Imported Upstream version 2.6.4
Laurent Bigonville
7 years ago
0 | 2.6.4 | |
1 | - Fix interpretation of saddr fields when using enriched events | |
2 | - In netlink_handler of auditd, ensure ack_func is initialized to NULL | |
3 | - Use full path to auditctl in augenrules | |
4 | - Raise the number of log files auditd allows to 999 | |
5 | - In auditd reconfig, update use_libwrap setting | |
6 | - Fix memory leak in reconfigure | |
7 | - Add EHWPOISON definition for errno lookup table if missing (Thomas Petazzoni) | |
8 | - Better detect struct audit_status existence (Thomas Petazzoni) | |
9 | - Rework dispatcher protocol 1 to be what it used to be | |
10 | ||
0 | 11 | 2.6.3 |
1 | 12 | - Fix NULL poiinter deref in auparse |
2 | 13 | - Optionally add dependency to libcap-ng in audit.pc |
0 | 0 | Things that need to be done: |
1 | 1 | =========================== |
2 | 2.6.4 | |
2 | 2.6.5 | |
3 | * When interpretting sockaddr, use syscall to determine remote vs local | |
3 | 4 | * Look for more static variables in auparse and move to auparse_state_t |
4 | * Raise the number of files auditd allows | |
5 | 5 | |
6 | 6 | 2.7 |
7 | 7 | * Add metadata in auparse for subj,obj,action,results |
8 | 8 | * Formats for ausearch output |
9 | 9 | * Add ability to suppress types of records (drop_records) |
10 | * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME | |
11 | * Support mutiple time streams when searching | |
10 | 12 | |
11 | 13 | 2.7.1 |
12 | 14 | * Look at pulling audispd into auditd |
13 | 15 | * Consolidate linked lists and other functions |
16 | * Consolidate parsing code between libaudit and auditd-conf.c | |
17 | * If relative file in cwd, need to build also (realpath). watch out for (null) and socket | |
14 | 18 | |
15 | 19 | 3.0 |
16 | 20 | * Basic HIDS |
19 | 23 | * Performance improvements for auparse |
20 | 24 | * If auparse input is a pipe timeout events by wall clock |
21 | 25 | * Add rule verify to detect mismatch between in-kernel and on-disk rules |
26 | * ausearch --op search | |
22 | 27 | |
23 | 28 | 3.0.1 |
24 | 29 | * Fix auvirt to report AVC's and --proof for --all-events |
29 | 34 | |
30 | 35 | 3.0.2 |
31 | 36 | * When searching, build log time list & only read the ones that are in range |
32 | * Change ausearch-string to be AVL based | |
33 | 37 | * Look at adding the direction read/write to file report (threat modelling) |
34 | 38 | * Changes in uid/gid, failed changes in credentials in aureport |
35 | * aureport get specific reports working | |
36 | * Remove evil getopt cruft in auditctl | |
37 | * Group message types in ausearch help. | |
39 | * Group event types in ausearch help. | |
38 | 40 | |
39 | 41 | 3.1 |
40 | 42 | * Allow -F path!=/var/my/app |
41 | 43 | * Add ignore action for rules |
42 | 44 | * Look at openat and why passed dir is not given |
43 | 45 | * Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid. |
44 | * Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPCcall. | |
45 | 46 | * Fix aureport accounting for avc in permissive mode |
46 | 47 | * rework ausearch to use auparse |
47 | 48 | * rework aureport to use auparse |
48 | 49 | |
49 | 2.8 | |
50 | * Consolidate parsing code between libaudit and auditd-conf.c | |
50 | 3.1.1 | |
51 | 51 | * Look at variadic avc logging patch |
52 | * If relative file in cwd, need to build also (realpath). watch out for (null) and socket | |
53 | * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME | |
54 | 52 | * add more libaudit man pages |
55 | * ausearch --op search | |
56 | 53 | * Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide |
57 | ||
58 | 2.9 | |
59 | Add scheduling options: strict, relaxed, loose (determines user space queueing) | |
60 | Allow users to specify message types to be kept for logging | |
61 | 54 | Allow users to specify fields to be kept for logging |
62 | Pretty Print ausearch messages (strace style?) | |
63 | Look at modifying kernel rule matcher to do: first match & match all |
2 | 2 | # arguments provided can be the default priority that you |
3 | 3 | # want the events written with. And optionally, you can give |
4 | 4 | # a second argument indicating the facility that you want events |
5 | # logged to. Valid options are LOG_LOCAL0 through 7. | |
5 | # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH, | |
6 | # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. | |
6 | 7 | |
7 | 8 | active = no |
8 | 9 | direction = out |
1 | 1 | |
2 | 2 | Summary: User space tools for 2.6 kernel auditing |
3 | 3 | Name: audit |
4 | Version: 2.6.3 | |
4 | Version: 2.6.4 | |
5 | 5 | Release: 1 |
6 | 6 | License: GPLv2+ |
7 | 7 | Group: System Environment/Daemons |
262 | 262 | |
263 | 263 | |
264 | 264 | %changelog |
265 | * Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-1 | |
265 | * Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-1 | |
266 | 266 | - New upstream release |
267 | 267 |
341 | 341 | int load_interpretation_list(const char *buffer) |
342 | 342 | { |
343 | 343 | char *saved = NULL, *ptr; |
344 | char *buf; | |
344 | char *buf, *val; | |
345 | nvnode n; | |
345 | 346 | |
346 | 347 | if (buffer == NULL) |
347 | 348 | return 0; |
348 | 349 | |
349 | 350 | buf = strdup(buffer); |
350 | ptr = audit_strsplit_r(buf, &saved); | |
351 | if (ptr == NULL) { | |
351 | if (strncmp(buf, "SADDR=", 6) == 0) { | |
352 | // We have SOCKADDR record. It has no other values. | |
353 | // Handle it by itself. | |
354 | ptr = strchr(buf+6, '{'); | |
355 | if (ptr) { | |
356 | val = ptr; | |
357 | ptr = strchr(val, '}'); | |
358 | if (ptr) { | |
359 | n.name = strdup("saddr"); | |
360 | n.val = strdup(val); | |
361 | nvlist_append(&il, &n); | |
362 | nvlist_interp_fixup(&il); | |
363 | free(buf); | |
364 | return 1; | |
365 | } | |
366 | } | |
352 | 367 | free(buf); |
353 | 368 | return 0; |
354 | } | |
355 | ||
356 | do { | |
357 | nvnode n; | |
358 | char tmp, *val; | |
359 | ||
360 | if (*ptr == '{') { | |
361 | val = ptr+1; | |
362 | ptr = strchr(val, '}'); | |
363 | if (ptr) { | |
364 | tmp = *ptr; | |
365 | *ptr = 0; | |
366 | } else | |
367 | continue; // Malformed - skip | |
368 | n.name = strdup("saddr"); | |
369 | } else { | |
369 | } else { | |
370 | // We handle everything else in this branch | |
371 | ptr = audit_strsplit_r(buf, &saved); | |
372 | if (ptr == NULL) { | |
373 | free(buf); | |
374 | return 0; | |
375 | } | |
376 | ||
377 | do { | |
378 | char tmp; | |
379 | ||
370 | 380 | val = strchr(ptr, '='); |
371 | 381 | if (val) { |
372 | 382 | *val = 0; |
385 | 395 | *ptr = 0; |
386 | 396 | } else |
387 | 397 | tmp = 0; |
388 | } | |
389 | ||
390 | n.val = strdup(val); | |
391 | nvlist_append(&il, &n); | |
392 | nvlist_interp_fixup(&il); | |
393 | if (ptr) | |
394 | *ptr = tmp; | |
395 | } while((ptr = audit_strsplit_r(NULL, &saved))); | |
396 | ||
398 | ||
399 | n.val = strdup(val); | |
400 | nvlist_append(&il, &n); | |
401 | nvlist_interp_fixup(&il); | |
402 | if (ptr) | |
403 | *ptr = tmp; | |
404 | } while((ptr = audit_strsplit_r(NULL, &saved))); | |
405 | } | |
397 | 406 | free(buf); |
398 | 407 | return 1; |
399 | 408 | } |
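Review bot: `buf = strdup(buffer);` on line 350 is still unchecked, and the new `strncmp(buf, "SADDR=", 6)` on line 351 dereferences it immediately, so an allocation failure is now a NULL dereference in both branches; add `if (buf == NULL) return 0;` directly after the strdup. In the SADDR branch the closing brace is located on line 357 but never written as a terminator, so `n.val = strdup(val)` on line 360 copies everything from the opening brace to the end of buf, whereas the removed loop started at `ptr+1` and cut the string at the brace; if the consumer still expects the bare form, use `val = ptr + 1;` and `*ptr = 0;` once the `}` is found, otherwise a comment saying the braces are deliberately kept would settle it. The `strdup` results for `n.name`/`n.val` are also unchecked, as they were before the change. The whole of load_interpretation_list is inside this hunk.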
1625 | 1625 | __swig_getmethods__["conf"] = _audit.audit_reply_conf_get |
1626 | 1626 | if _newclass: |
1627 | 1627 | conf = _swig_property(_audit.audit_reply_conf_get, _audit.audit_reply_conf_set) |
1628 | __swig_setmethods__["features"] = _audit.audit_reply_features_set | |
1629 | __swig_getmethods__["features"] = _audit.audit_reply_features_get | |
1630 | if _newclass: | |
1631 | features = _swig_property(_audit.audit_reply_features_get, _audit.audit_reply_features_set) | |
1628 | 1632 | |
1629 | 1633 | def __init__(self): |
1630 | 1634 | this = _audit.new_audit_reply() |
1487 | 1487 | error = _swig_property(_audit.audit_reply_error_get, _audit.audit_reply_error_set) |
1488 | 1488 | signal_info = _swig_property(_audit.audit_reply_signal_info_get, _audit.audit_reply_signal_info_set) |
1489 | 1489 | conf = _swig_property(_audit.audit_reply_conf_get, _audit.audit_reply_conf_set) |
1490 | features = _swig_property(_audit.audit_reply_features_get, _audit.audit_reply_features_set) | |
1490 | 1491 | |
1491 | 1492 | def __init__(self): |
1492 | 1493 | this = _audit.new_audit_reply() |
85 | 85 | |
86 | 86 | /* Define to 1 if you have the <string.h> header file. */ |
87 | 87 | #undef HAVE_STRING_H |
88 | ||
89 | /* Define to 1 if `feature_bitmap' is a member of `struct audit_status'. */ | |
90 | #undef HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP | |
88 | 91 | |
89 | 92 | /* Define to 1 if you have the <sys/epoll.h> header file. */ |
90 | 93 | #undef HAVE_SYS_EPOLL_H |
0 | 0 | #! /bin/sh |
1 | 1 | # From configure.ac Revision: 1.3 . |
2 | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for audit 2.6.3. | |
3 | # Generated by GNU Autoconf 2.69 for audit 2.6.4. | |
4 | 4 | # |
5 | 5 | # |
6 | 6 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
587 | 587 | # Identity of this package. |
588 | 588 | PACKAGE_NAME='audit' |
589 | 589 | PACKAGE_TARNAME='audit' |
590 | PACKAGE_VERSION='2.6.3' | |
591 | PACKAGE_STRING='audit 2.6.3' | |
590 | PACKAGE_VERSION='2.6.4' | |
591 | PACKAGE_STRING='audit 2.6.4' | |
592 | 592 | PACKAGE_BUGREPORT='' |
593 | 593 | PACKAGE_URL='' |
594 | 594 | |
1391 | 1391 | # Omit some internal or obsolete options to make the list less imposing. |
1392 | 1392 | # This message is too long to be a string in the A/UX 3.1 sh. |
1393 | 1393 | cat <<_ACEOF |
1394 | \`configure' configures audit 2.6.3 to adapt to many kinds of systems. | |
1394 | \`configure' configures audit 2.6.4 to adapt to many kinds of systems. | |
1395 | 1395 | |
1396 | 1396 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1397 | 1397 | |
1462 | 1462 | |
1463 | 1463 | if test -n "$ac_init_help"; then |
1464 | 1464 | case $ac_init_help in |
1465 | short | recursive ) echo "Configuration of audit 2.6.3:";; | |
1465 | short | recursive ) echo "Configuration of audit 2.6.4:";; | |
1466 | 1466 | esac |
1467 | 1467 | cat <<\_ACEOF |
1468 | 1468 | |
1589 | 1589 | test -n "$ac_init_help" && exit $ac_status |
1590 | 1590 | if $ac_init_version; then |
1591 | 1591 | cat <<\_ACEOF |
1592 | audit configure 2.6.3 | |
1592 | audit configure 2.6.4 | |
1593 | 1593 | generated by GNU Autoconf 2.69 |
1594 | 1594 | |
1595 | 1595 | Copyright (C) 2012 Free Software Foundation, Inc. |
2179 | 2179 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno |
2180 | 2180 | |
2181 | 2181 | } # ac_fn_c_check_decl |
2182 | ||
2183 | # ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES | |
2184 | # ---------------------------------------------------- | |
2185 | # Tries to find if the field MEMBER exists in type AGGR, after including | |
2186 | # INCLUDES, setting cache variable VAR accordingly. | |
2187 | ac_fn_c_check_member () | |
2188 | { | |
2189 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
2190 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 | |
2191 | $as_echo_n "checking for $2.$3... " >&6; } | |
2192 | if eval \${$4+:} false; then : | |
2193 | $as_echo_n "(cached) " >&6 | |
2194 | else | |
2195 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2196 | /* end confdefs.h. */ | |
2197 | $5 | |
2198 | int | |
2199 | main () | |
2200 | { | |
2201 | static $2 ac_aggr; | |
2202 | if (ac_aggr.$3) | |
2203 | return 0; | |
2204 | ; | |
2205 | return 0; | |
2206 | } | |
2207 | _ACEOF | |
2208 | if ac_fn_c_try_compile "$LINENO"; then : | |
2209 | eval "$4=yes" | |
2210 | else | |
2211 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2212 | /* end confdefs.h. */ | |
2213 | $5 | |
2214 | int | |
2215 | main () | |
2216 | { | |
2217 | static $2 ac_aggr; | |
2218 | if (sizeof ac_aggr.$3) | |
2219 | return 0; | |
2220 | ; | |
2221 | return 0; | |
2222 | } | |
2223 | _ACEOF | |
2224 | if ac_fn_c_try_compile "$LINENO"; then : | |
2225 | eval "$4=yes" | |
2226 | else | |
2227 | eval "$4=no" | |
2228 | fi | |
2229 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2230 | fi | |
2231 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2232 | fi | |
2233 | eval ac_res=\$$4 | |
2234 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 | |
2235 | $as_echo "$ac_res" >&6; } | |
2236 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | |
2237 | ||
2238 | } # ac_fn_c_check_member | |
2182 | 2239 | cat >config.log <<_ACEOF |
2183 | 2240 | This file contains any messages produced by compilers while |
2184 | 2241 | running configure, to aid debugging if configure makes a mistake. |
2185 | 2242 | |
2186 | It was created by audit $as_me 2.6.3, which was | |
2243 | It was created by audit $as_me 2.6.4, which was | |
2187 | 2244 | generated by GNU Autoconf 2.69. Invocation command line was |
2188 | 2245 | |
2189 | 2246 | $ $0 $@ |
3162 | 3219 | |
3163 | 3220 | # Define the identity of the package. |
3164 | 3221 | PACKAGE='audit' |
3165 | VERSION='2.6.3' | |
3222 | VERSION='2.6.4' | |
3166 | 3223 | |
3167 | 3224 | |
3168 | 3225 | cat >>confdefs.h <<_ACEOF |
14574 | 14631 | #define HAVE_DECL_AUDIT_FEATURE_VERSION $ac_have_decl |
14575 | 14632 | _ACEOF |
14576 | 14633 | |
14634 | ac_fn_c_check_member "$LINENO" "struct audit_status" "feature_bitmap" "ac_cv_member_struct_audit_status_feature_bitmap" "#include <linux/audit.h> | |
14635 | " | |
14636 | if test "x$ac_cv_member_struct_audit_status_feature_bitmap" = xyes; then : | |
14637 | ||
14638 | cat >>confdefs.h <<_ACEOF | |
14639 | #define HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP 1 | |
14640 | _ACEOF | |
14641 | ||
14642 | ||
14643 | fi | |
14644 | ||
14577 | 14645 | ac_fn_c_check_decl "$LINENO" "AUDIT_VERSION_BACKLOG_WAIT_TIME" "ac_cv_have_decl_AUDIT_VERSION_BACKLOG_WAIT_TIME" "#include <linux/audit.h> |
14578 | 14646 | " |
14579 | 14647 | if test "x$ac_cv_have_decl_AUDIT_VERSION_BACKLOG_WAIT_TIME" = xyes; then : |
16429 | 16497 | # report actual input values of CONFIG_FILES etc. instead of their |
16430 | 16498 | # values after options handling. |
16431 | 16499 | ac_log=" |
16432 | This file was extended by audit $as_me 2.6.3, which was | |
16500 | This file was extended by audit $as_me 2.6.4, which was | |
16433 | 16501 | generated by GNU Autoconf 2.69. Invocation command line was |
16434 | 16502 | |
16435 | 16503 | CONFIG_FILES = $CONFIG_FILES |
16495 | 16563 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
16496 | 16564 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
16497 | 16565 | ac_cs_version="\\ |
16498 | audit config.status 2.6.3 | |
16566 | audit config.status 2.6.4 | |
16499 | 16567 | configured by $0, generated by GNU Autoconf 2.69, |
16500 | 16568 | with options \\"\$ac_cs_config\\" |
16501 | 16569 |
28 | 28 | ]) |
29 | 29 | |
30 | 30 | AC_REVISION($Revision: 1.3 $)dnl |
31 | AC_INIT(audit,2.6.3) | |
31 | AC_INIT(audit,2.6.4) | |
32 | 32 | AC_PREREQ(2.12)dnl |
33 | 33 | AM_CONFIG_HEADER(config.h) |
34 | 34 | |
63 | 63 | AC_CHECK_SIZEOF([unsigned long]) |
64 | 64 | AM_PROG_CC_C_O |
65 | 65 | AC_CHECK_DECLS([AUDIT_FEATURE_VERSION], [], [], [[#include <linux/audit.h>]]) |
66 | AC_CHECK_MEMBERS([struct audit_status.feature_bitmap], [], [], [[#include <linux/audit.h>]]) | |
66 | 67 | AC_CHECK_DECLS([AUDIT_VERSION_BACKLOG_WAIT_TIME], [], [], [[#include <linux/audit.h>]]) |
67 | 68 | AC_CHECK_DECLS([ADDR_NO_RANDOMIZE],,, [#include <sys/personality.h>]) |
68 | 69 | dnl; posix_fallocate is used in audisp-remote |
47 | 47 | auparse_get_type.3 auparse_get_type_name.3 auparse_init.3 \ |
48 | 48 | auparse_interpret_field.3 \ |
49 | 49 | auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \ |
50 | auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \ | |
51 | ausearch-expression.5 \ | |
50 | auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \ | |
51 | auparse_timestamp_compare.3 ausearch-expression.5 \ | |
52 | 52 | aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \ |
53 | 53 | ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \ |
54 | 54 | ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \ |
361 | 361 | auparse_get_type.3 auparse_get_type_name.3 auparse_init.3 \ |
362 | 362 | auparse_interpret_field.3 \ |
363 | 363 | auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \ |
364 | auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \ | |
365 | ausearch-expression.5 \ | |
364 | auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \ | |
365 | auparse_timestamp_compare.3 ausearch-expression.5 \ | |
366 | 366 | aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \ |
367 | 367 | ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \ |
368 | 368 | ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \ |
74 | 74 | This keyword specifies the number of log files to keep if rotate is given |
75 | 75 | as the |
76 | 76 | .I max_log_file_action. |
77 | If the number is < 2, logs are not rotated. This number must be 99 or less. | |
77 | If the number is < 2, logs are not rotated. This number must be 999 or less. | |
78 | 78 | The default is 0 - which means no rotation. As you increase the number of log files being rotated, you may need to adjust the kernel backlog setting upwards since it takes more time to rotate the files. This is typically done in /etc/audit/audit.rules. If log rotation is configured to occur, the daemon will check for excess logs and remove them in effort to keep disk space available. The excess log check is only done on startup and when a reconfigure results in a space check. |
79 | 79 | .TP |
80 | 80 | .I disp_qos |
0 | .TH "AUPARSE_INTERPRET_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API" | |
0 | .TH "AUPARSE_INTERPRET_FIELD" "3" "July 2016" "Red Hat" "Linux Audit API" | |
1 | 1 | .SH NAME |
2 | 2 | auparse_interpret_field \- get current field's value interpreted |
3 | 3 | .SH "SYNOPSIS" |
7 | 7 | |
8 | 8 | .SH "DESCRIPTION" |
9 | 9 | |
10 | auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use. | |
10 | auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned string is escaped using the chosen method. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use. | |
11 | 11 | |
12 | 12 | Examples of things that could be interpreted are: uid, gid, syscall numbers, exit codes, file paths, socket addresses, permissions, modes, and capabilities. There are likely to be more in the future. If a value cannot be interpreted, its original value is returned. |
13 | 13 | |
17 | 17 | |
18 | 18 | .SH "SEE ALSO" |
19 | 19 | |
20 | .BR auparse_get_field_str (3). | |
20 | .BR auparse_get_field_str (3), auparse_set_escape_mode (3). | |
21 | 21 | |
22 | 22 | .SH AUTHOR |
23 | 23 | Steve Grubb |
0 | .TH "AUPARSE_SET_ESCAPE_MODE" "3" "July 2016" "Red Hat" "Linux Audit API" | |
1 | .SH NAME | |
2 | auparse_set_escape_mode \- choose escape method | |
3 | .SH "SYNOPSIS" | |
4 | .B #include <auparse.h> | |
5 | .sp | |
6 | void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode); | |
7 | ||
8 | .SH "DESCRIPTION" | |
9 | ||
10 | auparse_set_escape_mode is used to set the escaping method that will be used to output interpretted text. The choices for the mode variable are: | |
11 | ||
12 | .RS | |
13 | .TP | |
14 | .B AUPARSE_ESC_RAW | |
15 | No escaping of any kind is done. | |
16 | .TP | |
17 | .B AUPARSE_ESC_TTY | |
18 | Escape TTY control characters so that they are harmless to display on a terminal. When any control character is found, they are displayed as octal numbers. This is the default mode that the auparse library is initialized with. | |
19 | .TP | |
20 | .B AUPARSE_ESC_SHELL | |
21 | Besides escaping control characters, this will escape some characters that can cause problems when used with shell scripting. Any escaped control characters are displayed as octal numbers. Other escaped characters are proceeded with a backslash. The additional characters it escapes are: " ' ` $ \\ | |
22 | .TP | |
23 | .B AUPARSE_ESC_SHELL_QUOTE | |
24 | Similar to | |
25 | .I AUPARSE_ESC_SHELL | |
26 | but expands the character set to include shell operators. Any escaped control characters are displayed as octal numbers. Other escaped characters are proceeded with a backslash. The additional characters it escapes include: ; ' \ " ` # $ & * ? [ ] < > { } \\ | |
27 | .RE | |
28 | ||
29 | ||
30 | .SH "RETURN VALUE" | |
31 | ||
32 | None | |
33 | ||
34 | .SH "SEE ALSO" | |
35 | ||
36 | .BR auparse_interpret_field (3). | |
37 | ||
38 | .SH AUTHOR | |
39 | Steve Grubb |
23 | 23 | admin_space_left_action = SUSPEND |
24 | 24 | disk_full_action = SUSPEND |
25 | 25 | disk_error_action = SUSPEND |
26 | use_libwrap = yes | |
26 | 27 | ##tcp_listen_port = |
27 | 28 | tcp_listen_queue = 5 |
28 | 29 | tcp_max_per_addr = 1 |
38 | 38 | |
39 | 39 | try_load() { |
40 | 40 | if [ $LoadRules -eq 1 ] ; then |
41 | auditctl -R ${DestinationFile} | |
41 | /sbin/auditctl -R ${DestinationFile} | |
42 | 42 | RETVAL=$? |
43 | 43 | fi |
44 | 44 | } |
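Review bot: `/sbin/auditctl -R ${DestinationFile}` leaves the path unquoted, so a DestinationFile containing whitespace or glob characters is split or expanded before auditctl sees it; write `/sbin/auditctl -R "${DestinationFile}"`. Hard-coding `/sbin` also assumes auditctl is installed there, which may not hold on every distribution layout; a single `AUDITCTL=/sbin/auditctl` variable near the top of the script would keep that assumption in one place. try_load is fully visible in this hunk.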
53 | 53 | #define SHMDT 22 |
54 | 54 | #define SHMGET 23 |
55 | 55 | #define SHMCTL 24 |
56 | ||
57 | /* | |
58 | * Defines EHWPOISON to the value found in uapi/asm-generic/errno.h, | |
59 | * which is correct for most (but not all architectures). | |
60 | */ | |
61 | #ifndef EHWPOISON | |
62 | #define EHWPOISON 133 | |
63 | #endif | |
56 | 64 | |
57 | 65 | |
58 | 66 | /* The ratio of table size to number of non-empty elements allowed for a |
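Review bot: The fallback `#define EHWPOISON 133` only takes effect when nothing included earlier defined the symbol, and the comment on lines 58-59 itself concedes the value is wrong on some architectures; whether `<errno.h>` is included ahead of this point is not visible in the hunk, and if it is not, the libc definition can never win and a later `<errno.h>` include would produce a conflicting redefinition. Either add `#include <errno.h>` just before the `#ifndef`, or record the dependency with a comment such as `/* <errno.h> must already be included so the libc value takes precedence */`.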
514 | 514 | |
515 | 515 | int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock) |
516 | 516 | { |
517 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
517 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
518 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
518 | 519 | int rc; |
519 | 520 | struct audit_features f; |
520 | 521 | |
538 | 539 | |
539 | 540 | int audit_request_features(int fd) |
540 | 541 | { |
541 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
542 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
543 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
542 | 544 | int rc; |
543 | 545 | struct audit_features f; |
544 | 546 | |
557 | 559 | |
558 | 560 | extern int audit_set_loginuid_immutable(int fd) |
559 | 561 | { |
560 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
562 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
563 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
561 | 564 | return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1); |
562 | 565 | #else |
563 | 566 | errno = EINVAL; |
578 | 581 | return; |
579 | 582 | } |
580 | 583 | |
581 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
584 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
585 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
582 | 586 | if ((rc = audit_request_status(fd)) > 0) { |
583 | 587 | struct audit_reply rep; |
584 | 588 | int i; |
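Review bot: The new guard `#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)` no longer tests the declaration result: the regenerated configure in this commit always emits `#define HAVE_DECL_AUDIT_FEATURE_VERSION $ac_have_decl` with a value of 0 or 1, so `defined(...)` is true even when the symbol is absent and the condition collapses to the struct-member check alone. The removed `#if HAVE_DECL_AUDIT_FEATURE_VERSION` tested the value, and the neighbouring `#if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME` in the auditctl hunks still does, so the consistent form is `#if HAVE_DECL_AUDIT_FEATURE_VERSION && defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)`. In practice a kernel header that has the feature_bitmap member will most likely also declare AUDIT_FEATURE_VERSION, so the effect is probably nil, but the same pattern appears in all four hunks of this file and in the netlink-reply and auditctl hunks further down. The functions around these hunks start or end outside them.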
425 | 425 | struct nlmsgerr *error; |
426 | 426 | struct audit_sig_info *signal_info; |
427 | 427 | struct daemon_conf *conf; |
428 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
428 | #ifdef AUDIT_FEATURE_BITMAP_ALL | |
429 | 429 | struct audit_features *features; |
430 | 430 | #endif |
431 | 431 | }; |
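Review bot: The `features` member of `struct audit_reply` is now guarded by the kernel macro `AUDIT_FEATURE_BITMAP_ALL`, while every access to `rep->features` in the netlink-reply and auditctl hunks of this commit is guarded by the configure macros `HAVE_DECL_AUDIT_FEATURE_VERSION`/`HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP`. If the two conditions ever diverge — headers that define the bitmap constant without the struct member, or the reverse — the result is either a compile error on `rep->features = NULL` or a member that is never initialised. A public header presumably cannot see config.h, which would explain the different guard; a comment recording the coupling, e.g. `/* config.h is unavailable here; AUDIT_FEATURE_BITMAP_ALL stands in for the configure-time checks used in netlink.c */`, would stop the two from drifting silently.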
146 | 146 | rep->error = NULL; |
147 | 147 | rep->signal_info = NULL; |
148 | 148 | rep->conf = NULL; |
149 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
149 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
150 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
150 | 151 | rep->features = NULL; |
151 | 152 | #endif |
152 | 153 | if (!NLMSG_OK(rep->nlh, (unsigned int)len)) { |
171 | 172 | case AUDIT_GET: |
172 | 173 | rep->status = NLMSG_DATA(rep->nlh); |
173 | 174 | break; |
174 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
175 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
176 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
175 | 177 | case AUDIT_GET_FEATURE: |
176 | 178 | rep->features = NLMSG_DATA(rep->nlh); |
177 | 179 | break; |
549 | 549 | #endif |
550 | 550 | printed = 1; |
551 | 551 | break; |
552 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
552 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
553 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
553 | 554 | case AUDIT_GET_FEATURE: |
554 | 555 | { |
555 | 556 | uint32_t mask = AUDIT_FEATURE_TO_MASK(AUDIT_FEATURE_LOGINUID_IMMUTABLE); |
128 | 128 | " -v Version\n" |
129 | 129 | " -w <path> Insert watch at <path>\n" |
130 | 130 | " -W <path> Remove watch at <path>\n" |
131 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
131 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
132 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
132 | 133 | " --loginuid-immutable Make loginuids unchangeable once set\n" |
133 | 134 | #endif |
134 | 135 | #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME |
515 | 516 | |
516 | 517 | struct option long_opts[] = |
517 | 518 | { |
518 | #if HAVE_DECL_AUDIT_FEATURE_VERSION | |
519 | #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ | |
520 | defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) | |
519 | 521 | {"loginuid-immutable", 0, NULL, 1}, |
520 | 522 | #endif |
521 | 523 | #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME |
657 | 657 | strerror(errno), line); |
658 | 658 | return 1; |
659 | 659 | } |
660 | if (i > 99) { | |
661 | audit_msg(LOG_ERR, "num_logs must be 99 or less"); | |
660 | if (i > 999) { | |
661 | audit_msg(LOG_ERR, "num_logs must be 999 or less"); | |
662 | 662 | return 1; |
663 | 663 | } |
664 | 664 | config->num_logs = i; |
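Review bot: The limit 999 is now spelled twice in this hunk, in `if (i > 999)` and in the message `"num_logs must be 999 or less"`, and a third time in the auditd.conf(5) page changed by this commit; the bump from 99 shows how easily the copies drift. A named constant, `#define MAX_NUM_LOGS 999` with `if (i > MAX_NUM_LOGS)`, keeps the check and the message in step. The enclosing function starts outside the hunk, so whether anything else sizes a buffer for the rotated-file suffix from this limit is not visible here and is worth confirming now that a third digit is allowed.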
157 | 157 | kill(pid, SIGHUP); |
158 | 158 | else |
159 | 159 | init_dispatcher(config); |
160 | ||
161 | if (config->log_format == LF_ENRICHED) | |
162 | protocol_ver = AUDISP_PROTOCOL_VER2; | |
163 | else | |
164 | protocol_ver = AUDISP_PROTOCOL_VER; | |
160 | 165 | } |
161 | 166 | |
162 | 167 | /* Returns -1 on err, 0 on success, and 1 if eagain occurred and not an err */ |
181 | 186 | |
182 | 187 | vec[0].iov_base = (void*)&hdr; |
183 | 188 | vec[0].iov_len = sizeof(hdr); |
184 | vec[1].iov_base = (void*)rep->msg.data; | |
185 | vec[1].iov_len = rep->len; | |
189 | if (protocol_ver == AUDISP_PROTOCOL_VER) { | |
190 | vec[1].iov_base = (void*)rep->message; | |
191 | vec[1].iov_len = rep->msg.nlh.nlmsg_len; | |
192 | } else { | |
193 | vec[1].iov_base = (void*)rep->msg.data; | |
194 | vec[1].iov_len = rep->len; | |
195 | } | |
186 | 196 | |
187 | 197 | do { |
188 | 198 | rc = writev(disp_pipe[1], vec, 2); |
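Review bot: In the protocol-1 branch, `vec[1].iov_len = rep->msg.nlh.nlmsg_len;` is taken straight from the netlink header and becomes the byte count writev sends from `rep->message`, so it has to be within the size of that buffer. For replies received from the kernel the `NLMSG_OK` check in the netlink-reply hunk of this commit bounds it, but for locally generated events the value comes from the new `e->reply.msg.nlh.nlmsg_len = e->reply.len;` assignment in the event-formatting hunk, and nothing visible here clamps it; a comment naming where the value is validated, e.g. `// nlmsg_len was bounded by NLMSG_OK / set by format_event`, would make the trust explicit. `protocol_ver` is assigned in the reconfigure hunk only; its initial value before the first reconfigure is set outside this hunk and should follow the same `log_format` rule. Both enclosing functions start before their hunks.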
201 | 201 | e->reply.msg.data[MAX_AUDIT_MESSAGE_LENGTH-1] = 0; |
202 | 202 | len = MAX_AUDIT_MESSAGE_LENGTH; |
203 | 203 | } |
204 | e->reply.msg.nlh.nlmsg_len = e->reply.len; | |
204 | 205 | e->reply.len = len; |
205 | 206 | } |
206 | 207 | } |
448 | 449 | free(e); |
449 | 450 | } |
450 | 451 | |
451 | /* This function takes a local event and sends it to the handler */ | |
452 | /* This function takes a reconfig event and sends it to the handler */ | |
452 | 453 | void enqueue_event(struct auditd_event *e) |
453 | 454 | { |
454 | 455 | e->ack_func = NULL; |
456 | 457 | e->sequence_id = 0; |
457 | 458 | |
458 | 459 | handle_event(e); |
460 | cleanup_event(e); | |
459 | 461 | } |
460 | 462 | |
461 | 463 | /* This function allocates memory and fills the event fields with |
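Review bot: The added `e->reply.msg.nlh.nlmsg_len = e->reply.len;` reads `reply.len` one line before `e->reply.len = len;` overwrites it with the `len` computed above, so when the truncation branch on lines 201-202 has clamped `len` to MAX_AUDIT_MESSAGE_LENGTH the header length keeps whatever `reply.len` held before; the dispatcher hunk in this commit sends `nlmsg_len` bytes of `rep->message` for protocol 1, so a stale oversized value would read past the truncated data. If the intent is the post-clamp length, order it as `e->reply.len = len; e->reply.msg.nlh.nlmsg_len = len;` — the enclosing function starts outside the hunk, so what `reply.len` held at this point is not visible and needs checking. Separately, `enqueue_event` now calls `cleanup_event(e)`, which appears to free the event (the `free(e)` at the top of that hunk), so its header comment should say that the function takes ownership of `e` and the caller must not use it afterwards.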
0 | 0 | /* auditd-listen.c -- |
1 | * Copyright 2008,2009,2011 Red Hat Inc., Durham, North Carolina. | |
1 | * Copyright 2008,2009,2011,2016 Red Hat Inc., Durham, North Carolina. | |
2 | 2 | * All Rights Reserved. |
3 | 3 | * |
4 | 4 | * This program is free software; you can redistribute it and/or modify |
17 | 17 | * |
18 | 18 | * Authors: |
19 | 19 | * DJ Delorie <dj@redhat.com> |
20 | * Steve Grubb <sgrubb@redhat.com> | |
20 | 21 | * |
21 | 22 | */ |
22 | 23 | |
108 | 109 | return buf; |
109 | 110 | } |
110 | 111 | |
111 | static void set_close_on_exec (int fd) | |
112 | static void set_close_on_exec(int fd) | |
112 | 113 | { |
113 | 114 | int flags = fcntl (fd, F_GETFD); |
114 | 115 | if (flags == -1) |
1040 | 1041 | void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, |
1041 | 1042 | struct daemon_conf *oconf ) |
1042 | 1043 | { |
1044 | use_libwrap = nconf->use_libwrap; | |
1045 | ||
1043 | 1046 | /* Look at network things that do not need restarting */ |
1044 | 1047 | if (oconf->tcp_client_min_port != nconf->tcp_client_min_port || |
1045 | 1048 | oconf->tcp_client_max_port != nconf->tcp_client_max_port || |
1061 | 1064 | oconf->tcp_listen_queue = nconf->tcp_listen_queue; |
1062 | 1065 | // FIXME: need to restart the network stuff |
1063 | 1066 | } |
1064 | } | |
1067 | free(oconf->krb5_principal); | |
1068 | // Copying the config for now. Should compare if the same | |
1069 | // and recredential if needed. | |
1070 | oconf->krb5_principal = nconf->krb5_principal; | |
1071 | } |
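Review bot: `oconf->krb5_principal = nconf->krb5_principal;` on line 1070 makes the old config share the heap string owned by the new one after freeing its own copy, but `nconf->krb5_principal` is left pointing at the same buffer; if the caller later frees or reloads `nconf` (this commit adds `free_config` calls on several paths elsewhere), `oconf` is left dangling or the string is freed twice. Transfer ownership explicitly, `oconf->krb5_principal = nconf->krb5_principal; nconf->krb5_principal = NULL;`, or `strdup` the value. The comment on lines 1068-1069 already notes that comparison is deferred; it should also say who owns the string afterwards. `use_libwrap = nconf->use_libwrap;` changes a file-scope flag without touching the listener, which is fine only if libwrap is consulted per accepted connection — not visible here. The middle of auditd_tcp_listen_reconfigure lies between the two hunks.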
437 | 437 | shutdown_dispatcher(); |
438 | 438 | return; |
439 | 439 | } |
440 | cur_event->ack_func = NULL; | |
440 | 441 | } |
441 | 442 | if (audit_get_reply(fd, &cur_event->reply, |
442 | 443 | GET_REPLY_NONBLOCKING, 0) > 0) { |
623 | 624 | setrlimit(RLIMIT_CPU, &limit); |
624 | 625 | |
625 | 626 | /* Load the Configuration File */ |
626 | if (load_config(&config, TEST_AUDITD)) | |
627 | if (load_config(&config, TEST_AUDITD)) { | |
628 | free_config(&config); | |
627 | 629 | return 6; |
630 | } | |
628 | 631 | |
629 | 632 | // This can only be set at start up |
630 | 633 | opt_aggregate_only = !config.local_events; |
635 | 638 | if (rc == -1 && errno) { |
636 | 639 | audit_msg(LOG_ERR, "Cannot change priority (%s)", |
637 | 640 | strerror(errno)); |
641 | free_config(&config); | |
638 | 642 | return 1; |
639 | 643 | } |
640 | 644 | } |
645 | 649 | audit_msg(LOG_ERR, "Cannot daemonize (%s)", |
646 | 650 | strerror(errno)); |
647 | 651 | tell_parent(FAILURE); |
652 | free_config(&config); | |
648 | 653 | return 1; |
649 | 654 | } |
650 | 655 | openlog("auditd", LOG_PID, LOG_DAEMON); |
654 | 659 | if ((fd = audit_open()) < 0) { |
655 | 660 | audit_msg(LOG_ERR, "Cannot open netlink audit socket"); |
656 | 661 | tell_parent(FAILURE); |
662 | free_config(&config); | |
657 | 663 | return 1; |
658 | 664 | } |
659 | 665 | |
663 | 669 | if (pidfile) |
664 | 670 | unlink(pidfile); |
665 | 671 | tell_parent(FAILURE); |
672 | free_config(&config); | |
666 | 673 | return 1; |
667 | 674 | } |
668 | 675 | |
670 | 677 | if (pidfile) |
671 | 678 | unlink(pidfile); |
672 | 679 | tell_parent(FAILURE); |
680 | free_config(&config); | |
673 | 681 | return 1; |
674 | 682 | } |
675 | 683 | |
678 | 686 | if (pidfile) |
679 | 687 | unlink(pidfile); |
680 | 688 | tell_parent(FAILURE); |
689 | free_config(&config); | |
681 | 690 | return 1; |
682 | 691 | } |
683 | 692 | |
686 | 695 | if (pidfile) |
687 | 696 | unlink(pidfile); |
688 | 697 | tell_parent(FAILURE); |
698 | free_config(&config); | |
689 | 699 | return 1; |
690 | 700 | } |
691 | 701 | fcntl(pipefds[0], F_SETFD, FD_CLOEXEC); |
703 | 713 | unlink(pidfile); |
704 | 714 | tell_parent(FAILURE); |
705 | 715 | close_pipes(); |
716 | free_config(&config); | |
706 | 717 | return 1; |
707 | 718 | } |
708 | 719 | if (getsubj(subj)) |
724 | 735 | shutdown_dispatcher(); |
725 | 736 | tell_parent(FAILURE); |
726 | 737 | close_pipes(); |
738 | free_config(&config); | |
727 | 739 | return 1; |
728 | 740 | } |
729 | 741 | } |
757 | 769 | shutdown_dispatcher(); |
758 | 770 | tell_parent(FAILURE); |
759 | 771 | close_pipes(); |
772 | free_config(&config); | |
760 | 773 | return 1; |
761 | 774 | } |
762 | 775 | |
780 | 793 | shutdown_dispatcher(); |
781 | 794 | tell_parent(FAILURE); |
782 | 795 | close_pipes(); |
796 | free_config(&config); | |
783 | 797 | return 1; |
784 | 798 | } |
785 | 799 |
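Review bot: `free_config(&config);` is now repeated before twelve separate `return 1` paths across these hunks (lines 628-796), each preceded by a slightly different unwind sequence of `unlink(pidfile)`, `tell_parent(FAILURE)` and `close_pipes()`; one missed path reintroduces the leak the commit is fixing. A single exit label, `fail: free_config(&config); return 1;`, reached by `goto fail` from each site keeps the unwinding in one place, with the `return 6` on the `load_config` failure at line 627 handled by a second label or a local return code. `main` starts and ends outside these hunks, so the success-path teardown is not visible. The `cur_event->ack_func = NULL;` added in the netlink-handler hunk has no comment; one line stating why the field must be reset on this path would help the next reader, since the field is also cleared in `enqueue_event` in this commit.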
212 | 212 | { |
213 | 213 | if (scan(entries)) { |
214 | 214 | // If its a single event or SYSCALL load interpretations |
215 | if ((entries->cnt == 1) || (entries->head && | |
216 | entries->head->type == AUDIT_SYSCALL)) | |
215 | if ((entries->cnt == 1) || | |
216 | (entries->head->type == AUDIT_SYSCALL)) | |
217 | 217 | _auparse_load_interpretations(entries->head->interp); |
218 | 218 | // This is the per entry action item |
219 | 219 | if (per_event_processing(entries)) |
235 | 235 | /* For each event in file */ |
236 | 236 | do { |
237 | 237 | ret = get_event(&entries); |
238 | if ((ret != 0)||(entries->cnt == 0)) | |
238 | if ((ret != 0)||(entries->cnt == 0)||(entries->head == NULL)) | |
239 | 239 | break; |
240 | 240 | // If report is RPT_TIME or RPT_SUMMARY, get |
241 | 241 | if (report_type <= RPT_SUMMARY) { |
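Review bot: The rewritten condition on lines 215-216 drops the `entries->head &&` guard, so `entries->head->type` is dereferenced whenever `cnt != 1`; the commit compensates by adding `entries->head == NULL` to the loop break in the second hunk, but the function starting at line 212 is protected only if that loop is its sole caller, which is not visible here (its signature lies above the hunk). A cheap local guard, `if (entries->head && (entries->cnt == 1 || entries->head->type == AUDIT_SYSCALL))`, keeps the function safe regardless of caller. Note that the `_auparse_load_interpretations(entries->head->interp)` call on line 217 already dereferenced `head` when `cnt == 1`, so the old guard was only partial.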