[[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path.

Richard Guy Briggs rgb at redhat.com
Tue Jul 14 15:46:49 UTC 2015


Allow rules to be created that are accompanied by neither a file or directory
watch nor a syscall specification.

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   12 ++++++++----
 trunk/lib/private.h  |    1 +
 trunk/src/auditctl.c |    8 +++++++-
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 8d72bd8..2624567 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -52,7 +52,7 @@ static const struct msg_tab err_msgtab[] = {
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
     { -18,    1,    "only takes = operator" },
-    { -19,    0,    "Key field needs a watch or syscall given prior to it" },
+    { -19,    0,    "Key field needs a watch, syscall or exe path given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
     { -22,    2,    "-F missing field name before operator for" },
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index d7da4ec..b06c76b 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -82,6 +82,7 @@ static const struct nv_list failure_actions[] =
 int _audit_permadded = 0;
 int _audit_archadded = 0;
 int _audit_syscalladded = 0;
+int _audit_exeadded = 0;
 unsigned int _audit_elf = 0U;
 static struct libaudit_conf config;
 
@@ -1397,10 +1398,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_FILTERKEY:
 		case AUDIT_EXE_CHILDREN:
 		case AUDIT_EXE:
-			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
-			    op != AUDIT_EQUAL)
-				return -18;
-			if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
+			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {
+				if (op != AUDIT_EQUAL)
+					return -18;
+				_audit_exeadded = 1;
+			}
+			if (field == AUDIT_FILTERKEY
+			    && !(_audit_syscalladded || _audit_permadded || _audit_exeadded))
                                 return -19;
 			vlen = strlen(v);
 			if (field == AUDIT_FILTERKEY &&
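Review bot: `_audit_exeadded = 1;` is executed before the field's value has been checked — the `vlen = strlen(v);` line and whatever validation follows it lie below the hunk — so a rejected exe value presumably leaves the flag set for the remainder of the rule being built, unlike the -18 path just above it, which returns before anything is recorded. Setting the flag only after the value checks succeed, or clearing it on the later error returns, would keep it on the same footing as `_audit_syscalladded` and `_audit_permadded`. As a point of style, the doubled parentheses in `if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {` can be reduced to a single pair. The enclosing audit_rule_fieldpair_data starts and ends outside the hunk.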
diff --git a/trunk/lib/private.h b/trunk/lib/private.h
index a0e3e35..7d7fd13 100644
--- a/trunk/lib/private.h
+++ b/trunk/lib/private.h
@@ -131,6 +131,7 @@ extern int audit_send_user_message(int fd, int type, hide_t hide_err,
 extern int _audit_permadded;
 extern int _audit_archadded;
 extern int _audit_syscalladded;
+extern int _audit_exeadded;
 extern unsigned int _audit_elf;
 
 hidden_proto(audit_send_user_message);
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index b084b1a..40e9812 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -73,6 +73,7 @@ static int reset_vars(void)
 	_audit_syscalladded = 0;
 	_audit_permadded = 0;
 	_audit_archadded = 0;
+	_audit_exeadded = 0;
 	_audit_elf = 0;
 	add = AUDIT_FILTER_UNSET;
 	del = AUDIT_FILTER_UNSET;
@@ -821,6 +822,11 @@ static int setopt(int count, int lineno, char *vars[])
 			if (rule_new->fields[rule_new->field_count-1] ==
 						AUDIT_PERM)
 				_audit_permadded = 1;
+			if ((rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE) ||
+			    (rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE_CHILDREN))
+				_audit_exeadded = 1;
 		}
 
 		break;
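Review bot: The added AUDIT_EXE/AUDIT_EXE_CHILDREN test sets a flag that the same patch already sets inside libaudit.c's audit_rule_fieldpair_data when it parses the exe field, so if that call is what fills `rule_new->fields` here the assignment is redundant; if it is kept for symmetry with the `_audit_permadded` line above it, a short comment saying so would help, e.g. `/* mirrors the libaudit.c assignment in case the field was added by another path */`. Either way the four-line condition repeats `rule_new->fields[rule_new->field_count-1]` three times across the two tests; a local such as `int last = rule_new->fields[rule_new->field_count-1];` followed by `if (last == AUDIT_PERM) _audit_permadded = 1;` and `if (last == AUDIT_EXE || last == AUDIT_EXE_CHILDREN) _audit_exeadded = 1;` reads more easily. setopt continues outside the hunk.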
@@ -908,7 +914,7 @@ static int setopt(int count, int lineno, char *vars[])
 		}
 		break;
 	case 'k':
-		if (!(_audit_syscalladded || _audit_permadded ) ||
+		if (!(_audit_syscalladded || _audit_permadded || _audit_exeadded) ||
 				(add==AUDIT_FILTER_UNSET &&
 					del==AUDIT_FILTER_UNSET)) {
 			audit_msg(LOG_ERR,
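Review bot: The message passed to this `audit_msg(LOG_ERR,` call is outside the hunk, so it cannot be confirmed here, but errormsg.h's -19 text was reworded in this patch to mention the exe path while the auditctl-side `-k` diagnostic was not touched; if it still reads "watch or syscall", it should be updated to match so the user is told that `-F exe=` also satisfies the check. The rest of the `case 'k':` body and setopt itself continue outside the hunk.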
-- 
1.7.1



