This patch is a slight cleanup to the original patch. It also has
manpage changes. I couldn't resist correcting typos in the original
manpage but was bad and didn't break them out into a separate patch.
You may want to fix them manually even if you don't accept this
patch as a whole.
Thanks,
George
diff -Naurp audit-1.1.5.orig/docs/auditctl.8 audit-1.1.5/docs/auditctl.8
--- audit-1.1.5.orig/docs/auditctl.8 2006-01-04 16:30:16.000000000 -0600
+++ audit-1.1.5/docs/auditctl.8 2006-03-20 22:11:24.000000000 -0600
@@ -29,17 +29,20 @@ List all rules 1 per line.
\fB\-k\fR <key>
Set a filter key on a filesystem watch. The filterkey is an arbitrary string of text that
can be up to 31 bytes long. It can uniquely identify the audit records produced by the
watch.
.TP
+\fB\-u\fR <type>
+Set userspace message type. <type> is an integer from 2100 to 2199 that corresponds
to one of the anomaly constants defined in libaudit.h. It is used in conjunction with the
-m option, which it must precede.
+.TP
\fB\-m\fR text
-Send a user-space message into the audit system. This can only be done by the root user.
+Send a userspace message into the audit system. This can only be done by the root user.
This option must follow the -u option.
.TP
\fB\-p\fR [r|w|x|a]
Set permissions filter for a file system watch. r=read, w=write, x=execute, a=append.
.TP
\fB\-r\fR <rate>
-Set limit in messages/sec (0=none) If this rate is non-zero and is exceeded, the failure
flag is consulted by the kernel for action. The default value is 0.
+Set limit in messages/sec (0=none). If this rate is non-zero and is exceeded, the failure
flag is consulted by the kernel for action. The default value is 0.
.TP
\fB\-R\fR <file>
-Read rules from a file. The rules must be 1 per line and in the order that they are to be
executed in. The rule file must be owned by root and not readable by other users or it
will be rejected. The rule file may have comments embedded by starting the line with a
'#' character. Rules that are read from a file are identical to what you would
type on a command line except they are not preceeded by auditctl (since auditctl is the
one executing the file).
+Read rules from a file. The rules must be 1 per line and in the order that they are to be
executed in. The rule file must be owned by root and not readable by other users or it
will be rejected. The rule file may have comments embedded by starting the line with a
'#' character. Rules that are read from a file are identical to what you would
type on a command line except they are not preceded by auditctl (since auditctl is the one
executing the file).
.TP
\fB\-s\fR
Report status
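Review bot: the new -u paragraph states the accepted range as the literal numbers 2100 to 2199, while the code in auditctl.c enforces AUDIT_FIRST_ANOM_MSG and AUDIT_LAST_ANOM_MSG from libaudit.h; if those constants ever move, this man page goes stale without anyone noticing, so phrase the range in terms of the constant names (e.g. "a value between AUDIT_FIRST_ANOM_MSG and AUDIT_LAST_ANOM_MSG as defined in libaudit.h") and give the current numbers only as an illustration. The -m paragraph's new sentence "This option must follow the -u option" also turns a previously standalone option into one that fails unless -u precedes it; that is a behaviour change for existing users of -m and deserves to be stated explicitly rather than left implicit.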
@@ -58,7 +61,7 @@ Add a rule to the syscall entry list. Th
Add a rule to the syscall exit list. This list is used upon exit from a system call to
determine if an audit event should be created.
.TP
.B user
-Add a rule to the user message filter list. This list is used by the kernel to filter
events originating in user space before relaying them to the audit daemon. It should be
noted that the only fields that are valid are: uid, auid, gid, and pid. All other fileds
will be treated as non-matching.
+Add a rule to the user message filter list. This list is used by the kernel to filter
events originating in user space before relaying them to the audit daemon. It should be
noted that the only fields that are valid are: uid, auid, gid, and pid. All other fields
will be treated as non-matching.
.TP
.B watch
Add a rule to the file system watch filter list. This list is used to filter events that
originate from file system watches. You can use syscall matching with this list, but the
only syscalls that are meaningful are I/O related.
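Review bot: this hunk is an unrelated typo fix ("fileds" to "fields") bundled into the -u/-m feature patch, as the cover note itself admits; splitting the man page spelling corrections into their own patch would let them be applied regardless of whether the behaviour change to -m is accepted.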
@@ -154,7 +157,7 @@ Exit value from a syscall
If the exit value is >= 0 this is true/yes otherwise its false/no. When writing a
rule, use a 1 for true/yes and a 0 for false/no
.TP
.B a0, a1, a2, a3
-Respectively, the first 4 arguments to a syscall. Note that string arguments are not
supported. This is because the kernel is passed a pointer to the string. Triggering on a
pointer address value is not likely to work. So, when using this, you should only use on
numeric values. This is most likely to be used on platforms that multiplex socket or ipc
operations.
+Respectively, the first 4 arguments to a syscall. Note that string arguments are not
supported. This is because the kernel is passed a pointer to the string. Triggering on a
pointer address value is not likely to work. So, when using this, you should only use on
numeric values. This is most likely to be used on platforms that multiplex socket or IPC
operations.
.RE
.TP
\fB\-w\fR <path>
@@ -175,5 +178,9 @@ To see unsuccessful open call's:
auditctl -a exit,always -S open -F success!=0
+To send a userspace RBAC anomaly message:
+
+auditctl -u 2108 -m "rbac failed"
+
.SH "SEE ALSO"
.B auditd(8)
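Review bot: the added example hardcodes the bare number 2108 with no indication of which libaudit.h anomaly constant it stands for, even though the -u paragraph sends readers to those constants to pick a type; naming the constant next to the number in the example would let readers verify they are sending the intended type instead of copying a magic value. Since -m is documented as root-only, the example should also say it has to be run as root.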
diff -Naurp audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
--- audit-1.1.5.orig/src/auditctl.c 2006-03-05 07:40:35.000000000 -0600
+++ audit-1.1.5/src/auditctl.c 2006-03-20 22:11:24.000000000 -0600
@@ -121,13 +121,14 @@ static void usage(void)
" -i Ignore errors when reading rules from file\n"
" -k <key> Set filterkey on watch\n"
" -l List rules\n"
- " -m text Send a user-space message\n"
+ " -m text Send a userspace message\n"
" -p [r|w|x|a] Set permissions filter on watch\n"
" r=read, w=write, x=execute, a=append\n"
" -r <rate> Set limit in messages/sec (0=none)\n"
" -R <file> read rules from file\n"
" -s Report status\n"
" -S syscall Build rule: syscall name or number\n"
+ " -u <type> Specify the type of userspace anomaly message by
number\n"
" -v Version\n"
" -w <path> Insert watch at <path>\n"
" -W <path> Remove watch at <path>\n"
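Review bot: the usage line for -u omits the ordering constraint the man page documents (-u must precede -m), so a user who gets it wrong only discovers it from the runtime error "Error - -u must be given before -m"; a short "(must precede -m)" in the usage text would avoid that. Also, as it appears here the string literal is broken across two lines ("... anomaly message by" / "number\n"); if that is not just mail wrapping, the literal will not compile and needs to be joined or split into two adjacent quoted strings.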
@@ -326,12 +327,14 @@ void audit_request_both_lists(int fd)
static int setopt(int count, char *vars[])
{
int c;
+ int user_message_type = 0;
int retval = 0;
optind = 0;
opterr = 0;
+
while ((retval >= 0) && (c = getopt(count, vars,
- "hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
+ "hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:u:")) != EOF) {
int flags = AUDIT_FILTER_UNSET;
switch (c) {
case 'h':
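Review bot: the blank line inserted before the while loop is an unrelated whitespace change and should be dropped from the patch. Initialising user_message_type to 0 as the "not set" sentinel works because the valid range in the 'u' case excludes 0, but that assumption is only visible several hundred lines away; a one-line comment at the declaration ("0 = no -u seen yet") would make it explicit.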
@@ -589,11 +592,17 @@ static int setopt(int count, char *vars[
}
break;
case 'm':
- if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL,
- NULL, NULL, 1) <=0)
- retval = -1;
- else
- return -2; // success - no reply for this
+ if (user_message_type) {
+ if (audit_log_user_message( fd, user_message_type, optarg,
+ NULL, NULL, NULL, 1) <=0)
+ retval = -1;
+ else
+ return -2; // success - no reply for this
+ } else {
+ fprintf(stderr,
+ "Error - -u must be given before -m\n");
+ retval = -1;
+ }
break;
case 'R':
fprintf(stderr, "Error - nested rule files not supported\n");
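Review bot: this changes the behaviour of -m for every existing caller: before the patch "auditctl -m text" sent an AUDIT_USER message, after it the same command is rejected with "Error - -u must be given before -m". Unless breaking existing scripts is intended, initialise user_message_type to AUDIT_USER (or fall back to AUDIT_USER in the else branch) so that -u only overrides the type and the old invocation keeps working. The ordering dependency itself exists only because -m sends immediately from inside the getopt loop; storing the text and sending after option parsing completes would remove the need for -u to come first at all.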
@@ -659,6 +668,21 @@ static int setopt(int count, char *vars[
else
retval = audit_setup_perms(&watch, optarg);
break;
+ case 'u':
+ if (optarg) {
+ user_message_type = atoi(optarg);
+ if (user_message_type < AUDIT_FIRST_ANOM_MSG ||
+ user_message_type > AUDIT_LAST_ANOM_MSG) {
+ fprintf(stderr,
+ "user message type must be a number from %d to %d\n",
+ AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
+ retval = -1;
+ }
+ } else {
+ fprintf(stderr, "user message type option needs a type number\n");
+ retval = -1;
+ }
+ break;
case 'v':
printf("auditctl version %s\n", VERSION);
retval = -2;
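Review bot: atoi() silently accepts trailing garbage ("2108x" parses as 2108) and returns 0 for non-numeric input, which then falls through to the range check and produces the misleading "must be a number from %d to %d" message rather than "not a number"; use strtol() with an end-pointer check and reject any leftover characters. The "if (optarg)" test is also dead code: with "u:" in the getopt string, a missing argument makes getopt return '?' instead of 'u', so optarg is never NULL in this case and the else branch with its second error message can go.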
--
George Wilson <ltcgcw(a)us.ibm.com>
IBM Linux Technology Center