* [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
From: chuli @ 2008-07-31 1:38 UTC
To: 'Steve Grubb'; Cc: 'linux-audit'

Hi Steve,

When I use "-a user,always -S open", errors will be reported. But when I use "-S open -a user,always", no errors will be reported. There is no corresponding code to deal with the latter format.

Here is my patch. Hope for your opinion about such modification.
(I moved the code for checking the "task" list into handle_request().)

Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..9cc3df0 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) retval = -2; break; case 'a': - if (strstr(optarg, "task") && audit_syscalladded) { + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { fprintf(stderr, - "Syscall auditing requested for task list\n"); + "Append rule - bad keyword %s\n", + optarg); retval = -1; - } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Append rule - bad keyword %s\n", - optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else - retval = 1; /* success - please send */ - } + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ + } else + retval = 1; /* success - please send */ break; case 'A': - if (strstr(optarg, "task") && audit_syscalladded) { - fprintf(stderr, - "Error: syscall auditing requested for task list\n"); + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); retval = -1; + } else if (rc == 2) { + fprintf(stderr, + "Add rule - bad keyword %s\n", optarg); + retval = -1; + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Add rule - bad keyword %s\n", optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* 
deprecated - eat it */ - } else { - add |= AUDIT_FILTER_PREPEND; - retval = 1; /* success - please send */ - } + add |= AUDIT_FILTER_PREPEND; + retval = 1; /* success - please send */ } break; case 'd': @@ -1167,6 +1155,27 @@ static int handle_request(int status) audit_rule_syscallbyname_data( rule_new, "all"); } + if(audit_syscalladded == 1){ + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK)) { + fprintf(stderr, + "Error: syscall auditing being added to task list\n"); + return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER)) { + fprintf(stderr, + "Error: syscall auditing being added to user list\n"); + return -1; + } else if (exclude) { + fprintf(stderr, + "Error: syscall auditing cannot be put on exclude list\n"); + return -1; + } + } if (which == OLD) { rc = audit_add_rule(fd, &rule, add, action); } else { Regards Chu Li ^ permalink raw reply related [flat|nested] 5+ messages in thread
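Review bot: in the setopt() hunk (case 'a' and case 'A'), replacing the `strstr(optarg, "task")` test is the right call, since a substring match fires on any keyword that happens to contain "task" and the filter-mask comparison that replaces it does not, but the user-visible behaviour changes in two ways the commit message should state: the error is now reported only from handle_request(), after all options have been parsed, and its text changes from "Syscall auditing requested for task list" to "Error: syscall auditing being added to task list". One leftover to tidy while the block is being rewritten: case 'A' still prints "Append rule - possible is deprecated" for rc == 1, where its other messages say "Add rule".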
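Review bot: in the handle_request() hunk, the new block tests `del` as well as `add`, but it sits immediately in front of `if (which == OLD) { rc = audit_add_rule(fd, &rule, add, action);`, which is the add path, so a `-S open -d user,always` request still reaches the kernel unchecked; move the block to a point shared by the add and delete paths. The expression `(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)` is applied four times; computing `add & (...)` and `del & (...)` once into two locals would make the three comparisons readable, and `if(audit_syscalladded == 1){` should use the `if (...) {` spacing of the surrounding code.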
* Re: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
From: Steve Grubb @ 2008-08-05 0:18 UTC
To: chuli; Cc: 'linux-audit'

Hi,

On Wednesday 30 July 2008 21:38:26 chuli wrote:
> When I use "-a user,always -S open", errors will be reported. But when I
> use "-S open -a user,always", no errors will be reported. There is no
> corresponding code to deal with the latter format.

I'm still thinking about this patch. I'll look at it again tomorrow.

Thanks,
-Steve

> Here is my patch. Hope for your opinion about such modification.
> (I moved the code for checking the "task" list into handle_request().)
>
> Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index d740509..9cc3df0 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) > retval = -2; > break; > case 'a': > - if (strstr(optarg, "task") && audit_syscalladded) { > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > + retval = -1; > + } else if (rc == 2) { > fprintf(stderr, > - "Syscall auditing requested for task list\n"); > + "Append rule - bad keyword %s\n", > + optarg); > retval = -1; > - } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Append rule - bad keyword %s\n", > - optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else > - retval = 1; /* success - please send */ > - } > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > + } else > + retval = 1; /* success - please send */ > break; > case 'A': > - if (strstr(optarg, "task") && audit_syscalladded) { > - fprintf(stderr, > - "Error: syscall auditing requested for task list\n"); > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > retval = -1; > + } else if (rc == 2) { > + fprintf(stderr, > + "Add rule - bad keyword %s\n", optarg); > + retval = -1; > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Add rule - bad keyword 
%s\n", optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else { > - add |= AUDIT_FILTER_PREPEND; > - retval = 1; /* success - please send */ > - } > + add |= AUDIT_FILTER_PREPEND; > + retval = 1; /* success - please send */ > } > break; > case 'd': > @@ -1167,6 +1155,27 @@ static int handle_request(int status) > audit_rule_syscallbyname_data( > rule_new, "all"); > } > + if(audit_syscalladded == 1){ > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK)) { > + fprintf(stderr, > + "Error: syscall auditing being added to task list\n"); > + return -1; > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER)) { > + fprintf(stderr, > + "Error: syscall auditing being added to user list\n"); > + return -1; > + } else if (exclude) { > + fprintf(stderr, > + "Error: syscall auditing cannot be put on exclude list\n"); > + return -1; > + } > + } > if (which == OLD) { > rc = audit_add_rule(fd, &rule, add, action); > } else { > > Regards > Chu Li ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
From: Chu Li @ 2008-08-06 7:27 UTC
To: 'Steve Grubb'; Cc: 'linux-audit'

Hi Steve,

> > When I use "-a user,always -S open", errors will be reported. But when I
> > use "-S open -a user,always", no errors will be reported. There is no
> > corresponding code to deal with the latter format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>

I modified the original patch. (I moved the checking code for list and syscall in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".) Then using "-S open -a user,always" or "-S open -d user,always" will report an error to users.

And I found another problem: when using "-a 'list','action' -w /mnt", it will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found "-w" will use the "exit" list automatically. I think it's better to add something about it in the manual.

How about your opinion?

Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..f4f9553 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -575,52 +575,41 @@ static int setopt(int count, char *vars[]) retval = -2; break; case 'a': - if (strstr(optarg, "task") && audit_syscalladded) { + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { fprintf(stderr, - "Syscall auditing requested for task list\n"); + "Append rule - bad keyword %s\n", + optarg); retval = -1; - } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Append rule - bad keyword %s\n", - optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else - retval = 1; /* success - please send */ + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ + } else + retval = 1; /* success - please send */ } break; case 'A': - if (strstr(optarg, "task") && audit_syscalladded) { - fprintf(stderr, - "Error: syscall auditing requested for task list\n"); + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); retval = -1; + } else if (rc == 2) { + fprintf(stderr, + "Add rule - bad keyword %s\n", optarg); + retval = -1; + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Add rule - bad keyword %s\n", optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* 
deprecated - eat it */ - } else { - add |= AUDIT_FILTER_PREPEND; - retval = 1; /* success - please send */ - } + add |= AUDIT_FILTER_PREPEND; + retval = 1; /* success - please send */ } break; case 'd': @@ -1215,6 +1204,27 @@ static int handle_request(int status) status = 0; // report success else if (status > 0) { int rc; + if(audit_syscalladded == 1){ + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_TASK)) { + fprintf(stderr, + "Error: syscall auditing being added to task list\n"); + return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_USER)) { + fprintf(stderr, + "Error: syscall auditing being added to user list\n"); + return -1; + } else if (exclude) { + fprintf(stderr, + "Error: syscall auditing cannot be put on exclude list\n"); + return -1; + } + } if (add != AUDIT_FILTER_UNSET) { // if !task add syscall any if not specified if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Tuesday, August 05, 2008 8:19 AM > To: chuli > Cc: 'linux-audit' > Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no errors > will be reported. > > Hi, > > On Wednesday 30 July 2008 21:38:26 chuli wrote: > > When I use "-a user,always -S open", errors will be reported. But when I > > use "-S open -a user,always", no errors will report. There is no > > corresponding codes to deal with the later format. > > I'm still thinking about this patch. I'll look at it again tomorrow. > > Thanks, > -Steve > > > > Here is my patch. Hope for your opinion about such modification. > > (I move the code for checking "task" list to the handle_request().) > > > > Signed-off-by: Chu Li <chul@cn.fujitsu.com> > > --- 
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index d740509..9cc3df0 100755
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) > > retval = -2; > > break; > > case 'a': > > - if (strstr(optarg, "task") && audit_syscalladded) { > > + rc = audit_rule_setup(optarg, &add, &action); > > + if (rc == 3) { > > + fprintf(stderr, > > + "Multiple rule insert/delete operations are not allowed\n"); > > + retval = -1; > > + } else if (rc == 2) { > > fprintf(stderr, > > - "Syscall auditing requested for task list\n"); > > + "Append rule - bad keyword %s\n", > > + optarg); > > retval = -1; > > - } else { > > - rc = audit_rule_setup(optarg, &add, &action); > > - if (rc == 3) { > > - fprintf(stderr, > > - "Multiple rule insert/delete operations are not allowed\n"); > > - retval = -1; > > - } else if (rc == 2) { > > - fprintf(stderr, > > - "Append rule - bad keyword %s\n", > > - optarg); > > - retval = -1; > > - } else if (rc == 1) { > > - fprintf(stderr, > > - "Append rule - possible is deprecated\n"); > > - return -3; /* deprecated - eat it */ > > - } else > > - retval = 1; /* success - please send */ > > - } > > + } else if (rc == 1) { > > + fprintf(stderr, > > + "Append rule - possible is deprecated\n"); > > + return -3; /* deprecated - eat it */ > > + } else > > + retval = 1; /* success - please send */ > > break; > > case 'A': > > - if (strstr(optarg, "task") && audit_syscalladded) { > > - fprintf(stderr, > > - "Error: syscall auditing requested for task list\n"); > > + rc = audit_rule_setup(optarg, &add, &action); > > + if (rc == 3) { > > + fprintf(stderr, > > + "Multiple rule insert/delete operations are not allowed\n"); > > retval = -1; > > + } else if (rc == 2) { > > + fprintf(stderr, > > + "Add rule - bad keyword %s\n", optarg); > > + retval = -1; > > + } else if (rc == 1) { > > + fprintf(stderr, > > + "Append rule - possible is deprecated\n"); > > + return -3; /* deprecated - eat it */ > > } else { > > - rc = audit_rule_setup(optarg, &add, &action); > > - if (rc == 3) { > > - fprintf(stderr, > > - "Multiple rule insert/delete 
operations are not allowed\n"); > > - retval = -1; > > - } else if (rc == 2) { > > - fprintf(stderr, > > - "Add rule - bad keyword %s\n", optarg); > > - retval = -1; > > - } else if (rc == 1) { > > - fprintf(stderr, > > - "Append rule - possible is deprecated\n"); > > - return -3; /* deprecated - eat it */ > > - } else { > > - add |= AUDIT_FILTER_PREPEND; > > - retval = 1; /* success - please send */ > > - } > > + add |= AUDIT_FILTER_PREPEND; > > + retval = 1; /* success - please send */ > > } > > break; > > case 'd': > > @@ -1167,6 +1155,27 @@ static int handle_request(int status) > > audit_rule_syscallbyname_data( > > rule_new, "all"); > > } > > + if(audit_syscalladded == 1){ > > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_TASK || (del & > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_TASK)) { > > + fprintf(stderr, > > + "Error: syscall auditing being added to task list\n"); > > + return -1; > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_USER || (del & > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > + AUDIT_FILTER_USER)) { > > + fprintf(stderr, > > + "Error: syscall auditing being added to user list\n"); > > + return -1; > > + } else if (exclude) { > > + fprintf(stderr, > > + "Error: syscall auditing cannot be put on exclude > list\n"); > > + return -1; > > + } > > + } > > if (which == OLD) { > > rc = audit_add_rule(fd, &rule, add, action); > > } else { > > > > Regards > > Chu Li ^ permalink raw reply related [flat|nested] 5+ messages in thread
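Review bot: in the setopt() hunk of the revised patch (index 48f1369..f4f9553), case 'a' keeps `}` as unchanged context between `+ retval = 1; /* success - please send */` and `break;`, but the `} else {` that brace used to close is a removed line, so as this hunk reads case 'a' ends with one `}` too many and will not compile (the first version removed it with `- }`; the old side is 52 lines in both versions and the new side grew from 40 to 41 lines, which is exactly that brace). Case 'A' in this hunk balances because it keeps its `} else {` context line, so either drop the brace in case 'a' again or give case 'a' the same shape as case 'A'.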
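Review bot: in the handle_request() hunk, the messages read "syscall auditing being added to task list" and "... being added to user list" even when the match came from `del`, i.e. from a `-d` request; say "added to or removed from", or pick the verb from whichever of `add`/`del` matched. Placing the block before `if (add != AUDIT_FILTER_UNSET)` does close the delete-path gap of the first version. As before, the four copies of `(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)` would be clearer hoisted into two locals, and `if(audit_syscalladded == 1){` should follow the file's `if (...) {` spacing.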
* RE: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
From: Chu Li @ 2008-08-06 8:51 UTC
To: 'Steve Grubb'; Cc: 'linux-audit'

Hi Steve,

> > > When I use "-a user,always -S open", errors will be reported. But when I
> > > use "-S open -a user,always", no errors will be reported. There is no
> > > corresponding code to deal with the latter format.
> >
> > I'm still thinking about this patch. I'll look at it again tomorrow.
> >
> I modified the original patch. (I moved the checking code for list and syscall
> in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".)
> Then using "-S open -a user,always" or "-S open -d user,always" will report
> an error to users.
>

There is another method: the formats "-S xx -a list,action" and "-S xx -a list,action " are not allowed. Only "-a list,action -S xx" and "-d list,action -S xx" are allowed. The users have to add the "list" before the "syscall". Here is the patch for such a method. Hope for your opinion.

Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..0906369 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -575,53 +575,42 @@ static int setopt(int count, char *vars[]) retval = -2; break; case 'a': - if (strstr(optarg, "task") && audit_syscalladded) { + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { fprintf(stderr, - "Syscall auditing requested for task list\n"); + "Append rule - bad keyword %s\n", + optarg); retval = -1; - } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Append rule - bad keyword %s\n", - optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* deprecated - eat it */ - } else - retval = 1; /* success - please send */ + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ + } else + retval = 1; /* success - please send */ } break; case 'A': - if (strstr(optarg, "task") && audit_syscalladded) { - fprintf(stderr, - "Error: syscall auditing requested for task list\n"); + rc = audit_rule_setup(optarg, &add, &action); + if (rc == 3) { + fprintf(stderr, + "Multiple rule insert/delete operations are not allowed\n"); + retval = -1; + } else if (rc == 2) { + fprintf(stderr, + "Add rule - bad keyword %s\n", optarg); retval = -1; + } else if (rc == 1) { + fprintf(stderr, + "Append rule - possible is deprecated\n"); + return -3; /* deprecated - eat it */ } else { - rc = audit_rule_setup(optarg, &add, &action); - if (rc == 3) { - fprintf(stderr, - "Multiple rule insert/delete operations are not allowed\n"); - retval = -1; - } else if (rc == 2) { - fprintf(stderr, - "Add rule - bad keyword %s\n", optarg); - retval = -1; - } else if (rc == 1) { - fprintf(stderr, - "Append rule - possible is deprecated\n"); - return -3; /* 
deprecated - eat it */ - } else { - add |= AUDIT_FILTER_PREPEND; - retval = 1; /* success - please send */ - } - } + add |= AUDIT_FILTER_PREPEND; + retval = 1; /* success - please send */ + } break; case 'd': rc = audit_rule_setup(optarg, &del, &action); @@ -643,7 +632,12 @@ static int setopt(int count, char *vars[]) case 'S': /* Do some checking to make sure that we are not adding a * syscall rule to a list that does not make sense. */ - if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + if ((add == AUDIT_FILTER_UNSET || del == AUDIT_FILTER_UNSET ) + && !exclude){ + fprintf(stderr, + "Error: list should be first added to rule\n"); + return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK || (del & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK)) { @@ -1206,10 +1200,6 @@ int main(int argc, char *argv[]) static int handle_request(int status) { if (status == 0) { - if (audit_syscalladded) { - fprintf(stderr, "Error - no list specified\n"); - return -1; - } get_reply(); } else if (status == -2) status = 0; // report success > -----Original Message----- 
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Chu Li
> Sent: Wednesday, August 06, 2008 3:27 PM
> To: 'Steve Grubb'
> Cc: 'linux-audit'
> Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action",no errors will be reported.
>
> Hi Steve,
>
> > > When I use "-a user,always -S open", errors will be reported. But when I
> > > use "-S open -a user,always", no errors will be reported. There is no
> > > corresponding code to deal with the latter format.
> >
> > I'm still thinking about this patch. I'll look at it again tomorrow.
> >
> I modified the original patch. (I moved the checking code for list and syscall
> in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".)
> Then using "-S open -a user,always" or "-S open -d user,always" will report
> an error to users.
>
> And I found another problem: when using "-a 'list','action' -w /mnt", it will
> always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found
> "-w" will use the "exit" list automatically. I think it's better to add
> something about it in the manual.
>
> How about your opinion?
>
> Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 48f1369..f4f9553 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -575,52 +575,41 @@ static int setopt(int count, char *vars[]) > retval = -2; > break; > case 'a': > - if (strstr(optarg, "task") && audit_syscalladded) { > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > + retval = -1; > + } else if (rc == 2) { > fprintf(stderr, > - "Syscall auditing requested for task list\n"); > + "Append rule - bad keyword %s\n", > + optarg); > retval = -1; > - } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Append rule - bad keyword %s\n", > - optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else > - retval = 1; /* success - please send */ > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > + } else > + retval = 1; /* success - please send */ > } > break; > case 'A': > - if (strstr(optarg, "task") && audit_syscalladded) { > - fprintf(stderr, > - "Error: syscall auditing requested for task list\n"); > + rc = audit_rule_setup(optarg, &add, &action); > + if (rc == 3) { > + fprintf(stderr, > + "Multiple rule insert/delete operations are not allowed\n"); > retval = -1; > + } else if (rc == 2) { > + fprintf(stderr, > + "Add rule - bad keyword %s\n", optarg); > + retval = -1; > + } else if (rc == 1) { > + fprintf(stderr, > + "Append rule - possible is deprecated\n"); > + return -3; /* deprecated - eat it */ > } else { > - rc = audit_rule_setup(optarg, &add, &action); > - if (rc == 3) { > - fprintf(stderr, > - "Multiple rule insert/delete operations are not allowed\n"); > - retval = -1; > - } else if (rc == 2) { > - fprintf(stderr, > - "Add rule - bad keyword %s\n", 
optarg); > - retval = -1; > - } else if (rc == 1) { > - fprintf(stderr, > - "Append rule - possible is deprecated\n"); > - return -3; /* deprecated - eat it */ > - } else { > - add |= AUDIT_FILTER_PREPEND; > - retval = 1; /* success - please send */ > - } > + add |= AUDIT_FILTER_PREPEND; > + retval = 1; /* success - please send */ > } > break; > case 'd': > @@ -1215,6 +1204,27 @@ static int handle_request(int status) > status = 0; // report success > else if (status > 0) { > int rc; > + if(audit_syscalladded == 1){ > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_TASK)) { > + fprintf(stderr, > + "Error: syscall auditing being added to task list\n"); > + return -1; > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER || (del & > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > + AUDIT_FILTER_USER)) { > + fprintf(stderr, > + "Error: syscall auditing being added to user list\n"); > + return -1; > + } else if (exclude) { > + fprintf(stderr, > + "Error: syscall auditing cannot be put on exclude list\n"); > + return -1; > + } > + } > if (add != AUDIT_FILTER_UNSET) { > // if !task add syscall any if not specified > if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && > > > -----Original Message----- 
> > From: Steve Grubb [mailto:sgrubb@redhat.com]
> > Sent: Tuesday, August 05, 2008 8:19 AM
> > To: chuli
> > Cc: 'linux-audit'
> > Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action", no errors will be reported.
> >
> > Hi,
> >
> > On Wednesday 30 July 2008 21:38:26 chuli wrote:
> > > When I use "-a user,always -S open", errors will be reported. But when I
> > > use "-S open -a user,always", no errors will be reported. There is no
> > > corresponding code to deal with the latter format.
> >
> > I'm still thinking about this patch. I'll look at it again tomorrow.
> >
> > Thanks,
> > -Steve
> >
> >
> > > Here is my patch. Hope for your opinion about such modification.
> > > (I moved the code for checking the "task" list into handle_request().)
> > >
> > > Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> > > ---
> > > diff --git a/src/auditctl.c b/src/auditctl.c
> > > index d740509..9cc3df0 100755
> > > --- a/src/auditctl.c
> > > +++ b/src/auditctl.c
> > > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[]) > > > retval = -2; > > > break; > > > case 'a': > > > - if (strstr(optarg, "task") && audit_syscalladded) { > > > + rc = audit_rule_setup(optarg, &add, &action); > > > + if (rc == 3) { > > > + fprintf(stderr, > > > + "Multiple rule insert/delete operations are not allowed\n"); > > > + retval = -1; > > > + } else if (rc == 2) { > > > fprintf(stderr, > > > - "Syscall auditing requested for task list\n"); > > > + "Append rule - bad keyword %s\n", > > > + optarg); > > > retval = -1; > > > - } else { > > > - rc = audit_rule_setup(optarg, &add, &action); > > > - if (rc == 3) { > > > - fprintf(stderr, > > > - "Multiple rule insert/delete operations are not allowed\n"); > > > - retval = -1; > > > - } else if (rc == 2) { > > > - fprintf(stderr, > > > - "Append rule - bad keyword %s\n", > > > - optarg); > > > - retval = -1; > > > - } else if (rc == 1) { > > > - fprintf(stderr, > > > - "Append rule - possible is deprecated\n"); > > > - return -3; /* deprecated - eat it */ > > > - } else > > > - retval = 1; /* success - please send */ > > > - } > > > + } else if (rc == 1) { > > > + fprintf(stderr, > > > + "Append rule - possible is deprecated\n"); > > > + return -3; /* deprecated - eat it */ > > > + } else > > > + retval = 1; /* success - please send */ > > > break; > > > case 'A': > > > - if (strstr(optarg, "task") && audit_syscalladded) { > > > - fprintf(stderr, > > > - "Error: syscall auditing requested for task list\n"); > > > + rc = audit_rule_setup(optarg, &add, &action); > > > + if (rc == 3) { > > > + fprintf(stderr, > > > + "Multiple rule insert/delete operations are not allowed\n"); > > > retval = -1; > > > + } else if (rc == 2) { > > > + fprintf(stderr, > > > + "Add rule - bad keyword %s\n", optarg); > > > + retval = -1; > > > + } else if (rc == 1) { > > > + fprintf(stderr, > > > + "Append rule - possible is deprecated\n"); > > > + return -3; /* deprecated - eat it */ > > > } else { > > > - rc = 
audit_rule_setup(optarg, &add, &action); > > > - if (rc == 3) { > > > - fprintf(stderr, > > > - "Multiple rule insert/delete operations are not allowed\n"); > > > - retval = -1; > > > - } else if (rc == 2) { > > > - fprintf(stderr, > > > - "Add rule - bad keyword %s\n", optarg); > > > - retval = -1; > > > - } else if (rc == 1) { > > > - fprintf(stderr, > > > - "Append rule - possible is deprecated\n"); > > > - return -3; /* deprecated - eat it */ > > > - } else { > > > - add |= AUDIT_FILTER_PREPEND; > > > - retval = 1; /* success - please send */ > > > - } > > > + add |= AUDIT_FILTER_PREPEND; > > > + retval = 1; /* success - please send */ > > > } > > > break; > > > case 'd': > > > @@ -1167,6 +1155,27 @@ static int handle_request(int status) > > > audit_rule_syscallbyname_data( > > > rule_new, "all"); > > > } > > > + if(audit_syscalladded == 1){ > > > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_TASK || (del & > > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_TASK)) { > > > + fprintf(stderr, > > > + "Error: syscall auditing being added to task > list\n"); > > > + return -1; > > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) > == > > > + AUDIT_FILTER_USER || (del & > > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == > > > + AUDIT_FILTER_USER)) { > > > + fprintf(stderr, > > > + "Error: syscall auditing being added to user > list\n"); > > > + return -1; > > > + } else if (exclude) { > > > + fprintf(stderr, > > > + "Error: syscall auditing cannot be put on exclude > > list\n"); > > > + return -1; > > > + } > > > + } > > > if (which == OLD) { > > > rc = audit_add_rule(fd, &rule, add, action); > > > } else { > > > > > > Regards > > > Chu Li > > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply related [flat|nested] 5+ messages in thread
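Review bot: in the setopt() hunk of this patch (index 48f1369..0906369), case 'A' now balances its braces by removing both old closing braces and adding `+ }`, but case 'a' still keeps `}` as unchanged context between `+ retval = 1; /* success - please send */` and `break;` with no matching opening brace left in the new code; as the hunk reads, that case will not compile. Apply the same treatment to case 'a', or drop the brace as the first version of the patch did.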
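Review bot: in the case 'S' hunk, `if ((add == AUDIT_FILTER_UNSET || del == AUDIT_FILTER_UNSET ) && !exclude)` is wrong with `||`: on `-a user,always -S open`, the ordering this patch means to allow, only `add` has been set and `del` still holds its initial value, which the rest of the file treats as AUDIT_FILTER_UNSET (the `add != AUDIT_FILTER_UNSET` test in handle_request() is the "no list given" check), so the condition is true and "Error: list should be first added to rule" is printed for every syscall rule. `&&` is the intended operator, the message would be clearer as "specify the list with -a or -d before -S", and the stray space in `AUDIT_FILTER_UNSET )` plus `){` should follow the file's style. Separately, rejecting `-S` before the list is a behaviour change: rules files written in the `-S xx -a list,action` order stop loading, which the handle_request() variant of this fix avoided; if this route is taken, the man page needs to document the required order.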
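Review bot: in the handle_request() hunk, the deleted `if (audit_syscalladded) { fprintf(stderr, "Error - no list specified\n"); return -1; }` guard was the only check that fired for a bare `auditctl -S open` (status == 0, nothing to send). The new check in case 'S' covers that ordering, but it is skipped when `exclude` is set (`&& !exclude`), so confirm that `-S` combined with the exclude list still produces an error somewhere; otherwise keep this guard or drop the `!exclude` condition.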
* Re: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
From: Steve Grubb @ 2008-08-06 16:57 UTC
To: Chu Li; Cc: 'linux-audit'

On Wednesday 06 August 2008 03:27:00 Chu Li wrote:
> And I found another problem, when using "-a 'list','action' -w /mnt", it
> will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa".
> I found "-w" will use the "exit" list automatically. I think it's better to
> add something about it in the manual.

There are 2 forms of audit rules, the syscall syntax (-a) and the watch syntax (-w). They cannot be mixed. When -w is given, only -p and -k are valid. When -a is given, -w is invalid.

The -w notation is primarily for backwards compatibility with RHEL4. In it you do not give a list. When writing watches in RHEL5 and later, you can now use syscall notation like this:

-a always,exit -F perm=wa -F path=/etc/shadow

Note that -S is not given. The kernel selects the syscalls based on the perm field.

Hope this helps.
-Steve
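As an added illustration of the rewrite Steve describes (example code written for this page, not code from the thread or from the audit project), a POSIX shell function that turns a "-w PATH -p PERM -k KEY" watch into the "-a always,exit -F ..." form. Assumptions: a bare -w is given perm=rwxa, matching the LIST_RULES line quoted in the thread; an existing directory is written as -F dir= and anything else as -F path=; -k KEY is written as its -F key=KEY equivalent.

```shell
#!/bin/sh
# Added example, not part of the thread or of audit's own code.
# Rewrites a RHEL4-style watch ("-w PATH -p PERM -k KEY") into the
# syscall-notation rule Steve describes ("-a always,exit -F perm=... -F path=...").
# Assumptions made here: a bare -w gets perm=rwxa (what the LIST_RULES line in
# the thread reports), an existing directory becomes -F dir=, anything else
# -F path=, and -k KEY is written as the equivalent -F key=KEY.

# usage: watch_to_syscall PATH [PERM] [KEY]
watch_to_syscall() {
    w_path=$1
    w_perm=${2:-rwxa}
    w_key=$3

    # Reject anything that is not a combination of r, w, x and a.
    case "$w_perm" in
        *[!rwxa]*) printf 'bad perm "%s"\n' "$w_perm" >&2; return 1 ;;
    esac
    # Watches need an absolute path, like the /mnt and /etc/shadow examples.
    case "$w_path" in
        /*) ;;
        *) printf 'watch path must be absolute: "%s"\n' "$w_path" >&2; return 1 ;;
    esac

    # The kernel reports a directory watch as dir= and a file watch as path=.
    if [ -d "$w_path" ]; then
        w_field="dir=$w_path"
    else
        w_field="path=$w_path"
    fi

    rule="-a always,exit -F perm=$w_perm -F $w_field"
    [ -n "$w_key" ] && rule="$rule -F key=$w_key"
    printf '%s\n' "$rule"
}

# Stand-alone demonstration on the two paths discussed in the thread.
watch_to_syscall /etc/shadow wa shadow-changes
watch_to_syscall /mnt
```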