[RFC][PATCH] auditctl: add user anomoly type option

George C. Wilson ltcgcw at us.ibm.com
Mon Mar 20 19:57:25 UTC 2006


This patch adds -u <type> to auditctl.  It allows a userspace
message sender to specify the message type by number.  Manpage
update to follow if this proves OK.

diff -Narp audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
*** audit-1.1.5.orig/src/auditctl.c	2006-03-05 07:40:35.000000000 -0600
--- audit-1.1.5/src/auditctl.c	2006-03-18 19:25:43.000000000 -0600
*************** static void usage(void)
*** 128,133 ****
--- 128,134 ----
       "    -R <file>    read rules from file\n"
       "    -s           Report status\n"
       "    -S syscall   Build rule: syscall name or number\n"
+      "    -u <type>    Specify the type of user-space anomaly message by number\n"
       "    -v           Version\n"
       "    -w <path>    Insert watch at <path>\n"
       "    -W <path>    Remove watch at <path>\n"
*************** void audit_request_both_lists(int fd)
*** 326,337 ****
  static int setopt(int count, char *vars[])
  {
      int c;
      int retval = 0;
  
      optind = 0;
      opterr = 0;
      while ((retval >= 0) && (c = getopt(count, vars,
! 			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
  	int flags = AUDIT_FILTER_UNSET;
          switch (c) {
          case 'h':
--- 327,340 ----
  static int setopt(int count, char *vars[])
  {
      int c;
+     int user_message_type = 0;
      int retval = 0;
  
      optind = 0;
      opterr = 0;
+ 
      while ((retval >= 0) && (c = getopt(count, vars,
! 			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:u:")) != EOF) {
  	int flags = AUDIT_FILTER_UNSET;
          switch (c) {
          case 'h':
*************** static int setopt(int count, char *vars[
*** 589,599 ****
  		}
  		break;
          case 'm':
! 		if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL, 
! 				NULL, NULL, 1) <=0)
! 			retval = -1;
! 		else
! 			return -2;  // success - no reply for this
  		break;
  	case 'R':
  		fprintf(stderr, "Error - nested rule files not supported\n");
--- 592,608 ----
  		}
  		break;
          case 'm':
! 		if (user_message_type) {
! 			if (audit_log_user_message( fd, user_message_type, optarg,
! 					NULL, NULL, NULL, 1) <=0)
! 				retval = -1;
! 			else
! 				return -2;  // success - no reply for this
! 		} else {
! 			fprintf(stderr,
! 			    "Error - -u must be given before -m\n");
! 				retval = -1;
! 		}
  		break;
  	case 'R':
  		fprintf(stderr, "Error - nested rule files not supported\n");
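Review bot: The new `case 'm':` branch rejects `-m` unless `-u` was parsed first, so invocations that previously sent an AUDIT_USER record with a bare `-m text` now fail with "-u must be given before -m". Defaulting the type keeps the old behaviour and removes the else branch: declare `int user_message_type = AUDIT_USER;` (the declaration is in the earlier setopt() hunk) and call `audit_log_user_message(fd, user_message_type, optarg, NULL, NULL, NULL, 1)` unconditionally. If the ordering requirement is kept instead, the `-u` usage line should say that it must precede `-m`, and the `retval = -1;` after the fprintf should be indented to match it. setopt()'s body starts and ends outside this hunk.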
*************** static int setopt(int count, char *vars[
*** 659,664 ****
--- 668,689 ----
  		else
  			retval = audit_setup_perms(&watch, optarg);
  		break;
+ 	case 'u':
+ 		if (optarg) {
+ 			user_message_type = atoi(optarg);
+ 			if (user_message_type >= AUDIT_FIRST_ANOM_MSG &&
+ 				user_message_type <= AUDIT_LAST_ANOM_MSG) {
+ 			} else {
+ 				fprintf(stderr,
+ 					"user message type must be a number from %d to %d\n",
+ 					AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
+ 				retval = -1;
+ 			}
+ 		} else {
+ 			fprintf(stderr, "user message type option needs a type number\n");	
+ 			retval = -1;
+ 		}
+ 		break;
  	case 'v':
  			printf("auditctl version %s\n", VERSION);
  			retval = -2;
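Review bot: The `case 'u':` branch parses the type with `atoi(optarg)`, which cannot report errors: trailing garbage after a valid number is silently accepted, and out-of-range input is undefined behaviour. Because this value becomes the record type written to the audit trail, it should be parsed strictly with strtol(), checking the end pointer and errno, before the AUDIT_FIRST_ANOM_MSG..AUDIT_LAST_ANOM_MSG range test. The empty `if` body reads better with the condition inverted. The `if (optarg)` test is redundant because getopt() never returns an option declared as `u:` without an argument. The sketch below assumes <errno.h> is already included in auditctl.c, which the hunk does not show.

```c
	case 'u': {
		char *end;
		long type;

		errno = 0;
		type = strtol(optarg, &end, 10);
		if (errno || end == optarg || *end != '\0' ||
		    type < AUDIT_FIRST_ANOM_MSG || type > AUDIT_LAST_ANOM_MSG) {
			fprintf(stderr,
				"user message type must be a number from %d to %d\n",
				AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
			retval = -1;
		} else {
			user_message_type = (int)type;
		}
		break;
	}
```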

-- 
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center



