[PATCH 4/5] Add sessionid_set option to ausearch and aureport

Richard Guy Briggs rgb at redhat.com
Tue Aug 2 09:39:00 UTC 2016


Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 trunk/src/aureport-options.c |    3 ++-
 trunk/src/ausearch-match.c   |    3 +++
 trunk/src/ausearch-options.c |   42 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-options.h |    1 +
 trunk/src/ausearch-parse.c   |   14 +++++++-------
 5 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index 9a0fc18..b15cbb5 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -59,7 +59,7 @@ const char *event_uuid = NULL;
 const char *event_vmname = NULL;
 long long event_exit = 0;
 int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+int event_ppid = -1, event_session_id = -2, event_session_id_set = -1;
 int event_debug = 0, event_machine = -1;
 
 /* These are used by aureport */
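Review bot: `event_session_id_set` is defined here as `int`, while the header hunk in ausearch-options.h declares it `extern uint32_t event_session_id_set`, so the objects that aureport presumably shares with ausearch (ausearch-match.c, ausearch-parse.c) see a different type from the definition in this file. That mirrors the pre-existing `int event_session_id` versus `uint32_t event_session_id` mismatch and only works because both are 32-bit and -1 has the same bit pattern in each; it is still a cross-translation-unit type conflict that neither the compiler nor the linker reports. Declaring the new variable with the header's type, `uint32_t event_session_id_set = -1;` (on its own line, since the other two stay `int`), would make the definition agree with its declaration. If aureport-options.c deliberately keeps `int` for all three, a one-line comment saying that the header declares them `uint32_t` would at least make the mismatch visible to the next reader.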
@@ -565,6 +565,7 @@ int check_params(int count, char *vars[])
 			else {
 				set_detail(D_DETAILED);
 				event_session_id = 1;
+				event_session_id_set = 1;
 				event_loginuid = 1;
 				event_tauid = dummy;
 				event_terminal = dummy;
diff --git a/trunk/src/ausearch-match.c b/trunk/src/ausearch-match.c
index ec8a582..bff7e24 100644
--- a/trunk/src/ausearch-match.c
+++ b/trunk/src/ausearch-match.c
@@ -112,6 +112,9 @@ int match(llist *l)
 				if ((event_session_id != -2) &&
 					(event_session_id != l->s.session_id))
 					return 0;
+				if ((event_session_id_set != -1) &&
+					(event_session_id_set != (l->s.session_id != -1)))
+					return 0;
 				if (event_exit_is_set) {
 					if (l->s.exit_is_set == 0)
 						return 0;
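Review bot: The new test `event_session_id_set != (l->s.session_id != -1)` compares a `uint32_t` flag against a C boolean and relies on -1 being the "no session" sentinel for `l->s.session_id`; nothing in the hunk records that, so a comment would help, e.g. `/* --sessionid_set: 0 matches ses=-1 (unset), 1 matches a real session id */`. It is also worth confirming what `s.session_id` holds when a record carries no `ses=` field at all: if the parser leaves it at an initial -1, then `--sessionid_set 0` also selects records that never had a session field, which may or may not be what the option is meant to mean — I cannot tell from this hunk. The `(... != -1)` form with a `uint32_t` operand is well-defined (the literal converts to `UINT32_MAX`), but writing the sentinel once as a named constant shared with ausearch-parse.c would make that intent explicit. match() begins and ends outside this hunk.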
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index 521748d..f970c76 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -54,6 +54,7 @@ int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 uint32_t event_session_id = -2;
+uint32_t event_session_id_set = -1;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int line_buffered = 0;
@@ -85,7 +86,7 @@ enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
+S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
 
 static struct nv_pair optiontab[] = {
@@ -137,6 +138,7 @@ static struct nv_pair optiontab[] = {
 	{ S_CONTEXT, "-se" },
 	{ S_CONTEXT, "--context" },
 	{ S_SESSION, "--session" },
+	{ S_SESSIONID_SET, "--sessionid_set" },
 	{ S_SUBJECT, "-su" },
 	{ S_SUBJECT, "--subject" },
 	{ S_OSUCCESS, "-sv" },
@@ -209,6 +211,7 @@ static void usage(void)
 	"\t-sc,--syscall <SysCall name>\tsearch based on syscall name or number\n"
 	"\t-se,--context <SE Linux context> search based on either subject or\n\t\t\t\t\t object\n"
 	"\t--session <login session id>\tsearch based on login session id\n"
+	"\t--sessionid_set <0/1>\tsearch based on login session id set or unset\n"
 	"\t-su,--subject <SE Linux context> search based on context of the Subject\n"
 	"\t-sv,--success <Success Value>\tsearch based on syscall or event\n\t\t\t\t\tsuccess value\n"
 	"\t-te,--end [end date] [end time]\tending date & time for search\n"
@@ -767,6 +770,43 @@ int check_params(int count, char *vars[])
 			}
 			}
 			break;
+		case S_SESSIONID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{ 
+			size_t len = strlen(optarg);
+			if (isdigit(optarg[0])) {
+				errno = 0;
+				event_session_id_set = strtoul(optarg,NULL,10);
+				if (errno) {
+					fprintf(stderr, "Error converting %s\n",
+						optarg);
+					retval = -1;
+				}
+				if (event_session_id_set > 1) {
+					fprintf(stderr, 
+					"Session id set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+				c++;
+                        } else {
+				fprintf(stderr, 
+				"Session id must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+			}
+			}
+			break;
 		case S_EXIT:
 			if (!optarg) {
 				if ((c+1 < count) && vars[c+1])
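Review bot: The range check `event_session_id_set > 1` runs after the `strtoul` result has already been narrowed into the `uint32_t`, so on LP64 an argument such as `4294967296` is stored as 0 and accepted silently (and `4294967297` as 1); `errno` only catches values beyond `ULONG_MAX`. Passing `NULL` as the end pointer also accepts trailing junk like `1x`, and `isdigit(optarg[0])` should take an `unsigned char` cast per the usual `<ctype.h>` contract. Keeping the result in an `unsigned long`, validating it (including the end pointer) before the assignment, and merging the two error reports fixes all three; the `size_t len = strlen(optarg);` local is never read and will draw an unused-variable warning, so it can go. check_params() begins and ends outside this hunk.
```c
		case S_SESSIONID_SET:
			// … unchanged: optarg fallback to vars[c+1] …
			{
			char *end = NULL;
			if (isdigit((unsigned char)optarg[0])) {
				errno = 0;
				unsigned long val = strtoul(optarg, &end, 10);
				/* validate before narrowing to uint32_t so an
				 * out-of-range value cannot wrap to 0 or 1 */
				if (errno || *end != '\0' || val > 1) {
					fprintf(stderr,
					"Session id set must be a boolean value, was %s\n",
						optarg);
					retval = -1;
				} else
					event_session_id_set = (uint32_t)val;
				c++;
			} else {
				// … unchanged: non-numeric error path …
			}
			}
			break;
```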
diff --git a/trunk/src/ausearch-options.h b/trunk/src/ausearch-options.h
index 1372762..947f5d6 100644
--- a/trunk/src/ausearch-options.h
+++ b/trunk/src/ausearch-options.h
@@ -40,6 +40,7 @@ extern int line_buffered;
 extern int event_debug;
 extern pid_t event_ppid;
 extern uint32_t event_session_id;
+extern uint32_t event_session_id_set;
 extern ilist *event_type;
 
 /* Data type to govern output format */
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index 3047925..c45d54e 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -357,7 +357,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		}
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
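Review bot: The gating expression `event_session_id != -2 || event_session_id_set != -1` is now repeated verbatim in seven functions of ausearch-parse.c (this hunk in parse_task_info and the following ones in parse_user, parse_login, parse_integrity, parse_kernel_anom, parse_simple_message and parse_tty), each encoding the two "filter not requested" sentinels inline. A single helper next to the extern declarations, `static inline int want_session_field(void) { return event_session_id != -2 || event_session_id_set != -1; }`, would keep both sentinels in one place and let the seven sites read as `if (want_session_field()) {`. A short comment at the first site, such as `// parse ses= when either the session-id or the sessionid_set filter is active`, would also explain why a value filter and a presence filter share one branch. parse_task_info() begins and ends outside this hunk.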
@@ -845,7 +845,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tauid = lookup_uid("auid", s->loginuid);
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1317,7 +1317,7 @@ static int parse_login(const lnode *n, search_items *s)
 			s->success = S_SUCCESS; 
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		if (term == NULL)
 			term = n->message;
 		str = strstr(term, "new ses=");
@@ -1631,7 +1631,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1944,7 +1944,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 		}
 	}
 
-	if (event_session_id != -2) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2100,7 +2100,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2277,7 +2277,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
-- 
1.7.1



