[[PATCH V2] 1/2] userspace: audit: log on the future execution of a path

Richard Guy Briggs rgb at redhat.com
Tue Jul 14 15:46:48 UTC 2015


Enable creation of rules to monitor for the execution of a path in the future.

For example, to log occurrences of touch(1)ing a file in /tmp, use:
	-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=touch_tmp

The command:
	touch /tmp/test

should generate a log message that can be verified by:
	ausearch --start recent -k touch_tmp

Similarly, use "exe_children=" in the place of "exe=" to detect the case for
any descendent processes.

Based-on-work-by: Peter Moody <pmoody at google.com>
Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 trunk/lib/errormsg.h         |    2 +-
 trunk/lib/fieldtab.h         |    2 ++
 trunk/lib/libaudit.c         |    5 +++++
 trunk/lib/libaudit.h         |    7 ++++++-
 trunk/src/auditctl-listing.c |    8 +++++++-
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4fea66..8d72bd8 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
     { -15,    2,    "-F unknown errno -"},
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
-    { -18,    1,    "" }, // Unused
+    { -18,    1,    "only takes = operator" },
     { -19,    0,    "Key field needs a watch or syscall given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index dd7474c..c458c32 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3,         "a3"           )
 
 _S(AUDIT_FILTERKEY,    "key"          )
 
+_S(AUDIT_EXE,          "exe"          )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index dddfd0b..d7da4ec 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1395,6 +1395,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
 		case AUDIT_FILTERKEY:
+		case AUDIT_EXE_CHILDREN:
+		case AUDIT_EXE:
+			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
+			    op != AUDIT_EQUAL)
+				return -18;
 			if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
                                 return -19;
 			vlen = strlen(v);
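Review bot: The new branch validates only the operator; the exe value itself is accepted verbatim by the length/copy path that follows, so a bare name such as `touch` passes even though the commit message's example (`/usr/sbin/touch`) suggests the kernel compares against an absolute path, and such a rule would presumably be loaded but never fire. Consider rejecting non-absolute values before the length is taken, e.g. `if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) && *v != '/') return -<ERRNO_PLACEHOLDER>;` with a matching entry in err_msgtab, so the mistake is reported at rule-add time rather than discovered as a silent non-match. audit_rule_fieldpair_data starts and ends outside the hunk, so whether the WATCH/DIR path already has such a check cannot be seen here.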
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 05ee91e..1d3a697 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -274,6 +274,12 @@ extern "C" {
 #ifndef AUDIT_FIELD_COMPARE
 #define AUDIT_FIELD_COMPARE 111
 #endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
 
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
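Review bot: The fallback values 112 and 113 for AUDIT_EXE and AUDIT_EXE_CHILDREN carry no note on where they come from; the #ifndef only applies when the installed kernel headers lack the symbols, so if the kernel side ends up assigning different numbers the fallback would silently disagree with what the kernel parses. Add a comment naming the authority next to the new defines, e.g. `/* AUDIT_EXE* fallbacks: must match the values in the kernel's uapi/linux/audit.h */`, so whoever later bumps these knows what to check against.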
@@ -580,4 +586,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
 #endif
 
 #endif
-
diff --git a/trunk/src/auditctl-listing.c b/trunk/src/auditctl-listing.c
index 1dc9729..339dec7 100644
--- a/trunk/src/auditctl-listing.c
+++ b/trunk/src/auditctl-listing.c
@@ -63,7 +63,8 @@ int key_match(const struct audit_rule_data *r)
 		}
 		if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
                      && field != AUDIT_PPID) || field == AUDIT_WATCH ||
-			field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
+			field == AUDIT_DIR || field == AUDIT_FILTERKEY
+		     || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
 				boffset += r->values[i];
 		}
 	}
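Review bot: The added continuation line starts with `||`, whereas the surrounding condition, including the line immediately above it, ends each line with `||`; mixing the two forms in one expression makes the parenthesis nesting harder to read. Keep the existing form: `field == AUDIT_DIR || field == AUDIT_FILTERKEY ||` followed by `field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {`. The enclosing loop in key_match starts before the hunk.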
@@ -357,6 +358,11 @@ static void print_rule(const struct audit_rule_data *r)
 						&r->buf[boffset]);
 
 				boffset += r->values[i];
+			} else if (field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
+				printf(" -F exe%s=%.*s",
+					field == AUDIT_EXE_CHILDREN ? "_children" : "",
+					r->values[i], &r->buf[boffset]);
+				boffset += r->values[i];
 			} else if (field == AUDIT_FILTERKEY) {
 				char *rkey, *ptr, *saved=NULL;
 				if (asprintf(&rkey, "%.*s", r->values[i],
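Review bot: The `exe%s` plus `"_children"` construction re-spells the field names that fieldtab.h already declares for AUDIT_EXE and AUDIT_EXE_CHILDREN, so the listing output and the parser's accepted spelling can drift apart. Using the table keeps a single source of truth: `printf(" -F %s=%.*s", audit_field_to_name(field), r->values[i], &r->buf[boffset]);`. print_rule's body continues outside the hunk.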
-- 
1.7.1



