Closed mzpqnxow closed 1 year ago
After a quick review of the userspace audisp code for untangling SYS_clone, this is clearly a significant amount of effort.
One issue with SYS_clone is definitely that it's called a lot :)

I think in general execve() catches most of what you want, but yes, it won't log an exploit abusing certain arguments to clone().

If it were logged, you'd most likely just log it with all arguments and filter based on that - as long as you're OK with the amount of data it will likely generate and of course have a use for it (i.e. actually detect the exploit, for example).
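The approach described in the reply above (log every clone() with its arguments, then filter on those arguments) as an added example; this is not code from the audisp project or from anyone in the thread. It assumes x86_64 audit SYSCALL records (syscall 56 is clone on that architecture) produced by a rule such as `auditctl -a always,exit -F arch=b64 -S clone -k clone_watch`, decodes the `a0` flags argument into CLONE_* names using the constants from `<linux/sched.h>`, and keeps only records whose flags intersect a watch set. The sample audit lines, PIDs and paths are constructed, and `flag_profile()` shows where the call volume the reply warns about actually comes from.

```python
"""Decode and filter clone(2) audit records by their flags argument.

Added example, not part of the audisp project discussed in this issue.
Assumes x86_64 audit SYSCALL records (syscall=56 is clone there), e.g. from:
    auditctl -a always,exit -F arch=b64 -S clone -k clone_watch
"""
import re
from collections import Counter

SYS_CLONE_X86_64 = 56  # assumption: x86_64; other architectures use other numbers

# clone(2) flag bits as defined in <linux/sched.h>; the low byte is the exit signal.
CLONE_FLAGS = {
    "CLONE_VM": 0x00000100,
    "CLONE_FS": 0x00000200,
    "CLONE_FILES": 0x00000400,
    "CLONE_SIGHAND": 0x00000800,
    "CLONE_PTRACE": 0x00002000,
    "CLONE_VFORK": 0x00004000,
    "CLONE_PARENT": 0x00008000,
    "CLONE_THREAD": 0x00010000,
    "CLONE_NEWNS": 0x00020000,
    "CLONE_SYSVSEM": 0x00040000,
    "CLONE_SETTLS": 0x00080000,
    "CLONE_PARENT_SETTID": 0x00100000,
    "CLONE_CHILD_CLEARTID": 0x00200000,
    "CLONE_CHILD_SETTID": 0x01000000,
    "CLONE_NEWCGROUP": 0x02000000,
    "CLONE_NEWUTS": 0x04000000,
    "CLONE_NEWIPC": 0x08000000,
    "CLONE_NEWUSER": 0x10000000,
    "CLONE_NEWPID": 0x20000000,
    "CLONE_NEWNET": 0x40000000,
}

# Namespace-creating flags: plain fork()/pthread_create() never set these, so a
# watch set built from them keeps the alert volume far below the raw clone() rate.
NAMESPACE_FLAGS = {"CLONE_NEWNS", "CLONE_NEWUTS", "CLONE_NEWIPC", "CLONE_NEWCGROUP",
                   "CLONE_NEWUSER", "CLONE_NEWPID", "CLONE_NEWNET"}

# Constructed sample records (not real logs): a fork(), a pthread_create(),
# a clone() requesting a new user namespace, and an unrelated execve record.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=56 success=yes exit=4242 a0=1200011 a1=0 a2=0 a3=7f0000001000 ppid=1 pid=4000 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="clone_watch"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=56 success=yes exit=4243 a0=3d0f00 a1=7f0000002000 a2=7f0000003000 a3=7f0000004000 ppid=1 pid=4001 auid=1000 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="clone_watch"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=56 success=yes exit=4244 a0=10000011 a1=0 a2=0 a3=0 ppid=4000 pid=4005 auid=1000 uid=1000 comm="a.out" exe="/tmp/a.out" key="clone_watch"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d1e0 a2=55d300 a3=0 ppid=4000 pid=4006 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec_watch"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a key->value dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_clone_flags(a0_hex):
    """Return (flag names, exit signal) for the hex a0 argument of a clone() record."""
    value = int(a0_hex, 16)
    names = [name for name, bit in CLONE_FLAGS.items() if value & bit]
    return names, value & 0xFF


def filter_clone_records(lines, watch_flags=NAMESPACE_FLAGS):
    """Keep only clone() records whose decoded flags intersect watch_flags."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(SYS_CLONE_X86_64):
            continue
        names, exit_sig = decode_clone_flags(rec["a0"])
        matched = sorted(set(names) & set(watch_flags))
        if matched:
            hits.append({"pid": rec["pid"], "comm": rec["comm"], "exe": rec["exe"],
                         "flags": matched, "exit_signal": exit_sig})
    return hits


def flag_profile(lines):
    """Count clone() records per flag combination to see where the volume comes from."""
    profile = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("syscall") == str(SYS_CLONE_X86_64):
            names, _ = decode_clone_flags(rec["a0"])
            profile[tuple(names)] += 1
    return profile


if __name__ == "__main__":
    for hit in filter_clone_records(SAMPLE_LINES):
        print("watched clone():", hit)
    for combo, n in flag_profile(SAMPLE_LINES).most_common():
        print(n, "|".join(combo) or "(exit signal only)")
```

Run against the constructed lines, only the user-namespace clone() from `a.out` survives the filter, while the fork() and the thread creation (the bulk of real-world clone traffic) are counted by `flag_profile()` but produce no alert. Two caveats when using this on a real host: the syscall number must match the architecture of each record (`arch=` in the log), and newer glibc versions issue fork/thread creation via clone3 rather than clone, so a rule on clone alone will not see those calls.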
There is currently no support for the SYS_clone system call. This is desirable especially since it has been used for privilege escalation exploits in the wild in the past. There are of course plenty of legitimate uses for it as well. I will take a look to see if I have time to PR this as I would like it for my systems