5:39 a.m.
The exclude rules did not permit a filterkey to be added. This isn't as
important for the exclude filter compared to the others since no records are
generated with that key, but still helps identify rules in the rules list
configuration.
Allow filterkeys to be used with the exclude filter.
See: https://github.com/linux-audit/audit-userspace/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/libaudit.c | 13 +++++++++++--
lib/private.h | 1 +
src/auditctl.c | 5 +++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b1f8f9c..028483d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -85,6 +85,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterexcladded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
- if (field != AUDIT_MSGTYPE)
+ switch(field) {
+ case AUDIT_MSGTYPE:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
return -EAU_FIELDNOSUPPORT;
+ }
} else {
switch(field) {
case AUDIT_PID:
@@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
@@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded || _audit_filterexcladded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/lib/private.h b/lib/private.h
index cde1906..855187b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterexcladded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..c785087 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -74,6 +74,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterexcladded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded || _audit_filterexcladded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
--
1.7.1
7:05 p.m.
On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
The exclude rules did not permit a filterkey to be added. This
isn't as
important for the exclude filter compared to the others since no records are
generated with that key, but still helps identify rules in the rules list
configuration.
How long ago did thkernel start allowing this? I'm trying to decide if this is
generally applicable or needs some kind of versioning.
Thanks,
-Steve
Allow filterkeys to be used with the exclude filter.
See: https://github.com/linux-audit/audit-userspace/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/libaudit.c | 13 +++++++++++--
lib/private.h | 1 +
src/auditctl.c | 5 +++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b1f8f9c..028483d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -85,6 +85,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterexcladded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
- if (field != AUDIT_MSGTYPE)
+ switch(field) {
+ case AUDIT_MSGTYPE:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
return -EAU_FIELDNOSUPPORT;
+ }
} else {
switch(field) {
case AUDIT_PID:
@@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
+ _audit_filterexcladded = 1;
+ case AUDIT_FILTERKEY:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
@@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
**rulep, const char *pair, }
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded || _audit_filterexcladded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
diff --git a/lib/private.h b/lib/private.h
index cde1906..855187b 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterexcladded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..c785087 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -74,6 +74,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterexcladded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded || _audit_filterexcladded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
9:47 p.m.
On 2017-06-12 20:05, Steve Grubb wrote:
On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> The exclude rules did not permit a filterkey to be added. This isn't as
> important for the exclude filter compared to the others since no records are
> generated with that key, but still helps identify rules in the rules list
> configuration.
How long ago did thkernel start allowing this? I'm trying to decide if this is
generally applicable or needs some kind of versioning.
I wasn't aware it was disallowed previously. I'll try to dig out if
that was previously refused.
Thanks,
-Steve
> Allow filterkeys to be used with the exclude filter.
>
> See: https://github.com/linux-audit/audit-userspace/issues/14
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> lib/libaudit.c | 13 +++++++++++--
> lib/private.h | 1 +
> src/auditctl.c | 5 +++--
> 3 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/lib/libaudit.c b/lib/libaudit.c
