<div>This patch extends Eric's test patch from 11/17 (<a href="http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html" target="_blank">http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html</a>). This turns -C into a long opt with similar syntax to -F. </div>





<div><br></div><div>This allows uid/euid and gid/egid to be compared, like</div><div><br></div><div>auditctl -a exit,always -F arch=b64 -C 'euid!=uid' -S execve -F 'euid!=0' -F 'success=1'</div><div>





<br></div><div>which would audit on someone executing a setuid binary if the binary isn't setuid root.</div><div><br></div><div>You can also check for writes to overly permissive files like</div><div><br></div><div>auditctl -a exit,always -F arch=b64 -C 'obj_uid!=uid' -F 'uid!=0' -F 'dir=/home/' -F 'success=1' -S open -F 'a2&=2'</div>




<div><br></div><div><div>This functionality is helpful in detecting user compromises across a shared fleet; e.g., attacker finds a world-writable shell script (/home/victim/.bashrc, it's happened...) and inserts "cp /bin/bash /tmp/; chmod 7777 /tmp/bash". After victim executes this, attacker executes /tmp/bash -p and becomes victim.</div>





</div><div><br></div><div>One strange thing related to this patch: auditd seems to be reporting success for a normal user process (gkrellm) opening /proc/meminfo (mode 444) O_RDWR, and I don't see how this is possible. E.g.:</div>



<div><br></div><div><div><div>type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2 success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797 auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000 sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm" exe="/usr/bin/gkrellm" key="permissive"</div>



<div>type=CWD msg=audit(1323540255.146:97):  cwd="/home/pmoody"</div><div>type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo" inode=4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00</div>



</div></div><div><br></div><div>Hopefully someone with more auditd internal knowledge can explain what's going on.</div><div><br></div><div>auditctl -l doesn't know how to report this yet; if this patch is generally acceptable, I can try to fix that and update the manpage, etc.</div>

<div><br></div><div>Signed-off-by: Peter Moody <<a href="mailto:pmoody@google.com">pmoody@google.com</a>></div><div><div>---</div><div> trunk/auparse/typetab.h     |    1 +</div><div> trunk/lib/fieldtab.h        |    1 +</div>

<div> trunk/lib/libaudit.c        |  144 +++++++++++++++++++++++++++++++++++++++++++</div><div> trunk/lib/libaudit.h        |    2 +</div><div> trunk/src/auditctl.c        |   19 +++++-</div><div> trunk/src/ausearch-report.c |    1 +</div>

<div> 6 files changed, 166 insertions(+), 2 deletions(-)</div><div><br></div><div>diff --git a/trunk/auparse/typetab.h b/trunk/auparse/typetab.h</div><div>index 746573c..3e6c6d1 100644</div><div>--- a/trunk/auparse/typetab.h</div>

<div>+++ b/trunk/auparse/typetab.h</div><div>@@ -32,6 +32,7 @@ _S(AUPARSE_TYPE_UID,<span class="Apple-tab-span" style="white-space:pre">            </span>"iuid"<span class="Apple-tab-span" style="white-space:pre">            </span>)</div>

<div> _S(AUPARSE_TYPE_UID,<span class="Apple-tab-span" style="white-space:pre">         </span>"id"<span class="Apple-tab-span" style="white-space:pre">              </span>)</div><div> _S(AUPARSE_TYPE_UID,<span class="Apple-tab-span" style="white-space:pre">               </span>"inode_uid"<span class="Apple-tab-span" style="white-space:pre">       </span>)</div>

<div> _S(AUPARSE_TYPE_UID,<span class="Apple-tab-span" style="white-space:pre">         </span>"sauid"<span class="Apple-tab-span" style="white-space:pre">           </span>)</div><div>+_S(AUPARSE_TYPE_UID,<span class="Apple-tab-span" style="white-space:pre">               </span>"obj_uid"<span class="Apple-tab-span" style="white-space:pre"> </span>)</div>

<div> _S(AUPARSE_TYPE_GID,<span class="Apple-tab-span" style="white-space:pre">         </span>"gid"<span class="Apple-tab-span" style="white-space:pre">             </span>)</div><div> _S(AUPARSE_TYPE_GID,<span class="Apple-tab-span" style="white-space:pre">               </span>"egid"<span class="Apple-tab-span" style="white-space:pre">            </span>)</div>

<div> _S(AUPARSE_TYPE_GID,<span class="Apple-tab-span" style="white-space:pre">         </span>"sgid"<span class="Apple-tab-span" style="white-space:pre">            </span>)</div><div>diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h</div>

<div>index ad95814..e053df6 100644</div><div>--- a/trunk/lib/fieldtab.h</div><div>+++ b/trunk/lib/fieldtab.h</div><div>@@ -55,6 +55,7 @@ _S(AUDIT_WATCH,        "path"         )</div><div> _S(AUDIT_PERM,         "perm"         )</div>

<div> _S(AUDIT_DIR,          "dir"          )</div><div> _S(AUDIT_FILETYPE,     "filetype"     )</div><div>+_S(AUDIT_OBJ_UID,      "obj_uid"      )</div><div> </div><div> _S(AUDIT_ARG0,         "a0"           )</div>

<div> _S(AUDIT_ARG1,         "a1"           )</div><div>diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c</div><div>index 9a5070c..b10f984 100644</div><div>--- a/trunk/lib/libaudit.c</div><div>+++ b/trunk/lib/libaudit.c</div>

<div>@@ -783,6 +783,148 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule,</div><div> }</div><div> hidden_def(audit_rule_syscallbyname_data)</div><div> </div><div>+int audit_rule_interfield_fieldpair_data(struct audit_rule_data **rulep,</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                                     </span> const char *pair,</div><div>+<span class="Apple-tab-span" style="white-space:pre">                                  </span> int flags) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">       </span>const char *f = pair;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>char       *v;</div><div>+<span class="Apple-tab-span" style="white-space:pre">      </span>int        op;</div><div>+<span class="Apple-tab-span" style="white-space:pre">      </span>int        field1, field2;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>int        vlen;</div><div>+<span class="Apple-tab-span" style="white-space:pre">    </span>int        offset;</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span>struct audit_rule_data *rule = *rulep;</div>

<div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>if (f == NULL)</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>return -1;</div><div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span>/* look for 2-char operators first</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>   then look for 1-char operators afterwards</div><div>+<span class="Apple-tab-span" style="white-space:pre">        </span>   when found, null out the bytes under the operators to split</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>   and set value pointer just past operator bytes</div><div>+<span class="Apple-tab-span" style="white-space:pre">   </span>*/</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span>if ( (v = strstr(pair, "!=")) ) {</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>*v++ = '\0';</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>*v++ = '\0';</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>op = AUDIT_NOT_EQUAL;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>} else if ( (v = strstr(pair, "=")) ) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">           </span>*v++ = '\0';</div><div>

+<span class="Apple-tab-span" style="white-space:pre">                </span>op = AUDIT_EQUAL;</div><div>+<span class="Apple-tab-span" style="white-space:pre">   </span>} else {</div><div>+<span class="Apple-tab-span" style="white-space:pre">            </span>fprintf(stderr, "only =, != comparisons are allowed in interfield\n");</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>return -1;</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span>}</div><div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">   </span>if (v == NULL)</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>return -1;</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span></div><div>+<span class="Apple-tab-span" style="white-space:pre">    </span>if (*f == 0)</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>return -22;</div><div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>if (*v == 0)</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>return -20;</div>

<div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>if ((field1 = audit_name_to_field(f)) < 0) </div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>return -2;</div><div>
+</div>
<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>if ((field2 = audit_name_to_field(v)) < 0) </div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>return -2;</div><div>+</div><div>
+<span class="Apple-tab-span" style="white-space:pre">        </span>/* Exclude filter can be used only with MSGTYPE field */</div>
<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>if (flags == AUDIT_FILTER_EXCLUDE && field1 != AUDIT_MSGTYPE)</div><div>+<span class="Apple-tab-span" style="white-space:pre">               </span>return -12; </div>

<div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>// It should always be AUDIT_FIELD_COMPARE</div><div>+<span class="Apple-tab-span" style="white-space:pre">  </span>rule->fields[rule->field_count] = AUDIT_FIELD_COMPARE;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>rule->fieldflags[rule->field_count] = op;</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>switch (field1)</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>{</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>case AUDIT_UID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_EUID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_EUID;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                          </span>break;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>case AUDIT_OBJ_UID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                         </span>rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_OBJ_UID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>case AUDIT_EUID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_UID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_EUID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>case AUDIT_OBJ_UID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_UID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_OBJ_UID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>case AUDIT_OBJ_GID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_GID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_OBJ_GID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>case AUDIT_GID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_EGID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_EGID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>case AUDIT_OBJ_GID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                         </span>rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_OBJ_GID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">              </span>case AUDIT_EGID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>switch(field2) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>case AUDIT_OBJ_GID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                         </span>rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_EGID;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>return -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">                   </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>/* fallthrough */</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>default:</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>if (field1 == AUDIT_INODE) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                                </span>if (!(op == AUDIT_NOT_EQUAL ||</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                                                     </span>op == AUDIT_EQUAL))</div><div>+<span class="Apple-tab-span" style="white-space:pre">                                 </span>return -13;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                 </span>}</div>

<div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>if (field1 == AUDIT_PPID && !(flags == AUDIT_FILTER_EXIT</div><div>+<span class="Apple-tab-span" style="white-space:pre">                            </span>|| flags == AUDIT_FILTER_ENTRY))</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>return -17;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                 </span></div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>if (!isdigit((char)*(v)))</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>return -21;</div><div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">                 </span>if (field1 == AUDIT_INODE)</div><div>+<span class="Apple-tab-span" style="white-space:pre">                          </span>rule->values[rule->field_count] =</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                                     </span>strtoul(v, NULL, 0);</div><div>+<span class="Apple-tab-span" style="white-space:pre">                        </span>else</div><div>+<span class="Apple-tab-span" style="white-space:pre">                                </span>rule->values[rule->field_count] =</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                                     </span>strtol(v, NULL, 0);</div><div>+<span class="Apple-tab-span" style="white-space:pre">                 </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">      </span>}</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>rule->field_count++;</div><div>+<span class="Apple-tab-span" style="white-space:pre">     </span>return 0;<span class="Apple-tab-span" style="white-space:pre">   </span></div>

<div>+}</div><div>+</div><div> int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,</div><div>                               int flags)</div><div> {</div><div>@@ -857,6 +999,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,</div>

<div> <span class="Apple-tab-span" style="white-space:pre">             </span>case AUDIT_SUID:</div><div> <span class="Apple-tab-span" style="white-space:pre">            </span>case AUDIT_FSUID:</div><div> <span class="Apple-tab-span" style="white-space:pre">           </span>case AUDIT_LOGINUID:</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>case AUDIT_OBJ_UID:</div><div>+<span class="Apple-tab-span" style="white-space:pre">         </span>case AUDIT_OBJ_GID:</div><div> <span class="Apple-tab-span" style="white-space:pre">                 </span>// Do positive & negative separate for 32 bit systems</div>

<div> <span class="Apple-tab-span" style="white-space:pre">                     </span>vlen = strlen(v);</div><div> <span class="Apple-tab-span" style="white-space:pre">                   </span>if (isdigit((char)*(v))) </div><div>diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h</div>

<div>index 8feaa39..911bce4 100644</div><div>--- a/trunk/lib/libaudit.h</div><div>+++ b/trunk/lib/libaudit.h</div><div>@@ -428,6 +428,8 @@ extern int  audit_rule_syscallbyname_data(struct audit_rule_data *rule,</div><div>

  * adding new fields */</div><div> extern int  audit_rule_fieldpair_data(struct audit_rule_data **rulep,</div><div>                                       const char *pair, int flags);</div><div>+extern int audit_rule_interfield_fieldpair_data(struct audit_rule_data **rulep,</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                                     </span> const char *pair, int flags);</div><div> extern void audit_rule_free_data(struct audit_rule_data *rule);</div><div> </div><div> #ifdef __cplusplus</div>
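<div>Review bot: the new prototype lands in a block whose header comment documents the neighbouring declarations ("adding new fields"), but nothing says what a pair looks like for this entry point or which fields may be compared; a one-line comment stating the accepted syntax (field1=field2 or field1!=field2) and that only uid/euid/obj_uid and gid/egid/obj_gid pairs are supported would save callers a trip into libaudit.c. Nit: the neighbouring declaration is written "extern int  audit_rule_fieldpair_data" with two spaces after int; keep the new one aligned the same way.</div>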

<div>diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c</div><div>index 34b7935..d7ec998 100644</div><div>--- a/trunk/src/auditctl.c</div><div>+++ b/trunk/src/auditctl.c</div><div>@@ -482,7 +482,7 @@ static int setopt(int count, int lineno, char *vars[])</div>

<div>     keylen = AUDIT_MAX_KEY_LEN;</div><div> </div><div>     while ((retval >= 0) && (c = getopt(count, vars,</div><div>-<span class="Apple-tab-span" style="white-space:pre">                       </span>"hislDvte:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>"hislDvtC:e:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {</div><div> <span class="Apple-tab-span" style="white-space:pre">   </span>int flags = AUDIT_FILTER_UNSET;</div>

<div> <span class="Apple-tab-span" style="white-space:pre">     </span>rc = 10;<span class="Apple-tab-span" style="white-space:pre">    </span>// Init to something impossible to see if unused.</div><div>         switch (c) {</div>

<div>@@ -731,7 +731,6 @@ static int setopt(int count, int lineno, char *vars[])</div><div> <span class="Apple-tab-span" style="white-space:pre">                    </span>retval = -1;</div><div> <span class="Apple-tab-span" style="white-space:pre">                        </span>break;</div>

<div> <span class="Apple-tab-span" style="white-space:pre">             </span>}</div><div>-</div><div> <span class="Apple-tab-span" style="white-space:pre">           </span>rc = audit_rule_fieldpair_data(&rule_new,optarg,flags);</div>
<div>
 <span class="Apple-tab-span" style="white-space:pre">                </span>if (rc != 0) {</div><div> <span class="Apple-tab-span" style="white-space:pre">                      </span>audit_number_to_errmsg(rc, optarg);</div><div>@@ -743,6 +742,22 @@ static int setopt(int count, int lineno, char *vars[])</div>

<div> <span class="Apple-tab-span" style="white-space:pre">             </span>}</div><div> </div><div> <span class="Apple-tab-span" style="white-space:pre">           </span>break;</div><div>+<span class="Apple-tab-span" style="white-space:pre">      </span>case 'C':</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>if (add != AUDIT_FILTER_UNSET)</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>flags = add & AUDIT_FILTER_MASK;</div><div>
+<span class="Apple-tab-span" style="white-space:pre">                </span>else if (del != AUDIT_FILTER_UNSET)</div>
<div>+<span class="Apple-tab-span" style="white-space:pre">                     </span>flags = del & AUDIT_FILTER_MASK;</div><div>+</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>rc = audit_rule_interfield_fieldpair_data(&rule_new, optarg, flags);</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>if (rc != 0) {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                      </span>audit_number_to_errmsg(rc, optarg);</div><div>+<span class="Apple-tab-span" style="white-space:pre">                 </span>retval = -1;</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">             </span>} else {</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>if (rule_new->fields[rule_new->field_count - 1] ==</div><div>+<span class="Apple-tab-span" style="white-space:pre">                    </span>    AUDIT_PERM)</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">                             </span>audit_permadded = 1;</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>}</div><div>+<span class="Apple-tab-span" style="white-space:pre">           </span>break;</div>

<div>         case 'm':</div><div> <span class="Apple-tab-span" style="white-space:pre">            </span>if (count > 3) {</div><div> <span class="Apple-tab-span" style="white-space:pre">                 </span>fprintf(stderr,</div>
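<div>Review bot: the AUDIT_PERM test in the new case 'C' is dead code carried over from the -F path: audit_rule_interfield_fieldpair_data always stores AUDIT_FIELD_COMPARE in rule->fields[], so rule_new->fields[field_count - 1] can never equal AUDIT_PERM and audit_permadded is never set; drop the else branch and keep only the error handling. Also, when neither -a nor -d preceded -C, flags stays AUDIT_FILTER_UNSET and is passed straight through to the library, which has no check for it; diagnosing that in setopt() before the call would give the user a clear message instead of a rule with no filter list.</div>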
<div>
diff --git a/trunk/src/ausearch-report.c b/trunk/src/ausearch-report.c</div><div>index d50c732..62e1ae0 100644</div><div>--- a/trunk/src/ausearch-report.c</div><div>+++ b/trunk/src/ausearch-report.c</div><div>@@ -333,6 +333,7 @@ static struct nv_pair typetab[] = {</div>

<div> <span class="Apple-tab-span" style="white-space:pre">     </span>{T_UID, "id"},</div><div> <span class="Apple-tab-span" style="white-space:pre">    </span>{T_UID, "inode_uid"},</div><div> <span class="Apple-tab-span" style="white-space:pre">     </span>{T_UID, "sauid"},</div>

<div>+<span class="Apple-tab-span" style="white-space:pre">     </span>{T_UID, "obj_uid"},</div><div> <span class="Apple-tab-span" style="white-space:pre">       </span>{T_GID, "gid"},</div><div> <span class="Apple-tab-span" style="white-space:pre">   </span>{T_GID, "egid"},</div>

<div> <span class="Apple-tab-span" style="white-space:pre">     </span>{T_GID, "sgid"},</div><div>-- </div><div>1.7.3.1</div><div><br></div><div><div><br></div></div>-- <br>
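<div>Review bot: in the libaudit.c hunk at @@ -783, the case AUDIT_EGID arm maps field2 == AUDIT_OBJ_GID to AUDIT_COMPARE_GID_TO_EGID, which is the wrong constant for that pair and is inconsistent with the AUDIT_EUID arm, which accepts only AUDIT_UID; either accept AUDIT_GID there (yielding AUDIT_COMPARE_GID_TO_EGID, mirroring the AUDIT_GID arm) or map obj_gid to a constant of its own. Two more points in the same hunk: the "/* fallthrough */" comment sits after a break and nothing falls through, so it should go; and the copied default: branch can never succeed for an interfield pair, because it requires isdigit(*v) while v has already been resolved by audit_name_to_field, so every unsupported field1 ends in return -21 rather than a meaningful error. Replacing that branch with a plain return -1 would make the supported pairs explicit. Finally, the function writes rule->fields[rule->field_count] and rule->fieldflags[...] without checking field_count against the maximum number of fields, and the AUDIT_FILTER_EXCLUDE test can only ever fail (field1 != AUDIT_MSGTYPE is always true for a compare), so rejecting exclude outright would be clearer.</div>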
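<div>Review bot: this ausearch-report.c hunk, like the typetab.h and fieldtab.h hunks, adds only obj_uid, while the libaudit.c switch accepts AUDIT_OBJ_GID for gid comparisons; without an obj_gid row in fieldtab.h, audit_name_to_field("obj_gid") fails and -C 'gid!=obj_gid' is rejected with -2, and without the matching T_GID / AUPARSE_TYPE_GID rows the reports will not interpret the field. Add the obj_gid entries to all three tables so the gid side of the feature is reachable from auditctl and rendered by ausearch and auparse.</div>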


<font face="arial, helvetica, sans-serif">Peter Moody      Google    1.650.253.7306     <br>Security Engineer  pgp:0xC3410038</font><br><br>
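<div><br></div><div>An added example, not code from the patch or the audit project: a small Python evaluator that replays the clauses of the rule tagged key=permissive over the three records quoted in the message (embedded here as constructed sample input), exposing the PATH record's ouid/ogid under the -C names obj_uid/obj_gid. Note that for open(2) the access mode is carried in a1 and a2 is the mode_t argument, so the quoted record's a2=1b6 (0666) satisfies a2&=2 even though a1=0 is O_RDONLY; the evaluator reports both so the difference is visible.</div>

```python
import re
from typing import Dict

# Constructed sample input: the three records quoted in the message (event serial 97).
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2 success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797 auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000 sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm" exe="/usr/bin/gkrellm" key="permissive"
type=CWD msg=audit(1323540255.146:97):  cwd="/home/pmoody"
type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo" inode=4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2   # open(2) access-mode bits from <fcntl.h>


def parse_event(text: str) -> Dict[str, Dict[str, str]]:
    """Split one audit event into {record type: {field: value}}, stripping quotes."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "type" in fields:
            records[fields["type"]] = fields
    return records


def rule_view(records: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flatten an event the way a -C rule sees it: the SYSCALL fields plus the
    PATH item's owner exposed under the interfield names obj_uid / obj_gid."""
    view = dict(records.get("SYSCALL", {}))
    path = records.get("PATH", {})
    if "ouid" in path:
        view["obj_uid"], view["obj_gid"] = path["ouid"], path["ogid"]
    return view


def interfield(view: Dict[str, str], pair: str) -> bool:
    """Evaluate -C 'f1=f2' or -C 'f1!=f2'. The two-character operator is tried
    first, as the patch's parser does, so '!=' is never misread as '='."""
    negate = "!=" in pair
    if "=" not in pair:
        raise ValueError("only = and != are allowed in interfield comparisons")
    lhs, rhs = pair.split("!=" if negate else "=", 1)
    equal = int(view[lhs]) == int(view[rhs])
    return (not equal) if negate else equal


def bitmask(view: Dict[str, str], field: str, mask: int) -> bool:
    """Mirror -F 'field&=mask': every bit of mask is set in the hex-printed field."""
    return (int(view[field], 16) & mask) == mask


def open_for_write(view: Dict[str, str]) -> bool:
    """Derive write intent from open(2)'s flags argument a1 (syscall 2 on x86_64);
    a2 is the mode_t argument, which the kernel consults only with O_CREAT."""
    if view.get("syscall") != "2":
        raise ValueError("argument layout below is specific to open(2) on x86_64")
    return (int(view["a1"], 16) & O_ACCMODE) in (O_WRONLY, O_RDWR)


def check_permissive_rule(text: str = SAMPLE_EVENT) -> Dict[str, bool]:
    """Clause-by-clause verdict for the key=permissive rule from the message,
    plus the euid!=uid test from the first example rule."""
    view = rule_view(parse_event(text))
    return {
        "obj_uid!=uid": interfield(view, "obj_uid!=uid"),
        "uid!=0": int(view["uid"]) != 0,
        "success=1": view["success"] == "yes",
        "a2&=2": bitmask(view, "a2", 2),            # tests the mode_t argument
        "a1 is O_WRONLY/O_RDWR": open_for_write(view),
        "euid!=uid": interfield(view, "euid!=uid"),
    }


if __name__ == "__main__":
    for clause, hit in check_permissive_rule().items():
        print(f"{clause:24} {'match' if hit else 'no match'}")
```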
</div>