Enable creation of rules to monitor for the execution of a path in the future.
For example, to log occurrences of touch(1)ing a file in /tmp, use:
-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=touch_tmp
The command:
touch /tmp/test
should generate a log message that can be verified by:
ausearch --start recent -k touch_tmp
Similarly, use "exe_children=" in the place of "exe=" to detect the
case for
any descendent processes.
Based-on-work-by: Peter Moody <pmoody(a)google.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
trunk/lib/errormsg.h | 2 +-
trunk/lib/fieldtab.h | 2 ++
trunk/lib/libaudit.c | 5 +++++
trunk/lib/libaudit.h | 7 ++++++-
trunk/src/auditctl-listing.c | 8 +++++++-
5 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4fea66..8d72bd8 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
{ -15, 2, "-F unknown errno -"},
{ -16, 2, "-F unknown file type - " },
{ -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Unused
+ { -18, 1, "only takes = operator" },
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index c0432cc..245b541 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
+_S(AUDIT_EXE, "exe" )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 5936c86..509e4be 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1312,6 +1312,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const
char *pair,
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_FILTERKEY:
+ case AUDIT_EXE_CHILDREN:
+ case AUDIT_EXE:
+ if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
+ op != AUDIT_EQUAL)
+ return -18;
if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
return -19;
vlen = strlen(v);
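Review bot: The two new cases at `case AUDIT_EXE_CHILDREN:` / `case AUDIT_EXE:` restrict the operator but do nothing to validate the value itself, so a relative path such as `exe=touch` is accepted and passed to the kernel, where its meaning (resolved against auditctl's cwd, or never matching) is not something this library controls; an absolute-path guard next to the operator check, e.g. `if ((field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) && *v != '/') return -N;`, would reject it at rule-load time instead of silently installing a rule that watches nothing. Which code N to return is a table decision: reuse the one this library already reports for non-absolute watch paths, or add a new errormsg.h entry. The exe cases are also fused onto the shared fall-through for the subject/key string fields, so the `op != AUDIT_EQUAL` restriction is easy to miss when reading the existing chain; a one-line comment such as `/* exe paths are exact-match only; fall through to the generic string copy */` would make that explicit. audit_rule_fieldpair_data begins and continues outside this hunk, so whether `vlen` is bounded for these fields is not visible here.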
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 10e3cfc..0233cee 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -251,6 +251,12 @@ extern "C" {
#ifndef AUDIT_FIELD_COMPARE
#define AUDIT_FIELD_COMPARE 111
#endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
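Review bot: The fallback values 112 and 113 are taken only when the system linux/audit.h lacks the names, so they encode an assumption about kernel field numbering that the `#ifndef` guard cannot verify; if the kernel in use assigns 113 to some other field, an `exe_children` rule is accepted by auditctl and loaded with a silently different meaning, which is the opposite of what a monitoring rule should fail toward. A comment above the new block stating the provenance would at least make the coupling visible, e.g. `/* Must match the uapi linux/audit.h values; these are fallbacks for older headers only. */`. Whether 113 is actually reserved upstream for AUDIT_EXE_CHILDREN is not shown by this patch and should be confirmed against the kernel side.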
@@ -546,4 +552,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
#endif
#endif
-
diff --git a/trunk/src/auditctl-listing.c b/trunk/src/auditctl-listing.c
index a4d5e20..b37d7b2 100644
--- a/trunk/src/auditctl-listing.c
+++ b/trunk/src/auditctl-listing.c
@@ -63,7 +63,8 @@ int key_match(const struct audit_rule_data *r)
}
if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID) || field == AUDIT_WATCH ||
- field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
+ field == AUDIT_DIR || field == AUDIT_FILTERKEY
+ || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
boffset += r->values[i];
}
}
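Review bot: The list of string-valued fields in the condition at `field == AUDIT_DIR || field == AUDIT_FILTERKEY || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN` now duplicates the set that print_rule walks in the same file, and the two must stay in sync or listing will misalign `boffset` and print the wrong bytes for every field after the mismatch. Factoring the predicate into one helper, `static int field_has_string_value(int field)`, and calling it from both places would keep the next field addition from having to touch both sites. key_match's body begins outside the hunk.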
@@ -347,6 +348,11 @@ static void print_rule(const struct audit_rule_data *r)
&r->buf[boffset]);
boffset += r->values[i];
+ } else if (field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
+ printf(" -F exe%s=%.*s",
+ field == AUDIT_EXE_CHILDREN ? "_children" : "",
+ r->values[i], &r->buf[boffset]);
+ boffset += r->values[i];
} else if (field == AUDIT_FILTERKEY) {
char *rkey, *ptr;
if (asprintf(&rkey, "%.*s", r->values[i],
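Review bot: In the new `printf(" -F exe%s=%.*s", ...)` the `%.*s` precision is fed `r->values[i]`, which, if `values[]` is the kernel's `__u32` array as in the ABI struct, is an unsigned value passed where printf requires an `int`; it mirrors the asprintf call on the next lines so it is existing practice here, but `(int)r->values[i]` would make the conversion explicit and keep -Wformat quiet. The path is also emitted unquoted, so an executable path containing a space or `=` produces a listing line that cannot be fed back to auditctl unambiguously — worth a comment if that is an accepted limitation of the listing format. print_rule starts outside this hunk.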
--
1.7.1