> index b1f8f9c..028483d 100644
> --- a/lib/libaudit.c
> +++ b/lib/libaudit.c
> @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> int _audit_archadded = 0;
> int _audit_syscalladded = 0;
> int _audit_exeadded = 0;
> +int _audit_filterexcladded = 0;
> unsigned int _audit_elf = 0U;
> static struct libaudit_conf config;
>
> @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> uint32_t features = audit_get_features();
> if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> - if (field != AUDIT_MSGTYPE)
> + switch(field) {
> + case AUDIT_MSGTYPE:
> + _audit_filterexcladded = 1;
> + case AUDIT_FILTERKEY:
> + break;
> + default:
> return -EAU_FIELDNOSUPPORT;
> + }
> } else {
> switch(field) {
> case AUDIT_PID:
> @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> case AUDIT_SUBJ_SEN:
> case AUDIT_SUBJ_CLR:
> + _audit_filterexcladded = 1;
> + case AUDIT_FILTERKEY:
> break;
> default:
> return -EAU_MSGTYPECREDEXCLUDE;
> @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, }
> if (field == AUDIT_FILTERKEY &&
> !(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded))
> + _audit_exeadded || _audit_filterexcladded))
> return -EAU_KEYDEP;
> vlen = strlen(v);
> if (field == AUDIT_FILTERKEY &&
> diff --git a/lib/private.h b/lib/private.h
> index cde1906..855187b 100644
> --- a/lib/private.h
> +++ b/lib/private.h
> @@ -139,6 +139,7 @@ extern int _audit_permadded;
> extern int _audit_archadded;
> extern int _audit_syscalladded;
> extern int _audit_exeadded;
> +extern int _audit_filterexcladded;
> extern unsigned int _audit_elf;
>
> #ifdef __cplusplus
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 04765f4..c785087 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -74,6 +74,7 @@ static int reset_vars(void)
> _audit_permadded = 0;
> _audit_archadded = 0;
> _audit_exeadded = 0;
> + _audit_filterexcladded = 0;
> _audit_elf = 0;
> add = AUDIT_FILTER_UNSET;
> del = AUDIT_FILTER_UNSET;
> @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> break;
> case 'k':
> if (!(_audit_syscalladded || _audit_permadded ||
> - _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> - del==AUDIT_FILTER_UNSET)) {
> + _audit_exeadded || _audit_filterexcladded) ||
> + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> audit_msg(LOG_ERR,
> "key option needs a watch or syscall given prior to it");
> retval = -1;
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
1:46 p.m.
On 2017-06-12 22:47, Richard Guy Briggs wrote:
On 2017-06-12 20:05, Steve Grubb wrote:
> On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > The exclude rules did not permit a filterkey to be added. This isn't as
> > important for the exclude filter compared to the others since no records are
> > generated with that key, but still helps identify rules in the rules list
> > configuration.
>
> How long ago did thkernel start allowing this? I'm trying to decide if this is
> generally applicable or needs some kind of versioning.
I wasn't aware it was disallowed previously. I'll try to dig out if
that was previously refused.
I see nothing obvious going back to its introduction:
5adc8a6adc91 <amy.griffis(a)hp.com> 2006-06-14 ("add rule filterkey")
> Thanks,
> -Steve
>
> > Allow filterkeys to be used with the exclude filter.
> >
> > See: https://github.com/linux-audit/audit-userspace/issues/14
> >
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
> > lib/libaudit.c | 13 +++++++++++--
> > lib/private.h | 1 +
> > src/auditctl.c | 5 +++--
> > 3 files changed, 15 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/libaudit.c b/lib/libaudit.c
> > index b1f8f9c..028483d 100644
> > --- a/lib/libaudit.c
> > +++ b/lib/libaudit.c
> > @@ -85,6 +85,7 @@ int _audit_permadded = 0;
> > int _audit_archadded = 0;
> > int _audit_syscalladded = 0;
> > int _audit_exeadded = 0;
> > +int _audit_filterexcladded = 0;
> > unsigned int _audit_elf = 0U;
> > static struct libaudit_conf config;
> >
> > @@ -1445,8 +1446,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, if (flags == AUDIT_FILTER_EXCLUDE) {
> > uint32_t features = audit_get_features();
> > if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
> > - if (field != AUDIT_MSGTYPE)
> > + switch(field) {
> > + case AUDIT_MSGTYPE:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > + break;
> > + default:
> > return -EAU_FIELDNOSUPPORT;
> > + }
> > } else {
> > switch(field) {
> > case AUDIT_PID:
> > @@ -1459,6 +1466,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, case AUDIT_SUBJ_TYPE:
