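TEST_F(AuditTests, test_valid_audit_state_exceptions) {
  // Besides the full SYSCALL -> EXECVE -> CWD -> PATH sequence, a PATH record
  // may directly follow the opening SYSCALL. Accepting it must wrap the
  // machine back to expecting the next SYSCALL.
  //
  // The original body repeated the same three statements twice from a reset
  // state, which added no coverage; the second round below instead continues
  // on the same machine, checking that the shortcut can be taken again
  // without an explicit reset.
  AuditProcessEventState state = STATE_SYSCALL;
  // Opening SYSCALL is set-up, not the subject of the test: stop early if it
  // is rejected rather than asserting on a state the helper never reached.
  ASSERT_TRUE(validAuditState(STATE_SYSCALL, state));

  // First shortcut: PATH straight after SYSCALL.
  EXPECT_TRUE(validAuditState(STATE_PATH, state));
  EXPECT_EQ(state, STATE_SYSCALL);

  // Second round on the same machine: a new SYSCALL is accepted after the
  // wrap-around, and the shortcut is valid again.
  ASSERT_TRUE(validAuditState(STATE_SYSCALL, state));
  EXPECT_TRUE(validAuditState(STATE_PATH, state));
  EXPECT_EQ(state, STATE_SYSCALL);
}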
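/// Consumes one audit record for the process-events table.
///
/// Records are fed one at a time; the subscriber accumulates the fields of a
/// single process event across several records (SYSCALL, EXECVE, CWD, PATH)
/// in `row_`, driven by the state machine in `validAuditState`, and emits the
/// row once the machine wraps back to STATE_SYSCALL.
///
/// @param ec  Event context: provides `fields` (string map of audit
///            key/values) and `type` (the record's state/type value).
/// @param sc  Subscription context; not used by this callback.
/// @return Always `Status(0, "OK")`: malformed or rejected records are
///         dropped rather than reported as errors.
Status ProcessEventSubscriber::Callback(const ECRef& ec, const SCRef& sc) {
  // Records that describe a failed syscall are dropped outright. state_ and
  // row_ are deliberately left untouched here; any trailing EXECVE/CWD/PATH
  // records of that failed call are judged by the transition check below.
  // NOTE(review): with state_ still at STATE_SYSCALL, a trailing PATH record
  // would be accepted on its own and emitted as a row carrying only PATH
  // fields — presumably undesirable for a detection source; confirm which
  // records the kernel emits for a failed call before tightening this.
  if (ec->fields.count("success") && ec->fields.at("success") == "no") {
    return Status(0, "OK");
  }

  // Check and apply the state transition. An unacceptable transition resets
  // the machine to "expect SYSCALL" and discards the partially built row.
  if (!validAuditState(ec->type, state_).ok()) {
    state_ = STATE_SYSCALL;
    Row().swap(row_);
    return Status(0, "OK");
  }

  // Merge this record's fields into the row being assembled.
  updateAuditRow(ec, row_);

  // The row is complete once the machine has wrapped back to STATE_SYSCALL,
  // i.e. the closing PATH record was seen.
  if (state_ == STATE_SYSCALL) {
    // If no EXECVE record contributed the command line, decode the raw value
    // here, so that a potentially-encoded item is decoded at most once.
    // find() is used instead of at(): a row can reach this point without
    // these keys (e.g. a PATH record accepted straight after SYSCALL, if
    // updateAuditRow does not seed them for that record type — confirm), and
    // a std::out_of_range escaping the subscriber callback must be avoided.
    auto size_it = row_.find("cmdline_size");
    if (size_it == row_.end() || size_it->second.empty()) {
      auto cmd_it = row_.find("cmdline");
      if (cmd_it != row_.end()) {
        cmd_it->second = decodeAuditValue(cmd_it->second);
      }
      row_["cmdline_size"] = "1";
    }
    add(row_, getUnixTime());
    Row().swap(row_);
  }
  return Status(0, "OK");
}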
TEST_F(AuditTests, test_valid_audit_state) {
  // The complete, in-order record sequence of one process event. Each entry
  // pairs the incoming record type with the state the machine must advance
  // to once that record has been accepted.
  struct Step {
    AuditProcessEventState incoming;
    AuditProcessEventState expected_next;
  };
  const Step sequence[] = {
      {STATE_SYSCALL, STATE_EXECVE}, // A sequence always opens with a SYSCALL.
      {STATE_EXECVE, STATE_CWD},
      {STATE_CWD, STATE_PATH},
      {STATE_PATH, STATE_SYSCALL}, // PATH closes it: back to expecting SYSCALL.
  };

  AuditProcessEventState state = STATE_SYSCALL;
  for (const auto& step : sequence) {
    EXPECT_TRUE(validAuditState(step.incoming, state));
    EXPECT_EQ(state, step.expected_next);
  }
}
TEST_F(AuditTests, test_valid_audit_state_failues) {
  // Every transition below must be rejected. Rejection is observed through
  // the return value only; what the helper leaves in `state` afterwards is
  // not part of the contract checked here.

  // Nothing but a SYSCALL may open a sequence.
  AuditProcessEventState state = STATE_SYSCALL;
  EXPECT_FALSE(validAuditState(STATE_EXECVE, state));
  EXPECT_FALSE(validAuditState(STATE_CWD, state));
  EXPECT_FALSE(validAuditState(STATE_PATH, state));

  // Produces a fresh machine that has already consumed its opening SYSCALL.
  auto after_syscall = []() {
    AuditProcessEventState fresh = STATE_SYSCALL;
    validAuditState(STATE_SYSCALL, fresh);
    return fresh;
  };

  // SYSCALL directly after SYSCALL.
  state = after_syscall();
  EXPECT_FALSE(validAuditState(STATE_SYSCALL, state));

  // CWD without the EXECVE that must precede it.
  state = after_syscall();
  EXPECT_FALSE(validAuditState(STATE_CWD, state));

  // EXECVE directly after EXECVE.
  state = after_syscall();
  validAuditState(STATE_EXECVE, state);
  EXPECT_FALSE(validAuditState(STATE_EXECVE, state));
}