* [[PATCH V2] 1/2] userspace: audit: log on the future execution of a path
2015-07-14 15:46 [[PATCH V2] 0/2] Log on the future execution of a path Richard Guy Briggs
@ 2015-07-14 15:46 ` Richard Guy Briggs
2015-07-14 15:46 ` [[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path Richard Guy Briggs
1 sibling, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, pmoody
Enable creation of rules to monitor for the execution of a path in the future.
For example, to log occurances of touch(1)ing a file in /tmp, use:
-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=touch_tmp
The command:
touch /tmp/test
should generate a log message that can be verified by:
ausearch --start recent -k touch_tmp
Similarly, use "exe_children=" in the place of "exe=" to detect the case for
any descendent processes.
Based-on-work-by: Peter Moody <pmoody@google.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 5 +++++
trunk/lib/libaudit.h | 7 ++++++-
trunk/src/auditctl-listing.c | 8 +++++++-
5 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4fea66..8d72bd8 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
{ -15, 2, "-F unknown errno -"},
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Unused
+ { -18, 1, "only takes = operator" },
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index dd7474c..c458c32 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
+_S(AUDIT_EXE, "exe" )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index dddfd0b..d7da4ec 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1395,6 +1395,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_FILTERKEY:
+ case AUDIT_EXE_CHILDREN:
+ case AUDIT_EXE:
+ if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
+ op != AUDIT_EQUAL)
+ return -18;
if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
return -19;
vlen = strlen(v);
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 05ee91e..1d3a697 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -274,6 +274,12 @@ extern "C" {
#ifndef AUDIT_FIELD_COMPARE
#define AUDIT_FIELD_COMPARE 111
#endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
@@ -580,4 +586,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
#endif
#endif
-
diff --git a/trunk/src/auditctl-listing.c b/trunk/src/auditctl-listing.c
index 1dc9729..339dec7 100644
--- a/trunk/src/auditctl-listing.c
+++ b/trunk/src/auditctl-listing.c
@@ -63,7 +63,8 @@ int key_match(const struct audit_rule_data *r)
}
if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID) || field == AUDIT_WATCH ||
- field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
+ field == AUDIT_DIR || field == AUDIT_FILTERKEY
+ || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
boffset += r->values[i];
}
}
@@ -357,6 +358,11 @@ static void print_rule(const struct audit_rule_data *r)
&r->buf[boffset]);
boffset += r->values[i];
+ } else if (field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
+ printf(" -F exe%s=%.*s",
+ field == AUDIT_EXE_CHILDREN ? "_children" : "",
+ r->values[i], &r->buf[boffset]);
+ boffset += r->values[i];
} else if (field == AUDIT_FILTERKEY) {
char *rkey, *ptr, *saved=NULL;
if (asprintf(&rkey, "%.*s", r->values[i],
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path.
2015-07-14 15:46 [[PATCH V2] 0/2] Log on the future execution of a path Richard Guy Briggs
2015-07-14 15:46 ` [[PATCH V2] 1/2] userspace: audit: log " Richard Guy Briggs
@ 2015-07-14 15:46 ` Richard Guy Briggs
1 sibling, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, pmoody
Allow rules to be created that are not accompanied by a file or directory
watch, nor by a syscall specification.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/libaudit.c | 12 ++++++++----
trunk/lib/private.h | 1 +
trunk/src/auditctl.c | 8 +++++++-
4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 8d72bd8..2624567 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -52,7 +52,7 @@ static const struct msg_tab err_msgtab[] = {
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
{ -18, 1, "only takes = operator" },
- { -19, 0, "Key field needs a watch or syscall given prior to it" },
+ { -19, 0, "Key field needs a watch, syscall or exe path given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
{ -22, 2, "-F missing field name before operator for" },
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index d7da4ec..b06c76b 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -82,6 +82,7 @@ static const struct nv_list failure_actions[] =
int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
+int _audit_exeadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1397,10 +1398,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_FILTERKEY:
case AUDIT_EXE_CHILDREN:
case AUDIT_EXE:
- if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
- op != AUDIT_EQUAL)
- return -18;
- if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
+ if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {
+ if (op != AUDIT_EQUAL)
+ return -18;
+ _audit_exeadded = 1;
+ }
+ if (field == AUDIT_FILTERKEY
+ && !(_audit_syscalladded || _audit_permadded || _audit_exeadded))
return -19;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/trunk/lib/private.h b/trunk/lib/private.h
index a0e3e35..7d7fd13 100644
--- a/trunk/lib/private.h
+++ b/trunk/lib/private.h
@@ -131,6 +131,7 @@ extern int audit_send_user_message(int fd, int type, hide_t hide_err,
extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
+extern int _audit_exeadded;
extern unsigned int _audit_elf;
hidden_proto(audit_send_user_message);
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index b084b1a..40e9812 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -73,6 +73,7 @@ static int reset_vars(void)
_audit_syscalladded = 0;
_audit_permadded = 0;
_audit_archadded = 0;
+ _audit_exeadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -821,6 +822,11 @@ static int setopt(int count, int lineno, char *vars[])
if (rule_new->fields[rule_new->field_count-1] ==
AUDIT_PERM)
_audit_permadded = 1;
+ if ((rule_new->fields[rule_new->field_count-1] ==
+ AUDIT_EXE) ||
+ (rule_new->fields[rule_new->field_count-1] ==
+ AUDIT_EXE_CHILDREN))
+ _audit_exeadded = 1;
}
break;
@@ -908,7 +914,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'k':
- if (!(_audit_syscalladded || _audit_permadded ) ||
+ if (!(_audit_syscalladded || _audit_permadded || _audit_exeadded) ||
(add==AUDIT_FILTER_UNSET &&
del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread