How to SyscallFilter a systemd unit
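#!/bin/bash
# Run a command while auditd records every syscall made by the direct
# children of this shell, so the log can afterwards be queried with
# `ausearch -pp <this pid>` and turned into a SystemCallFilter= line.
#
# Usage: <script> <command> [args...]
#   $1 is the command to audit (it will be run from this shell).  As before,
#   $1 is word-split, so a single quoted "cmd arg" argument still works; any
#   further positional arguments are passed through unchanged.
#
# Requires: auditd running and the privilege to call auditctl (normally root).
#
# Exit status: that of the audited command; 2 on usage error; 1 when the
# audit rule could not be installed (the command is then NOT run, so nothing
# executes unaudited).
#
# NOTE(review): the rule is keyed on ppid=, which matches direct children of
# this shell only; grandchildren forked by the audited command are presumably
# not logged — confirm against your workload before trusting the result.
set -uo pipefail

if (( $# < 1 )) || [[ -z "$1" ]]; then
  printf 'Usage: %s <command> [args...]\n' "${0##*/}" >&2
  exit 2
fi

# Print the pid so the caller can pass it to `ausearch -pp` after the run.
printf 'my pid: %s\n' "$$"

# Log all children of this shell.  Install the rule before running the
# command and refuse to continue if that fails, rather than silently running
# the command without any audit coverage.
if ! auditctl -a always,exit -S all -F "ppid=$$"; then
  printf 'failed to install audit rule (is auditd running, are you root?)\n' >&2
  exit 1
fi

# Remove the rule again when this shell exits.  A rule keyed on this pid
# would otherwise outlive the shell and, once the pid is reused, log the
# syscalls of an unrelated process.  Events already recorded stay in the
# audit log for ausearch.
trap 'auditctl -d always,exit -S all -F "ppid=$$"' EXIT

cmd=$1
shift
# Word-split $cmd on purpose (backward compatible with passing the whole
# command line as one argument); the remaining arguments stay intact.
# shellcheck disable=SC2086
$cmd "$@"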
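#!/bin/bash
# Print a systemd SystemCallFilter= line listing every syscall that auditd
# recorded for the children of a given parent pid (the "my pid" printed by
# the audit wrapper that installs the ppid= rule).
#
# Usage: <script> <parent pid>
#   $1 is the parent pid.
#
# Exit status: 0 on success; 2 on usage error; 1 when ausearch fails or finds
# no matching records.
#
# The list only contains syscalls that were actually exercised during the
# audited run; code paths that did not execute are not represented, so review
# the result before deploying a filter built from it.
set -uo pipefail

if (( $# != 1 )) || [[ ! "$1" =~ ^[0-9]+$ ]]; then
  printf 'Usage: %s <parent pid>\n' "${0##*/}" >&2
  exit 2
fi

# ausearch -i resolves syscall numbers to names; -pp selects records whose
# parent pid matches.  ausearch returns non-zero when nothing matched (or
# when the log is not readable), which previously produced an empty, and
# therefore misleading, SystemCallFilter= line.
records=$(ausearch -i -pp "$1") || {
  printf 'ausearch failed for ppid %s (no matching records, or not root?)\n' "$1" >&2
  exit 1
}

# The final grep drops syscalls that systemd permits implicitly, so they need
# not be listed.  The original pipeline lacked the pipe before `tr`, which
# made grep treat "tr", "\n" and " " as file names; the pipe is restored here.
syscalls=$(
  grep -o 'syscall=\S*' <<<"$records" \
    | cut -d = -f 2 \
    | sort -u \
    | grep -Ev '(execve|exit|exit_group|getrlimit|rt_sigreturn|sigreturn)' \
    | tr '\n' ' '
)

# Strip the trailing space left by tr so the line can be pasted as-is.
printf 'SystemCallFilter=%s\n' "${syscalls% }"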
# Depends: auditd
# Add an audit rule to log all syscalls...
auditctl -a always,exit -S all -F <my filter>
# Available filters include: by any execution of the given binary:
exe=<absolute path to executable>
# by the process with pid:
pid=<pid>
# by any child of the process with pid:
ppid=<pid>
# Then run the process.
# Delete all audit rules (stop logging syscalls):
auditctl -D
# Query the audit log:
# (systemd implicitly grants the syscalls excluded by the second grep.)
ausearch -i <my filter> | grep -o "syscall=\S*" | cut -d = -f 2 | sort | uniq | \
  grep -Ev '(execve|exit|exit_group|getrlimit|rt_sigreturn|sigreturn)'
# Filter by executable:
-x <absolute path to executable>
# by the process with pid:
-p <pid>
# by any child of the process with pid:
-pp <pid>
# Then add the list to your .service file, e.g.:
SystemCallFilter=getcwd access arch_prctl brk clone close dup2 fchdir fcntl fstat fstatfs futex getdents64 getuid ioctl lseek mmap mprotect munmap newfstatat openat pipe poll ppoll prlimit64 read recvfrom rt_sigaction rt_sigprocmask sendto set_robust_list set_tid_address socket stat statfs uname wait4 write