Ejemplo n.º 1
0
TEST_F(AuditTests, test_valid_audit_state_exceptions) {
  AuditProcessEventState state = STATE_SYSCALL;
  validAuditState(STATE_SYSCALL, state);

  // Now allow for other acceptable transitions.
  EXPECT_TRUE(validAuditState(STATE_PATH, state));
  EXPECT_EQ(state, STATE_SYSCALL);

  state = STATE_SYSCALL;
  validAuditState(STATE_SYSCALL, state);
  EXPECT_TRUE(validAuditState(STATE_PATH, state));
  EXPECT_EQ(state, STATE_SYSCALL);
}
Ejemplo n.º 2
0
Status ProcessEventSubscriber::Callback(const ECRef& ec, const SCRef& sc) {
  // Check and set the valid state change.
  // If this is an unacceptable change reset the state and clear row data.
  if (ec->fields.count("success") && ec->fields.at("success") == "no") {
    return Status(0, "OK");
  }

  if (!validAuditState(ec->type, state_).ok()) {
    state_ = STATE_SYSCALL;
    Row().swap(row_);
    return Status(0, "OK");
  }

  // Fill in row fields based on the event state.
  updateAuditRow(ec, row_);

  // Only add the event if finished (aka a PATH event was emitted).
  if (state_ == STATE_SYSCALL) {
    // If the EXECVE state was not used, decode the cmdline value.
    if (row_.at("cmdline_size").size() == 0) {
      // This allows at most 1 decode call per potentially-encoded item.
      row_["cmdline"] = decodeAuditValue(row_.at("cmdline"));
      row_["cmdline_size"] = "1";
    }

    add(row_, getUnixTime());
    Row().swap(row_);
  }

  return Status(0, "OK");
}
Ejemplo n.º 3
0
TEST_F(AuditTests, test_valid_audit_state) {
  AuditProcessEventState state = STATE_SYSCALL;

  // The first state must be a syscall.
  EXPECT_TRUE(validAuditState(STATE_SYSCALL, state));
  EXPECT_EQ(state, STATE_EXECVE);

  // Followed by an EXECVE, CWD, or PATH
  EXPECT_TRUE(validAuditState(STATE_EXECVE, state));
  EXPECT_EQ(state, STATE_CWD);
  EXPECT_TRUE(validAuditState(STATE_CWD, state));
  EXPECT_EQ(state, STATE_PATH);
  EXPECT_TRUE(validAuditState(STATE_PATH, state));
  // Finally, the state is reset to syscall.
  EXPECT_EQ(state, STATE_SYSCALL);
}
Ejemplo n.º 4
0
TEST_F(AuditTests, test_valid_audit_state_failues) {
  // Now check invalid states.
  AuditProcessEventState state = STATE_SYSCALL;
  EXPECT_FALSE(validAuditState(STATE_EXECVE, state));
  EXPECT_FALSE(validAuditState(STATE_CWD, state));
  EXPECT_FALSE(validAuditState(STATE_PATH, state));

  // Two syscalls in a row: invalid.
  state = STATE_SYSCALL;
  validAuditState(STATE_SYSCALL, state);
  EXPECT_FALSE(validAuditState(STATE_SYSCALL, state));

  // A cwd must come after an exec.
  state = STATE_SYSCALL;
  validAuditState(STATE_SYSCALL, state);
  EXPECT_FALSE(validAuditState(STATE_CWD, state));

  // Two execs in a row: invalid.
  state = STATE_SYSCALL;
  validAuditState(STATE_SYSCALL, state);
  validAuditState(STATE_EXECVE, state);
  EXPECT_FALSE(validAuditState(STATE_EXECVE, state));
}