* [PATCH ghak28/ghak25 user 0/2] parse EVENT_LISTENER and NETFILTER_CFG
@ 2020-05-19 15:31 Richard Guy Briggs
From: Richard Guy Briggs @ 2020-05-19 15:31 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Add a parser to parse subject attributes from EVENT_LISTENER and
NETFILTER_CFG record types.
This is a new order for subject attributes for two record types that
usually occur in user context and therefore would be informed by a
SYSCALL record, but occasionally stand alone and need the subject
attributes added. In the case of the NETFILTER_CFG event, since it is
kernel-initiated, several of the subject attributes are unset and
meaningless in the kernel context, and would be duplicates in user
context, so they have been removed.
Please see the upstream issues
https://github.com/linux-audit/audit-kernel/issues/28 and
https://github.com/linux-audit/audit-kernel/issues/25 .
Richard Guy Briggs (2):
ausearch-parse: add parser for YAASAO
ausearch-parse: mod parser for YAASAO for NETFILTER_CFG
src/ausearch-parse.c | 170 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 169 insertions(+), 1 deletion(-)
--
1.8.3.1
* [PATCH ghak28/ghak25 user 1/2] ausearch-parse: add parser for YAASAO
From: Richard Guy Briggs @ 2020-05-19 15:31 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Add a parser for Yet Another Audit Subject Attributes Order that was
introduced with ghak28 for the AUDIT_EVENT_LISTENER.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
src/ausearch-parse.c | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index a2cdb1fb5c60..147b1fa7acaf 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -62,6 +62,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s);
static int parse_simple_message(const lnode *n, search_items *s);
static int parse_tty(const lnode *n, search_items *s);
static int parse_pkt(const lnode *n, search_items *s);
+static int parse_yaasao(lnode *n, search_items *s);
static int audit_avc_init(search_items *s)
@@ -177,6 +178,9 @@ int extract_search_items(llist *l)
case AUDIT_REPLACE...AUDIT_BPF:
// Nothing to parse
break;
+ case AUDIT_EVENT_LISTENER:
+ ret = parse_yaasao(n, s);
+ break;
case AUDIT_TTY:
ret = parse_tty(n, s);
break;
@@ -2568,3 +2572,165 @@ static int parse_pkt(const lnode *n, search_items *s)
return 0;
}
+// parse Yet Another Audit Subject Attributes Order
+// /pid.*uid.*auid.*tty.*ses.*subj.*comm.*exe
+static int parse_yaasao(lnode *n, search_items *s)
+{
+ char *ptr, *str, *term;
+ term = n->message;
+
+ // get pid if not already filled
+ if (event_pid != -1 && s->pid == -1) {
+ str = strstr(term, " pid=");
+ if (str == NULL)
+ return 52;
+ ptr = str + 5;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 53;
+ *term = 0;
+ errno = 0;
+ s->pid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 54;
+ *term = ' ';
+ }
+ // get uid if not already filled
+ if ((s->uid == -1 && !s->tuid) && (event_uid != -1 || event_tuid)) {
+ str = strstr(term, "uid=");
+ if (str == NULL)
+ return 55;
+ // This could hit auid instead of uid. If so, fail.
+ if (*(str-1) == 'a') {
+ return 56;
+ }
+ ptr = str + 4;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 57;
+ *term = 0;
+ errno = 0;
+ s->uid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 58;
+ *term = ' ';
+ if (s->tuid) free((void *)s->tuid);
+ s->tuid = lookup_uid("uid", s->uid);
+ }
+ // get loginuid if not already filled
+ if ((s->loginuid == -2 && !s->tauid) && (event_loginuid != -2 || event_tauid)) {
+ str = strstr(term, "auid=");
+ if (str == NULL) {
+ return 59;
+ } else
+ ptr = str + 5;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 60;
+ *term = 0;
+ errno = 0;
+ s->loginuid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 61;
+ *term = ' ';
+ if (s->tauid) free((void *)s->tauid);
+ s->tauid = lookup_uid("auid", s->loginuid);
+ }
+ // get tty if not already filled
+ if (!s->terminal && event_terminal) {
+ // dont do this search unless needed
+ str = strstr(term, "tty=");
+ if (str) {
+ str += 4;
+ term = strchr(str, ' ');
+ if (term == NULL)
+ return 62;
+ *term = 0;
+ if (s->terminal) // ANOM_NETLINK has one
+ free(s->terminal);
+ s->terminal = strdup(str);
+ *term = ' ';
+ }
+ }
+ // get ses if not already filled
+ if (s->session_id == -2 && event_session_id != -2 ) {
+ str = strstr(term, "ses=");
+ if (str) {
+ ptr = str + 4;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 63;
+ *term = 0;
+ errno = 0;
+ s->session_id = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 64;
+ *term = ' ';
+ }
+ }
+ // get subject if not already filled
+ if (!s->avc && event_subject) {
+ // scontext
+ str = strstr(term, "subj=");
+ if (str != NULL) {
+ str += 5;
+ term = strchr(str, ' ');
+ if (term == NULL)
+ return 65;
+ *term = 0;
+ if (audit_avc_init(s) == 0) {
+ anode an;
+
+ anode_init(&an);
+ an.scontext = strdup(str);
+ alist_append(s->avc, &an);
+ *term = ' ';
+ } else
+ return 66;
+ } else
+ return 67;
+ }
+ // get command line if not already filled
+ if (!s->comm && event_comm) {
+ // dont do this search unless needed
+ str = strstr(term, "comm=");
+ if (str) {
+ /* Make the syscall one override */
+ if (s->comm)
+ free(s->comm);
+ str += 5;
+ if (*str == '"') {
+ str++;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 68;
+ *term = 0;
+ s->comm = strdup(str);
+ *term = '"';
+ } else
+ s->comm = unescape(str);
+ } else
+ return 69;
+ }
+ // get exe if not already filled
+ if (!s->exe && event_exe) {
+ // dont do this search unless needed
+ str = strstr(n->message, "exe=");
+ if (str) {
+ str += 4;
+ if (*str == '"') {
+ str++;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 70;
+ *term = 0;
+ s->exe = strdup(str);
+ *term = '"';
+ } else
+ s->exe = unescape(str);
+ } else
+ return 71;
+ }
+ return 0;
+}
+
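Review bot: The exe lookup near the end of parse_yaasao (`str = strstr(n->message, "exe=");`) restarts from the beginning of the record instead of continuing from `term` like every other field in this function, so it can match an `exe=` substring inside an earlier field value (comm values are logged unencoded unless they contain a quote, whitespace or a control character, so `=` can appear there) rather than the exe field itself; `str = strstr(term, "exe=");` keeps the fixed field order the header comment documents, and the same line is carried as context in patch 2/2. The auid guard `if (*(str-1) == 'a')` reads one byte before `str`, which is out of bounds if the record text handed in as `n->message` starts with `uid=`; `if (str == n->message || *(str-1) != ' ') return 56;` avoids that read and also rejects `euid=`/`suid=`-style matches rather than only `auid=`. The `if (s->tuid) free(...)`, `if (s->tauid) free(...)`, `if (s->terminal) free(...)` and `if (s->comm) free(...)` lines sit inside guards that already require those pointers to be NULL, so they are dead and the copied `// ANOM_NETLINK has one` comment no longer applies here. Every strtoul call discards endptr, so a non-numeric value such as `pid=abc` silently parses as 0; passing `&end` and checking `*end != '\0'` before restoring `*term` would let the numbered error returns actually catch malformed records.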
--
1.8.3.1
* [PATCH ghak28/ghak25 user 2/2] ausearch-parse: mod parser for YAASAO for NETFILTER_CFG
From: Richard Guy Briggs @ 2020-05-19 15:31 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis
Modify the YAASAO parser to accommodate the ghak25 NETFILTER_CFG record.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
src/ausearch-parse.c | 42 ++++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 147b1fa7acaf..7feabe40b6fa 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -173,11 +173,11 @@ int extract_search_items(llist *l)
case AUDIT_BPRM_FCAPS:
case AUDIT_CAPSET:
case AUDIT_MMAP:
- case AUDIT_NETFILTER_CFG:
case AUDIT_PROCTITLE:
case AUDIT_REPLACE...AUDIT_BPF:
// Nothing to parse
break;
+ case AUDIT_NETFILTER_CFG:
case AUDIT_EVENT_LISTENER:
ret = parse_yaasao(n, s);
break;
@@ -2620,23 +2620,23 @@ static int parse_yaasao(lnode *n, search_items *s)
// get loginuid if not already filled
if ((s->loginuid == -2 && !s->tauid) && (event_loginuid != -2 || event_tauid)) {
str = strstr(term, "auid=");
- if (str == NULL) {
- return 59;
- } else
+ if (str) {
ptr = str + 5;
- term = strchr(ptr, ' ');
- if (term == NULL)
- return 60;
- *term = 0;
- errno = 0;
- s->loginuid = strtoul(ptr, NULL, 10);
- if (errno)
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 59;
+ *term = 0;
+ errno = 0;
+ s->loginuid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 60;
+ *term = ' ';
+ if (s->tauid) free((void *)s->tauid);
+ s->tauid = lookup_uid("auid", s->loginuid);
+ } else
return 61;
- *term = ' ';
- if (s->tauid) free((void *)s->tauid);
- s->tauid = lookup_uid("auid", s->loginuid);
}
- // get tty if not already filled
+ // optionally get tty if not already filled
if (!s->terminal && event_terminal) {
// dont do this search unless needed
str = strstr(term, "tty=");
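Review bot: The auid block is reshaped into `if (str) { … } else return 61;` without any behavioural change, but the error codes are renumbered in the process: a missing `auid=` moves from 59 to 61, a missing terminator from 60 to 59 and an ERANGE from 61 to 60. Since auid stays mandatory even for NETFILTER_CFG, a reader cannot tell from the commit message why this block was touched; either keep the original numbering (so only the tty/ses/exe blocks change meaning) or say in the message that this is a reshuffle. The `if (s->tauid) free((void *)s->tauid);` line remains dead because the enclosing guard requires `!s->tauid`. parse_yaasao starts and ends outside this hunk.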
@@ -2650,9 +2650,10 @@ static int parse_yaasao(lnode *n, search_items *s)
free(s->terminal);
s->terminal = strdup(str);
*term = ' ';
- }
+ } else
+ s->terminal = strdup("(none)");
}
- // get ses if not already filled
+ // optionally get ses if not already filled
if (s->session_id == -2 && event_session_id != -2 ) {
str = strstr(term, "ses=");
if (str) {
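Review bot: The new `else s->terminal = strdup("(none)");` is undocumented, and `(none)` only works as a default if it is the spelling the kernel itself emits for a tty-less task, so that `--terminal (none)` matches synthesized and real records alike; a comment such as `// no tty= field: mirror the kernel's own tty=(none) spelling` would record that dependency, and the same applies to the `(null)` exe default added at the end of this patch. The `if (s->terminal) free(s->terminal);` two lines above the new branch is unreachable inside the `!s->terminal` guard and could go. strdup's result is not checked here, as elsewhere in this parser, so on allocation failure the field simply stays NULL. parse_yaasao starts and ends outside this hunk.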
@@ -2666,7 +2667,8 @@ static int parse_yaasao(lnode *n, search_items *s)
if (errno)
return 64;
*term = ' ';
- }
+ } else
+ s->session_id = (unsigned long)-1;
}
// get subject if not already filled
if (!s->avc && event_subject) {
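Review bot: `s->session_id = (unsigned long)-1;` does not equal the value a real record carries when the kernel logs an unset session (`ses=4294967295`, parsed through strtoul): on 64-bit builds it stores 18446744073709551615, so `--session 4294967295` would match the real record but not one synthesized here, and the difference between "field absent" and "field present but unset" is lost. If the intent is to mirror the kernel value, `s->session_id = 0xFFFFFFFFUL;` is width-independent; if the intent is a distinct "absent" marker, a comment saying so, plus a check that nothing else treats -1 specially, would help. This assumes session_id is an unsigned long, which the `== -2` comparison and the strtoul assignment suggest; parse_yaasao starts and ends outside this hunk.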
@@ -2712,7 +2714,7 @@ static int parse_yaasao(lnode *n, search_items *s)
} else
return 69;
}
- // get exe if not already filled
+ // optionally get exe if not already filled
if (!s->exe && event_exe) {
// dont do this search unless needed
str = strstr(n->message, "exe=");
@@ -2729,7 +2731,7 @@ static int parse_yaasao(lnode *n, search_items *s)
} else
s->exe = unescape(str);
} else
- return 71;
+ s->exe = strdup("(null)");
}
return 0;
}
--
1.8.3.1