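/*
 * Emit a debug line describing which rule fired and for what event.
 *
 * num      zero-based rule index (printed one-based)
 * results  the decision the rule produced
 * e        the event being evaluated
 *
 * Attribute lookups can return NULL (check_subject in this file guards
 * against exactly that), and the string fields themselves may be NULL,
 * so every field is substituted with a placeholder before it reaches the
 * format string instead of being dereferenced blindly. The placeholders
 * (-1 for the numeric ids, "?" for the strings) are constructed values
 * that mean "not available", nothing more.
 */
static void log_it(unsigned int num, decision_t results, event_t *e)
{
	subject_attr_t *exe = get_subj_attr(e, EXE);
	subject_attr_t *auid = get_subj_attr(e, AUID);
	subject_attr_t *pid = get_subj_attr(e, PID);
	object_attr_t *path = get_obj_attr(e, PATH);

	msg(LOG_DEBUG, "rule:%u dec=%s auid=%d pid=%d exe=%s file=%s",
	    num + 1, dec_val_to_name(results),
	    auid ? auid->val : -1,
	    pid ? pid->val : -1,
	    (exe && exe->str) ? exe->str : "?",
	    (path && path->o) ? path->o : "?");
}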
// Returns 0 if no match, 1 if a match static int check_subject(lnode *r, event_t *e) { unsigned int cnt = 0; while (cnt < r->s_count) { if (r->s[cnt].type != ALL_SUBJ) { subject_attr_t *subj = get_subj_attr(e, r->s[cnt].type); if (subj == NULL) continue; // If mismatch, we don't care if (r->s[cnt].type >= COMM) { if (subj->str == NULL) continue; // For directories we only do a partial // match. Any child dir would also match. if (r->s[cnt].type == EXE_DIR) { int rc = subj_dir_test(&(r->s[cnt]), subj); if (rc == 0) return 0; } else if (r->s[cnt].type == EXE && strcasecmp(r->s[cnt].str, "unpackaged")==0) { if (check_packaged_from_file(subj->str)) return 0; } else if (strcmp(subj->str, r->s[cnt].str)) return 0; } else if (subj->val != r->s[cnt].val) return 0; } cnt++; } return 1; }