[RFC][PATCH] auditctl: add user anomoly type option

Monday, 20 March 2006

This patch adds -u <type> to auditctl.  It allows a userspace
message sender to specify the message type by number.  Manpage
update to follow if this proves OK.

diff -Narp audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
*** audit-1.1.5.orig/src/auditctl.c	2006-03-05 07:40:35.000000000 -0600
--- audit-1.1.5/src/auditctl.c	2006-03-18 19:25:43.000000000 -0600
*************** static void usage(void)
*** 128,133 ****
--- 128,134 ----
       "    -R <file>    read rules from file\n"
       "    -s           Report status\n"
       "    -S syscall   Build rule: syscall name or number\n"
+      "    -u <type>    Specify the type of user-space anomaly message by
number\n"
       "    -v           Version\n"
       "    -w <path>    Insert watch at <path>\n"
       "    -W <path>    Remove watch at <path>\n"
*************** void audit_request_both_lists(int fd)
*** 326,337 ****
  static int setopt(int count, char *vars[])
  {
      int c;
      int retval = 0;

      optind = 0;
      opterr = 0;
      while ((retval >= 0) && (c = getopt(count, vars,
! 			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
  	int flags = AUDIT_FILTER_UNSET;
          switch (c) {
          case 'h':
--- 327,340 ----
  static int setopt(int count, char *vars[])
  {
      int c;
+     int user_message_type = 0;
      int retval = 0;

      optind = 0;
      opterr = 0;
+ 
      while ((retval >= 0) && (c = getopt(count, vars,
! 			"hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:u:")) != EOF) {
  	int flags = AUDIT_FILTER_UNSET;
          switch (c) {
          case 'h':
*************** static int setopt(int count, char *vars[
*** 589,599 ****
  		}
  		break;
          case 'm':
! 		if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL, 
! 				NULL, NULL, 1) <=0)
! 			retval = -1;
! 		else
! 			return -2;  // success - no reply for this
  		break;
  	case 'R':
  		fprintf(stderr, "Error - nested rule files not supported\n");
--- 592,608 ----
  		}
  		break;
          case 'm':
! 		if (user_message_type) {
! 			if (audit_log_user_message( fd, user_message_type, optarg,
! 					NULL, NULL, NULL, 1) <=0)
! 				retval = -1;
! 			else
! 				return -2;  // success - no reply for this
! 		} else {
! 			fprintf(stderr,
! 			    "Error - -u must be given before -m\n");
! 				retval = -1;
! 		}
  		break;
  	case 'R':
  		fprintf(stderr, "Error - nested rule files not supported\n");
*************** static int setopt(int count, char *vars[
*** 659,664 ****
--- 668,689 ----
  		else
  			retval = audit_setup_perms(&watch, optarg);
  		break;
+ 	case 'u':
+ 		if (optarg) {
+ 			user_message_type = atoi(optarg);
+ 			if (user_message_type >= AUDIT_FIRST_ANOM_MSG &&
+ 				user_message_type <= AUDIT_LAST_ANOM_MSG) {
+ 			} else {
+ 				fprintf(stderr,
+ 					"user message type must be a number from %d to %d\n",
+ 					AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
+ 				retval = -1;
+ 			}
+ 		} else {
+ 			fprintf(stderr, "user message type option needs a type number\n");	
+ 			retval = -1;
+ 		}
+ 		break;
  	case 'v':
  			printf("auditctl version %s\n", VERSION);
  			retval = -2;

-- 
George Wilson <ltcgcw(a)us.ibm.com&gt;
IBM Linux Technology Center

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[RFC][PATCH] auditctl: add user anomoly type option