/*
* finds rule which matches bandwidth.
* return value: number of matched rules
* rulearray contains its rule numbers.
*/
int find_asmrule_match(char *asmrule,int **matched,int bw)
{
int i;
int rules;
int matchedrules = 0;
rules = count_rules(asmrule);
*matched = (int *)xmalloc(sizeof(int) * rules);
for(i = 0; i < rules ;i++) {
/* copy one rule to string*/
if(asmrule_match(asmrule,bw)) { /* match!! */
display(MSDL_DBG,"rule[%d] = %d matched\n",matchedrules,i);
(*matched)[matchedrules] = i;
matchedrules++;
}
asmrule = next_rule(asmrule);
}
return matchedrules;
}
/*
* Algorithm:
* check that user is root
* check to see if program exists
* if so fork, child waits for parent
* parent clears audit rules, loads audit all syscalls with child's pid
* parent tells child to go & waits for sigchld
* child exec's program
* parent deletes rules after getting sigchld
*/
int main(int argc, char *argv[])
{
int fd[2];
int pid,cmd=1;
char buf[2];
if (argc < 2) {
usage();
return 1;
}
if (strcmp(argv[cmd], "-h") == 0) {
usage();
return 1;
}
if (strcmp(argv[cmd], "-r") == 0) {
threat = 1;
cmd++;
}
if (getuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 1;
}
if (access(argv[cmd], X_OK)) {
if (errno == ENOENT)
fprintf(stderr, "Error - can't find: %s\n", argv[cmd]);
else
fprintf(stderr, "Error checking %s (%s)\n",
argv[cmd], strerror(errno));
return 1;
}
set_aumessage_mode(MSG_STDERR, DBG_NO);
switch (count_rules())
{
case -1:
if (errno == ECONNREFUSED)
fprintf(stderr,
"The audit system is disabled\n");
else
fprintf(stderr,
"Error - can't get rule count.\n");
return 1;
case 0:
break;
default:
fprintf(stderr,
"autrace cannot be run with rules loaded.\n"
"Please delete all rules using 'auditctl -D' if you "
"really wanted to\nrun this command.\n");
return 1;
}
if (pipe(fd) != 0) {
fprintf(stderr, "Error creating pipe.\n");
return 1;
}
switch ((pid=fork()))
{
case -1:
fprintf(stderr, "Error forking.\n");
return 1;
case 0: /* Child */
close(fd[1]);
printf("Waiting to execute: %s\n", argv[cmd]);
while (read(fd[0], buf, 1) == -1 && errno == EINTR)
/* blank */ ;
close(fd[0]);
execvp(argv[cmd], &argv[cmd]);
fprintf(stderr, "Failed to exec %s\n", argv[cmd]);
return 1;
default: /* Parent */
close(fd[0]);
fcntl(fd[1], F_SETFD, FD_CLOEXEC);
{
char field[16];
int audit_fd;
audit_fd = audit_open();
if (audit_fd < 0)
exit(1);
snprintf(field, sizeof(field), "pid=%d", pid);
if (insert_rule(audit_fd, field)) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
snprintf(field, sizeof(field), "ppid=%d", pid);
if (insert_rule(audit_fd, field)) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
sleep(1);
if (write(fd[1],"1", 1) != 1) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
waitpid(pid, NULL, 0);
close(fd[1]);
puts("Cleaning up...");
(void)delete_all_rules(audit_fd);
close(audit_fd);
}
printf("Trace complete. "
"You can locate the records with "
"\'ausearch -i -p %d\'\n",
pid);
break;
}
return 0;
}