[RFC][PATCH] auditctl: add user anomaly type options v0.2

George C. Wilson ltcgcw at us.ibm.com
Wed Mar 22 17:26:05 UTC 2006


This patch is a slight cleanup to the original patch.  It also has
manpage changes.  I couldn't resist correcting typos in the original
manpage but was bad and didn't break them out into a separate patch.
You may want to fix them manually even if you don't accept this
patch as a whole.

Thanks,
George

diff -Naurp audit-1.1.5.orig/docs/auditctl.8 audit-1.1.5/docs/auditctl.8
--- audit-1.1.5.orig/docs/auditctl.8	2006-01-04 16:30:16.000000000 -0600
+++ audit-1.1.5/docs/auditctl.8	2006-03-20 22:11:24.000000000 -0600
@@ -29,17 +29,20 @@ List all rules 1 per line.
 \fB\-k\fR <key>
 Set a filter key on a filesystem watch. The filterkey is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by the watch.  
 .TP
+\fB\-u\fR <type>
+Set userspace message type. <type> is an integer from 2100 to 2199 that corresponds to one of the anomaly constants defined in libaudit.h. It is used in conjunction with the -m option, which it must precede.
+.TP
 \fB\-m\fR text
-Send a user-space message into the audit system. This can only be done by the root user.
+Send a userspace message into the audit system. This can only be done by the root user. This option must follow the -u option.
 .TP
 \fB\-p\fR [r|w|x|a]
 Set permissions filter for a file system watch. r=read, w=write, x=execute, a=append.
 .TP
 \fB\-r\fR <rate>
-Set limit in messages/sec (0=none) If this rate is non-zero and is exceeded, the failure flag is consulted by the kernel for action. The default value is 0.
+Set limit in messages/sec (0=none). If this rate is non-zero and is exceeded, the failure flag is consulted by the kernel for action. The default value is 0.
 .TP
 \fB\-R\fR <file>
-Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceeded by auditctl (since auditctl is the one executing the file).
+Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file).
 .TP
 \fB\-s\fR
 Report status
@@ -58,7 +61,7 @@ Add a rule to the syscall entry list. Th
 Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.
 .TP
 .B user
-Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, and  pid. All other fileds will be treated as non-matching.
+Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, and  pid. All other fields will be treated as non-matching.
 .TP
 .B watch
 Add a rule to the file system watch filter list. This list is used to filter events that originate from file system watches. You can use syscall matching with this list, but the only syscalls that are meaningful are I/O related.
@@ -154,7 +157,7 @@ Exit value from a syscall
 If the exit value is >= 0 this is true/yes otherwise its false/no. When writing a rule, use a 1 for true/yes and a 0 for false/no
 .TP
 .B a0, a1, a2, a3
-Respectively, the first 4 arguments to a syscall. Note that string arguments are not supported. This is because the kernel is passed a pointer to the string. Triggering on a pointer address value is not likely to work. So, when using this, you should only use on numeric values. This is most likely to be used on platforms that multiplex socket or ipc operations.
+Respectively, the first 4 arguments to a syscall. Note that string arguments are not supported. This is because the kernel is passed a pointer to the string. Triggering on a pointer address value is not likely to work. So, when using this, you should only use on numeric values. This is most likely to be used on platforms that multiplex socket or IPC operations.
 .RE
 .TP
 \fB\-w\fR <path>
@@ -175,5 +178,9 @@ To see unsuccessful open call's:
 
 auditctl -a exit,always -S open -F success!=0
 
+To send a userspace RBAC anomaly message:
+
+auditctl -u 2108 -m "rbac failed"
+
 .SH "SEE ALSO"
 .B auditd(8)
diff -Naurp audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
--- audit-1.1.5.orig/src/auditctl.c	2006-03-05 07:40:35.000000000 -0600
+++ audit-1.1.5/src/auditctl.c	2006-03-20 22:11:24.000000000 -0600
@@ -121,13 +121,14 @@ static void usage(void)
      "    -i           Ignore errors when reading rules from file\n"
      "    -k <key>     Set filterkey on watch\n"
      "    -l           List rules\n"
-     "    -m text      Send a user-space message\n"
+     "    -m text      Send a userspace message\n"
      "    -p [r|w|x|a] Set permissions filter on watch\n"
      "                 r=read, w=write, x=execute, a=append\n"
      "    -r <rate>    Set limit in messages/sec (0=none)\n"
      "    -R <file>    read rules from file\n"
      "    -s           Report status\n"
      "    -S syscall   Build rule: syscall name or number\n"
+     "    -u <type>    Specify the type of userspace anomaly message by number\n"
      "    -v           Version\n"
      "    -w <path>    Insert watch at <path>\n"
      "    -W <path>    Remove watch at <path>\n"
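Review bot: The new `-u` line in usage() omits the two facts a user needs to use the option correctly, that it must come before `-m` and which numbers are accepted, while the man-page hunk in this same patch states both (2100 to 2199, must precede -m). Keeping the help text in step avoids the "-u must be given before -m" error being the first place a user learns about the ordering; something like `"    -u <type>    Set userspace anomaly message type (2100-2199); must precede -m\n"` would do. usage() begins before this hunk.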
@@ -326,12 +327,14 @@ void audit_request_both_lists(int fd)
 static int setopt(int count, char *vars[])
 {
     int c;
+    int user_message_type = 0;
     int retval = 0;
 
     optind = 0;
     opterr = 0;
+
     while ((retval >= 0) && (c = getopt(count, vars,
-			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
+			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:u:")) != EOF) {
 	int flags = AUDIT_FILTER_UNSET;
         switch (c) {
         case 'h':
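Review bot: Initialising `user_message_type` to 0 on the added declaration changes the meaning of a bare `-m text`: in the 'm' case of the next hunk the removed code sent it as AUDIT_USER, but the new code now rejects it with "-u must be given before -m", so existing scripts and rule files that use `-m` without `-u` stop working. Defaulting the variable to the old type keeps that behaviour while still letting `-u` select an anomaly type, `int user_message_type = AUDIT_USER;`, after which the else branch in the 'm' case and the "must follow the -u option" sentence in the man page can go. If rejecting a plain `-m` is intended, the commit message should say so, as it is a user-visible change. The same point applies to the 'm' case hunk below; setopt's body continues past this hunk.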
@@ -589,11 +592,17 @@ static int setopt(int count, char *vars[
 		}
 		break;
         case 'm':
-		if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL, 
-				NULL, NULL, 1) <=0)
-			retval = -1;
-		else
-			return -2;  // success - no reply for this
+		if (user_message_type) {
+			if (audit_log_user_message( fd, user_message_type, optarg,
+					NULL, NULL, NULL, 1) <=0)
+				retval = -1;
+			else
+				return -2;  // success - no reply for this
+		} else {
+			fprintf(stderr,
+			    "Error - -u must be given before -m\n");
+				retval = -1;
+		}
 		break;
 	case 'R':
 		fprintf(stderr, "Error - nested rule files not supported\n");
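Review bot: In the new else branch of case 'm', `retval = -1;` is indented one tab deeper than the `fprintf(stderr,` it follows, so it reads as a continuation of the call rather than the next statement; align it with the fprintf as the other error paths in this switch do. The message `"Error - -u must be given before -m\n"` follows the file's existing `Error - ` prefix (see the nested-rule-file message on the next line), but the two messages added in the later 'u' case hunk do not, so the three new messages would be more consistent with one convention. setopt continues outside this hunk.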
@@ -659,6 +668,21 @@ static int setopt(int count, char *vars[
 		else
 			retval = audit_setup_perms(&watch, optarg);
 		break;
+	case 'u':
+		if (optarg) {
+			user_message_type = atoi(optarg);
+			if (user_message_type < AUDIT_FIRST_ANOM_MSG ||
+					user_message_type > AUDIT_LAST_ANOM_MSG) {
+				fprintf(stderr,
+					"user message type must be a number from %d to %d\n",
+					AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
+				retval = -1;
+			}
+		} else {
+			fprintf(stderr, "user message type option needs a type number\n");	
+			retval = -1;
+		}
+		break;
 	case 'v':
 			printf("auditctl version %s\n", VERSION);
 			retval = -2;
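Review bot: `atoi(optarg)` in the new 'u' case cannot distinguish `-u abc` or `-u 2108x` from a real value: it returns 0 for non-numeric input, silently ignores trailing characters, and its behaviour on overflow is undefined, so the range check that follows only sees a number that may not be what the user typed. Parsing with `strtol` and checking the end pointer lets the existing range test do the whole job (an overflowed `LONG_MAX`/`LONG_MIN` also fails it, so no errno handling is needed here). The `if (optarg)` guard and its else branch are dead, because `u:` in the getopt string makes the argument mandatory and getopt reports a missing one as '?' rather than returning 'u' with a NULL optarg; the stray trailing tab after that fprintf can go with it. The rewrite below assumes `<stdlib.h>` is already included for atoi.
```c
	case 'u': {
		char *end = NULL;
		long type = strtol(optarg, &end, 10);
		/* reject empty input, trailing junk, and anything outside the anomaly range */
		if (*optarg == '\0' || *end != '\0' ||
		    type < AUDIT_FIRST_ANOM_MSG || type > AUDIT_LAST_ANOM_MSG) {
			fprintf(stderr,
				"Error - user message type must be a number from %d to %d\n",
				AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
			retval = -1;
		} else
			user_message_type = (int)type;
		break;
	}
```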

-- 
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center



