3:51 a.m.
Hi Steve,
> > When I use "-a user,always -S open", errors
will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
I modified the original patch. (I moved the judgment codes for list and
syscall
in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".)
Then when using "-S open -a user,always" or "-S open -d
user,always" will
report
error to users.
There is another method, that is the format of "-S xx -a list,action"
and "-S
xx -a list,action " are not allowed. Only "-a list,action -S xx" and
"-d
list,action -S xx" can be allowed. The users have to add "list" before
"syscall".
Here is the patch for such method. Hope your opinion.
Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 48f1369..0906369 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -575,53 +575,42 @@ static int setopt(int count, char *vars[])
retval = -2;
break;
case 'a':
- if (strstr(optarg, "task") && audit_syscalladded) {
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
+ retval = -1;
+ } else if (rc == 2) {
fprintf(stderr,
- "Syscall auditing requested for task list\n");
+ "Append rule - bad keyword %s\n",
+ optarg);
retval = -1;
- } else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Append rule - bad keyword %s\n",
- optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else
- retval = 1; /* success - please send */
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
+ } else
+ retval = 1; /* success - please send */
}
break;
case 'A':
- if (strstr(optarg, "task") && audit_syscalladded) {
- fprintf(stderr,
- "Error: syscall auditing requested for task list\n");
+ rc = audit_rule_setup(optarg, &add, &action);
+ if (rc == 3) {
+ fprintf(stderr,
+ "Multiple rule insert/delete operations are not allowed\n");
+ retval = -1;
+ } else if (rc == 2) {
+ fprintf(stderr,
+ "Add rule - bad keyword %s\n", optarg);
retval = -1;
+ } else if (rc == 1) {
+ fprintf(stderr,
+ "Append rule - possible is deprecated\n");
+ return -3; /* deprecated - eat it */
} else {
- rc = audit_rule_setup(optarg, &add, &action);
- if (rc == 3) {
- fprintf(stderr,
- "Multiple rule insert/delete operations are not allowed\n");
- retval = -1;
- } else if (rc == 2) {
- fprintf(stderr,
- "Add rule - bad keyword %s\n", optarg);
- retval = -1;
- } else if (rc == 1) {
- fprintf(stderr,
- "Append rule - possible is deprecated\n");
- return -3; /* deprecated - eat it */
- } else {
- add |= AUDIT_FILTER_PREPEND;
- retval = 1; /* success - please send */
- }
- }
+ add |= AUDIT_FILTER_PREPEND;
+ retval = 1; /* success - please send */
+ } break;
case 'd':
rc = audit_rule_setup(optarg, &del, &action);
@@ -643,7 +632,12 @@ static int setopt(int count, char *vars[])
case 'S':
/* Do some checking to make sure that we are not adding a
* syscall rule to a list that does not make sense. */
- if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ if ((add == AUDIT_FILTER_UNSET || del == AUDIT_FILTER_UNSET )
+ && !exclude){
+ fprintf(stderr,
+ "Error: list should be first added to rule\n");
+ return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_TASK || (del &
(AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
AUDIT_FILTER_TASK)) {
@@ -1206,10 +1200,6 @@ int main(int argc, char *argv[])
static int handle_request(int status)
{
if (status == 0) {
- if (audit_syscalladded) {
- fprintf(stderr, "Error - no list specified\n");
- return -1;
- }
get_reply();
} else if (status == -2)
status = 0; // report success
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On
> Behalf Of Chu Li
> Sent: Wednesday, August 06, 2008 3:27 PM
> To: 'Steve Grubb'
> Cc: 'linux-audit'
> Subject: RE: [Patch]Fix the bug of using "-S syscall -a list, action",no
errors
> will be reported.
>
> Hi Steve,
> > When I use "-a user,always -S open", errors
will be reported. But when I
> > use "-S open -a user,always", no errors will report. There is no
> > corresponding codes to deal with the later format.
>
> I'm still thinking about this patch. I'll look at it again tomorrow.
>
I modified the original patch. (I moved the judgment codes for list and
syscall
in handle_request() before the line "if (add != AUDIT_FILTER_UNSET)".)
Then when using "-S open -a user,always" or "-S open -d
user,always" will
report
error to users.
> And I found another problem, when using "-a
'list','action' -w /mnt", it will
> always
> add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa". I found
"-w"
> will
> use the "exit" list automatically. I think it's better to add something
about it
> in
> manual.
>
> How about your opinion?
>
> Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 48f1369..f4f9553 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -575,52 +575,41 @@ static int setopt(int count, char *vars[])
> retval = -2;
> break;
> case 'a':
> - if (strstr(optarg, "task") && audit_syscalladded) {
> + rc = audit_rule_setup(optarg, &add, &action);
> + if (rc == 3) {
> + fprintf(stderr,
> + "Multiple rule insert/delete operations are not allowed\n");
> + retval = -1;
> + } else if (rc == 2) {
> fprintf(stderr,
> - "Syscall auditing requested for task list\n");
> + "Append rule - bad keyword %s\n",
> + optarg);
> retval = -1;
> - } else {
> - rc = audit_rule_setup(optarg, &add, &action);
> - if (rc == 3) {
> - fprintf(stderr,
> - "Multiple rule insert/delete operations are not allowed\n");
> - retval = -1;
> - } else if (rc == 2) {
> - fprintf(stderr,
> - "Append rule - bad keyword %s\n",
> - optarg);
> - retval = -1;
> - } else if (rc == 1) {
> - fprintf(stderr,
> - "Append rule - possible is deprecated\n");
> - return -3; /* deprecated - eat it */
> - } else
> - retval = 1; /* success - please send */
> + } else if (rc == 1) {
> + fprintf(stderr,
> + "Append rule - possible is deprecated\n");
> + return -3; /* deprecated - eat it */
> + } else
> + retval = 1; /* success - please send */
> }
> break;
> case 'A':
> - if (strstr(optarg, "task") && audit_syscalladded) {
> - fprintf(stderr,
> - "Error: syscall auditing requested for task list\n");
> + rc = audit_rule_setup(optarg, &add, &action);
> + if (rc == 3) {
> + fprintf(stderr,
> + "Multiple rule insert/delete operations are not allowed\n");
> retval = -1;
> + } else if (rc == 2) {
> + fprintf(stderr,
> + "Add rule - bad keyword %s\n", optarg);
> + retval = -1;
> + } else if (rc == 1) {
> + fprintf(stderr,
> + "Append rule - possible is deprecated\n");
> + return -3; /* deprecated - eat it */
> } else {
> - rc = audit_rule_setup(optarg, &add, &action);
> - if (rc == 3) {
> - fprintf(stderr,
> - "Multiple rule insert/delete operations are not allowed\n");
> - retval = -1;
> - } else if (rc == 2) {
> - fprintf(stderr,
> - "Add rule - bad keyword %s\n", optarg);
> - retval = -1;
> - } else if (rc == 1) {
> - fprintf(stderr,
> - "Append rule - possible is deprecated\n");
> - return -3; /* deprecated - eat it */
> - } else {
> - add |= AUDIT_FILTER_PREPEND;
> - retval = 1; /* success - please send */
> - }
> + add |= AUDIT_FILTER_PREPEND;
> + retval = 1; /* success - please send */
> }
> break;
> case 'd':
> @@ -1215,6 +1204,27 @@ static int handle_request(int status)
> status = 0; // report success
> else if (status > 0) {
> int rc;
> + if(audit_syscalladded == 1){
> + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_TASK)) {
> + fprintf(stderr,
> + "Error: syscall auditing being added to task list\n");
> + return -1;
> + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER || (del &
> + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> + AUDIT_FILTER_USER)) {
> + fprintf(stderr,
> + "Error: syscall auditing being added to user list\n");
> + return -1;
> + } else if (exclude) {
> + fprintf(stderr,
> + "Error: syscall auditing cannot be put on exclude list\n");
> + return -1;
> + }
> + }
> if (add != AUDIT_FILTER_UNSET) {
> // if !task add syscall any if not specified
> if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK &&
>
> > -----Original Message-----
> > From: Steve Grubb [mailto:sgrubb@redhat.com]
> > Sent: Tuesday, August 05, 2008 8:19 AM
> > To: chuli
> > Cc: 'linux-audit'
> > Subject: Re: [Patch]Fix the bug of using "-S syscall -a list,action",
no
> > errors
> > will be reported.
> >
> > Hi,
> >
> > On Wednesday 30 July 2008 21:38:26 chuli wrote:
> > > When I use "-a user,always -S open", errors will be reported.
But when I
> > > use "-S open -a user,always", no errors will report. There is no
> > > corresponding codes to deal with the later format.
> >
> > I'm still thinking about this patch. I'll look at it again tomorrow.
> >
> > Thanks,
> > -Steve
> >
> >
> > > Here is my patch. Hope for your opinion about such modification.
> > > (I move the code for checking "task" list to the
handle_request().)
