Imported Upstream version 2.6.4 Laurent Bigonville 7 years ago
30 changed file(s) with 272 addition(s) and 92 deletion(s). Raw diff Collapse all Expand all
0 2.6.4
1 - Fix interpretation of saddr fields when using enriched events
2 - In netlink_handler of auditd, ensure ack_func is initialized to NULL
3 - Use full path to auditctl in augenrules
4 - Raise the number of log files auditd allows to 999
5 - In auditd reconfig, update use_libwrap setting
6 - Fix memory leak in reconfigure
7 - Add EHWPOISON definition for errno lookup table if missing (Thomas Petazzoni)
8 - Better detect struct audit_status existence (Thomas Petazzoni)
9 - Rework dispatcher protocol 1 to be what it used to be
10
011 2.6.3
112 - Fix NULL poiinter deref in auparse
213 - Optionally add dependency to libcap-ng in audit.pc
00 Things that need to be done:
11 ===========================
2 2.6.4
2 2.6.5
3 * When interpretting sockaddr, use syscall to determine remote vs local
34 * Look for more static variables in auparse and move to auparse_state_t
4 * Raise the number of files auditd allows
55
66 2.7
77 * Add metadata in auparse for subj,obj,action,results
88 * Formats for ausearch output
99 * Add ability to suppress types of records (drop_records)
10 * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
11 * Support mutiple time streams when searching
1012
1113 2.7.1
1214 * Look at pulling audispd into auditd
1315 * Consolidate linked lists and other functions
16 * Consolidate parsing code between libaudit and auditd-conf.c
17 * If relative file in cwd, need to build also (realpath). watch out for (null) and socket
1418
1519 3.0
1620 * Basic HIDS
1923 * Performance improvements for auparse
2024 * If auparse input is a pipe timeout events by wall clock
2125 * Add rule verify to detect mismatch between in-kernel and on-disk rules
26 * ausearch --op search
2227
2328 3.0.1
2429 * Fix auvirt to report AVC's and --proof for --all-events
2934
3035 3.0.2
3136 * When searching, build log time list & only read the ones that are in range
32 * Change ausearch-string to be AVL based
3337 * Look at adding the direction read/write to file report (threat modelling)
3438 * Changes in uid/gid, failed changes in credentials in aureport
35 * aureport get specific reports working
36 * Remove evil getopt cruft in auditctl
37 * Group message types in ausearch help.
39 * Group event types in ausearch help.
3840
3941 3.1
4042 * Allow -F path!=/var/my/app
4143 * Add ignore action for rules
4244 * Look at openat and why passed dir is not given
4345 * Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid.
44 * Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPCcall.
4546 * Fix aureport accounting for avc in permissive mode
4647 * rework ausearch to use auparse
4748 * rework aureport to use auparse
4849
49 2.8
50 * Consolidate parsing code between libaudit and auditd-conf.c
50 3.1.1
5151 * Look at variadic avc logging patch
52 * If relative file in cwd, need to build also (realpath). watch out for (null) and socket
53 * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
5452 * add more libaudit man pages
55 * ausearch --op search
5653 * Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide
57
58 2.9
59 Add scheduling options: strict, relaxed, loose (determines user space queueing)
60 Allow users to specify message types to be kept for logging
6154 Allow users to specify fields to be kept for logging
62 Pretty Print ausearch messages (strace style?)
63 Look at modifying kernel rule matcher to do: first match & match all
22 # arguments provided can be the default priority that you
33 # want the events written with. And optionally, you can give
44 # a second argument indicating the facility that you want events
5 # logged to. Valid options are LOG_LOCAL0 through 7.
5 # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
6 # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.
67
78 active = no
89 direction = out
11
22 Summary: User space tools for 2.6 kernel auditing
33 Name: audit
4 Version: 2.6.3
4 Version: 2.6.4
55 Release: 1
66 License: GPLv2+
77 Group: System Environment/Daemons
262262
263263
264264 %changelog
265 * Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-1
265 * Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-1
266266 - New upstream release
267267
341341 int load_interpretation_list(const char *buffer)
342342 {
343343 char *saved = NULL, *ptr;
344 char *buf;
344 char *buf, *val;
345 nvnode n;
345346
346347 if (buffer == NULL)
347348 return 0;
348349
349350 buf = strdup(buffer);
350 ptr = audit_strsplit_r(buf, &saved);
351 if (ptr == NULL) {
351 if (strncmp(buf, "SADDR=", 6) == 0) {
352 // We have SOCKADDR record. It has no other values.
353 // Handle it by itself.
354 ptr = strchr(buf+6, '{');
355 if (ptr) {
356 val = ptr;
357 ptr = strchr(val, '}');
358 if (ptr) {
359 n.name = strdup("saddr");
360 n.val = strdup(val);
361 nvlist_append(&il, &n);
362 nvlist_interp_fixup(&il);
363 free(buf);
364 return 1;
365 }
366 }
352367 free(buf);
353368 return 0;
354 }
355
356 do {
357 nvnode n;
358 char tmp, *val;
359
360 if (*ptr == '{') {
361 val = ptr+1;
362 ptr = strchr(val, '}');
363 if (ptr) {
364 tmp = *ptr;
365 *ptr = 0;
366 } else
367 continue; // Malformed - skip
368 n.name = strdup("saddr");
369 } else {
369 } else {
370 // We handle everything else in this branch
371 ptr = audit_strsplit_r(buf, &saved);
372 if (ptr == NULL) {
373 free(buf);
374 return 0;
375 }
376
377 do {
378 char tmp;
379
370380 val = strchr(ptr, '=');
371381 if (val) {
372382 *val = 0;
385395 *ptr = 0;
386396 } else
387397 tmp = 0;
388 }
389
390 n.val = strdup(val);
391 nvlist_append(&il, &n);
392 nvlist_interp_fixup(&il);
393 if (ptr)
394 *ptr = tmp;
395 } while((ptr = audit_strsplit_r(NULL, &saved)));
396
398
399 n.val = strdup(val);
400 nvlist_append(&il, &n);
401 nvlist_interp_fixup(&il);
402 if (ptr)
403 *ptr = tmp;
404 } while((ptr = audit_strsplit_r(NULL, &saved)));
405 }
397406 free(buf);
398407 return 1;
399408 }
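Review bot: The new SADDR branch stores the value with its braces and anything that follows the closing one: `val = ptr` still points at the '{', and `n.val = strdup(val)` is taken without terminating the string at the '}' that the `strchr(val, '}')` on the previous line located, whereas the removed loop branch used `val = ptr+1` and zeroed `*ptr` at the '}'. If nvlist_interp_fixup expects the bare contents as before (not visible here), set `val = ptr + 1;` and, once the '}' is found, `*ptr = 0;` before the strdup. Separately, `buf = strdup(buffer)` is now dereferenced by strncmp without a NULL check, so an allocation failure crashes instead of returning 0; `if (buf == NULL) return 0;` after the strdup closes that, and the `strdup("saddr")`/`strdup(val)` results are likewise unchecked before being appended.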
16251625 __swig_getmethods__["conf"] = _audit.audit_reply_conf_get
16261626 if _newclass:
16271627 conf = _swig_property(_audit.audit_reply_conf_get, _audit.audit_reply_conf_set)
1628 __swig_setmethods__["features"] = _audit.audit_reply_features_set
1629 __swig_getmethods__["features"] = _audit.audit_reply_features_get
1630 if _newclass:
1631 features = _swig_property(_audit.audit_reply_features_get, _audit.audit_reply_features_set)
16281632
16291633 def __init__(self):
16301634 this = _audit.new_audit_reply()
14871487 error = _swig_property(_audit.audit_reply_error_get, _audit.audit_reply_error_set)
14881488 signal_info = _swig_property(_audit.audit_reply_signal_info_get, _audit.audit_reply_signal_info_set)
14891489 conf = _swig_property(_audit.audit_reply_conf_get, _audit.audit_reply_conf_set)
1490 features = _swig_property(_audit.audit_reply_features_get, _audit.audit_reply_features_set)
14901491
14911492 def __init__(self):
14921493 this = _audit.new_audit_reply()
8585
8686 /* Define to 1 if you have the <string.h> header file. */
8787 #undef HAVE_STRING_H
88
89 /* Define to 1 if `feature_bitmap' is a member of `struct audit_status'. */
90 #undef HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP
8891
8992 /* Define to 1 if you have the <sys/epoll.h> header file. */
9093 #undef HAVE_SYS_EPOLL_H
00 #! /bin/sh
11 # From configure.ac Revision: 1.3 .
22 # Guess values for system-dependent variables and create Makefiles.
3 # Generated by GNU Autoconf 2.69 for audit 2.6.3.
3 # Generated by GNU Autoconf 2.69 for audit 2.6.4.
44 #
55 #
66 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
587587 # Identity of this package.
588588 PACKAGE_NAME='audit'
589589 PACKAGE_TARNAME='audit'
590 PACKAGE_VERSION='2.6.3'
591 PACKAGE_STRING='audit 2.6.3'
590 PACKAGE_VERSION='2.6.4'
591 PACKAGE_STRING='audit 2.6.4'
592592 PACKAGE_BUGREPORT=''
593593 PACKAGE_URL=''
594594
13911391 # Omit some internal or obsolete options to make the list less imposing.
13921392 # This message is too long to be a string in the A/UX 3.1 sh.
13931393 cat <<_ACEOF
1394 \`configure' configures audit 2.6.3 to adapt to many kinds of systems.
1394 \`configure' configures audit 2.6.4 to adapt to many kinds of systems.
13951395
13961396 Usage: $0 [OPTION]... [VAR=VALUE]...
13971397
14621462
14631463 if test -n "$ac_init_help"; then
14641464 case $ac_init_help in
1465 short | recursive ) echo "Configuration of audit 2.6.3:";;
1465 short | recursive ) echo "Configuration of audit 2.6.4:";;
14661466 esac
14671467 cat <<\_ACEOF
14681468
15891589 test -n "$ac_init_help" && exit $ac_status
15901590 if $ac_init_version; then
15911591 cat <<\_ACEOF
1592 audit configure 2.6.3
1592 audit configure 2.6.4
15931593 generated by GNU Autoconf 2.69
15941594
15951595 Copyright (C) 2012 Free Software Foundation, Inc.
21792179 eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
21802180
21812181 } # ac_fn_c_check_decl
2182
2183 # ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
2184 # ----------------------------------------------------
2185 # Tries to find if the field MEMBER exists in type AGGR, after including
2186 # INCLUDES, setting cache variable VAR accordingly.
2187 ac_fn_c_check_member ()
2188 {
2189 as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
2190 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
2191 $as_echo_n "checking for $2.$3... " >&6; }
2192 if eval \${$4+:} false; then :
2193 $as_echo_n "(cached) " >&6
2194 else
2195 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
2196 /* end confdefs.h. */
2197 $5
2198 int
2199 main ()
2200 {
2201 static $2 ac_aggr;
2202 if (ac_aggr.$3)
2203 return 0;
2204 ;
2205 return 0;
2206 }
2207 _ACEOF
2208 if ac_fn_c_try_compile "$LINENO"; then :
2209 eval "$4=yes"
2210 else
2211 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
2212 /* end confdefs.h. */
2213 $5
2214 int
2215 main ()
2216 {
2217 static $2 ac_aggr;
2218 if (sizeof ac_aggr.$3)
2219 return 0;
2220 ;
2221 return 0;
2222 }
2223 _ACEOF
2224 if ac_fn_c_try_compile "$LINENO"; then :
2225 eval "$4=yes"
2226 else
2227 eval "$4=no"
2228 fi
2229 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
2230 fi
2231 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
2232 fi
2233 eval ac_res=\$$4
2234 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
2235 $as_echo "$ac_res" >&6; }
2236 eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
2237
2238 } # ac_fn_c_check_member
21822239 cat >config.log <<_ACEOF
21832240 This file contains any messages produced by compilers while
21842241 running configure, to aid debugging if configure makes a mistake.
21852242
2186 It was created by audit $as_me 2.6.3, which was
2243 It was created by audit $as_me 2.6.4, which was
21872244 generated by GNU Autoconf 2.69. Invocation command line was
21882245
21892246 $ $0 $@
31623219
31633220 # Define the identity of the package.
31643221 PACKAGE='audit'
3165 VERSION='2.6.3'
3222 VERSION='2.6.4'
31663223
31673224
31683225 cat >>confdefs.h <<_ACEOF
1457414631 #define HAVE_DECL_AUDIT_FEATURE_VERSION $ac_have_decl
1457514632 _ACEOF
1457614633
14634 ac_fn_c_check_member "$LINENO" "struct audit_status" "feature_bitmap" "ac_cv_member_struct_audit_status_feature_bitmap" "#include <linux/audit.h>
14635 "
14636 if test "x$ac_cv_member_struct_audit_status_feature_bitmap" = xyes; then :
14637
14638 cat >>confdefs.h <<_ACEOF
14639 #define HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP 1
14640 _ACEOF
14641
14642
14643 fi
14644
1457714645 ac_fn_c_check_decl "$LINENO" "AUDIT_VERSION_BACKLOG_WAIT_TIME" "ac_cv_have_decl_AUDIT_VERSION_BACKLOG_WAIT_TIME" "#include <linux/audit.h>
1457814646 "
1457914647 if test "x$ac_cv_have_decl_AUDIT_VERSION_BACKLOG_WAIT_TIME" = xyes; then :
1642916497 # report actual input values of CONFIG_FILES etc. instead of their
1643016498 # values after options handling.
1643116499 ac_log="
16432 This file was extended by audit $as_me 2.6.3, which was
16500 This file was extended by audit $as_me 2.6.4, which was
1643316501 generated by GNU Autoconf 2.69. Invocation command line was
1643416502
1643516503 CONFIG_FILES = $CONFIG_FILES
1649516563 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
1649616564 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
1649716565 ac_cs_version="\\
16498 audit config.status 2.6.3
16566 audit config.status 2.6.4
1649916567 configured by $0, generated by GNU Autoconf 2.69,
1650016568 with options \\"\$ac_cs_config\\"
1650116569
2828 ])
2929
3030 AC_REVISION($Revision: 1.3 $)dnl
31 AC_INIT(audit,2.6.3)
31 AC_INIT(audit,2.6.4)
3232 AC_PREREQ(2.12)dnl
3333 AM_CONFIG_HEADER(config.h)
3434
6363 AC_CHECK_SIZEOF([unsigned long])
6464 AM_PROG_CC_C_O
6565 AC_CHECK_DECLS([AUDIT_FEATURE_VERSION], [], [], [[#include <linux/audit.h>]])
66 AC_CHECK_MEMBERS([struct audit_status.feature_bitmap], [], [], [[#include <linux/audit.h>]])
6667 AC_CHECK_DECLS([AUDIT_VERSION_BACKLOG_WAIT_TIME], [], [], [[#include <linux/audit.h>]])
6768 AC_CHECK_DECLS([ADDR_NO_RANDOMIZE],,, [#include <sys/personality.h>])
6869 dnl; posix_fallocate is used in audisp-remote
4747 auparse_get_type.3 auparse_get_type_name.3 auparse_init.3 \
4848 auparse_interpret_field.3 \
4949 auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \
50 auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \
51 ausearch-expression.5 \
50 auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \
51 auparse_timestamp_compare.3 ausearch-expression.5 \
5252 aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \
5353 ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \
5454 ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \
361361 auparse_get_type.3 auparse_get_type_name.3 auparse_init.3 \
362362 auparse_interpret_field.3 \
363363 auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \
364 auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \
365 ausearch-expression.5 \
364 auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \
365 auparse_timestamp_compare.3 ausearch-expression.5 \
366366 aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \
367367 ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \
368368 ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \
7474 This keyword specifies the number of log files to keep if rotate is given
7575 as the
7676 .I max_log_file_action.
77 If the number is < 2, logs are not rotated. This number must be 99 or less.
77 If the number is < 2, logs are not rotated. This number must be 999 or less.
7878 The default is 0 - which means no rotation. As you increase the number of log files being rotated, you may need to adjust the kernel backlog setting upwards since it takes more time to rotate the files. This is typically done in /etc/audit/audit.rules. If log rotation is configured to occur, the daemon will check for excess logs and remove them in effort to keep disk space available. The excess log check is only done on startup and when a reconfigure results in a space check.
7979 .TP
8080 .I disp_qos
0 .TH "AUPARSE_INTERPRET_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
0 .TH "AUPARSE_INTERPRET_FIELD" "3" "July 2016" "Red Hat" "Linux Audit API"
11 .SH NAME
22 auparse_interpret_field \- get current field's value interpreted
33 .SH "SYNOPSIS"
77
88 .SH "DESCRIPTION"
99
10 auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use.
10 auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned string is escaped using the chosen method. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use.
1111
1212 Examples of things that could be interpreted are: uid, gid, syscall numbers, exit codes, file paths, socket addresses, permissions, modes, and capabilities. There are likely to be more in the future. If a value cannot be interpreted, its original value is returned.
1313
1717
1818 .SH "SEE ALSO"
1919
20 .BR auparse_get_field_str (3).
20 .BR auparse_get_field_str (3), auparse_set_escape_mode (3).
2121
2222 .SH AUTHOR
2323 Steve Grubb
0 .TH "AUPARSE_SET_ESCAPE_MODE" "3" "July 2016" "Red Hat" "Linux Audit API"
1 .SH NAME
2 auparse_set_escape_mode \- choose escape method
3 .SH "SYNOPSIS"
4 .B #include <auparse.h>
5 .sp
6 void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode);
7
8 .SH "DESCRIPTION"
9
10 auparse_set_escape_mode is used to set the escaping method that will be used to output interpretted text. The choices for the mode variable are:
11
12 .RS
13 .TP
14 .B AUPARSE_ESC_RAW
15 No escaping of any kind is done.
16 .TP
17 .B AUPARSE_ESC_TTY
18 Escape TTY control characters so that they are harmless to display on a terminal. When any control character is found, they are displayed as octal numbers. This is the default mode that the auparse library is initialized with.
19 .TP
20 .B AUPARSE_ESC_SHELL
21 Besides escaping control characters, this will escape some characters that can cause problems when used with shell scripting. Any escaped control characters are displayed as octal numbers. Other escaped characters are proceeded with a backslash. The additional characters it escapes are: " ' ` $ \\
22 .TP
23 .B AUPARSE_ESC_SHELL_QUOTE
24 Similar to
25 .I AUPARSE_ESC_SHELL
26 but expands the character set to include shell operators. Any escaped control characters are displayed as octal numbers. Other escaped characters are proceeded with a backslash. The additional characters it escapes include: ; ' \ " ` # $ & * ? [ ] < > { } \\
27 .RE
28
29
30 .SH "RETURN VALUE"
31
32 None
33
34 .SH "SEE ALSO"
35
36 .BR auparse_interpret_field (3).
37
38 .SH AUTHOR
39 Steve Grubb
2323 admin_space_left_action = SUSPEND
2424 disk_full_action = SUSPEND
2525 disk_error_action = SUSPEND
26 use_libwrap = yes
2627 ##tcp_listen_port =
2728 tcp_listen_queue = 5
2829 tcp_max_per_addr = 1
3838
3939 try_load() {
4040 if [ $LoadRules -eq 1 ] ; then
41 auditctl -R ${DestinationFile}
41 /sbin/auditctl -R ${DestinationFile}
4242 RETVAL=$?
4343 fi
4444 }
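Review bot: The hard-coded `/sbin/auditctl` ties the script to one install layout; on a build whose sbindir differs the load fails and only RETVAL records it. If this script is generated at build time, substituting the configured directory (`@sbindir@/auditctl`) would be more robust than a literal path; either way the argument should be quoted on that line: `/sbin/auditctl -R "${DestinationFile}"`.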
5353 #define SHMDT 22
5454 #define SHMGET 23
5555 #define SHMCTL 24
56
57 /*
58 * Defines EHWPOISON to the value found in uapi/asm-generic/errno.h,
59 * which is correct for most (but not all architectures).
60 */
61 #ifndef EHWPOISON
62 #define EHWPOISON 133
63 #endif
5664
5765
5866 /* The ratio of table size to number of non-empty elements allowed for a
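Review bot: The comment's parenthesis is misplaced — `most (but not all architectures)` reads better as `most (but not all) architectures` — and it should say what the fallback means in practice: on an architecture whose errno numbering differs, a libc that lacks the macro makes this table label 133 with a name that may be wrong there. Suggested comment: `/* Fallback for libcs that lack EHWPOISON: 133 is the uapi/asm-generic/errno.h value, which is correct for most (but not all) architectures. */`.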
514514
515515 int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock)
516516 {
517 #if HAVE_DECL_AUDIT_FEATURE_VERSION
517 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
518 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
518519 int rc;
519520 struct audit_features f;
520521
538539
539540 int audit_request_features(int fd)
540541 {
541 #if HAVE_DECL_AUDIT_FEATURE_VERSION
542 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
543 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
542544 int rc;
543545 struct audit_features f;
544546
557559
558560 extern int audit_set_loginuid_immutable(int fd)
559561 {
560 #if HAVE_DECL_AUDIT_FEATURE_VERSION
562 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
563 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
561564 return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1);
562565 #else
563566 errno = EINVAL;
578581 return;
579582 }
580583
581 #if HAVE_DECL_AUDIT_FEATURE_VERSION
584 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
585 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
582586 if ((rc = audit_request_status(fd)) > 0) {
583587 struct audit_reply rep;
584588 int i;
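Review bot: `defined(HAVE_DECL_AUDIT_FEATURE_VERSION)` is always true when config.h comes from AC_CHECK_DECLS, because that macro defines HAVE_DECL_* to 0 when the declaration is absent rather than leaving it undefined; the old `#if HAVE_DECL_AUDIT_FEATURE_VERSION` tested the value. After this change the four guards in this section (audit_set_feature, audit_request_features, audit_set_loginuid_immutable and the audit_request_status block) depend only on HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP, which AC_CHECK_MEMBERS does leave undefined when the member is missing. `#if HAVE_DECL_AUDIT_FEATURE_VERSION && defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)` keeps both conditions meaningful. The same pattern recurs in the reply-handling section, the AUDIT_GET_FEATURE printing case and auditctl's usage text and long_opts below.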
425425 struct nlmsgerr *error;
426426 struct audit_sig_info *signal_info;
427427 struct daemon_conf *conf;
428 #if HAVE_DECL_AUDIT_FEATURE_VERSION
428 #ifdef AUDIT_FEATURE_BITMAP_ALL
429429 struct audit_features *features;
430430 #endif
431431 };
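Review bot: The `features` member is now guarded by `#ifdef AUDIT_FEATURE_BITMAP_ALL`, while every use of `rep->features` elsewhere in this commit is guarded by HAVE_DECL_AUDIT_FEATURE_VERSION together with HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP. With headers where those conditions disagree, `rep->features = NULL` would name a member that does not exist, or the member would exist but never be initialized; whether such headers occur is not visible here, but using one guard for both sides removes the question. struct audit_reply starts before this hunk.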
146146 rep->error = NULL;
147147 rep->signal_info = NULL;
148148 rep->conf = NULL;
149 #if HAVE_DECL_AUDIT_FEATURE_VERSION
149 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
150 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
150151 rep->features = NULL;
151152 #endif
152153 if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
171172 case AUDIT_GET:
172173 rep->status = NLMSG_DATA(rep->nlh);
173174 break;
174 #if HAVE_DECL_AUDIT_FEATURE_VERSION
175 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
176 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
175177 case AUDIT_GET_FEATURE:
176178 rep->features = NLMSG_DATA(rep->nlh);
177179 break;
549549 #endif
550550 printed = 1;
551551 break;
552 #if HAVE_DECL_AUDIT_FEATURE_VERSION
552 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
553 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
553554 case AUDIT_GET_FEATURE:
554555 {
555556 uint32_t mask = AUDIT_FEATURE_TO_MASK(AUDIT_FEATURE_LOGINUID_IMMUTABLE);
128128 " -v Version\n"
129129 " -w <path> Insert watch at <path>\n"
130130 " -W <path> Remove watch at <path>\n"
131 #if HAVE_DECL_AUDIT_FEATURE_VERSION
131 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
132 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
132133 " --loginuid-immutable Make loginuids unchangeable once set\n"
133134 #endif
134135 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME
515516
516517 struct option long_opts[] =
517518 {
518 #if HAVE_DECL_AUDIT_FEATURE_VERSION
519 #if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
520 defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
519521 {"loginuid-immutable", 0, NULL, 1},
520522 #endif
521523 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME
657657 strerror(errno), line);
658658 return 1;
659659 }
660 if (i > 99) {
661 audit_msg(LOG_ERR, "num_logs must be 99 or less");
660 if (i > 999) {
661 audit_msg(LOG_ERR, "num_logs must be 999 or less");
662662 return 1;
663663 }
664664 config->num_logs = i;
157157 kill(pid, SIGHUP);
158158 else
159159 init_dispatcher(config);
160
161 if (config->log_format == LF_ENRICHED)
162 protocol_ver = AUDISP_PROTOCOL_VER2;
163 else
164 protocol_ver = AUDISP_PROTOCOL_VER;
160165 }
161166
162167 /* Returns -1 on err, 0 on success, and 1 if eagain occurred and not an err */
181186
182187 vec[0].iov_base = (void*)&hdr;
183188 vec[0].iov_len = sizeof(hdr);
184 vec[1].iov_base = (void*)rep->msg.data;
185 vec[1].iov_len = rep->len;
189 if (protocol_ver == AUDISP_PROTOCOL_VER) {
190 vec[1].iov_base = (void*)rep->message;
191 vec[1].iov_len = rep->msg.nlh.nlmsg_len;
192 } else {
193 vec[1].iov_base = (void*)rep->msg.data;
194 vec[1].iov_len = rep->len;
195 }
186196
187197 do {
188198 rc = writev(disp_pipe[1], vec, 2);
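Review bot: `protocol_ver` is assigned only in the reconfigure path shown in the first hunk, after the `init_dispatcher(config)` call, and nothing in this section initializes it at start-up; if init_dispatcher does not also derive it from `config->log_format`, the first writev after start-up uses the static default regardless of the configured format. Both functions start before their hunks, so the start-up path may simply be out of view — worth confirming. Computing it in one place, `protocol_ver = (config->log_format == LF_ENRICHED) ? AUDISP_PROTOCOL_VER2 : AUDISP_PROTOCOL_VER;`, called from both init and reconfigure, would settle it.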
201201 e->reply.msg.data[MAX_AUDIT_MESSAGE_LENGTH-1] = 0;
202202 len = MAX_AUDIT_MESSAGE_LENGTH;
203203 }
204 e->reply.msg.nlh.nlmsg_len = e->reply.len;
204205 e->reply.len = len;
205206 }
206207 }
448449 free(e);
449450 }
450451
451 /* This function takes a local event and sends it to the handler */
452 /* This function takes a reconfig event and sends it to the handler */
452453 void enqueue_event(struct auditd_event *e)
453454 {
454455 e->ack_func = NULL;
456457 e->sequence_id = 0;
457458
458459 handle_event(e);
460 cleanup_event(e);
459461 }
460462
461463 /* This function allocates memory and fills the event fields with
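Review bot: In the truncation block, `e->reply.msg.nlh.nlmsg_len = e->reply.len;` copies the field's previous value one line before `e->reply.len = len;` overwrites it with the clamped length, so the two can differ exactly when the message was cut at MAX_AUDIT_MESSAGE_LENGTH; since the protocol-1 path in the dispatcher sends `nlmsg_len` bytes, this looks like an ordering slip. If they are meant to agree, write `e->reply.msg.nlh.nlmsg_len = len;` or move the assignment after the next line. The enclosing function starts before the hunk, so the earlier value of e->reply.len is not visible; the `cleanup_event(e)` added to enqueue_event is fine provided handle_event does not already release the event, which is also not visible here.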
00 /* auditd-listen.c --
1 * Copyright 2008,2009,2011 Red Hat Inc., Durham, North Carolina.
1 * Copyright 2008,2009,2011,2016 Red Hat Inc., Durham, North Carolina.
22 * All Rights Reserved.
33 *
44 * This program is free software; you can redistribute it and/or modify
1717 *
1818 * Authors:
1919 * DJ Delorie <dj@redhat.com>
20 * Steve Grubb <sgrubb@redhat.com>
2021 *
2122 */
2223
108109 return buf;
109110 }
110111
111 static void set_close_on_exec (int fd)
112 static void set_close_on_exec(int fd)
112113 {
113114 int flags = fcntl (fd, F_GETFD);
114115 if (flags == -1)
10401041 void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
10411042 struct daemon_conf *oconf )
10421043 {
1044 use_libwrap = nconf->use_libwrap;
1045
10431046 /* Look at network things that do not need restarting */
10441047 if (oconf->tcp_client_min_port != nconf->tcp_client_min_port ||
10451048 oconf->tcp_client_max_port != nconf->tcp_client_max_port ||
10611064 oconf->tcp_listen_queue = nconf->tcp_listen_queue;
10621065 // FIXME: need to restart the network stuff
10631066 }
1064 }
1067 free(oconf->krb5_principal);
1068 // Copying the config for now. Should compare if the same
1069 // and recredential if needed.
1070 oconf->krb5_principal = nconf->krb5_principal;
1071 }
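Review bot: `oconf->krb5_principal = nconf->krb5_principal;` after `free(oconf->krb5_principal)` leaves both configs pointing at one string, so if the caller later releases nconf the old config holds a dangling pointer and a second release of either would be a double free. Either duplicate it, `oconf->krb5_principal = nconf->krb5_principal ? strdup(nconf->krb5_principal) : NULL;`, or transfer ownership explicitly with `nconf->krb5_principal = NULL;` right after the assignment, and say which in the comment. The `use_libwrap = nconf->use_libwrap;` line at the top is the fix the ChangeLog describes. The function body between the two hunks is not shown.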
437437 shutdown_dispatcher();
438438 return;
439439 }
440 cur_event->ack_func = NULL;
440441 }
441442 if (audit_get_reply(fd, &cur_event->reply,
442443 GET_REPLY_NONBLOCKING, 0) > 0) {
623624 setrlimit(RLIMIT_CPU, &limit);
624625
625626 /* Load the Configuration File */
626 if (load_config(&config, TEST_AUDITD))
627 if (load_config(&config, TEST_AUDITD)) {
628 free_config(&config);
627629 return 6;
630 }
628631
629632 // This can only be set at start up
630633 opt_aggregate_only = !config.local_events;
635638 if (rc == -1 && errno) {
636639 audit_msg(LOG_ERR, "Cannot change priority (%s)",
637640 strerror(errno));
641 free_config(&config);
638642 return 1;
639643 }
640644 }
645649 audit_msg(LOG_ERR, "Cannot daemonize (%s)",
646650 strerror(errno));
647651 tell_parent(FAILURE);
652 free_config(&config);
648653 return 1;
649654 }
650655 openlog("auditd", LOG_PID, LOG_DAEMON);
654659 if ((fd = audit_open()) < 0) {
655660 audit_msg(LOG_ERR, "Cannot open netlink audit socket");
656661 tell_parent(FAILURE);
662 free_config(&config);
657663 return 1;
658664 }
659665
663669 if (pidfile)
664670 unlink(pidfile);
665671 tell_parent(FAILURE);
672 free_config(&config);
666673 return 1;
667674 }
668675
670677 if (pidfile)
671678 unlink(pidfile);
672679 tell_parent(FAILURE);
680 free_config(&config);
673681 return 1;
674682 }
675683
678686 if (pidfile)
679687 unlink(pidfile);
680688 tell_parent(FAILURE);
689 free_config(&config);
681690 return 1;
682691 }
683692
686695 if (pidfile)
687696 unlink(pidfile);
688697 tell_parent(FAILURE);
698 free_config(&config);
689699 return 1;
690700 }
691701 fcntl(pipefds[0], F_SETFD, FD_CLOEXEC);
703713 unlink(pidfile);
704714 tell_parent(FAILURE);
705715 close_pipes();
716 free_config(&config);
706717 return 1;
707718 }
708719 if (getsubj(subj))
724735 shutdown_dispatcher();
725736 tell_parent(FAILURE);
726737 close_pipes();
738 free_config(&config);
727739 return 1;
728740 }
729741 }
757769 shutdown_dispatcher();
758770 tell_parent(FAILURE);
759771 close_pipes();
772 free_config(&config);
760773 return 1;
761774 }
762775
780793 shutdown_dispatcher();
781794 tell_parent(FAILURE);
782795 close_pipes();
796 free_config(&config);
783797 return 1;
784798 }
785799
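Review bot: Thirteen error exits in main now repeat `free_config(&config); return 1;` next to tell_parent/close_pipes/unlink, which is the case a single cleanup label handles more safely: `rc = 1; goto err_free;` at each site and `err_free: free_config(&config); return rc;` at the bottom, so the next exit path added cannot forget the free. The `return 6` path after a failed load_config also frees the config, which relies on free_config tolerating fields load_config never set — not visible here. main starts and ends outside these hunks.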
212212 {
213213 if (scan(entries)) {
214214 // If its a single event or SYSCALL load interpretations
215 if ((entries->cnt == 1) || (entries->head &&
216 entries->head->type == AUDIT_SYSCALL))
215 if ((entries->cnt == 1) ||
216 (entries->head->type == AUDIT_SYSCALL))
217217 _auparse_load_interpretations(entries->head->interp);
218218 // This is the per entry action item
219219 if (per_event_processing(entries))
235235 /* For each event in file */
236236 do {
237237 ret = get_event(&entries);
238 if ((ret != 0)||(entries->cnt == 0))
238 if ((ret != 0)||(entries->cnt == 0)||(entries->head == NULL))
239239 break;
240240 // If report is RPT_TIME or RPT_SUMMARY, get
241241 if (report_type <= RPT_SUMMARY) {
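Review bot: Dropping `entries->head &&` from the condition in the first hunk moves the NULL guard to the caller loop's new `entries->head == NULL` check; that is safe only if the loop shown is the sole caller of that function, which is not visible here. Keeping the cheap guard in place, `(entries->head && entries->head->type == AUDIT_SYSCALL)`, costs nothing and does not depend on every caller checking first. Both functions start before their hunks.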
370370 const char **p_user, time_t *p_time, const char **p_name,
371371 int *p_suc)
372372 {
373 const char *field;
373 const char *field = NULL;
374374 auparse_first_record(au);
375375
376376 /* Order matters */