Beispiel #1
/*
 * Finds the rules in asmrule that match the bandwidth bw.
 *          return value:    number of matched rules
 * *matched receives a newly allocated array containing the matching rule numbers.
 */
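int find_asmrule_match(char *asmrule,int **matched,int bw)
{
    /*
     * Walks the rules in asmrule one by one and records the index of every
     * rule that asmrule_match() accepts for bandwidth bw.
     *
     * asmrule: rule text; advanced rule by rule with next_rule().
     * matched: out parameter. On return *matched is either NULL (no rules
     *          were counted) or an xmalloc()ed array with one slot per
     *          counted rule, of which the first <return value> slots are
     *          filled. Releasing it is left to the caller (nothing here
     *          frees it).
     * bw:      bandwidth passed through to asmrule_match().
     *
     * Returns the number of matching rules.
     */
    int i;
    int rules;
    int matchedrules = 0;

    rules = count_rules(asmrule);

    /*
     * A zero or negative count must not reach the size computation below:
     * a negative int converted to size_t becomes a huge allocation request,
     * and a zero-byte request has implementation-defined results.
     * NOTE(review): asmrule presumably originates from remote input, so the
     * count is not trusted here -- confirm against count_rules().
     */
    if(rules <= 0) {
	*matched = NULL;
	return 0;
    }

    /* One slot per rule is the upper bound on the number of matches. */
    *matched = (int *)xmalloc(sizeof **matched * (size_t)rules);

    for(i = 0; i < rules ;i++) {
	/* test the rule that asmrule currently points at */
	if(asmrule_match(asmrule,bw)) { /* match!! */
	    display(MSDL_DBG,"rule[%d] = %d matched\n",matchedrules,i);
	    (*matched)[matchedrules] = i;
	    matchedrules++;
	}
	/* NOTE(review): the result of next_rule() is used unchecked -- confirm
	 * it cannot return NULL before the counted number of rules is reached. */
	asmrule = next_rule(asmrule);
    }

    return matchedrules;
}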
Beispiel #2
/*
 * Algorithm:
 * check that user is root
 * check to see if program exists
 * if so fork, child waits for parent
 * parent clears audit rules, loads audit all syscalls with child's pid
 * parent tells child to go & waits for sigchld
 * child exec's program
 * parent deletes rules after getting sigchld
 */
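int main(int argc, char *argv[])
{
	/*
	 * Runs a program under audit tracing: the child blocks on a pipe
	 * until the parent has loaded audit rules for the child's pid, then
	 * executes the program; the parent removes the rules once the child
	 * has exited.
	 *
	 * Usage as parsed here: [-h] | [-r] program [args...]
	 * Returns 0 after a completed trace, 1 on any error.
	 *
	 * Changes from the previous version:
	 *  - "-r" given without a program no longer passes argv[argc]
	 *    (NULL) to access() and to the "%s" format.
	 *  - the child executes the program only after it has actually
	 *    received the parent's go byte. Before, end-of-file on the pipe
	 *    (the parent exiting early) also released the child, so the
	 *    program ran as root with no audit rules loaded.
	 *  - the child is terminated when audit_open() fails, like on the
	 *    other parent error paths.
	 *  - waitpid() is retried on EINTR so the rules are not removed
	 *    while the traced program is still running.
	 */
	int fd[2];
	int pid,cmd=1;
	char buf[2];
	ssize_t got;

	if (argc < 2) {
		usage();
		return 1;
	}
	if (strcmp(argv[cmd], "-h") == 0) {
		usage();
		return 1;
	}
	if (strcmp(argv[cmd], "-r") == 0) {
		threat = 1;
		cmd++;
	}
	/* "-r" alone leaves no program name; argv[cmd] would be NULL. */
	if (cmd >= argc) {
		usage();
		return 1;
	}
	if (getuid() != 0) {
		fprintf(stderr, "You must be root to run this program.\n");
		return 1;
	}
	/*
	 * Early, user-friendly check only. access() tests the path exactly
	 * as given, while execvp() below searches PATH for a name without a
	 * slash, and the file can change in between, so this is not a
	 * guarantee about what is eventually executed.
	 */
	if (access(argv[cmd], X_OK)) {
		if (errno == ENOENT)
			fprintf(stderr, "Error - can't find: %s\n", argv[cmd]);
		else
			fprintf(stderr, "Error checking %s (%s)\n",
				argv[cmd], strerror(errno));
		return 1;
	}
	set_aumessage_mode(MSG_STDERR, DBG_NO);
	/*
	 * Refuse to run when rules are already loaded: every cleanup path
	 * below calls delete_all_rules(), which would remove them.
	 */
	switch (count_rules())
	{
		case -1:
			if (errno == ECONNREFUSED)
				fprintf(stderr,
					"The audit system is disabled\n");
			else
				fprintf(stderr,
					"Error - can't get rule count.\n");
			return 1;
		case 0:
			break;
		default:
			fprintf(stderr,
			"autrace cannot be run with rules loaded.\n"
			"Please delete all rules using 'auditctl -D' if you "
			"really wanted to\nrun this command.\n");
			return 1;
	}
	if (pipe(fd) != 0) {
		fprintf(stderr, "Error creating pipe.\n");
		return 1;
	}

	switch ((pid=fork()))
	{
		case -1:
			fprintf(stderr, "Error forking.\n");
			return 1;
		case 0: /* Child */
			close(fd[1]);
			printf("Waiting to execute: %s\n", argv[cmd]);
			/* exec discards unflushed stdio buffers */
			fflush(stdout);
			do {
				got = read(fd[0], buf, 1);
			} while (got == -1 && errno == EINTR);
			close(fd[0]);
			/*
			 * Fail closed: 0 means the parent closed the pipe
			 * without sending the go byte, -1 is a read error.
			 * In both cases the rules may not be loaded.
			 */
			if (got != 1) {
				fprintf(stderr,
					"No start signal from parent, "
					"not executing %s\n", argv[cmd]);
				return 1;
			}
			execvp(argv[cmd], &argv[cmd]);
			fprintf(stderr, "Failed to exec %s\n", argv[cmd]);
			return 1;
		default: /* Parent */
			close(fd[0]);
			/* NOTE(review): fcntl() result is not checked */
			fcntl(fd[1], F_SETFD, FD_CLOEXEC);
			{
				char field[16];
				int audit_fd;
				audit_fd = audit_open();
				if (audit_fd < 0) {
					kill(pid,SIGTERM);
					exit(1);
				}
				/* trace the child itself ... */
				snprintf(field, sizeof(field), "pid=%d", pid);
				if (insert_rule(audit_fd, field)) {
					kill(pid,SIGTERM);
					(void)delete_all_rules(audit_fd);
					exit(1);
				}
				/* ... and processes whose parent is the child */
				snprintf(field, sizeof(field), "ppid=%d", pid);
				if (insert_rule(audit_fd, field)) {
					kill(pid,SIGTERM);
					(void)delete_all_rules(audit_fd);
					exit(1);
				}
				/* NOTE(review): presumably gives the rules
				 * time to take effect before the child is
				 * released -- confirm */
				sleep(1);
				if (write(fd[1],"1", 1) != 1) {
					kill(pid,SIGTERM);
					(void)delete_all_rules(audit_fd);
					exit(1);
				}
				while (waitpid(pid, NULL, 0) == -1 &&
						errno == EINTR)
					/* blank */ ;
				close(fd[1]);
				puts("Cleaning up...");
				(void)delete_all_rules(audit_fd);
				close(audit_fd);
			}
			printf("Trace complete. "
				"You can locate the records with "
				"\'ausearch -i -p %d\'\n",
				pid);
			break;
	}

	return 0;
}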