[PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
by Peng Haitao
Hello Steve,
Executing the command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): op=updated rules specifying path="/home/pht/source/sys_temp" with dev=4294967295 ino=4294967295 list=-672208416 res=1' | ausearch -r" produces no output at all.
The log is from /var/log/audit/audit.log and not modified.
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 141fdee..0c38be1 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
// get loginuid
str = strstr(n->message, "auid=");
if (str == NULL)
- return 1;
+ return 0;
ptr = str + 5;
term = strchr(ptr, ' ');
if (term)
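Review bot: The new `return 0;` makes a missing `auid=` field a non-error, but nothing on that path assigns `s->loginuid`, so whatever the caller pre-set (presumably an "unset" sentinel) is what a later loginuid search compares against; a comment should make that explicit: `return 0; /* auid= is optional for this record type; s->loginuid stays unset */`. The magic offset `str + 5` is the length of the "auid=" literal and would read better as `str + strlen("auid=")` so the two cannot drift apart. parse_simple_message() begins and ends outside this hunk.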
--
1.5.4.2
--
Regards
Peng Haitao
[Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
by chuli
Hi Steve,
When I use "-a user,always -S open", an error is reported. But when I use
"-S open -a user,always", no error is reported. There is no corresponding
code to handle the latter argument order.
Here is my patch. Hope for your opinion about such modification.
(I move the code for checking "task" list to the handle_request().)
Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..9cc3df0 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
retval = -2;
break;
case 'a':
- if (strstr(optarg, "task") && audit_syscalladded) {
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
+ retval = -1;
+ } else if (rc == 2) {
fprintf(stderr,
- "Syscall auditing requested for task list\n");
+ "Append rule - bad keyword %s\n",
+ optarg);
retval = -1;
- } else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Append rule - bad keyword %s\n",
- optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else
- retval = 1; /* success - please send */
- }
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
+ } else
+ retval = 1; /* success - please send */
break;
case 'A':
- if (strstr(optarg, "task") && audit_syscalladded) {
- fprintf(stderr,
- "Error: syscall auditing requested for task list\n");
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
retval = -1;
+ } else if (rc == 2) {
+ fprintf(stderr,
+ "Add rule - bad keyword %s\n", optarg);
+ retval = -1;
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
} else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Add rule - bad keyword %s\n", optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else {
- add |= AUDIT_FILTER_PREPEND;
- retval = 1; /* success - please send */
- }
+ add |= AUDIT_FILTER_PREPEND;
+ retval = 1; /* success - please send */
}
break;
case 'd':
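Review bot: The `'a'` and `'A'` cases are now two near-identical copies of the `audit_rule_setup()` result handling, differing only in the "Append"/"Add" wording and the `AUDIT_FILTER_PREPEND` bit, and the `'A'` copy still prints `"Append rule - possible is deprecated\n"` for `rc == 1` although its `rc == 2` message says "Add". Folding the shared part into one static helper that takes the verb removes both the duplication and the wording mismatch. setopt() continues outside the hunk on both sides; the task-list check removed here is re-added in handle_request() in the next hunk.
```c
/* Shared body of the 'a' and 'A' option cases: run audit_rule_setup() on
 * opt and map its result onto setopt()'s retval convention.  verb is the
 * word used in diagnostics ("Append" or "Add").
 * Returns 1 on success, -1 on error, -3 when the action is deprecated. */
static int rule_list_action(const char *opt, int *add, int *action,
			    const char *verb)
{
	int rc = audit_rule_setup(opt, add, action);
	if (rc == 3) {
		fprintf(stderr,
		"Multiple rule insert/delete operations are not allowed\n");
		return -1;
	} else if (rc == 2) {
		fprintf(stderr, "%s rule - bad keyword %s\n", verb, opt);
		return -1;
	} else if (rc == 1) {
		fprintf(stderr, "%s rule - possible is deprecated\n", verb);
		return -3; /* deprecated - eat it */
	}
	return 1; /* success - please send */
}

/* … unchanged: rest of file up to setopt()'s switch … */
		case 'a':
			retval = rule_list_action(optarg, &add, &action, "Append");
			if (retval == -3)
				return -3; /* deprecated - eat it */
			break;
		case 'A':
			retval = rule_list_action(optarg, &add, &action, "Add");
			if (retval == -3)
				return -3; /* deprecated - eat it */
			if (retval == 1)
				add |= AUDIT_FILTER_PREPEND;
			break;
```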
@@ -1167,6 +1155,27 @@ static int handle_request(int status)
audit_rule_syscallbyname_data(
rule_new, "all");
}
+ if(audit_syscalladded == 1){
+ if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to task list\n");
+ return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to user list\n");
+ return -1;
+ } else if (exclude) {
+ fprintf(stderr,
+ "Error: syscall auditing cannot be put on exclude list\n");
+ return -1;
+ }
+ }
if (which == OLD) {
rc = audit_add_rule(fd, &rule, add, action);
} else {
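Review bot: The added block reads `add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)` and the matching `del` expression four times inside doubly-parenthesised conditions, and `if(audit_syscalladded == 1){` drops the spaces the surrounding code uses; naming the two masked list values once makes the three checks one line each. The messages also say "being added" even when the match came from `del`, which a reader comparing an error against a `-d` invocation may find confusing. handle_request() begins and ends outside this hunk.
```c
	if (audit_syscalladded == 1) {
		/* list targeted by the pending add / delete, if any */
		int add_list = add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET);
		int del_list = del & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET);

		if (add_list == AUDIT_FILTER_TASK || del_list == AUDIT_FILTER_TASK) {
			fprintf(stderr,
				"Error: syscall auditing being added to task list\n");
			return -1;
		} else if (add_list == AUDIT_FILTER_USER || del_list == AUDIT_FILTER_USER) {
			fprintf(stderr,
				"Error: syscall auditing being added to user list\n");
			return -1;
		} else if (exclude) {
			fprintf(stderr,
				"Error: syscall auditing cannot be put on exclude list\n");
			return -1;
		}
	}
	/* … unchanged: if (which == OLD) … */
```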
Regards
Chu Li
Question about max syscall number
by chuli
Hi,
When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can be
added.
But I thought it would report an error, since there is no such syscall number "1000"
on x86; the maximum is 318. If I use "auditctl -a exit,always -S 2016" on an x86 system,
it reports "Syscall name unknown: 2016". It is the same on x86_64 and
ia64.
(syscalls in S390 and ppc syscall table is 1-318)
Is there any special reason to set the limitation as "2015"?
Regards
Chu Li
[PATCH] make it match explicitly when use option '-a', '-A' and '-d' to specify "list,action"
by Yu Zhiguo
Hello Steve,
I know "list" and "action" can be given in either order, which is convenient.
But substring matching may confuse users; for example "auditctl -a noentry,noalways"
will add the same rule as "auditctl -a entry,always".
Furthermore, a comma must be used to separate list and action according to the manpage:
"Please note the comma separating the two values. Omitting it will cause errors."
But currently "auditctl -a entryalways" will add the same rule.
So we had better match explicitly. This is a patch against the latest audit-1.7.4.
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
src/auditctl.c | 25 ++++++++++++++++---------
1 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index 2c136ea..1aba437 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -168,27 +168,34 @@ static void usage(void)
/* Returns 0 ok, 1 deprecated action, 2 error */
static int audit_rule_setup(const char *opt, int *flags, int *act)
{
- if (strstr(opt, "task"))
+ char *p;
+ if ((strchr(opt, ',') != strrchr(opt, ',')) || !strchr(opt, ','))
+ return 2;
+
+ p = strchr(opt, ',');
+ if (!strncmp(opt, "task,", p - opt + 1) || !strcmp(p, ",task"))
*flags = AUDIT_FILTER_TASK;
- else if (strstr(opt, "entry"))
+ else if (!strncmp(opt, "entry,", p - opt + 1) || !strcmp(p, ",entry"))
*flags = AUDIT_FILTER_ENTRY;
- else if (strstr(opt, "exit"))
+ else if (!strncmp(opt, "exit,", p - opt + 1) || !strcmp(p, ",exit"))
*flags = AUDIT_FILTER_EXIT;
- else if (strstr(opt, "user"))
+ else if (!strncmp(opt, "user,", p - opt + 1) || !strcmp(p, ",user"))
*flags = AUDIT_FILTER_USER;
- else if (strstr(opt, "exclude")) {
+ else if (!strncmp(opt, "exclude,", p - opt + 1) || !strcmp(p, ",exclude")) {
*flags = AUDIT_FILTER_EXCLUDE;
exclude = 1;
} else
return 2;
- if (strstr(opt, "never"))
+
+ if (!strncmp(opt, "always,", p - opt + 1) || !strcmp(p, ",always"))
+ *act = AUDIT_ALWAYS;
+ else if (!strncmp(opt, "never,", p - opt + 1) || !strcmp(p, ",never"))
*act = AUDIT_NEVER;
- else if (strstr(opt, "possible"))
+ else if (!strncmp(opt, "possible,", p - opt + 1) || !strcmp(p, ",possible"))
return 1;
- else if (strstr(opt, "always"))
- *act = AUDIT_ALWAYS;
else
return 2;
+
return 0;
}
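Review bot: The new comma check calls `strchr(opt, ',')` twice before `p` is assigned from a third call; assigning first and testing `p` reads more directly: `p = strchr(opt, ',');` / `if (p == NULL || strrchr(opt, ',') != p)` / `return 2; /* exactly one comma: "list,action" */`. Each `strncmp(opt, "xxx,", p - opt + 1)` passes a `ptrdiff_t` where `strncmp` takes `size_t`; the value is always positive here, but a `(size_t)` cast keeps `-Wconversion` quiet and documents the intent, and a small static helper that checks "name before the comma or name after it" would replace the ten hand-written pairs. Note that `*flags` (and `exclude = 1`) are written before the action half is validated, so a caller that treats return 2 as "nothing changed" would be wrong; if that matters, validate both halves before assigning.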
possible "comm"
by LC Bruzenak
While looking through some audit events in the audit-viewer I saw what I
thought might be a display error (see below "comm="), however when I
look at the event using ausearch I see the same thing:
# ausearch -ts recent -i -a 50457
----
type=SOCKADDR msg=audit(07/31/2008 15:37:43.602:50457) : saddr=inet
host:127.0.0.1 serv:16001
type=SYSCALL msg=audit(07/31/2008 15:37:43.602:50457) : arch=x86_64
syscall=connect success=no exit=-111(Connection refused) a0=10
a1=2f96d30 a2=10 a3=7fff13ee75dc items=0 ppid=22794 pid=23014 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts3 ses=818 comm=/usr/share/audi exe=/usr/bin/python
subj=root:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(07/31/2008 15:37:43.602:50457) : avc: denied
{ recvfrom } for pid=23014 comm=/usr/share/audi saddr=127.0.0.1
src=16001 daddr=127.0.0.1 dest=58356 netif=lo
scontext=root:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=root:auditadm_r:auditadm_t:s15:c0.c1023 tclass=association
The
exe=/usr/bin/python.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
the format string of printf to print audit status is wrong
by Yu Zhiguo
Hello Steve,
all audit status fields are of type __u32, so '%u' should be used
in the printf format string rather than '%d'; otherwise the
value shown to the user wraps around.
For example:
# auditctl -r 4294967295
AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=-1 backlog_limit=320
lost=2241 backlog=0
but it should be
# auditctl -r 4294967295
AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=4294967295
backlog_limit=320 lost=2270 backlog=0
This is the patch. Can you apply it?
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
src/auditctl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..5416e9b 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1349,8 +1349,8 @@ static int audit_print_reply(struct audit_reply *rep)
printed = 1;
return 0;
case AUDIT_GET:
- printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
- " rate_limit=%d backlog_limit=%d lost=%d backlog=%d\n",
+ printf("AUDIT_STATUS: enabled=%u flag=%u pid=%u"
+ " rate_limit=%u backlog_limit=%u lost=%u backlog=%u\n",
rep->status->enabled, rep->status->failure,
rep->status->pid, rep->status->rate_limit,
rep->status->backlog_limit, rep->status->lost,
[PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages
by zhangxiliang
In audit messages of type "AUDIT_CONFIG_CHANGE", the output format should contain the "auid" field.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
kernel/auditfilter.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 98c50cc..8a184f5 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1022,8 +1022,9 @@ static void audit_update_watch(struct audit_parent *parent,
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "auid=%u", current->loginuid);
audit_log_format(ab,
- "op=updated rules specifying path=");
+ " op=updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n",
dev, ino);
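Review bot: The added `audit_log_format(ab, "auid=%u", current->loginuid);` followed by a second `audit_log_format` for `" op=updated rules specifying path="` is one record fragment split across two calls; the same shape appears in the audit_remove_parent_watches() hunk below. Merging them, `audit_log_format(ab, "auid=%u op=updated rules specifying path=", current->loginuid);`, keeps the field and its separator together and removes the easy-to-miss leading space. The audit.c hunk on this page passes `sessionid` next to `loginuid` for the rate-limit change, so if this tree keeps a session id on the task it would be consistent to emit `ses=` here as well — presumably the other CONFIG_CHANGE records already do; please confirm before adding it.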
@@ -1058,7 +1059,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=remove rule path=");
+ audit_log_format(ab, "auid=%u", current->loginuid);
+ audit_log_format(ab, " op=remove rule path=");
audit_log_untrustedstring(ab, w->path);
if (r->filterkey) {
audit_log_format(ab, " key=");
--
1.5.4.2
--
Regards
Zhang Xiliang
Re: [PATCH] Fix the bug of using AUDIT_STATUS_RATE_LIMIT when set fail, no error output.
by Andrew Morton
On Thu, 31 Jul 2008 17:04:38 +0100
Al Viro <viro(a)ZenIV.linux.org.uk> wrote:
> On Wed, Jul 30, 2008 at 11:15:50PM -0400, Eric Paris wrote:
> > On Thu, 2008-07-31 at 10:11 +0800, zhangxiliang wrote:
> > > When the "status_get->mask" is "AUDIT_STATUS_RATE_LIMIT || AUDIT_STATUS_BACKLOG_LIMIT".
> > > If "audit_set_rate_limit" fails and "audit_set_backlog_limit" succeeds, the "err" value will be greater than or equal to 0. It will miss the failure of rate set.
> > >
> > > Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
> >
> > man, it gives me the heebee jeebies with the coding style but it follows
> > everything else
>
> Sanitized, applied, pushed to audit-current (audit.b53)
That tree doesn't appear to be in the linux-next lineup. Fixable, please?
[PATCH 2/2] fix a bug that use option '-k key-string' cannot search out all matched logs
by Peng Haitao
Hello Steve,
Using option '-k key-string' does not find a log record that contains the given key-string when its message type is CONFIG_CHANGE.
For example:
echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1' | ausearch -k haha
The output is: <no matches>
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 0c38be1..fd00013 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
errno = 0;
s->loginuid = strtoul(ptr, NULL, 10);
if (errno)
- return 2;
+ return 1;
if (term)
*term = ' ';
else
@@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, search_items *s)
else // Set it back to something sane
term = str;
} else
- return 3;
+ return 2;
+ }
+ }
+
+ if (event_key) {
+ str = strstr(term, "key=");
+ if (str != NULL) {
+ if (!s->key) {
+ //create
+ s->key = malloc(sizeof(slist));
+ if (s->key == NULL)
+ return 3;
+ slist_create(s->key);
+ }
+ ptr = str + 4;
+ if (*ptr == '"') {
+ ptr++;
+ term = strchr(ptr, '"');
+ if (term != NULL) {
+ *term = 0;
+ if (s->key) {
+ // append
+ snode sn;
+ sn.str = strdup(ptr);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ }
+ *term = '"';
+ } else
+ return 4;
+ } else {
+ if (s->key) {
+ char *saved=NULL;
+ char *keyptr = unescape(ptr);
+ char *kptr = strtok_r(keyptr,
+ key_sep, &saved);
+ while (kptr) {
+ snode sn;
+ // append
+ sn.str = strdup(kptr);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ kptr = strtok_r(NULL,
+ key_sep, &saved);
+ }
+ free(keyptr);
+ }
+ }
}
}
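Review bot: Both new append paths store `strdup()` results without a NULL check, and the unquoted path hands `unescape(ptr)`'s result straight to `strtok_r`, which is undefined if `unescape` returns NULL; the record text comes from the log file, so these are ordinary allocation-failure paths that should return the same code 3 the `malloc` check above already uses. The inner `if (s->key)` tests are redundant, since the create block above guarantees `s->key` is non-NULL by then. On the quoted path `*term` should be restored before any early return so the message is not left truncated. parse_simple_message() continues outside this hunk.
```c
				if (term != NULL) {
					snode sn;
					*term = 0;
					// append; s->key was created above
					sn.str = strdup(ptr);
					sn.key = NULL;
					sn.hits = 1;
					*term = '"';	/* restore before any early return */
					if (sn.str == NULL)
						return 3;
					slist_append(s->key, &sn);
				} else
					return 4;
			} else {
				char *saved = NULL;
				char *keyptr = unescape(ptr);
				char *kptr;
				if (keyptr == NULL)
					return 3;	/* unescape() failed */
				kptr = strtok_r(keyptr, key_sep, &saved);
				while (kptr) {
					snode sn;
					// append
					sn.str = strdup(kptr);
					sn.key = NULL;
					sn.hits = 1;
					if (sn.str == NULL) {
						free(keyptr);
						return 3;
					}
					slist_append(s->key, &sn);
					kptr = strtok_r(NULL, key_sep, &saved);
				}
				free(keyptr);
			}
```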
@@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
errno = 0;
s->success = strtoul(ptr, NULL, 10);
if (errno)
- return 4;
+ return 5;
if (term)
*term = ' ';
}
--
1.5.4.2
--
Regards
Peng Haitao
[PATCH] Fix the bug of using AUDIT_STATUS_RATE_LIMIT when set fail, no error output.
by zhangxiliang
When "status_get->mask" is "AUDIT_STATUS_RATE_LIMIT || AUDIT_STATUS_BACKLOG_LIMIT",
if "audit_set_rate_limit" fails and "audit_set_backlog_limit" succeeds, the "err" value will be greater than or equal to 0, so the failure of the rate-limit set is missed.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
kernel/audit.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e092f1c..38a4080 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -725,9 +725,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_pid = new_pid;
audit_nlk_pid = NETLINK_CB(skb).pid;
}
- if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
+ if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit,
loginuid, sessionid, sid);
+ if (err < 0) return err;
+ }
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
err = audit_set_backlog_limit(status_get->backlog_limit,
loginuid, sessionid, sid);
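Review bot: The early `return err;` fires after the fields handled earlier in the same request have already been applied (`audit_pid`/`audit_nlk_pid` on the lines just above, and presumably the settings before them), so the sender receives an error for a request that partly took effect; that is reasonable for a status-set, but worth stating: `if (err < 0) return err; /* earlier fields of this request stay applied; no rollback */`. No equivalent early return is added after `audit_set_backlog_limit`, whose failure is presumably reported through `err` at the end of the case, so the two limits now take different paths on failure; giving both the same shape would make the case easier to read. audit_receive_msg() continues outside this hunk.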
--
1.5.4.2
--
Regards
Zhang Xiliang