Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Richard Guy Briggs <rgb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>, pmoody@google.com
Subject: [[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path.
Date: Tue, 14 Jul 2015 11:46:49 -0400	[thread overview]
Message-ID: <1436888809-32238-3-git-send-email-rgb@redhat.com> (raw)
In-Reply-To: <1436888809-32238-1-git-send-email-rgb@redhat.com>

Allow rules to be created that are not accompanied by a file or directory
watch, nor by a syscall specification.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   12 ++++++++----
 trunk/lib/private.h  |    1 +
 trunk/src/auditctl.c |    8 +++++++-
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 8d72bd8..2624567 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -52,7 +52,7 @@ static const struct msg_tab err_msgtab[] = {
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
     { -18,    1,    "only takes = operator" },
-    { -19,    0,    "Key field needs a watch or syscall given prior to it" },
+    { -19,    0,    "Key field needs a watch, syscall or exe path given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
     { -22,    2,    "-F missing field name before operator for" },
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index d7da4ec..b06c76b 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -82,6 +82,7 @@ static const struct nv_list failure_actions[] =
 int _audit_permadded = 0;
 int _audit_archadded = 0;
 int _audit_syscalladded = 0;
+int _audit_exeadded = 0;
 unsigned int _audit_elf = 0U;
 static struct libaudit_conf config;
 
@@ -1397,10 +1398,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_FILTERKEY:
 		case AUDIT_EXE_CHILDREN:
 		case AUDIT_EXE:
-			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
-			    op != AUDIT_EQUAL)
-				return -18;
-			if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
+			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {
+				if (op != AUDIT_EQUAL)
+					return -18;
+				_audit_exeadded = 1;
+			}
+			if (field == AUDIT_FILTERKEY
+			    && !(_audit_syscalladded || _audit_permadded || _audit_exeadded))
                                 return -19;
 			vlen = strlen(v);
 			if (field == AUDIT_FILTERKEY &&
diff --git a/trunk/lib/private.h b/trunk/lib/private.h
index a0e3e35..7d7fd13 100644
--- a/trunk/lib/private.h
+++ b/trunk/lib/private.h
@@ -131,6 +131,7 @@ extern int audit_send_user_message(int fd, int type, hide_t hide_err,
 extern int _audit_permadded;
 extern int _audit_archadded;
 extern int _audit_syscalladded;
+extern int _audit_exeadded;
 extern unsigned int _audit_elf;
 
 hidden_proto(audit_send_user_message);
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index b084b1a..40e9812 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -73,6 +73,7 @@ static int reset_vars(void)
 	_audit_syscalladded = 0;
 	_audit_permadded = 0;
 	_audit_archadded = 0;
+	_audit_exeadded = 0;
 	_audit_elf = 0;
 	add = AUDIT_FILTER_UNSET;
 	del = AUDIT_FILTER_UNSET;
@@ -821,6 +822,11 @@ static int setopt(int count, int lineno, char *vars[])
 			if (rule_new->fields[rule_new->field_count-1] ==
 						AUDIT_PERM)
 				_audit_permadded = 1;
+			if ((rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE) ||
+			    (rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE_CHILDREN))
+				_audit_exeadded = 1;
 		}
 
 		break;
@@ -908,7 +914,7 @@ static int setopt(int count, int lineno, char *vars[])
 		}
 		break;
 	case 'k':
-		if (!(_audit_syscalladded || _audit_permadded ) ||
+		if (!(_audit_syscalladded || _audit_permadded || _audit_exeadded) ||
 				(add==AUDIT_FILTER_UNSET &&
 					del==AUDIT_FILTER_UNSET)) {
 			audit_msg(LOG_ERR,
-- 
1.7.1

      parent reply	other threads:[~2015-07-14 15:46 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-14 15:46 [[PATCH V2] 0/2] Log on the future execution of a path Richard Guy Briggs
2015-07-14 15:46 ` [[PATCH V2] 1/2] userspace: audit: log " Richard Guy Briggs
2015-07-14 15:46 ` Richard Guy Briggs [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1436888809-32238-3-git-send-email-rgb@redhat.com \
    --to=rgb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=pmoody@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox