[PATCH 5/5] Delete some invalid code from auditctl.c
by Zhang Xiliang
Hello Steve,
I found some code is invalid in auditctl.
So I suggested to delete it.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
src/auditctl.c | 10 ++--------
1 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index b356faa..93e84a0 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -737,12 +737,7 @@ static int setopt(int count, char *vars[])
switch (rc)
{
case 0:
- if (which == OLD &&
- rule.fields[rule.field_count-1] ==
- AUDIT_PERM)
- audit_permadded = 1;
- else if (which == NEW &&
- rule_new->fields[rule_new->field_count-1] ==
+ if (rule_new->fields[rule_new->field_count-1] ==
AUDIT_PERM)
audit_permadded = 1;
break;
@@ -1385,8 +1380,7 @@ int key_match(struct audit_reply *rep)
}
if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID) || field == AUDIT_WATCH ||
- field == AUDIT_WATCH || field == AUDIT_DIR ||
- field == AUDIT_FILTERKEY) {
+ field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
boffset += rep->ruledata->values[i];
}
}
16 years, 10 months
[PATCH 1/5] Add the field checking for missing value after opration
by Zhang Xiliang
Hello Steve,
I think the missing value for -F should be checking.
For example,
auditctl -a exit,always -F pid=
No error message is output and "pid=0" is added to rule.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 3 +++
lib/libaudit.c | 3 +++
src/auditctl.c | 5 +++++
3 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index e05e826..5a1c04f 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -230,6 +230,9 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
if (v == NULL || f == v)
return -1;
+ if (*v == NULL)
+ return -20;
+
audit_msg(LOG_DEBUG,"pair=%s\n", f);
if ((field = audit_name_to_field(f)) < 0)
return -2;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 4bedfaf..6ec15d8 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -823,6 +823,9 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (v == NULL || f == v)
return -1;
+ if (*v == NULL)
+ return -20;
+
if ((field = audit_name_to_field(f)) < 0)
return -2;
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..3958afb 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -847,6 +847,11 @@ static int setopt(int count, char *vars[])
"Key field needs a watch or syscall given prior to it\n");
retval = -1;
break;
+ case -20:
+ fprintf(stderr,
+ "-F missing value after opration for %s\n", optarg);
+ retval = -1;
+ break;
default:
retval = -1;
break;
16 years, 10 months
[PATCH 4/5] Fix the bug of AUDIT_PERM field added without a watch
by Zhang Xiliang
Hello Steve,
AUDIT_PERM field should used after a watch given.
For example,
auditctl -a exit,always -F perm=r
No error message is outputed.
I think we should add checking for it.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/libaudit.c | 2 ++
src/auditctl.c | 5 +++++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 3e2e28f..fd2c41b 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1046,6 +1046,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -7;
else if (op != AUDIT_EQUAL)
return -13;
+ else if (audit_permadded != 1)
+ return -22;
else {
unsigned int i, len, val = 0;
diff --git a/src/auditctl.c b/src/auditctl.c
index 1455ee6..b356faa 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -857,6 +857,11 @@ static int setopt(int count, char *vars[])
"-F value should be number for %s\n", optarg);
retval = -1;
break;
+ case -22:
+ fprintf(stderr,
+ "permission option needs a watch given prior to it\n");
+ retval = -1;
+ break;
default:
retval = -1;
break;
16 years, 10 months
[PATCH 2/5] The error message of "-1" in field checking isnot suit
by Zhang Xiliang
Hello Steve,
The error message of "-1" is "-F missing = for ...".
The opration isnot only "=".
So I think "F missing opration for" is better.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
src/auditctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index 3958afb..a19bd14 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -747,7 +747,7 @@ static int setopt(int count, char *vars[])
audit_permadded = 1;
break;
case -1:
- fprintf(stderr, "-F missing = for %s\n",
+ fprintf(stderr, "-F missing opration for %s\n",
optarg);
retval = -1;
break;
16 years, 10 months
[PATCH 3/5] Add some field value checking for number
by Zhang Xiliang
Hello Steve,
Some fields don't support value which isnot number.
For example,
auditctl -a exit,always -F pid=a
No error message is output and "pid=0" is added to rule.
