From: Richard Guy Briggs <rgb@redhat.com>
To: Peter Moody <pmoody@google.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] Support for auditing on the actions of a not-yet-executed process.
Date: Fri, 2 May 2014 10:49:56 -0400
Message-ID: <20140502144956.GE24821@madcap2.tricolour.ca>
In-Reply-To: <1345749954-28749-1-git-send-email-pmoody@google.com>
On 12/08/23, Peter Moody wrote:
> eg:
>
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
>
> to see instances of /bin/bash opening a non-local socket. Or
>
> -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1
>
> to see instances of /bin/bash, and any descendant processes, opening a non-local socket.
In addition to these sample rules, do you have a command or script to
trigger it?
> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.
>
> Signed-off-by: Peter Moody <pmoody@google.com>
> ---
> trunk/lib/errormsg.h | 2 +-
> trunk/lib/fieldtab.h | 2 ++
> trunk/lib/libaudit.c | 11 +++++++++++
> trunk/lib/libaudit.h | 7 ++++++-
> 4 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> index 4d996d5..cd595ec 100644
> --- a/trunk/lib/errormsg.h
> +++ b/trunk/lib/errormsg.h
> @@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
> { -15, 2, "-F unknown errno -"},
> { -16, 2, "-F unknown file type - " },
> { -17, 1, "can only be used with exit and entry filter list" },
> - { -18, 1, "" }, // Unused
> + { -18, 1, "only takes = operator" },
> { -19, 0, "Key field needs a watch or syscall given prior to it" },
> { -20, 2, "-F missing value after operation for" },
> { -21, 2, "-F value should be number for" },
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index c0432cc..245b541 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
> _S(AUDIT_FILTERKEY, "key" )
>
> _S(AUDIT_FIELD_COMPARE, "field_compare" )
> +_S(AUDIT_EXE, "exe" )
> +_S(AUDIT_EXE_CHILDREN, "exe_children" )
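Review bot: `exe` and `exe_children` become user-visible auditctl rule syntax, yet the diffstat above touches only lib/, so the auditctl(8) man page needs entries for both fields that state the `=`-only restriction and that the given path is resolved to an inode when the rule is loaded rather than compared by name at event time (so the rule stops matching once the binary is replaced).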
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 20eaf5f..06eed86 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
> else
> return -21;
> break;
> + case AUDIT_EXE_CHILDREN:
> + case AUDIT_EXE:
> + {
> + struct stat buf;
> + if ((stat(v, &buf)) < 0)
> + return -2;
> + if (op != AUDIT_EQUAL)
> + return -18;
> + rule->values[rule->field_count] = (unsigned long)buf.st_ino;
> + }
> + break;
> case AUDIT_DEVMAJOR...AUDIT_INODE:
> case AUDIT_SUCCESS:
> if (flags != AUDIT_FILTER_EXIT)
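Review bot: the new `case AUDIT_EXE_CHILDREN:` / `case AUDIT_EXE:` block keeps only `buf.st_ino`, so the rule matches on an inode number alone; inode numbers are unique only within one filesystem, and the user-supplied path is discarded at rule-load time, so a different file with the same inode number on another filesystem can match and a replaced binary silently stops matching. Consider carrying `st_dev` alongside the inode (or at least documenting the limitation) and rejecting non-regular files with `S_ISREG(buf.st_mode)`. Two smaller points: `if (op != AUDIT_EQUAL) return -18;` sits after the `stat()` call, so a rule with both a bad operator and a bad path reports the file error instead of the operator error, and checking `op` first also avoids a needless stat(); and the adjacent `case AUDIT_DEVMAJOR...AUDIT_INODE:` branch restricts inode-based fields with `if (flags != AUDIT_FILTER_EXIT)`, whereas the new case accepts any filter list, so decide whether exe/exe_children should carry the same restriction. Also confirm libaudit.c already includes <sys/stat.h> for `struct stat`, since the hunk does not add it.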
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 89dd588..2c8a802 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -243,6 +243,12 @@ extern "C" {
> #ifndef AUDIT_FIELD_COMPARE
> #define AUDIT_FIELD_COMPARE 111
> #endif
> +#ifndef AUDIT_EXE
> +#define AUDIT_EXE 112
> +#endif
> +#ifndef AUDIT_EXE_CHILDREN
> +#define AUDIT_EXE_CHILDREN 113
> +#endif
>
> #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
> #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
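Review bot: `#define AUDIT_EXE 112` and `#define AUDIT_EXE_CHILDREN 113` are field identifiers that must agree with the kernel's uapi audit.h, and the `#ifndef` guards mean that if the kernel header later defines either name with a different value the library will silently build against that value instead, sending a mismatched field id to the kernel. The kernel change that allocates these numbers is not part of this series, so the commit message should reference it, and the values should be taken from the kernel header once it is merged rather than hardcoded here.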
> @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
> #endif
>
> #endif
> -
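Review bot: this hunk only removes the trailing empty line after the final `#endif`; it is unrelated whitespace cleanup and should be dropped from this patch or sent separately so the functional diff stays minimal.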
> --
> 1.7.7.3
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Thread overview: 4+ messages
2012-08-23 19:25 [PATCH] Support for auditing on the actions of a not-yet-executed process Peter Moody
2012-08-27 12:54 ` Steve Grubb
2014-05-02 14:49 ` Richard Guy Briggs [this message]
2014-05-02 15:25 ` Steve Grubb