> > >
> > > Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
> > > ---
> > > diff --git a/src/auditctl.c b/src/auditctl.c
> > > index d740509..9cc3df0 100755
> > > --- a/src/auditctl.c
> > > +++ b/src/auditctl.c
> > > @@ -532,52 +532,40 @@ static int setopt(int count, char *vars[])
> > > retval = -2;
> > > break;
> > > case 'a':
> > > - if (strstr(optarg, "task") && audit_syscalladded) {
> > > + rc = audit_rule_setup(optarg, &add, &action);
> > > + if (rc == 3) {
> > > + fprintf(stderr,
> > > + "Multiple rule insert/delete operations are not allowed\n");
> > > + retval = -1;
> > > + } else if (rc == 2) {
> > > fprintf(stderr,
> > > - "Syscall auditing requested for task list\n");
> > > + "Append rule - bad keyword %s\n",
> > > + optarg);
> > > retval = -1;
> > > - } else {
> > > - rc = audit_rule_setup(optarg, &add, &action);
> > > - if (rc == 3) {
> > > - fprintf(stderr,
> > > - "Multiple rule insert/delete operations are not allowed\n");
> > > - retval = -1;
> > > - } else if (rc == 2) {
> > > - fprintf(stderr,
> > > - "Append rule - bad keyword %s\n",
> > > - optarg);
> > > - retval = -1;
> > > - } else if (rc == 1) {
> > > - fprintf(stderr,
> > > - "Append rule - possible is deprecated\n");
> > > - return -3; /* deprecated - eat it */
> > > - } else
> > > - retval = 1; /* success - please send */
> > > - }
> > > + } else if (rc == 1) {
> > > + fprintf(stderr,
> > > + "Append rule - possible is deprecated\n");
> > > + return -3; /* deprecated - eat it */
> > > + } else
> > > + retval = 1; /* success - please send */
> > > break;
> > > case 'A':
> > > - if (strstr(optarg, "task") && audit_syscalladded) {
> > > - fprintf(stderr,
> > > - "Error: syscall auditing requested for task list\n");
> > > + rc = audit_rule_setup(optarg, &add, &action);
> > > + if (rc == 3) {
> > > + fprintf(stderr,
> > > + "Multiple rule insert/delete operations are not allowed\n");
> > > retval = -1;
> > > + } else if (rc == 2) {
> > > + fprintf(stderr,
> > > + "Add rule - bad keyword %s\n", optarg);
> > > + retval = -1;
> > > + } else if (rc == 1) {
> > > + fprintf(stderr,
> > > + "Append rule - possible is deprecated\n");
> > > + return -3; /* deprecated - eat it */
> > > } else {
> > > - rc = audit_rule_setup(optarg, &add, &action);
> > > - if (rc == 3) {
> > > - fprintf(stderr,
> > > - "Multiple rule insert/delete operations are not allowed\n");
> > > - retval = -1;
> > > - } else if (rc == 2) {
> > > - fprintf(stderr,
> > > - "Add rule - bad keyword %s\n", optarg);
> > > - retval = -1;
> > > - } else if (rc == 1) {
> > > - fprintf(stderr,
> > > - "Append rule - possible is deprecated\n");
> > > - return -3; /* deprecated - eat it */
> > > - } else {
> > > - add |= AUDIT_FILTER_PREPEND;
> > > - retval = 1; /* success - please send */
> > > - }
> > > + add |= AUDIT_FILTER_PREPEND;
> > > + retval = 1; /* success - please send */
> > > }
> > > break;
> > > case 'd':
> > > @@ -1167,6 +1155,27 @@ static int handle_request(int status)
> > > audit_rule_syscallbyname_data(
> > > rule_new, "all");
> > > }
> > > + if(audit_syscalladded == 1){
> > > + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > > + AUDIT_FILTER_TASK || (del &
> > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > > + AUDIT_FILTER_TASK)) {
> > > + fprintf(stderr,
> > > + "Error: syscall auditing being added to task
> list\n");
> > > + return -1;
> > > + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET))
> ==
> > > + AUDIT_FILTER_USER || (del &
> > > + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
> > > + AUDIT_FILTER_USER)) {
> > > + fprintf(stderr,
> > > + "Error: syscall auditing being added to user
> list\n");
> > > + return -1;
> > > + } else if (exclude) {
> > > + fprintf(stderr,
> > > + "Error: syscall auditing cannot be put on exclude
> > list\n");
> > > + return -1;
> > > + }
> > > + }
> > > if (which == OLD) {
> > > rc = audit_add_rule(fd, &rule, add, action);
> > > } else {
> > >
> > > Regards
> > > Chu Li
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit