This patch adds support to ausearch for searching for events related to a
guest, as proposed in the RFC:
https://www.redhat.com/archives/linux-audit/2011-November/msg00014.html
Two new options were added:
--uuid uuid
Search for an event with the given guest UUID. The given uuid is
compared to the value from the "uuid" field of a record.
--vmname name
Search for an event with the given guest name. The given name is
compared to the value from the "vm" field of a record.
Signed-off-by: Marcelo Cerri <mhcerri(a)linux.vnet.ibm.com>
---
docs/ausearch.8 | 6 ++++++
src/aureport-options.c | 4 ++++
src/ausearch-common.h | 4 ++++
src/ausearch-llist.c | 8 ++++++++
src/ausearch-llist.h | 8 ++++++--
src/ausearch-match.c | 18 ++++++++++++++++++
src/ausearch-options.c | 42 +++++++++++++++++++++++++++++++++++++++++-
src/ausearch-parse.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 134 insertions(+), 3 deletions(-)
diff --git a/docs/ausearch.8 b/docs/ausearch.8
index 54018ae..704fb52 100644
--- a/docs/ausearch.8
+++ b/docs/ausearch.8
@@ -129,9 +129,15 @@ Search for an event with the given \fIuser ID\fP.
.BR \-ul ,\ \-\-loginuid \ \fIlogin-id\fP
Search for an event with the given \fIlogin user ID\fP. All entry point programs that are
pamified need to be configured with pam_loginuid required for the session for searching on
loginuid (auid) to be accurate.
.TP
+.BR \-uu ,\ \-\-uuid \ \fIguest-uuid\fP
+Search for an event with the given \fIguest UUID\fP.
+.TP
.BR \-v ,\ \-\-version
Print the version and exit
.TP
+.BR \-vm ,\ \-\-vm-name \ \fIguest-name\fP
+Search for an event with the given \fIguest name\fP.
+.TP
.BR \-w ,\ \-\-word
String based matches must match the whole word. This category of matches include:
filename, hostname, terminal, and SE Linux context.
.TP
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 9786043..72a1d15 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -1,5 +1,6 @@
/* aureport-options.c - parse commandline options and configure aureport
* Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#include "config.h"
@@ -49,6 +51,8 @@ const char *event_hostname = NULL;
const char *event_terminal = NULL;
const char *event_subject = NULL;
const char *event_object = NULL;
+const char *event_uuid = NULL;
+const char *event_vmname = NULL;
int event_exit = 0, event_exit_is_set = 0;
int event_ppid = -1, event_session_id = -2;
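Review bot: `event_uuid` and `event_vmname` are defined here but nothing in the aureport side of this patch reads or sets them; presumably the definitions exist only so that aureport links against the shared ausearch-match.c, which now references both symbols. A one-line comment at the definition would save the next reader a search, e.g. `/* never set by aureport; defined so the shared ausearch-match.c links */`. If that is the intent, saying so in the commit message would also make clear that no aureport option is being added.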
diff --git a/src/ausearch-common.h b/src/ausearch-common.h
index f9d0d9b..2ee1f33 100644
--- a/src/ausearch-common.h
+++ b/src/ausearch-common.h
@@ -1,5 +1,6 @@
/* ausearch-common.h --
* Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*
*/
@@ -42,6 +44,8 @@ extern int event_syscall;
extern const char *event_exe;
extern int event_ua, event_ga;
extern int event_exit, event_exit_is_set;
+extern const char *event_uuid;
+extern const char *event_vmname;
typedef enum { F_BOTH, F_FAILED, F_SUCCESS } failed_t;
typedef enum { C_NEITHER, C_ADD, C_DEL } conf_act_t;
diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c
index 32cda7e..5d25e7c 100644
--- a/src/ausearch-llist.c
+++ b/src/ausearch-llist.c
@@ -1,6 +1,7 @@
/*
* ausearch-llist.c - Minimal linked list library
* Copyright (c) 2005-2008, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+* Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#include <stdlib.h>
@@ -55,6 +57,8 @@ void list_create(llist *l)
l->s.arch = 0;
l->s.syscall = 0;
l->s.session_id = -2;
+ l->s.uuid = NULL;
+ l->s.vmname = NULL;
l->s.exit = 0;
l->s.exit_is_set = 0;
}
@@ -197,6 +201,10 @@ void list_clear(llist* l)
l->s.arch = 0;
l->s.syscall = 0;
l->s.session_id = -2;
+ free(l->s.uuid);
+ l->s.uuid = NULL;
+ free(l->s.vmname);
+ l->s.vmname = NULL;
l->s.exit = 0;
l->s.exit_is_set = 0;
}
diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h
index a77d800..4ab6f14 100644
--- a/src/ausearch-llist.h
+++ b/src/ausearch-llist.h
@@ -1,6 +1,7 @@
/*
* ausearch-llist.h - Header file for ausearch-llist.c
* Copyright (c) 2005-2008 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+* Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#ifndef AULIST_HEADER
@@ -62,8 +64,10 @@ typedef struct
slist *key; // key field
char *terminal; // terminal
char *comm; // comm name
- alist *avc; // avcs for the event
- char *acct; // account used when uid is invalid
+ alist *avc; // avcs for the event
+ char *acct; // account used when uid is invalid
+ char *uuid; // virtual machine unique universal identifier
+ char *vmname; // virtual machine name
} search_items;
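Review bot: The lines `alist *avc;` and `char *acct;` are rewritten only to realign their trailing comments, which turns two unchanged declarations into a -/+ pair and makes the hunk look larger than it is; leaving them as they were and aligning the two new comments to the existing column keeps the diff to the added fields. Since list_clear() in ausearch-llist.c now calls free() on both new pointers, the comments should also state the ownership, e.g. `char *uuid; // guest UUID, malloc'd copy freed by list_clear()`.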
/* This is the node of the linked list. Any data elements that are per
diff --git a/src/ausearch-match.c b/src/ausearch-match.c
index 24b9320..18e52cb 100644
--- a/src/ausearch-match.c
+++ b/src/ausearch-match.c
@@ -1,6 +1,7 @@
/*
* ausearch-match.c - Extract interesting fields and check for match
* Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+* Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#include "config.h"
@@ -201,6 +203,22 @@ int match(llist *l)
return 0;
}
}
+ if (event_vmname) {
+ if (l->s.vmname == NULL) {
+ return 0;
+ }
+ if (strmatch(event_vmname, l->s.vmname) == 0) {
+ return 0;
+ }
+ }
+ if (event_uuid) {
+ if (l->s.uuid == NULL) {
+ return 0;
+ }
+ if (strmatch(event_uuid, l->s.uuid) == 0) {
+ return 0;
+ }
+ }
if (context_match(l) == 0)
return 0;
return 1;
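Review bot: The comparison on the line `if (strmatch(event_uuid, l->s.uuid) == 0)` inherits whatever case handling strmatch() has (its definition is outside this hunk); UUIDs are conventionally written in either case, so if strmatch is a plain strcmp/strstr a user passing an uppercase UUID will silently match nothing against a lowercase one in the log. Either document that `--uuid` is matched literally, or lower-case the option value once when it is stored in check_params(). match() starts outside this hunk.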
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index 8f4b64e..a92e23f 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -1,5 +1,6 @@
/* ausearch-options.c - parse commandline options and configure ausearch
* Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -19,6 +20,7 @@
* Authors:
* Debora Velarde <dvelarde(a)us.ibm.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#include "config.h"
@@ -61,6 +63,8 @@ const char *event_hostname = NULL;
const char *event_terminal = NULL;
const char *event_subject = NULL;
const char *event_object = NULL;
+const char *event_uuid = NULL;
+const char *event_vmname = NULL;
report_t report_format = RPT_DEFAULT;
ilist *event_type;
@@ -77,7 +81,7 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL,
S_OSUCCESS,
S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED };
+S_LINEBUFFERED, S_UUID, S_VMNAME};
static struct nv_pair optiontab[] = {
{ S_EVENT, "-a" },
@@ -141,10 +145,14 @@ static struct nv_pair optiontab[] = {
{ S_EFF_UID, "--uid-effective" },
{ S_UID, "-ui" },
{ S_UID, "--uid" },
+ { S_UUID, "-uu" },
+ { S_UUID, "--uuid" },
{ S_LOGINID, "-ul" },
{ S_LOGINID, "--loginuid" },
{ S_VERSION, "-v" },
{ S_VERSION, "--version" },
+ { S_VMNAME, "-vm" },
+ { S_VMNAME, "--vm-name" },
{ S_EXACT_MATCH, "-w" },
{ S_EXACT_MATCH, "--word" },
{ S_EXECUTABLE, "-x" },
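Review bot: The long option registered here is `--vm-name`, and the ausearch.8 hunk documents `--vm-name` as well, but the commit message describes the option as `--vmname`; the description should be brought in line with what ausearch actually accepts, since people will copy it from the log. A style nit in the preceding enum hunk: `S_LINEBUFFERED, S_UUID, S_VMNAME};` drops the space before the brace that the original `S_LINEBUFFERED };` had.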
@@ -199,7 +207,11 @@ static void usage(void)
"\t-ue,--uid-effective <effective User id> search based on
Effective\n\t\t\t\t\tuser id\n"
"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
"\t-ul,--loginuid <login id>\tsearch based on the User's Login
id\n"
+ "\t-uu,--uuid <guest UUID>\t\tsearch for events related to the
virtual\n"
+ "\t\t\t\t\tmachine with the given UUID.\n"
"\t-v,--version\t\t\tversion\n"
+ "\t-vm,--vm-name <guest name>\tsearch for events related to the
virtual\n"
+ "\t\t\t\t\tmachine with the name.\n"
"\t-w,--word\t\t\tstring matches are whole word\n"
"\t-x,--executable <executable name> search based on excutable
name\n"
);
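Review bot: The help text for `-vm` ends with `machine with the name.`, which is missing a word; the `-uu` entry two lines above says `with the given UUID.`, so this line should read `"\t\t\t\t\tmachine with the given name.\n"`. The surrounding usage() entries (`version`, `string matches are whole word`) do not end with a full stop, so the trailing periods on both new entries are also inconsistent with the rest of the table. usage() starts outside this hunk.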
@@ -997,6 +1009,34 @@ int check_params(int count, char *vars[])
}
c++;
break;
+ case S_UUID:
+ if (!optarg) {
+ fprintf(stderr,
+ "Argument is required for %s\n",
+ vars[c]);
+ retval = -1;
+ } else {
+ event_uuid = strdup(optarg);
+ if (event_uuid == NULL) {
+ retval = -1;
+ }
+ c++;
+ }
+ break;
+ case S_VMNAME:
+ if (!optarg) {
+ fprintf(stderr,
+ "Argument is required for %s\n",
+ vars[c]);
+ retval = -1;
+ } else {
+ event_vmname= strdup(optarg);
+ if (event_vmname == NULL) {
+ retval = -1;
+ }
+ c++;
+ }
+ break;
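Review bot: When strdup() returns NULL in the new S_UUID and S_VMNAME cases, retval is set to -1 with no diagnostic, so ausearch fails as if the option were malformed while the real cause is an allocation failure; the `!optarg` branch directly above does print to stderr, and the strdup branch should too, reusing whatever out-of-memory message the neighbouring cases print (they are outside this hunk). Style: `event_vmname= strdup(optarg);` is missing the space before `=` that the uuid case has. The two cases are identical apart from the destination variable, so a small static helper taking `const char **dst` and the option name would remove the duplication. check_params() starts and ends outside this hunk.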
case S_VERSION:
printf("ausearch version %s\n", VERSION);
exit(0);
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index f7ec834..f9363d9 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1,6 +1,7 @@
/*
* ausearch-parse.c - Extract interesting fields and check for match
* Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2011 IBM Corp.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -19,6 +20,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+* Marcelo Henrique Cerri <mhcerri(a)br.ibm.com>
*/
#include "config.h"
@@ -767,6 +769,50 @@ static int parse_user(const lnode *n, search_items *s)
return 13;
}
}
+ if (event_vmname) {
+ str = strstr(term, "vm=");
+ if (str) {
+ str += 3;
+ if (*str == '"') {
+ str++;
+ }
+ term = str;
+ while (*term != '"' && *term != ' ' &&
+ *term != ':' && *term != ',' &&
+ *term != 0) {
+ term++;
+ }
+ if (term == str) {
+ return 23;
+ }
+ saved = *term;
+ *term = 0;
+ s->vmname= strdup(str);
+ *term = saved;
+ }
+ }
+ if (event_uuid) {
+ str = strstr(term, "uuid=");
+ if (str) {
+ str += 5;
+ if (*str == '"') {
+ str++;
+ }
+ term = str;
+ while (*term != '"' && *term != ' ' &&
+ *term != ':' && *term != ',' &&
+ *term != 0) {
+ term++;
+ }
+ if (term == str) {
+ return 24;
+ }
+ saved = *term;
+ *term = 0;
+ s->uuid = strdup(str);
+ *term = saved;
+ }
+ }
// get uid - something has uid after auid ??
str = strstr(term, "uid=");
if (str != NULL) {
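Review bot: The value scanner at `while (*term != '"' && *term != ' ' &&` stops at the first space even after an opening quote was skipped on the preceding lines, so a quoted name such as `vm="web server"` would be stored as `web`; when the value is quoted the loop should run to the closing quote only. The same loop is repeated verbatim for `uuid=`, and both copies advance `term`, so the `strstr(term, "uid=")` lookup on the context line that follows scans different text depending on whether --vmname/--uuid were given (note that `"uid="` is also a suffix of `"uuid="`, so scanning from before the uuid field could pick the UUID up as a uid; I cannot see where term points at hunk entry, so this is inferred). Neither strdup() result is checked, and a NULL copy is later reported by match() as "field absent" rather than as an error. A small static helper that copies the value out with strndup() and leaves `term` untouched removes the duplication and the option-dependent side effect; parse_user() starts and ends outside this hunk.
```c
/* Copy the value of a `key=` field (optionally double-quoted) out of text.
 * Returns 0 with a malloc'd copy in *out on success, 1 if key is absent,
 * -1 if the value is empty, -2 on allocation failure. Does not modify text. */
static int extract_field(const char *text, const char *key, char **out)
{
	const char *str = strstr(text, key);
	if (str == NULL)
		return 1;
	str += strlen(key);
	int quoted = (*str == '"');
	if (quoted)
		str++;
	const char *end = str;
	if (quoted) {
		while (*end != '"' && *end != 0)
			end++;
	} else {
		while (*end != ' ' && *end != ':' && *end != ',' && *end != 0)
			end++;
	}
	if (end == str)
		return -1;
	*out = strndup(str, (size_t)(end - str));
	return *out ? 0 : -2;
}

static int parse_user(const lnode *n, search_items *s)
{
	/* … unchanged: earlier field parsing … */
	if (event_vmname && extract_field(term, "vm=", &s->vmname) < 0)
		return 23;
	if (event_uuid && extract_field(term, "uuid=", &s->uuid) < 0)
		return 24;
	/* … unchanged: uid= lookup and the rest of parse_user … */
```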
@@ -959,6 +1005,7 @@ static int parse_user(const lnode *n, search_items *s)
*term = ')';
}
}
+ /* last return code used = 24 */
return 0;
}
--
1.7.1