Load and Unload Record Format

Richard Guy Briggs edited this page Mar 9, 2017 · 2 revisions

Feature Description

System administrators monitoring the audit logs want to know which module was loaded during an init_module or finit_module system call, or unloaded during a delete_module system call. Currently the only hint is the PROCTITLE record, and that does not help if a binary other than insmod(8) or modprobe(8) is used that gets its module list from somewhere other than the command line, or if the user deliberately obfuscates the PROCTITLE. This will require a kernel change to add a new audit auxiliary record type to the syscall record, and modifications to the userspace audit tools to recognize the new auxiliary record type.

Feature Design

  • Create a new kernel function audit_log_kern_module() called from load_module() or from delete_module(), storing the module name in the audit_context, then reporting it at syscall exit by adding a new auxiliary record type AUDIT_KERN_MODULE that reports the value of mod->name (name in the case of delete_module) in an encoded name= field.
  • Other fields (args?) may be added later; they are not necessary at this time.
  • Add userspace support to recognize the AUDIT_KERN_MODULE auxiliary record type to the AUDIT_SYSCALL record type.

Development Tasks

  • Develop an RFC kernel patch to post upstream.
  • Iterate until accepted.
  • Develop userspace patch to parse new record.
  • Develop an audit-testsuite acceptance test.

Functional Testing and Verification, and Example Usage

For loading:

  1. Add "-a always,exit -F arch=x86_64 -S init_module -S finit_module -F key=mod-load" to the audit rules
  2. Reboot the system
  3. Run 'ausearch --start today -k mod-load -i | less'

This should result in audit syscall init_module events with the following records:

type=PROCTITLE msg=audit(01/19/2017 20:49:06.317:159) : proctitle=/sbin/modprobe mymodule
type=KERN_MODULE msg=audit(01/19/2017 20:49:06.317:159) : name=mymodule
type=SYSCALL msg=audit(01/19/2017 20:49:06.317:159) : arch=x86_64
  syscall=init_module success=yes exit=0 a0=0x55c54f292980 a1=0xcfb3 a2=0x55c54dcfb106 a3=0x0
  items=0 ppid=61 pid=561 auid=unset uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod 
  subj=system_u:system_r:insmod_t:s0 key=mod-load

For unloading:

  1. Add "-a always,exit -F arch=x86_64 -S delete_module -F key=mod-unload" to the audit rules
  2. Issue the command rmmod <modulename> for a module that can be unloaded.
  3. Run 'ausearch --start today -k mod-unload -i | less'

This should result in audit syscall delete_module events with the following records:

type=PROCTITLE msg=audit(03/09/2017 07:14:50.374:238) : proctitle=/sbin/rmmod mymodule
type=KERN_MODULE msg=audit(03/09/2017 07:14:50.374:238) : name=mymodule
type=SYSCALL msg=audit(03/09/2017 07:14:50.374:238) : arch=x86_64
  syscall=delete_module success=yes exit=0 a0=0x55fdf8a10268 a1=0x800 a2=0xa a3=0x7f19deb1e6c0
  items=0 ppid=1249 pid=1266 auid=root uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=rmmod exe=/usr/bin/kmod
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=testsuite-1489061681-syuQAWSx-unload
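The load and unload procedures above both end with reading ausearch -i output by eye. The following Python script is an added example, not part of this wiki page or of the audit userspace tools: it parses interpreted events in the format shown above (including the indented continuation lines ausearch -i produces for long SYSCALL records), groups the PROCTITLE, KERN_MODULE and SYSCALL records of one event by their serial number, and reports module loads and unloads with the module name taken from KERN_MODULE. It also flags events whose PROCTITLE does not mention the module at all, which is exactly the case the feature description says PROCTITLE cannot cover. The sample records are constructed for the example; the third event (a failed finit_module from a tool named loader) is invented to show that case.

```python
"""Extract kernel-module load/unload activity from ausearch -i output.

Added example for the KERN_MODULE record; not code from the linux-audit
project.  The module name is taken from the KERN_MODULE record, and the
PROCTITLE record is treated only as a hint, as the feature description says.
"""
import re

# Constructed sample in ausearch -i format: the two events shown on the page
# (serials 159 and 238) plus an invented failed finit_module (serial 301)
# issued by a tool whose command line does not name the module.
SAMPLE = """\
type=PROCTITLE msg=audit(01/19/2017 20:49:06.317:159) : proctitle=/sbin/modprobe mymodule
type=KERN_MODULE msg=audit(01/19/2017 20:49:06.317:159) : name=mymodule
type=SYSCALL msg=audit(01/19/2017 20:49:06.317:159) : arch=x86_64
  syscall=init_module success=yes exit=0 a0=0x55c54f292980 a1=0xcfb3 a2=0x55c54dcfb106 a3=0x0
  items=0 ppid=61 pid=561 auid=unset uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod
  subj=system_u:system_r:insmod_t:s0 key=mod-load
----
type=PROCTITLE msg=audit(03/09/2017 07:14:50.374:238) : proctitle=/sbin/rmmod mymodule
type=KERN_MODULE msg=audit(03/09/2017 07:14:50.374:238) : name=mymodule
type=SYSCALL msg=audit(03/09/2017 07:14:50.374:238) : arch=x86_64
  syscall=delete_module success=yes exit=0 a0=0x55fdf8a10268 a1=0x800 a2=0xa a3=0x7f19deb1e6c0
  items=0 ppid=1249 pid=1266 auid=root uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=rmmod exe=/usr/bin/kmod
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=mod-unload
----
type=PROCTITLE msg=audit(03/09/2017 07:20:01.000:301) : proctitle=./loader
type=KERN_MODULE msg=audit(03/09/2017 07:20:01.000:301) : name=othermod
type=SYSCALL msg=audit(03/09/2017 07:20:01.000:301) : arch=x86_64
  syscall=finit_module success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x0 a2=0x0 a3=0x0
  items=0 ppid=1249 pid=1300 auid=root uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=loader exe=/tmp/loader
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=mod-load
"""

# type=<TYPE> msg=audit(<date time>:<serial>) : <key=value ...>
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")

# Maps the three module-related syscalls to the action they represent.
MODULE_SYSCALLS = {"init_module": "load", "finit_module": "load", "delete_module": "unload"}


def logical_records(text):
    """Join ausearch -i continuation lines (indented) back onto their record."""
    recs = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("----"):  # blank or event separator
            continue
        if raw[0].isspace() and recs:
            recs[-1] += " " + raw.strip()
        else:
            recs.append(raw.rstrip())
    return recs


def parse_fields(body):
    """Split 'k=v k=v' into a dict; a value may contain spaces (proctitle, exit)."""
    fields = {}
    # Split only where the next token looks like a new key, so values with
    # spaces such as 'exit=EPERM(Operation not permitted)' stay intact.
    for token in re.split(r"\s+(?=\w+=)", body.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_events(text):
    """Group records by audit serial: {serial: {'stamp': ..., 'records': {type: fields}}}."""
    events = {}
    for rec in logical_records(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"stamp": m["stamp"], "records": {}})
        ev["records"][m["type"]] = parse_fields(m["body"])
    return events


def module_activity(text):
    """Return one summary dict per module load/unload event, in serial order."""
    out = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["records"].get("SYSCALL", {})
        action = MODULE_SYSCALLS.get(sc.get("syscall"))
        if action is None:
            continue
        name = ev["records"].get("KERN_MODULE", {}).get("name")
        proctitle = ev["records"].get("PROCTITLE", {}).get("proctitle", "")
        out.append({
            "serial": serial,
            "stamp": ev["stamp"],
            "action": action,
            "module": name,                      # authoritative: from KERN_MODULE
            "success": sc.get("success") == "yes",
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            "auid": sc.get("auid"),
            # Hint only: does the command line even mention the module?
            "proctitle_names_module": name is not None and name in proctitle,
        })
    return out


if __name__ == "__main__":
    for a in module_activity(SAMPLE):
        flag = "" if a["proctitle_names_module"] else "  [module not in PROCTITLE]"
        print(f"{a['stamp']} {a['action']:6} {a['module']:<12} ok={a['success']} "
              f"exe={a['exe']} auid={a['auid']}{flag}")
```

To run it against a live system, replace SAMPLE with the output of the ausearch commands from the steps above (for example `ausearch --start today -k mod-load -k mod-unload -i`); the parser only relies on the type=, msg=audit(...) and key=value layout shown in this page's records.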

Example Audit Records

This new auxiliary record is added to the SYSCALL record:

type=KERN_MODULE msg=audit(01/19/2017 20:49:06.317:159) : name=mymodule

Bugzilla and Issue Trackers

  • RFE: record the module name passed to init_module(2)
  • RFE: collect module name when deleting a kernel module