1 kernel netlink
1.1 nlmon
nlmon.ko: CONFIG_NLMON=m
ip link add dev nlmon0 type nlmon
ip link set dev nlmon0 up
tcpdump -i nlmon0 -w nlmsg.pcap
In netlink_filter_tap() add the protocol NETLINK_KOBJECT_UEVENT, then nlmon can catch USB uevent.
1.2 API
netlink_kernel_create()
netlink_unicast()
netlink_broadcast()
netlink_has_listeners()
nlmsg_for_each_msg(...)
1.3 control buffer
struct sk_buff {
...
// NETLINK_CB control buffer
char cb[48];
...
// nlmsghdr
unsigned char *data;
...
}
1.4 Port ID
struct sockaddr_nl.nl_pid
if nl_pid = 0, kernel will assign it.
struct nlmsghdr.nlmsg_pid
-
to kernel, nlmsg_pid = 0
-
to user space, nlmsg_pid = VALID Port ID
netlink select(): datagram_poll()
2 Android auditd
2.1 kernel配置
关闭selinux audit log messages:
BOARD_KERNEL_CMDLINE += audit=0
打开selinux audit log messages:
BOARD_KERNEL_CMDLINE += audit=1
2.2 logd
system/core/logd/libaudit.c
system/core/logd/libaudit.h
system/core/logd/main.cpp
bool auditd =
__android_logger_property_get_bool(
"ro.logd.auditd",
BOOL_DEFAULT_TRUE);
ro.logd.auditd=false,就可以禁止logd访问NETLINK_AUDIT了。
使能logd访问NETLINK_AUDIT
ro.logd.auditd=true
ro.logd.auditd.dmesg=true
ro.logd.auditd.main=true
ro.logd.auditd.events=true
3 Linux auditd
3.1 移植要点
audit log写到文件函数:
src/auditd-event.c
write_to_log()
3.2 auditctl简单使用
monitor who remove my file
auditctl -w /data/mytest.txt
auditctl -l
auditctl -W data/mytest.txt
auditctl -l
monitor signal
auditctl -a always,exit -F arch=b64 -S kill -k test_kill
Which process sent SIGKILL (exe=) to the process being audited (opid= and ocomm=).
3.3 监控文件读写
auditctl -w /etc/passwd -p war -k password_file
-w 监控文件路径 /etc/passwd
-p 监控文件筛选: r(读)、w(写)、x(执行)、a(属性改变)
-k 筛选TAG,用于查询监控日志
3.4 URLs
nwhusted/AuditdAndroid