From 3d3bd1a6dceaf21e9b1c5a9a24416058442cf1a4 Mon Sep 17 00:00:00 2001
From: George Neville-Neil
Date: Mon, 4 Jul 2016 16:33:04 -0230
Subject: [PATCH 1/3] Add a test script to just show open returns and closes

As a way of tracking down all the fi_pathname issues we use a single script that helps us correlate the return of an open with a close.
---
 openclose.d | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100755 openclose.d

diff --git a/openclose.d b/openclose.d
new file mode 100755
index 0000000..ad44fef
--- /dev/null
+++ b/openclose.d
@@ -0,0 +1,28 @@
+#!/usr/sbin/dtrace -s
+/*
+ * Test only the open() and close() system call's use of the
+ * fi_pathname member of the fds[] array.
+ *
+ * Usage: openclose.d (either sudo or as root)
+ */
+
+#pragma D option quiet
+#pragma D option switchrate=100hz
+#pragma D option dynvarsize=16m
+#pragma D option bufsize=16m
+#pragma D option strsize=1024
+
+syscall::open:return
+/pid != $pid/
+{
+ printf("{\"event\": \"%s:%s:%s:\", \"time\": %d, \"pid\": %d, \"ppid\": %d, \"tid\": %d, \"uid\": %d, \"exec\": \"%s\", \"dir\": \"%s\",\"path\": \"%s\", \"fd\": %d }\n",
+ probeprov, probemod, probefunc, walltimestamp, pid, ppid, tid, uid, execname, fds[arg1].fi_dirname, fds[arg1].fi_pathname, arg1);
+}
+
+
+syscall::close:entry
+/pid != $pid/
+{
+ printf("{\"event\": \"%s:%s:%s:\", \"time\": %d, \"pid\": %d, \"ppid\": %d, \"tid\": %d, \"uid\": %d, \"exec\": \"%s\", \"dir\": \"%s\",\"path\": \"%s\", \"fd\": %d }\n",
+ probeprov, probemod, probefunc, walltimestamp, pid, ppid, tid, uid, execname, fds[arg0].fi_dirname, fds[arg0].fi_pathname, arg0);
+}

From 66abb0685ae6df774743e976a169ba32417f9947 Mon Sep 17 00:00:00 2001
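Review bot: The `syscall::open:return` clause indexes `fds[arg1]` and prints `arg1` as the descriptor without checking that the open succeeded, so a failed open still emits a record whose `fd` is the error result and whose dir/path come from indexing fds[] with that error value; a success test in the predicate, e.g. `/pid != $pid && (int)arg1 >= 0/`, keeps the correlation set to descriptors that actually exist (which of arg0/arg1 carries the returned fd on this platform is not shown by the script, so verify that first). Separately, `execname`, `fi_dirname` and `fi_pathname` are interpolated into the JSON record via `\"%s\"` with no escaping, so a path containing `"` or `\` breaks the record framing and can make a consumer mis-parse neighbouring records; since the path is chosen by the traced process, the consumer has to treat the framing as untrusted, or the script has to emit the path in a form that cannot contain those characters. `strsize=1024` also truncates longer paths silently, which deserves a line in the header comment such as `/* paths longer than strsize (1024) are truncated, not flagged */`.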
From: George Neville-Neil
Date: Fri, 12 Aug 2016 10:04:56 -0230
Subject: [PATCH 2/3] Add support for TCP connection recording

Add support for recording when a TCP connection is successfully accepted or established, via connect() to a foreign host and port. Failed or refused connections are not currently recorded. Only the remote IP and port are recorded when accepting an inbound connection or when establishing an outbound connection.
---
 audit.d | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/audit.d b/audit.d
index 46306ae..8dd83bc 100755
--- a/audit.d
+++ b/audit.d
@@ -266,3 +266,29 @@ audit::aue_futimes*:commit
 printf("}\n");
 comma=",";
 }
+
+tcp:::accept-established
+/(pid != $pid)
+#if !AUDIT_SSH_MORE
+ && ((execname != "sshd") || ((execname == "sshd") &&
+ (probefunc != "aue_read") && (probefunc != "aue_write") && (probefunc != "aue_mmap")))
+#endif
+/
+{
+ printf("Accepted connection from %s:%d\n",
+ args[2]->ip_saddr,
+ args[4]->tcp_sport)
+}
+
+tcp:::connect-established
+/(pid != $pid)
+#if !AUDIT_SSH_MORE
+ && ((execname != "sshd") || ((execname == "sshd") &&
+ (probefunc != "aue_read") && (probefunc != "aue_write") && (probefunc != "aue_mmap")))
+#endif
+/
+{
+ printf("Established connection to %s:%d\n",
+ args[2]->ip_saddr,
+ args[4]->tcp_sport)
+}

From db8b91e09f33b0f912c55da17369243e6000dffc Mon Sep 17 00:00:00 2001
From: George Neville-Neil
Date: Fri, 12 Aug 2016 16:19:21 -0230
Subject: [PATCH 3/3] Add support for local address and port, UDP and UUIDs

TCP accept and connect now give the UUID. UDP send and receive do the same. Both report the local IP and port as well as the remote.
---
 audit.d | 48 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 43 insertions(+), 5 deletions(-)

diff --git a/audit.d b/audit.d
index 8dd83bc..14ce734 100755
--- a/audit.d
+++ b/audit.d
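Review bot: The `#if !AUDIT_SSH_MORE` exclusion copied into both new `tcp:::` clauses never excludes anything: on a tcp provider probe `probefunc` is the kernel function that fired, never `aue_read`/`aue_write`/`aue_mmap`, so the `(execname == "sshd") && ...` branch is always true and the whole predicate reduces to `pid != $pid`. If the intent is that sshd connections are only logged when AUDIT_SSH_MORE is set, the guarded part should be just `&& (execname != "sshd")`; the same copied predicate reappears in the `udp:::send` and `udp:::receive` clauses of the next patch. For `tcp:::accept-established` (and later `udp:::receive`) the probe fires in the network stack's receive path rather than in the accepting process, so `pid`, `execname` and the `pid != $pid` test are likely to describe whichever thread was running the stack, not the application that owns the socket; that is worth a comment on the clause, e.g. `/* inbound: pid/execname are the network thread, not the socket owner */`, unless the attribution has been verified. The new records are also plain text, while the surrounding `audit::` clauses (see the `printf("}\n"); comma=",";` context) emit JSON objects separated by `comma`, so a consumer reading the stream as JSON will break on these lines.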
@@ -275,9 +275,12 @@ tcp:::accept-established
 #endif
 /
 {
- printf("Accepted connection from %s:%d\n",
- args[2]->ip_saddr,
- args[4]->tcp_sport)
+ printf("TCP accepted a connection from %s:%d to %s:%d on UUID %U\n",
+ args[2]->ip_saddr,
+ args[4]->tcp_sport,
+ args[2]->ip_daddr,
+ args[4]->tcp_dport,
+ ((struct tcpcb *)args[3]->tcps_addr)->t_inpcb->inp_socket->so_uuid);
 }
 
 tcp:::connect-established
@@ -288,7 +291,42 @@ tcp:::connect-established
 #endif
 /
 {
- printf("Established connection to %s:%d\n",
+ printf("TCP established a connection to %s:%d from %s:%d on UUID %U\n",
+ args[2]->ip_saddr,
+ args[4]->tcp_sport,
+ args[2]->ip_daddr,
+ args[4]->tcp_dport,
+ ((struct tcpcb *)args[3]->tcps_addr)->t_inpcb->inp_socket->so_uuid);
+}
+
+udp:::send
+/(pid != $pid)
+#if !AUDIT_SSH_MORE
+ && ((execname != "sshd") || ((execname == "sshd") &&
+ (probefunc != "aue_read") && (probefunc != "aue_write") && (probefunc != "aue_mmap")))
+#endif
+/
+{
+ printf("UDP sent data to %s:%d from %s:%d on UUID %U\n",
+ args[2]->ip_daddr,
+ args[4]->udp_dport,
+ args[2]->ip_saddr,
+ args[4]->udp_sport,
+ ((struct inpcb *)args[3]->udps_addr)->inp_socket->so_uuid);
+}
+
+udp:::receive
+/(pid != $pid)
+#if !AUDIT_SSH_MORE
+ && ((execname != "sshd") || ((execname == "sshd") &&
+ (probefunc != "aue_read") && (probefunc != "aue_write") && (probefunc != "aue_mmap")))
+#endif
+/
+{
+ printf("UDP received data from %s:%d to %s:%d on UUID %U\n",
 args[2]->ip_saddr,
- args[4]->tcp_sport)
+ args[4]->udp_sport,
+ args[2]->ip_daddr,
+ args[4]->udp_dport,
+ ((struct inpcb *)args[3]->udps_addr)->inp_socket->so_uuid);
 }
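Review bot: The UUID in the `tcp:::accept-established` printf is fetched through `((struct tcpcb *)args[3]->tcps_addr)->t_inpcb->inp_socket->so_uuid`, a four-level dereference with no guard; if any pointer in that chain is NULL or stale when the probe fires, DTrace aborts the clause with an invalid-address error and the whole accept record is dropped, visible only in dtrace's error counter, which for an audit script is a silent gap in the trail. At minimum that drop mode should be stated on the clause, e.g. `/* clause aborts and the record is lost if the tcpcb/inpcb/socket chain is NULL */`, and the error counter should be checked in whatever consumes the output. `so_uuid` and the `%U` conversion are not shown by this patch to be stock FreeBSD/DTrace features, so the header of audit.d should say which kernel and libdtrace build they require. The same chain is used in the `tcp:::connect-established` clause of the next hunk.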
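Review bot: `udp:::send` and `udp:::receive` fire for every datagram, so these two clauses turn the audit stream from one record per connection into one record per packet; under load that fills the trace buffer and DTrace drops records, which appears only as a drop count and never in the output, so the buffer needs sizing for it or the limitation needs documenting, e.g. `/* per-datagram probes: high volume, expect buffer drops on busy hosts */`. Both UDP clauses repeat the ineffective sshd exclusion already on the tcp clauses (`probefunc` is never an `aue_*` function on a udp probe), and for `udp:::receive` the `pid`/`execname` values describe the network thread rather than the socket owner, the same caveat as `tcp:::accept-established`. The tcp and udp records also keep the plain-text format, unlike the JSON records the `audit::` clauses elsewhere in audit.d emit. The `tcp:::connect-established` clause this hunk modifies starts outside the hunk.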