Re: Process arguments

---

• From: Julian Elischer <julian@xxxxxxxxxxxx>
• Date: Sun, 29 Oct 2006 21:26:26 -0800

---

Dave Clausen wrote:

Hello list,

I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on the command line from within the kernel for security purposes by loading a kernel module which redefines execve(). I've successfully created the KLD and have it working, but am having problems saving the command's arguments.
Could anyone point me to where in the kernel I should be looking for the arguments sent to the process? p->p_args gives me the parent process's cmdname only (sh, in this case), and uap->argv is just the relative pathname of uap->fname. Ideally, I'd like the user, full command line, and cwd logged for each command entered.

Here's an example of what I've been working away on:

int
new_execve (struct thread *td, struct execve_args *uap)
{
char *user;
struct proc *p = td->td_proc;

user = p->p_pgrp->pg_session->s_login;
if (p->p_ucred->cr_ruid == 1001) {
printf("%s %d %s\n", user, p->p_pid, uap->fname);
}
return (execve(td,uap));
}

Running 'ls -al' with the above, I get the username, pid, and absolute filename printed such as, but can't find the actual arguments:
dave 6689 /bin/ls

Any help would be appreciated.

there have been patches around for years that do this..

I know I used them for Bank of America in their security auditing.

I can not remember the name of them however..

_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

---

• References:
  • Process arguments
    • From: Dave Clausen

• Prev by Date: Process arguments
• Next by Date: Re: Process arguments
• Previous by thread: Process arguments
• Next by thread: Re: Process arguments
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: [PATCH 19-rc1] Fix typos in /Documentation : Misc ... +do not have a corresponding kernel virtual address space mapping) and ... This command sets the scale factor for the ABSOLUTE MOUSE POSITIONING mode. ... If you check the source code you will see that what I draw here as a frame ... interrupt-parent: contains the phandle of the interrupt ... (Linux-Kernel) [PATCH 19-rc1] Fix typos in /Documentation : Misc ... -> bus translation). ... +do not have a corresponding kernel virtual address space mapping) and ... This command sets the scale factor for the ABSOLUTE MOUSE POSITIONING mode. ... If you check the source code you will see that what I draw here as a frame ... (Linux-Kernel) Re: Process arguments ... the command line from within the kernel for security purposes by loading a kernel module which redefines execve. ... Ideally, I'd like the user, full command line, and cwd logged for each command entered. ... Audit support is considered experimental in 6.2, as there are some areas that need testing and/or are not complete. ... (freebsd-hackers) [PATCH] nfs: Update Documentation/nfsroot.txt to include dhcp, syslinux and isolinux ... Document the ip command a little differently to make the ... Update autoconfiguration the current set of options, ... The following text describes on how to use NFS for the ... Kernel command line ... (Linux-Kernel) Process arguments ... I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on the command line from within the kernel for security purposes by loading a kernel module which redefines execve. ... (freebsd-questions)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > hackers  > 2006-10