> > case AUDIT_SUBJ_SEN:
> > case AUDIT_SUBJ_CLR:
> > + _audit_filterexcladded = 1;
> > + case AUDIT_FILTERKEY:
> > break;
> > default:
> > return -EAU_MSGTYPECREDEXCLUDE;
> > @@ -1580,7 +1589,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> > **rulep, const char *pair, }
> > if (field == AUDIT_FILTERKEY &&
> > !(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded))
> > + _audit_exeadded || _audit_filterexcladded))
> > return -EAU_KEYDEP;
> > vlen = strlen(v);
> > if (field == AUDIT_FILTERKEY &&
> > diff --git a/lib/private.h b/lib/private.h
> > index cde1906..855187b 100644
> > --- a/lib/private.h
> > +++ b/lib/private.h
> > @@ -139,6 +139,7 @@ extern int _audit_permadded;
> > extern int _audit_archadded;
> > extern int _audit_syscalladded;
> > extern int _audit_exeadded;
> > +extern int _audit_filterexcladded;
> > extern unsigned int _audit_elf;
> >
> > #ifdef __cplusplus
> > diff --git a/src/auditctl.c b/src/auditctl.c
> > index 04765f4..c785087 100644
> > --- a/src/auditctl.c
> > +++ b/src/auditctl.c
> > @@ -74,6 +74,7 @@ static int reset_vars(void)
> > _audit_permadded = 0;
> > _audit_archadded = 0;
> > _audit_exeadded = 0;
> > + _audit_filterexcladded = 0;
> > _audit_elf = 0;
> > add = AUDIT_FILTER_UNSET;
> > del = AUDIT_FILTER_UNSET;
> > @@ -936,8 +937,8 @@ static int setopt(int count, int lineno, char *vars[])
> > break;
> > case 'k':
> > if (!(_audit_syscalladded || _audit_permadded ||
> > - _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
> > - del==AUDIT_FILTER_UNSET)) {
> > + _audit_exeadded || _audit_filterexcladded) ||
> > + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
> > audit_msg(LOG_ERR,
> > "key option needs a watch or syscall given prior to it");
> > retval = -1;
- RGB
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
2:39 p.m.
On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> On 2017-06-12 20:05, Steve Grubb wrote:
> > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > The exclude rules did not permit a filterkey to be added. This isn't
> > > as
> > > important for the exclude filter compared to the others since no
> > > records are generated with that key, but still helps identify rules
> > > in the rules list configuration.
> >
> > How long ago did thkernel start allowing this? I'm trying to decide if
> > this is generally applicable or needs some kind of versioning.
>
> I wasn't aware it was disallowed previously. I'll try to dig out if
> that was previously refused.
I see nothing obvious going back to its introduction:
5adc8a6adc91 <amy.griffis(a)hp.com> 2006-06-14 ("add rule
filterkey")
I think I remember that it was never supported because it didn't make sense to
have a key that would never be used for anything. Exclude supresses records
just like a 'never' action. The key is rejected to catch someone's attention
that they might have made a copy and paste to the wrong filter.
-Steve
2:58 p.m.
On 2017-06-13 15:39, Steve Grubb wrote:
On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> > On 2017-06-12 20:05, Steve Grubb wrote:
> > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > > The exclude rules did not permit a filterkey to be added. This
isn't
> > > > as
> > > > important for the exclude filter compared to the others since no
> > > > records are generated with that key, but still helps identify rules
> > > > in the rules list configuration.
> > >
> > > How long ago did thkernel start allowing this? I'm trying to decide
if
> > > this is generally applicable or needs some kind of versioning.
> >
> > I wasn't aware it was disallowed previously. I'll try to dig out if
> > that was previously refused.
>
> I see nothing obvious going back to its introduction:
> 5adc8a6adc91 <amy.griffis(a)hp.com> 2006-06-14 ("add rule
filterkey")
I think I remember that it was never supported because it didn't make sense to
have a key that would never be used for anything. Exclude supresses records
just like a 'never' action. The key is rejected to catch someone's attention
that they might have made a copy and paste to the wrong filter.
That issue was addressed somewhere in my correspondance about that
patch. It won't show up in the logs, but it is arguably useful for
sysadmins to be able to tag each rule in a systematic way.
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
2748
days inactive
2818
days old
linux-audit@lists.linux-audit.osci.io
5 comments
2 participants
participants (2)
-
Richard Guy Briggs -
Steve Grubb