I think we should add checking for it.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 3 +++
lib/libaudit.c | 3 +++
src/auditctl.c | 5 +++++
3 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 5a1c04f..d6cdbe4 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -446,6 +446,9 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
if (flags == AUDIT_FILTER_EXCLUDE)
return -18;
+
+ if (!isdigit((char)*(v)))
+ return -21;
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 6ec15d8..3e2e28f 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1101,6 +1101,9 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags == AUDIT_FILTER_EXCLUDE)
return -18;
+ if (!isdigit((char)*(v)))
+ return -21;
+
rule->values[rule->field_count] = strtol(v, NULL, 0);
break;
}
diff --git a/src/auditctl.c b/src/auditctl.c
index a19bd14..1455ee6 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -852,6 +852,11 @@ static int setopt(int count, char *vars[])
"-F missing value after opration for %s\n", optarg);
retval = -1;
break;
+ case -21:
+ fprintf(stderr,
+ "-F value should be number for %s\n", optarg);
+ retval = -1;
+ break;
default:
retval = -1;
break;
16 years, 10 months
[Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
by chuli
Hi Steve,
When I use "-a user,always -S open", errors will be reported. But when I use
"-S open -a user,always", no errors will report. There is no corresponding
codes to deal with the later format.
Here is my patch. Hope for your opinion about such modification.
(I move the code for checking "task" list to the handle_request().)
Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index d740509..9cc3df0 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
retval = -2;
break;
case 'a':
- if (strstr(optarg, "task") && audit_syscalladded) {
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
+ retval = -1;
+ } else if (rc == 2) {
fprintf(stderr,
- "Syscall auditing requested for task list\n");
+ "Append rule - bad keyword %s\n",
+ optarg);
retval = -1;
- } else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Append rule - bad keyword %s\n",
- optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else
- retval = 1; /* success - please send */
- }
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
+ } else
+ retval = 1; /* success - please send */
break;
case 'A':
- if (strstr(optarg, "task") && audit_syscalladded) {
- fprintf(stderr,
- "Error: syscall auditing requested for task list\n");
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
retval = -1;
+ } else if (rc == 2) {
+ fprintf(stderr,
+ "Add rule - bad keyword %s\n", optarg);
+ retval = -1;
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
} else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Add rule - bad keyword %s\n", optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else {
- add |= AUDIT_FILTER_PREPEND;
- retval = 1; /* success - please send */
- }
+ add |= AUDIT_FILTER_PREPEND;
+ retval = 1; /* success - please send */
}
break;
case 'd':
@@ -1167,6 +1155,27 @@ static int handle_request(int status)
audit_rule_syscallbyname_data(
rule_new, "all");
}
+ if(audit_syscalladded == 1){
+ if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_TASK)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to task list\n");
+ return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_USER)) {
+ fprintf(stderr,
+ "Error: syscall auditing being added to user list\n");
+ return -1;
+ } else if (exclude) {
+ fprintf(stderr,
+ "Error: syscall auditing cannot be put on exclude list\n");
+ return -1;
+ }
+ }
if (which == OLD) {
rc = audit_add_rule(fd, &rule, add, action);
} else {
Regards
Chu Li
16 years, 10 months
RHEL5 FS Watches
by Kevin Boyce
How does one enable file system watches on RHEL5 update 0?
When I run auditctl -l It says "File system watches not supported." I
have reverted back to audit-1.0.15 and upgraded the kernel to 2.6.18-52.
Anyone have any suggestions?
Thanks,
Kevin
16 years, 10 months
Question about max syscall number
by chuli
Hi,
When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can be
added.
But I thought it would report error since there is not such syscall number "1000"
in x86, the max is 318. If I use "auditctl -a exit,always -S 2016" in x86 system,
it will report " Syscall name unknown: 2016". And it is the same with x86_64 and
ia64.
(syscalls in S390 and ppc syscall table is 1-318)
Is there any special reason to set the limitation as "2015"?
Regards
Chu Li
16 years, 10 months
[PATCH 4/4] Add the checking of key field for a watch or syscall given
by zhangxiliang
Hello Steve,
When field is AUDIT_FILTERKEY, it should need a watch or syscall given prior to it.
So I add checking and error message "-19" to realize it.
