From: Peter Moody
Subject: [PATCH] Support for auditing on the actions of a not-yet-executed process.
Date: Thu, 23 Aug 2012 12:25:54 -0700
Message-ID: <1345749954-28749-1-git-send-email-pmoody@google.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

eg:

  -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1

to see instances of /bin/bash opening a non-local socket. Or

  -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1

to see instances of /bin/bash, and any descendant processes, opening a non-local socket.

proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html and it seemed like there was interest.

Signed-off-by: Peter Moody
---
 trunk/lib/errormsg.h |  2 +-
 trunk/lib/fieldtab.h |  2 ++
 trunk/lib/libaudit.c | 11 +++++++++++
 trunk/lib/libaudit.h |  7 ++++++-
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4d996d5..cd595ec 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = { { -15, 2, "-F unknown errno -"}, { -16, 2, "-F unknown file type - " }, { -17, 1, "can only be used with exit and entry filter list" }, - { -18, 1, "" }, // Unused + { -18, 1, "only takes = operator" }, { -19, 0, "Key field needs a watch or syscall given prior to it" }, { -20, 2, "-F missing value after operation for" }, { -21, 2, "-F value should be number for" }, diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h index c0432cc..245b541 100644 --- a/trunk/lib/fieldtab.h +++ b/trunk/lib/fieldtab.h @@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" ) _S(AUDIT_FILTERKEY, "key" ) _S(AUDIT_FIELD_COMPARE, "field_compare" ) +_S(AUDIT_EXE, "exe" ) +_S(AUDIT_EXE_CHILDREN, "exe_children" ) diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c index 20eaf5f..06eed86 100644 --- a/trunk/lib/libaudit.c +++ b/trunk/lib/libaudit.c @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, else return -21; break; + case AUDIT_EXE_CHILDREN: + case AUDIT_EXE: + { + struct stat buf; + if ((stat(v, &buf)) < 0) + return -2; + if (op != AUDIT_EQUAL) + return -18; + rule->values[rule->field_count] = (unsigned long)buf.st_ino; + } + break; case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h index 89dd588..2c8a802 100644 --- a/trunk/lib/libaudit.h +++ b/trunk/lib/libaudit.h @@ -243,6 +243,12 @@ extern "C" { #ifndef AUDIT_FIELD_COMPARE #define AUDIT_FIELD_COMPARE 111 #endif +#ifndef AUDIT_EXE +#define AUDIT_EXE 112 +#endif +#ifndef AUDIT_EXE_CHILDREN +#define AUDIT_EXE_CHILDREN 113 +#endif #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule); #endif #endif - -- 1.7.7.3
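Review bot: the fieldtab.h hunk adds the user-visible names `exe` and `exe_children`, but nothing in this series documents them: the diffstat touches only lib/, so auditctl(8), which lists the accepted `-F` field names, is left without an entry. The man page text should say that the value is a path, that it is resolved to an inode when the rule is loaded (so the rule does not follow a later replacement of the file), that only `=` is accepted, and that `exe_children` also matches descendants of a process that executed the file.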
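Review bot: in the libaudit.c hunk, storing only `buf.st_ino` in `rule->values[]` is not enough to identify the file: inode numbers are unique only within one filesystem, so a different file with the same inode number on another mounted filesystem would satisfy the rule, which for a rule meant to watch `/bin/bash` is a false-match risk the commit message should at least acknowledge. The kernel side (not part of this patch) needs `st_dev` as well, or the path itself, to match reliably. Because the inode is captured once at rule-load time, a package update that writes a new `/bin/bash` silently makes the rule stop firing; that is worth a line in the documentation so operators know to reload rules after upgrades. Two smaller points: the `stat()` call runs before the operator check, so `-F exe!=/nonexistent` is reported as a stat failure rather than as a bad operator, and a stat failure returns `-2`, an existing error code this patch does not touch, where a dedicated entry that says the path could not be stat'ed would be clearer. There is also no `S_ISREG()` check on the result and, unlike the neighbouring `AUDIT_DEVMAJOR...AUDIT_INODE` cases, no restriction on the filter list the field may be used with; finally, make sure `<sys/stat.h>` is included in libaudit.c (the hunk does not show it).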
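Review bot: the libaudit.h hunk that defines `AUDIT_EXE 112` and `AUDIT_EXE_CHILDREN 113` under `#ifndef` guards must agree with the numbers the kernel's linux/audit.h assigns; because of the guards, a kernel header that already uses 112 or 113 for a different field would silently win and the rule would be sent with the wrong field type. The commit message does not reference the kernel-side change, so please link it (or note its status) so the numbering can be checked against it before this is merged.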
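Review bot: the last libaudit.h hunk only removes a trailing blank line at end of file; it is unrelated to the feature and would be cleaner as a separate whitespace-only patch, or at least mentioned in the commit message.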