Red Hat Bugzilla – Attachment 149949 Details for
Bug 231914
Laus doesn't audit detach event
[patch]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)
laus-0.1-auditctl.patch (text/plain), 7.49 KB, created by
Matthew Booth
on 2007-03-13 16:55:16 UTC
Description:
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)
Filename:
MIME Type:
Creator:
Matthew Booth
Created:
2007-03-13 16:55:16 UTC
Size:
7.49 KB
patch
obsolete
>--- laus-0.1.auditctl/etc/filter.conf.auditctl 2007-03-12 18:30:16.000000000 +0000
>+++ laus-0.1.auditctl/etc/filter.conf 2007-03-12 18:30:30.000000000 +0000
>@@ -432,3 +432,4 @@
> event network-config = always;
> event user-message = always;
> event process-login = always;
>+event audit-control = always;
>--- laus-0.1.auditctl/docs/audit-filter.conf.5.auditctl 2007-03-12 18:31:37.000000000 +0000
>+++ laus-0.1.auditctl/docs/audit-filter.conf.5 2007-03-12 18:34:05.000000000 +0000
>@@ -465,6 +465,10 @@
> .B network-config
> Generated when the audit subsystem receives a netlink message that
> modifies the network configuration.
>+.TP
>+.B audit-control
>+Generated whenever a process performs an audit control event, such as
>+attach, detach and policy and filtering changes.
> .SH TAGGING EVENTS
> It is possible to attach an event name to a filter expression, or
> event. These event names will be copied to the audit record, and
>--- laus-0.1.auditctl/docs/laus-record.7.auditctl 2007-03-12 18:35:13.000000000 +0000
>+++ laus-0.1.auditctl/docs/laus-record.7 2007-03-12 18:41:13.000000000 +0000
>@@ -33,6 +33,7 @@
> .BR AUDIT_MSG_EXIT ,
> .BR AUDIT_MSG_NETLINK ,
> .BR AUDIT_MSG_TEXT ,
>+.BR AUDIT_MSG_CONTROL ,
> or a user-defined value above
> .BR AUDIT_MSG_USERBASE .
> .TP
>@@ -259,6 +260,27 @@
> .BR length
> field, and the data part starts at
> .BR data .
>+.SS The CONTROL Message
>+This message is generated in response to an ioctl() call on
>+/dev/audit. This comprises all operations which modify the audit
>+system itself. The value of
>+.BR msg_type " is " AUDIT_MSG_CONTROL .
>+.PP
>+The variable data part included in this message
>+is laid out as follows:
>+.PP
>+.nf
>+struct aud_msg_control {
>+ int ioctl;
>+ int result;
>+};
>+.fi
>+.PP
>+The
>+.BR ioctl
>+field is the ioctl request which was performed.
>+.BR result
>+is the return code from performing the ioctl operation.
> .SH SEE ALSO
> .IR laus(7)
> .SH AUTHORS
>--- laus-0.1.auditctl/docs/augrep.1.auditctl 2007-03-12 23:31:34.000000000 +0000
>+++ laus-0.1.auditctl/docs/augrep.1 2007-03-12 23:36:52.000000000 +0000
>@@ -141,6 +141,8 @@
> tools (ex. cron & at)
> .br
> "EXIT" Find exit messages.
>+.br
>+ "CONTROL" Find audit control events.
> .TP
> .BR LOGIN " options":
> .TP
>--- laus-0.1.auditctl/utils/augrep.c.auditctl 2007-03-12 23:19:51.000000000 +0000
>+++ laus-0.1.auditctl/utils/augrep.c 2007-03-12 23:27:00.000000000 +0000
>@@ -360,6 +360,9 @@
> else if (!strcasecmp("EXIT",optarg)) {
> event_type=AUDIT_MSG_EXIT;
> }
>+ else if (!strcasecmp("CONTROL",optarg)) {
>+ event_type=AUDIT_MSG_CONTROL;
>+ }
> else {
> fprintf(stderr,"%s is not a valid event type.\n", optarg);
> exit(1);
>@@ -693,6 +696,10 @@
> if (!grep_exit_opt(msg))
> tmp_grep &= ~EVENT_TYPE;
> }
>+ /* control */
>+ else if (event_type == AUDIT_MSG_CONTROL) {
>+ tmp_grep &= ~EVENT_TYPE;
>+ }
> }
> }
>
>--- laus-0.1.auditctl/auditd/main.c.auditctl 2007-03-12 12:08:07.000000000 +0000
>+++ laus-0.1.auditctl/auditd/main.c 2007-03-13 15:12:15.000000000 +0000
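Review bot: The new CONTROL branch in the second augrep.c hunk (`@@ -693,6 +696,10 @@`) clears EVENT_TYPE unconditionally, whereas the EXIT branch right above it clears the bit only when grep_exit_opt() reports no match. The enclosing if/else chain and the condition that guards it begin before the hunk, so I cannot see whether this code runs only once msg->msg_type already equals event_type; if it does, `-e CONTROL` would never select a control record, which contradicts the "CONTROL Find audit control events." text added to augrep.1 in the same patch. If the intent is simply that CONTROL has no sub-options, say so with `/* control: no sub-options, the type match alone decides */` and drop the `tmp_grep &= ~EVENT_TYPE;`, or keep the clear and confirm against the surrounding filter logic that it is the negative case.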
>@@ -46,7 +46,7 @@
> static int log_dest = LOG_DEST_STDERR | LOG_DEST_SYSLOG;
>
> static void configure_syscall(unsigned int, const char *);
>-static void configure_event(unsigned int, const char *);
>+static int configure_event(unsigned int, const char *);
>
>
> static void usage(int exval);
>@@ -176,11 +176,28 @@
> configure_syscall(n, syscall_code_to_name(n));
>
> /* Push filters for other events */
>- configure_event(AUD_POLICY_FORK, "process-create");
>- configure_event(AUD_POLICY_EXIT, "process-exit");
>- configure_event(AUD_POLICY_LOGIN, "process-login");
>- configure_event(AUD_POLICY_NETLINK, "network-config");
>- configure_event(AUD_POLICY_USERMSG, "user-message");
>+ static const struct {
>+ const int policy;
>+ const char *evname;
>+ const char exit_on_failure;
>+ } events[] = {
>+ { AUD_POLICY_FORK, "process-create", 1 },
>+ { AUD_POLICY_EXIT, "process-exit", 1 },
>+ { AUD_POLICY_LOGIN, "process-login", 1 },
>+ { AUD_POLICY_NETLINK, "network-config", 1 },
>+ { AUD_POLICY_USERMSG, "user-message", 1 },
>+ // We don't exit if control policy doesn't exist to prevent
>+ // entirely breaking auditing on systems with an old kernel.
>+ { AUD_POLICY_CONTROL, "audit-control", 0 }
>+ };
>+
>+ int i;
>+ for (i = 0; i < (sizeof(events) / sizeof(events[0])); i++) {
>+ if((configure_event(events[i].policy, events[i].evname) != 0)
>+ && events[i].exit_on_failure) {
>+ exit(1);
>+ }
>+ }
>
> if (opt_reload)
> return 0;
>@@ -263,7 +280,7 @@
> }
> }
>
>-void
>+int
> configure_event(unsigned int code, const char *name)
> {
> int err;
>@@ -272,8 +289,9 @@
> log_err(LOG_ERR,
> "Failed to export audit filter for event %s: %s",
> name, laus_strerror(errno));
>- exit(1);
> }
>+
>+ return err;
> }
>
> /*
>--- laus-0.1.auditctl/liblaussrv/print.c.auditctl 2007-03-12 13:38:27.000000000 +0000
>+++ laus-0.1.auditctl/liblaussrv/print.c 2007-03-12 16:20:46.000000000 +0000
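Review bot: In the `@@ -176,11 +176,28 @@` hunk the tolerated failure of the audit-control filter leaves no trace beyond the generic "Failed to export audit filter" LOG_ERR line that configure_event() still emits, so an operator reading the log cannot tell a known old-kernel degradation (control events will not be recorded at all) from a genuine fault, and the daemon keeps running with a silent gap in coverage. I would make the non-fatal case explicit in the loop: `if (configure_event(events[i].policy, events[i].evname) == 0) continue;` / `if (events[i].exit_on_failure) exit(1);` / `log_err(LOG_WARNING, "continuing without %s events", events[i].evname);`. Two smaller points of style in the same hunk: `int i` is compared against a `sizeof` expression and will draw a sign-compare warning, so `size_t i` is the natural type, and `const char exit_on_failure` reads as a character rather than a flag (plain `int` is what the rest of this file uses for flags, judging by `opt_reload`). The `const` on the members is redundant given the array itself is `static const`.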
>@@ -21,11 +21,15 @@
> #include <laussrv.h>
> #include "syscall.h"
>
>+#include <sys/ioctl.h>
>+#include <linux/audit.h>
>+
> static void print_syscall_msg(struct aud_message *msg);
> static void print_login_msg(struct aud_message *msg);
> static void print_text_msg(struct aud_message *msg);
> static void print_netlink_msg(struct aud_message *msg);
> static void print_exit_msg(struct aud_message *msg);
>+static void print_control_msg(struct aud_message *msg);
>
> int
> audit_print(struct aud_message *msg, int flags)
>@@ -42,6 +46,8 @@
> print_netlink_msg(msg); break;
> case AUDIT_MSG_EXIT:
> print_exit_msg(msg); break;
>+ case AUDIT_MSG_CONTROL:
>+ print_control_msg(msg); break;
> default:
> printf("[unknown message type %u]", msg->msg_type);
> }
>@@ -255,3 +261,42 @@
> aud = (struct aud_msg_exit *) &msg->msg_data;
> printf ("EXIT: %ld", aud->code);
> }
>+
>+void
>+print_control_msg(struct aud_message *msg)
>+{
>+ struct aud_msg_control *aud;
>+ char *event;
>+
>+ aud = (struct aud_msg_control *) &msg->msg_data;
>+ switch (aud->ioctl) {
>+ case AUIOCATTACH:
>+ event = "attach"; break;
>+ case AUIOCDETACH:
>+ event = "detach"; break;
>+ case AUIOCSUSPEND:
>+ event = "suspend"; break;
>+ case AUIOCRESUME:
>+ event = "resume"; break;
>+ case AUIOCCLRPOLICY:
>+ event = "clrpolicy"; break;
>+ case AUIOCSETPOLICY:
>+ event = "setpolicy"; break;
>+ case AUIOCIAMAUDITD:
>+ event = "iamauditd"; break;
>+ case AUIOCSETAUDITID:
>+ event = "setauditid"; break;
>+ case AUIOCLOGIN:
>+ event = "login"; break;
>+ case AUIOCUSERMESSAGE:
>+ event = "usermessage"; break;
>+ case AUIOCCLRFILTER:
>+ event = "clrfilter"; break;
>+ case AUIOCSETFILTER:
>+ event = "setfilter"; break;
>+ default:
>+ event = "UNKNOWN EVENT"; break;
>+ }
>+
>+ printf ("event=%s, result=%i(%s)", event, -aud->result, strerror(-aud->result));
>+}
>--- laus-0.1.auditctl/include/linux/audit.h.auditctl 2007-03-12 12:02:13.000000000 +0000
>+++ laus-0.1.auditctl/include/linux/audit.h 2007-03-12 16:20:17.000000000 +0000
>@@ -62,6 +62,7 @@
> AUD_POLICY_NETLINK,
> AUD_POLICY_LOGIN,
> AUD_POLICY_USERMSG,
>+ AUD_POLICY_CONTROL,
>
> __AUD_MAX_POLICY
> };
>@@ -197,6 +198,14 @@
> /* Pass as ioctl(fd, AUIOCIAMAUDITD, AUDIT_TRACE_ALL) */
> #define AUDIT_TRACE_ALL 1
>
>+ /*
>+ * This message is generated whenever there is an ioctl on the audit device
>+ */
>+struct aud_msg_control {
>+ int ioctl;
>+ int result;
>+};
>+
> /*
> * This message is generated when a process forks
> * or exits, to help auditd with book-keeping.
>@@ -270,6 +279,7 @@
> #define AUDIT_MSG_SYSCALL 2
> #define AUDIT_MSG_EXIT 3
> #define AUDIT_MSG_NETLINK 4
>+#define AUDIT_MSG_CONTROL 5
> #define AUDIT_MSG_USERBASE 256 /* user land messages start here */
>
> /* Values for msg_arch */
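Review bot: print_control_msg() drops the raw request number on the floor: any ioctl not in the switch is rendered only as "UNKNOWN EVENT", so a record produced by a newer kernel (or by anything unexpected on /dev/audit) cannot be attributed after the fact, which is exactly the situation an audit trail exists for. Always printing the numeric request keeps the record self-describing regardless of which names this build knows: `printf ("event=%s, ioctl=%#x, result=%i(%s)", event, aud->ioctl, -aud->result, strerror(-aud->result));`. The formatting also assumes `result` holds a negated errno; laus-record.7 in this patch only calls it "the return code", so a zero prints as "0(Success)" but a positive return value would be negated and mapped to a meaningless strerror() string, and a comment stating the assumed sign convention, `/* result is expected to be 0 or -errno from the kernel */`, would document that for the next reader. Minor: `event` only ever points at string literals, so declare it `const char *event;`, and strerror() needs <string.h>, which the includes hunk above does not add (it may already be present earlier in print.c).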
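Review bot: The comment added above `struct aud_msg_control` in the `@@ -197,6 +198,14 @@` hunk of include/linux/audit.h says when the message is generated but not what the two fields hold, and the consumer in print.c relies on a specific convention for `result`. I would replace the one-line comment with a short block saying that `ioctl` is the AUIOC* request number that was issued and `result` the value the ioctl handler returned, and which sign convention the kernel uses for failures, since print.c negates it before calling strerror(). The comment is also indented one space further than the struct and the neighbouring `/* This message is generated when a process forks` block; aligning it at column 0 matches the file. Nothing in this patch shows the kernel side that emits AUDIT_MSG_CONTROL, so the value 5 chosen in the `@@ -270,6 +279,7 @@` hunk and the two-int layout presumably mirror a separate kernel change; a pointer to it in the comment would help whoever next touches this header.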