Do you agree with me? This is the patches for latest code in
audit SVN project.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/libaudit.c | 3 +++
src/auditctl.c | 7 ++++++-
2 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 4d20261..8dd5baa 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -75,6 +75,7 @@ static const struct nv_list failure_actions[] =
{ NULL, 0 }
};
+int audit_permadded hidden = 0;
int audit_archadded hidden = 0;
int audit_syscalladded hidden = 0;
unsigned int audit_elf hidden = 0U;
@@ -920,6 +921,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_FILTERKEY:
+ if (field == AUDIT_FILTERKEY && !(audit_syscalladded || audit_permadded))
+ return -19;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
vlen > AUDIT_MAX_KEY_LEN)
diff --git a/src/auditctl.c b/src/auditctl.c
index 0d38ac1..2c99e09 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -67,7 +67,6 @@ enum { OLD, NEW };
int which;
static struct audit_rule rule;
static struct audit_rule_data *rule_new = NULL;
-int audit_permadded;
static char key[AUDIT_MAX_KEY_LEN+1];
static int keylen;
static int printed;
@@ -77,6 +76,7 @@ static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 };
extern int audit_archadded;
extern int audit_syscalladded;
extern unsigned int audit_elf;
+extern int audit_permadded;
/*
* This function will reset everything used for each loop when loading
@@ -799,6 +799,11 @@ static int setopt(int count, char *vars[])
"Field %s can not be used with exclude filter list\n", optarg);
retval = -1;
break;
+ case -19:
+ fprintf(stderr,
+ "Key field needs a watch or syscall given prior to it\n");
+ retval = -1;
+ break;
default:
retval = -1;
break;
--
Regards
Zhang Xiliang
16 years, 10 months
[PATCH] make it match explicitly when use option '-a', '-A' and '-d' to specify "list,action"
by Yu Zhiguo
Hello Steve,
I know "list" and "action" can be changed, this is convenient.
But wildcard match maybe make user confused, for example "auditctl -a noentry,noalways"
will add a rule same with "auditctl -a entry,always".
furthermore, comma must be used to seperate list and action according to manpage:
"Please note the comma separating the two values. Omitting it will cause errors."
but now, "auditctl -a entryalways" will add the same rule.
So we'd better make it match explicitly. This is a patch for latest audit-1.7.4.
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
src/auditctl.c | 25 ++++++++++++++++---------
1 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index 2c136ea..1aba437 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -168,27 +168,34 @@ static void usage(void)
/* Returns 0 ok, 1 deprecated action, 2 error */
static int audit_rule_setup(const char *opt, int *flags, int *act)
{
- if (strstr(opt, "task"))
+ char *p;
+ if ((strchr(opt, ',') != strrchr(opt, ',')) || !strchr(opt, ','))
+ return 2;
+
+ p = strchr(opt, ',');
+ if (!strncmp(opt, "task,", p - opt + 1) || !strcmp(p, ",task"))
*flags = AUDIT_FILTER_TASK;
- else if (strstr(opt, "entry"))
+ else if (!strncmp(opt, "entry,", p - opt + 1) || !strcmp(p, ",entry"))
*flags = AUDIT_FILTER_ENTRY;
- else if (strstr(opt, "exit"))
+ else if (!strncmp(opt, "exit,", p - opt + 1) || !strcmp(p, ",exit"))
*flags = AUDIT_FILTER_EXIT;
- else if (strstr(opt, "user"))
+ else if (!strncmp(opt, "user,", p - opt + 1) || !strcmp(p, ",user"))
*flags = AUDIT_FILTER_USER;
- else if (strstr(opt, "exclude")) {
+ else if (!strncmp(opt, "exclude,", p - opt + 1) || !strcmp(p, ",exclude")) {
*flags = AUDIT_FILTER_EXCLUDE;
exclude = 1;
} else
return 2;
- if (strstr(opt, "never"))
+
+ if (!strncmp(opt, "always,", p - opt + 1) || !strcmp(p, ",always"))
+ *act = AUDIT_ALWAYS;
+ else if (!strncmp(opt, "never,", p - opt + 1) || !strcmp(p, ",never"))
*act = AUDIT_NEVER;
- else if (strstr(opt, "possible"))
+ else if (!strncmp(opt, "possible,", p - opt + 1) || !strcmp(p, ",possible"))
return 1;
- else if (strstr(opt, "always"))
- *act = AUDIT_ALWAYS;
else
return 2;
+
return 0;
}
16 years, 10 months
