[PATCH] Added support for virtualization related fields to ausearch.

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Dec 15 15:53:11 UTC 2011


This patch adds support to ausearch for searching for events related to a
guest, as proposed in the RFC:

https://www.redhat.com/archives/linux-audit/2011-November/msg00014.html

Two new options were added:

    --uuid uuid
        Search for an event with the given guest UUID. The given uuid is
        compared to the value from the "uuid" field of a record.

    --vm-name name
        Search for an event with the given guest name. The given name is
        compared to the value from the "vm" field of a record.

Signed-off-by: Marcelo Cerri <mhcerri at linux.vnet.ibm.com>
---
 docs/ausearch.8        |    6 ++++++
 src/aureport-options.c |    4 ++++
 src/ausearch-common.h  |    4 ++++
 src/ausearch-llist.c   |    8 ++++++++
 src/ausearch-llist.h   |    8 ++++++--
 src/ausearch-match.c   |   18 ++++++++++++++++++
 src/ausearch-options.c |   42 +++++++++++++++++++++++++++++++++++++++++-
 src/ausearch-parse.c   |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 134 insertions(+), 3 deletions(-)

diff --git a/docs/ausearch.8 b/docs/ausearch.8
index 54018ae..704fb52 100644
--- a/docs/ausearch.8
+++ b/docs/ausearch.8
@@ -129,9 +129,15 @@ Search for an event with the given \fIuser ID\fP.
 .BR \-ul ,\  \-\-loginuid \ \fIlogin-id\fP
 Search for an event with the given \fIlogin user ID\fP. All entry point programs that are pamified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate.
 .TP
+.BR \-uu ,\  \-\-uuid \ \fIguest-uuid\fP
+Search for an event with the given \fIguest UUID\fP.
+.TP
 .BR \-v ,\  \-\-version
 Print the version and exit
 .TP
+.BR \-vm ,\  \-\-vm-name \ \fIguest-name\fP
+Search for an event with the given \fIguest name\fP.
+.TP
 .BR \-w ,\  \-\-word
 String based matches must match the whole word. This category of matches include: filename, hostname, terminal, and SE Linux context.
 .TP
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 9786043..72a1d15 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -1,5 +1,6 @@
 /* aureport-options.c - parse commandline options and configure aureport
  * Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@
  *
  * Authors:
  *     Steve Grubb <sgrubb at redhat.com>
+ *     Marcelo Henrique Cerri <mhcerri at br.ibm.com>
  */
 
 #include "config.h"
@@ -49,6 +51,8 @@ const char *event_hostname = NULL;
 const char *event_terminal = NULL;
 const char *event_subject = NULL;
 const char *event_object = NULL;
+const char *event_uuid = NULL;
+const char *event_vmname = NULL;
 int event_exit = 0, event_exit_is_set = 0;
 int event_ppid = -1, event_session_id = -2;
 
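Review bot: `event_uuid` and `event_vmname` are defined in aureport-options.c but nothing in this patch assigns them from aureport's own option parsing; they appear to exist only so that the parse code shared with ausearch (which reads them) still links. A one-line comment above the two definitions, e.g. `/* never set by aureport; referenced by the shared ausearch-parse.c */`, would save the next reader a grep and make it clear that the virt filters are intentionally inert in aureport.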
diff --git a/src/ausearch-common.h b/src/ausearch-common.h
index f9d0d9b..2ee1f33 100644
--- a/src/ausearch-common.h
+++ b/src/ausearch-common.h
@@ -1,5 +1,6 @@
 /* ausearch-common.h -- 
  * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@
  *
  * Authors:
  *   Steve Grubb <sgrubb at redhat.com>
+ *   Marcelo Henrique Cerri <mhcerri at br.ibm.com>
  * 
  */
 
@@ -42,6 +44,8 @@ extern int event_syscall;
 extern const char *event_exe;
 extern int event_ua, event_ga;
 extern int event_exit, event_exit_is_set;
+extern const char *event_uuid;
+extern const char *event_vmname;
 
 typedef enum { F_BOTH, F_FAILED, F_SUCCESS } failed_t;
 typedef enum { C_NEITHER, C_ADD, C_DEL } conf_act_t;
diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
index 32cda7e..5d25e7c 100644
--- a/src/ausearch-llist.c
+++ b/src/ausearch-llist.c
@@ -1,6 +1,7 @@
 /*
 * ausearch-llist.c - Minimal linked list library
 * Copyright (c) 2005-2008, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
 * All Rights Reserved. 
 *
 * This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
 *
 * Authors:
 *   Steve Grubb <sgrubb at redhat.com>
+*   Marcelo Henrique Cerri <mhcerri at br.ibm.com>
 */
 
 #include <stdlib.h>
@@ -55,6 +57,8 @@ void list_create(llist *l)
 	l->s.arch = 0;
 	l->s.syscall = 0;
 	l->s.session_id = -2;
+	l->s.uuid = NULL;
+	l->s.vmname = NULL;
 	l->s.exit = 0;
 	l->s.exit_is_set = 0;
 }
@@ -197,6 +201,10 @@ void list_clear(llist* l)
 	l->s.arch = 0;
 	l->s.syscall = 0;
 	l->s.session_id = -2;
+	free(l->s.uuid);
+	l->s.uuid = NULL;
+	free(l->s.vmname);
+	l->s.vmname = NULL;
 	l->s.exit = 0;
 	l->s.exit_is_set = 0;
 }
diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
index a77d800..4ab6f14 100644
--- a/src/ausearch-llist.h
+++ b/src/ausearch-llist.h
@@ -1,6 +1,7 @@
 /*
 * ausearch-llist.h - Header file for ausearch-llist.c
 * Copyright (c) 2005-2008 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
 * All Rights Reserved.
 *
 * This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
 *
 * Authors:
 *   Steve Grubb <sgrubb at redhat.com>
+*   Marcelo Henrique Cerri <mhcerri at br.ibm.com>
 */
 
 #ifndef AULIST_HEADER
@@ -62,8 +64,10 @@ typedef struct
   slist *key;           // key field
   char *terminal;       // terminal
   char *comm;           // comm name
-  alist *avc;		// avcs for the event
-  char *acct;		// account used when uid is invalid
+  alist *avc;           // avcs for the event
+  char *acct;           // account used when uid is invalid
+  char *uuid;           // virtual machine unique universal identifier
+  char *vmname;         // virtual machine name
 } search_items;
 
 /* This is the node of the linked list. Any data elements that are per
diff --git a/src/ausearch-match.c b/src/ausearch-match.c
index 24b9320..18e52cb 100644
--- a/src/ausearch-match.c
+++ b/src/ausearch-match.c
@@ -1,6 +1,7 @@
 /*
 * ausearch-match.c - Extract interesting fields and check for match
 * Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
 * All Rights Reserved. 
 *
 * This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
 *
 * Authors:
 *   Steve Grubb <sgrubb at redhat.com>
+*   Marcelo Henrique Cerri <mhcerri at br.ibm.com>
 */
 
 #include "config.h"
@@ -201,6 +203,22 @@ int match(llist *l)
 							return 0;
 					}
 				}				
+				if (event_vmname) {
+					if (l->s.vmname == NULL) {
+						return 0;
+					}
+					if (strmatch(event_vmname, l->s.vmname) == 0) {
+						return 0;
+					}
+				}
+				if (event_uuid) {
+					if (l->s.uuid == NULL) {
+						return 0;
+					}
+					if (strmatch(event_uuid, l->s.uuid) == 0) {
+						return 0;
+					}
+				}
 				if (context_match(l) == 0)
 					return 0;
 				return 1;
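Review bot: The new `strmatch(event_uuid, l->s.uuid)` comparison is only as strict as strmatch itself; if it is the same helper used for the other string fields (a whole-string compare under --word and a substring search otherwise), then an operator who types the UUID in upper case will not match the lower-case form recorded in the log, and a short fragment given without -w will match many guests. UUIDs are case-insensitive by definition, so either normalise the case of both sides before the compare or have the man page state that --uuid is case-sensitive. The vmname block has the same shape and is fine, though both could be collapsed to `if (event_vmname && (l->s.vmname == NULL || strmatch(event_vmname, l->s.vmname) == 0)) return 0;` to match the terser style of the surrounding checks. match() starts and ends outside the hunk.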
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index 8f4b64e..a92e23f 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -1,5 +1,6 @@
 /* ausearch-options.c - parse commandline options and configure ausearch
  * Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -19,6 +20,7 @@
  * Authors:
  *     Debora Velarde <dvelarde at us.ibm.com>
  *     Steve Grubb <sgrubb at redhat.com>
+ *     Marcelo Henrique Cerri <mhcerri at br.ibm.com>
  */
 
 #include "config.h"
@@ -61,6 +63,8 @@ const char *event_hostname = NULL;
 const char *event_terminal = NULL;
 const char *event_subject = NULL;
 const char *event_object = NULL;
+const char *event_uuid = NULL;
+const char *event_vmname = NULL;
 report_t report_format = RPT_DEFAULT;
 ilist *event_type;
 
@@ -77,7 +81,7 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED };
+S_LINEBUFFERED, S_UUID, S_VMNAME};
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
@@ -141,10 +145,14 @@ static struct nv_pair optiontab[] = {
 	{ S_EFF_UID, "--uid-effective" },
 	{ S_UID, "-ui" },
 	{ S_UID, "--uid" },
+	{ S_UUID, "-uu" },
+	{ S_UUID, "--uuid" },
 	{ S_LOGINID, "-ul" },
 	{ S_LOGINID, "--loginuid" },
 	{ S_VERSION, "-v" },
 	{ S_VERSION, "--version" },
+	{ S_VMNAME, "-vm" },
+	{ S_VMNAME, "--vm-name" },
 	{ S_EXACT_MATCH, "-w" },
 	{ S_EXACT_MATCH, "--word" },
 	{ S_EXECUTABLE, "-x" },
@@ -199,7 +207,11 @@ static void usage(void)
 	"\t-ue,--uid-effective <effective User id>  search based on Effective\n\t\t\t\t\tuser id\n"
 	"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
 	"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+	"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
+	"\t\t\t\t\tmachine with the given UUID.\n"
 	"\t-v,--version\t\t\tversion\n"
+	"\t-vm,--vm-name <guest name>\tsearch for events related to the virtual\n"
+	"\t\t\t\t\tmachine with the name.\n"
 	"\t-w,--word\t\t\tstring matches are whole word\n"
 	"\t-x,--executable  <executable name>  search based on excutable name\n"
 	);
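Review bot: The second line of the new --vm-name usage text drops a word: `"\t\t\t\t\tmachine with the name.\n"` should read `"\t\t\t\t\tmachine with the given name.\n"`, matching the --uuid line two lines above and the wording in the man page hunk. usage() starts outside the hunk.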
@@ -997,6 +1009,34 @@ int check_params(int count, char *vars[])
                         }
 			c++;
 			break;
+		case S_UUID:
+			if (!optarg) {
+				fprintf(stderr,
+					"Argument is required for %s\n",
+					vars[c]);
+				retval = -1;
+			} else {
+				event_uuid = strdup(optarg);
+				if (event_uuid == NULL) {
+					retval = -1;
+				}
+				c++;
+			}
+			break;
+		case S_VMNAME:
+			if (!optarg) {
+				fprintf(stderr,
+					"Argument is required for %s\n",
+					vars[c]);
+				retval = -1;
+			} else {
+				event_vmname= strdup(optarg);
+				if (event_vmname == NULL) {
+					retval = -1;
+				}
+				c++;
+			}
+			break;
 		case S_VERSION:
 	                printf("ausearch version %s\n", VERSION);
 			exit(0);
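Review bot: In both new cases a NULL from strdup() only sets `retval = -1`, so the user gets a failing exit with no message, while the missing-argument branch directly above writes the reason to stderr; adding `fprintf(stderr, "Out of memory\n");` (or whatever wording this file already uses for allocation failure) beside each `retval = -1` keeps the two failure paths consistent. Style nit on the S_VMNAME case: `event_vmname= strdup(optarg);` is missing the space before `=`. Neither option checks its argument, which is acceptable given the substring semantics of the match, but a repeated --uuid or --vm-name overwrites the earlier strdup result without freeing it; if the neighbouring string options do the same this can stay as is. check_params() starts and ends outside the hunk.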
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index f7ec834..f9363d9 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1,6 +1,7 @@
 /*
 * ausearch-parse.c - Extract interesting fields and check for match
 * Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp. 
 * All Rights Reserved. 
 *
 * This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
 *
 * Authors:
 *   Steve Grubb <sgrubb at redhat.com>
+*   Marcelo Henrique Cerri <mhcerri at br.ibm.com>
 */
 
 #include "config.h"
@@ -767,6 +769,50 @@ static int parse_user(const lnode *n, search_items *s)
 				return 13;
 		}
 	}
+	if (event_vmname) {
+		str = strstr(term, "vm=");
+		if (str) {
+			str += 3;
+			if (*str == '"') {
+				str++;
+			}
+			term = str;
+			while (*term != '"' && *term != ' ' &&
+			       *term != ':' && *term != ',' &&
+			       *term != 0) {
+				term++;
+			}
+			if (term == str) {
+				return 23;
+			}
+			saved = *term;
+			*term = 0;
+			s->vmname= strdup(str);
+			*term = saved;
+		}
+	}
+	if (event_uuid) {
+		str = strstr(term, "uuid=");
+		if (str) {
+			str += 5;
+			if (*str == '"') {
+				str++;
+			}
+			term = str;
+			while (*term != '"' && *term != ' ' &&
+			       *term != ':' && *term != ',' &&
+			       *term != 0) {
+				term++;
+			}
+			if (term == str) {
+				return 24;
+			}
+			saved = *term;
+			*term = 0;
+			s->uuid = strdup(str);
+			*term = saved;
+		}
+	}
 	// get uid - something has uid after auid ??
 	str = strstr(term, "uid=");
 	if (str != NULL) {
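Review bot: In both new blocks the value scan stops at `"`, space, `:`, `,` or NUL even after the opening double quote was consumed by `if (*str == '"') str++;`, so a quoted `vm="..."` whose name contains a space or a colon is cut at its first token and then never matches the full name given on the command line; once the opening quote has been seen the loop should terminate only on the closing quote or NUL. Second, `s->vmname= strdup(str)` and `s->uuid = strdup(str)` overwrite whatever the previous record of the same event stored without freeing it (if parse_user() runs for more than one record per event, that is a leak), and a NULL from strdup is not reported, so an allocation failure silently becomes a non-match in match(); freeing the old pointer first and returning a fresh error code on NULL would close both. Also note that `term` is advanced past the uuid value only when --uuid was given, and `"uid="` is a substring of `"uuid="`, so the later `strstr(term, "uid=")` search starts from a different point depending on the options and can land inside the uuid field when --uuid is absent; either skip the field unconditionally or leave a comment explaining the coupling. Style nit: `s->vmname= strdup(str);` is missing the space before `=`. parse_user() starts and ends outside the hunk.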
@@ -959,6 +1005,7 @@ static int parse_user(const lnode *n, search_items *s)
 			*term = ')';
 		}
 	}
+	/* last return code used = 24 */
 	return 0;
 }
 
-- 
1.7.1



