From: Richard Guy Briggs <rgb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: [userspace PATCH v2 1/2] exclude filter: add support for user filter fields
Date: Thu, 18 Aug 2016 14:33:19 -0400 [thread overview]
Message-ID: <1471545200-3742-2-git-send-email-rgb@redhat.com> (raw)
In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com>
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Enable the exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/docs/auditctl.8 | 2 +-
trunk/lib/errormsg.h | 2 +-
trunk/lib/libaudit.c | 24 ++++++++++++++++++++----
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index ceb6c40..540ff70 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c
Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
.TP
.B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field.
+Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context.
.RE
The following describes the valid \fIactions\fP for the rule:
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index c678315..84bfdb3 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,7 +66,7 @@ static const struct msg_tab err_msgtab[] = {
{ -28, 2, "Too many fields in rule:" },
{ -29, 1, "only takes = operator" },
{ -30, 2, "Field option not supported by kernel:" },
- { -31, 1, "can only be used with exit and user filter lists" },
+ { -31, 1, "can only be used with exit, user and exclude filter lists" },
{ -32, 2, "-F value should be boolean 0 or 1 for" },
};
#endif
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 236f8bc..798b3c8 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,9 +1400,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if ((field = audit_name_to_field(f)) < 0)
return -2;
- /* Exclude filter can be used only with MSGTYPE field */
- if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
- return -12;
+ /* Exclude filter can be used only with MSGTYPE and cred fields */
+ if (flags == AUDIT_FILTER_EXCLUDE)
+ switch(field) {
+ case AUDIT_PID:
+ case AUDIT_UID:
+ case AUDIT_GID:
+ case AUDIT_LOGINUID:
+ case AUDIT_LOGINUID_SET:
+ case AUDIT_MSGTYPE:
+ case AUDIT_SUBJ_USER:
+ case AUDIT_SUBJ_ROLE:
+ case AUDIT_SUBJ_TYPE:
+ case AUDIT_SUBJ_SEN:
+ case AUDIT_SUBJ_CLR:
+ break;
+ default:
+ return -12;
+ }
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
@@ -1630,7 +1645,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_LOGINUID_SET:
if(!features)
return -30;
- if (flags != AUDIT_FILTER_USER &&
+ if (flags != AUDIT_FILTER_EXCLUDE &&
+ flags != AUDIT_FILTER_USER &&
flags != AUDIT_FILTER_EXIT)
return -31;
if (isdigit((char)*(v))) {
--
1.7.1
next prev parent reply other threads:[~2016-08-18 18:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-18 18:33 [userspace PATCH v2 0/2] add support for more fields to the exclude filter Richard Guy Briggs
2016-08-18 18:33 ` Richard Guy Briggs [this message]
2016-08-18 18:33 ` [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel Richard Guy Briggs
2016-10-10 17:47 ` Steve Grubb
2016-10-11 19:09 ` Richard Guy Briggs
2016-10-11 22:56 ` [userspace PATCH v2 0/2] add support for more fields to the exclude filter Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1471545200-3742-2-git-send-email-rgb@redhat.com \
--to=rgb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox