int main(int argc, char *argv[]) { struct daemon_conf config; struct rlimit limit; int rc; /* Check params and build regexpr */ setlocale (LC_ALL, ""); if (check_params(argc, argv)) return 1; /* Raise the rlimits in case we're being started from a shell * with restrictions. Not a fatal error. */ limit.rlim_cur = RLIM_INFINITY; limit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_FSIZE, &limit); setrlimit(RLIMIT_CPU, &limit); set_aumessage_mode(MSG_STDERR, DBG_NO); (void) umask( umask( 077 ) | 027 ); very_first_event.sec = 0; reset_counters(); if (user_file == NULL) { /* Load config so we know where logs are */ if (load_config(&config, TEST_SEARCH)) fprintf(stderr, "NOTE - using built-in logs: %s\n", config.log_file); } else { config.sender_ctx = NULL; config.log_file = NULL; config.dispatcher = NULL; config.node_name = NULL; config.space_left_exe = NULL; config.action_mail_acct = NULL; config.admin_space_left_exe = NULL; config.disk_full_exe = NULL; config.disk_error_exe = NULL; config.krb5_principal = NULL; config.krb5_key_file = NULL; } print_title(); lol_create(&lo); if (user_file) rc = process_file(user_file); else if (force_logs) rc = process_logs(&config); else if (is_pipe(0)) rc = process_stdin(); else rc = process_logs(&config); lol_clear(&lo); if (rc) { free_config(&config); return rc; } if (!found && report_detail == D_DETAILED && report_type != RPT_TIME) { printf("<no events of interest were found>\n\n"); destroy_counters(); aulookup_destroy_uid_list(); aulookup_destroy_gid_list(); free_config(&config); return 1; } else print_wrap_up(); destroy_counters(); aulookup_destroy_uid_list(); aulookup_destroy_gid_list(); free_config(&config); free(user_file); return 0; }
int main(int argc, char *argv[]) { lnode *conf; struct sigaction sa; int i; #ifndef DEBUG /* Make sure we are root */ if (getuid() != 0) { fprintf(stderr, "You must be root to run this program.\n"); return 4; } #endif set_aumessage_mode(MSG_SYSLOG, DBG_YES); /* Register sighandlers */ sa.sa_flags = 0; sigemptyset(&sa.sa_mask); /* Ignore all signals by default */ sa.sa_handler = SIG_IGN; for (i=1; i<NSIG; i++) sigaction(i, &sa, NULL); /* Set handler for the ones we care about */ sa.sa_handler = term_handler; sigaction(SIGTERM, &sa, NULL); sa.sa_handler = hup_handler; sigaction(SIGHUP, &sa, NULL); sa.sa_handler = alarm_handler; sigaction(SIGALRM, &sa, NULL); sa.sa_handler = child_handler; sigaction(SIGCHLD, &sa, NULL); /* move stdin to its own fd */ if (argc == 3 && strcmp(argv[1], "--input") == 0) audit_fd = open(argv[2], O_RDONLY); else audit_fd = dup(0); if (audit_fd < 0) { syslog(LOG_ERR, "Failed setting up input, exiting"); return 1; } /* Make all descriptors point to dev null */ i = open("/dev/null", O_RDWR); if (i >= 0) { if (dup2(0, i) < 0 || dup2(1, i) < 0 || dup2(2, i) < 0) { syslog(LOG_ERR, "Failed duping /dev/null %s, exiting", strerror(errno)); return 1; } close(i); } else { syslog(LOG_ERR, "Failed opening /dev/null %s, exiting", strerror(errno)); return 1; } if (fcntl(audit_fd, F_SETFD, FD_CLOEXEC) < 0) { syslog(LOG_ERR, "Failed protecting input %s, exiting", strerror(errno)); return 1; } /* init the daemon's config */ if (load_config(&daemon_config, config_file)) return 6; load_plugin_conf(&plugin_conf); /* if no plugins - exit */ if (plist_count(&plugin_conf) == 0) { syslog(LOG_ERR, "No plugins found, exiting"); return 0; } /* Plugins are started with the auditd priority */ i = start_plugins(&plugin_conf); /* Now boost priority to make sure we are getting time slices */ if (daemon_config.priority_boost != 0) { errno = 0; (void) nice((int)-daemon_config.priority_boost); if (errno) { syslog(LOG_ERR, "Cannot change priority (%s)", strerror(errno)); /* Stay alive as this is better than stopping */ } } /* Let the queue initialize */ init_queue(daemon_config.q_depth); syslog(LOG_NOTICE, "audispd initialized with q_depth=%d and %d active plugins", daemon_config.q_depth, i); /* Tell it to poll the audit fd */ if (add_event(audit_fd, process_inbound_event) < 0) { syslog(LOG_ERR, "Cannot add event, exiting"); return 1; } /* Create inbound thread */ pthread_create(&inbound_thread, NULL, inbound_thread_main, NULL); /* Start event loop */ while (event_loop()) { hup = 0; reconfigure(); } /* Tell plugins we are going down */ signal_plugins(SIGTERM); /* Cleanup builtin plugins */ destroy_af_unix(); destroy_syslog(); /* Give it 5 seconds to clear the queue */ alarm(5); pthread_join(inbound_thread, NULL); /* Release configs */ plist_first(&plugin_conf); conf = plist_get_cur(&plugin_conf); while (conf) { free_pconfig(conf->p); conf = plist_next(&plugin_conf); } plist_clear(&plugin_conf); /* Cleanup the queue */ destroy_queue(); free_config(&daemon_config); return 0; }
static int setup_log_file_array(auparse_state_t *au) { struct daemon_conf config; char *filename, **tmp; int len, num = 0, i = 0; /* Load config so we know where logs are */ set_aumessage_mode(au, MSG_STDERR, DBG_NO); aup_load_config(au, &config, TEST_SEARCH); /* for each file */ len = strlen(config.log_file) + 16; filename = malloc(len); if (!filename) { fprintf(stderr, "No memory\n"); free_config(&config); return 1; } /* Find oldest log file */ snprintf(filename, len, "%s", config.log_file); do { if (access(filename, R_OK) != 0) break; num++; snprintf(filename, len, "%s.%d", config.log_file, num); } while (1); if (num == 0) { fprintf(stderr, "No log file\n"); free_config(&config); free(filename); return 1; } num--; tmp = malloc((num+2)*sizeof(char *)); /* Got it, now process logs from last to first */ if (num > 0) snprintf(filename, len, "%s.%d", config.log_file, num); else snprintf(filename, len, "%s", config.log_file); do { tmp[i++] = strdup(filename); /* Get next log file */ num--; if (num > 0) snprintf(filename, len, "%s.%d", config.log_file, num); else if (num == 0) snprintf(filename, len, "%s", config.log_file); else break; } while (1); free_config(&config); free(filename); // Terminate the list tmp[i] = NULL; au->source_list = tmp; return 0; }
int main(int argc, char *argv[]) { struct rlimit limit; int rc; /* Check params and build regexpr */ setlocale (LC_ALL, ""); if (check_params(argc, argv)) return 1; /* Raise the rlimits in case we're being started from a shell * with restrictions. Not a fatal error. */ limit.rlim_cur = RLIM_INFINITY; limit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_FSIZE, &limit); setrlimit(RLIMIT_CPU, &limit); set_aumessage_mode(MSG_STDERR, DBG_NO); (void) umask( umask( 077 ) | 027 ); very_first_event.sec = 0; reset_counters(); print_title(); lol_create(&lo); if (user_file) { struct stat sb; if (stat(user_file, &sb) == -1) { perror("stat"); return 1; } else { switch (sb.st_mode & S_IFMT) { case S_IFDIR: userfile_is_dir = 1; rc = process_logs(); break; case S_IFREG: default: rc = process_file(user_file); break; } } } else if (force_logs) rc = process_logs(); else if (is_pipe(0)) rc = process_stdin(); else rc = process_logs(); lol_clear(&lo); if (rc) return rc; if (!found && report_detail == D_DETAILED && report_type != RPT_TIME) { printf("<no events of interest were found>\n\n"); destroy_counters(); aulookup_destroy_uid_list(); aulookup_destroy_gid_list(); return 1; } else print_wrap_up(); destroy_counters(); aulookup_destroy_uid_list(); aulookup_destroy_gid_list(); free(user_file); return 0; }
/* * This function is called after setopt to handle the return code. * On entry, status = 0 means just get the reply. Greater than 0 means we * are adding or deleting a rule or watch. -1 means an error occurred. * -2 means everything is OK and no reply needed. Even if there's an * error, we need to call this routine to close up the audit fd. * The return code from this function is 0 success and -1 error. */ static int handle_request(int status) { if (status == 0) { if (_audit_syscalladded) { fprintf(stderr, "Error - no list specified\n"); return -1; } get_reply(); } else if (status == -2) status = 0; // report success else if (status > 0) { int rc; if (add != AUDIT_FILTER_UNSET) { // if !task add syscall any if not specified if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && _audit_syscalladded != 1) { audit_rule_syscallbyname_data( rule_new, "all"); } set_aumessage_mode(MSG_QUIET, DBG_NO); rc = audit_add_rule_data(fd, rule_new, add, action); set_aumessage_mode(MSG_STDERR, DBG_NO); /* Retry for legacy kernels */ if (rc < 0) { if (errno == EINVAL && rule_new->fields[0] == AUDIT_DIR) { rule_new->fields[0] = AUDIT_WATCH; rc = audit_add_rule_data(fd, rule_new, add, action); } else { fprintf(stderr, "Error sending add rule data request (%s)\n", errno == EEXIST ? "Rule exists" : strerror(-rc)); } } } else if (del != AUDIT_FILTER_UNSET) { if ((del & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && _audit_syscalladded != 1) { audit_rule_syscallbyname_data( rule_new, "all"); } set_aumessage_mode(MSG_QUIET, DBG_NO); rc = audit_delete_rule_data(fd, rule_new, del, action); set_aumessage_mode(MSG_STDERR, DBG_NO); /* Retry for legacy kernels */ if (rc < 0) { if (errno == EINVAL && rule_new->fields[0] == AUDIT_DIR) { rule_new->fields[0] = AUDIT_WATCH; rc = audit_delete_rule_data(fd,rule_new, del, action); } else { fprintf(stderr, "Error sending delete rule data request (%s)\n", errno == EEXIST ? "Rule exists" : strerror(-rc)); } } } else { usage(); audit_close(fd); exit(1); } if (rc <= 0) status = -1; else status = 0; } else status = -1; audit_close(fd); fd = -1; return status; }
int main(int argc, char *argv[]) { int retval = 1; set_aumessage_mode(MSG_STDERR, DBG_NO); if (argc == 1) { usage(); return 1; } #ifndef DEBUG /* Make sure we are root */ if (geteuid() != 0) { fprintf(stderr, "You must be root to run this program.\n"); return 4; } #endif /* Check where the rules are coming from: commandline or file */ if ((argc == 3) && (strcmp(argv[1], "-R") == 0)) { fd = audit_open(); if (audit_is_enabled(fd) == 2) { fprintf(stderr, "The audit system is in immutable " "mode, no rule changes allowed\n"); return 0; } else if (errno == ECONNREFUSED) { fprintf(stderr, "The audit system is disabled\n"); return 0; } else if (fileopt(argv[2])) return 1; else { if (continue_error < 0) return 1; return 0; } } else { if (reset_vars()) { free(rule_new); return 1; } retval = setopt(argc, 0, argv); if (retval == -3) { free(rule_new); return 0; } } if (add != AUDIT_FILTER_UNSET || del != AUDIT_FILTER_UNSET) { fd = audit_open(); if (audit_is_enabled(fd) == 2) { fprintf(stderr, "The audit system is in immutable " "mode, no rule changes allowed\n"); free(rule_new); return 0; } else if (errno == ECONNREFUSED) { fprintf(stderr, "The audit system is disabled\n"); free(rule_new); return 0; } } retval = handle_request(retval); free(rule_new); return retval; }
/* * Algorithm: * check that user is root * check to see if program exists * if so fork, child waits for parent * parent clears audit rules, loads audit all syscalls with child's pid * parent tells child to go & waits for sigchld * child exec's program * parent deletes rules after getting sigchld */ int main(int argc, char *argv[]) { int fd[2]; int pid,cmd=1; char buf[2]; if (argc < 2) { usage(); return 1; } if (strcmp(argv[cmd], "-h") == 0) { usage(); return 1; } if (strcmp(argv[cmd], "-r") == 0) { threat = 1; cmd++; } if (getuid() != 0) { fprintf(stderr, "You must be root to run this program.\n"); return 1; } if (access(argv[cmd], X_OK)) { if (errno == ENOENT) fprintf(stderr, "Error - can't find: %s\n", argv[cmd]); else fprintf(stderr, "Error checking %s (%s)\n", argv[cmd], strerror(errno)); return 1; } set_aumessage_mode(MSG_STDERR, DBG_NO); switch (count_rules()) { case -1: if (errno == ECONNREFUSED) fprintf(stderr, "The audit system is disabled\n"); else fprintf(stderr, "Error - can't get rule count.\n"); return 1; case 0: break; default: fprintf(stderr, "autrace cannot be run with rules loaded.\n" "Please delete all rules using 'auditctl -D' if you " "really wanted to\nrun this command.\n"); return 1; } if (pipe(fd) != 0) { fprintf(stderr, "Error creating pipe.\n"); return 1; } switch ((pid=fork())) { case -1: fprintf(stderr, "Error forking.\n"); return 1; case 0: /* Child */ close(fd[1]); printf("Waiting to execute: %s\n", argv[cmd]); while (read(fd[0], buf, 1) == -1 && errno == EINTR) /* blank */ ; close(fd[0]); execvp(argv[cmd], &argv[cmd]); fprintf(stderr, "Failed to exec %s\n", argv[cmd]); return 1; default: /* Parent */ close(fd[0]); fcntl(fd[1], F_SETFD, FD_CLOEXEC); { char field[16]; int audit_fd; audit_fd = audit_open(); if (audit_fd < 0) exit(1); snprintf(field, sizeof(field), "pid=%d", pid); if (insert_rule(audit_fd, field)) { kill(pid,SIGTERM); (void)delete_all_rules(audit_fd); exit(1); } snprintf(field, sizeof(field), "ppid=%d", pid); if (insert_rule(audit_fd, field)) { kill(pid,SIGTERM); (void)delete_all_rules(audit_fd); exit(1); } sleep(1); if (write(fd[1],"1", 1) != 1) { kill(pid,SIGTERM); (void)delete_all_rules(audit_fd); exit(1); } waitpid(pid, NULL, 0); close(fd[1]); puts("Cleaning up..."); (void)delete_all_rules(audit_fd); close(audit_fd); } printf("Trace complete. " "You can locate the records with " "\'ausearch -i -p %d\'\n", pid); break; } return 0; }
int main(int argc, char *argv[]) { struct sigaction sa; struct rlimit limit; int i, c, rc; int opt_foreground = 0, opt_allow_links = 0; enum startup_state opt_startup = startup_enable; extern char *optarg; extern int optind; struct ev_loop *loop; struct ev_io netlink_watcher; struct ev_signal sigterm_watcher; struct ev_signal sighup_watcher; struct ev_signal sigusr1_watcher; struct ev_signal sigusr2_watcher; struct ev_signal sigchld_watcher; /* Get params && set mode */ while ((c = getopt(argc, argv, "flns:")) != -1) { switch (c) { case 'f': opt_foreground = 1; break; case 'l': opt_allow_links=1; break; case 'n': do_fork = 0; break; case 's': for (i=0; i<startup_INVALID; i++) { if (strncmp(optarg, startup_states[i], strlen(optarg)) == 0) { opt_startup = i; break; } } if (i == startup_INVALID) { fprintf(stderr, "unknown startup mode '%s'\n", optarg); usage(); } break; default: usage(); } } /* check for trailing command line following options */ if (optind < argc) { usage(); } if (opt_allow_links) set_allow_links(1); if (opt_foreground) { config.daemonize = D_FOREGROUND; set_aumessage_mode(MSG_STDERR, DBG_YES); } else { config.daemonize = D_BACKGROUND; set_aumessage_mode(MSG_SYSLOG, DBG_NO); (void) umask( umask( 077 ) | 022 ); } #ifndef DEBUG /* Make sure we are root */ if (getuid() != 0) { fprintf(stderr, "You must be root to run this program.\n"); return 4; } #endif /* Register sighandlers */ sa.sa_flags = 0 ; sigemptyset( &sa.sa_mask ) ; /* Ignore all signals by default */ sa.sa_handler = SIG_IGN; for (i=1; i<NSIG; i++) sigaction( i, &sa, NULL ); atexit(clean_exit); /* Raise the rlimits in case we're being started from a shell * with restrictions. Not a fatal error. */ limit.rlim_cur = RLIM_INFINITY; limit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_FSIZE, &limit); setrlimit(RLIMIT_CPU, &limit); /* Load the Configuration File */ if (load_config(&config, TEST_AUDITD)) return 6; if (config.priority_boost != 0) { errno = 0; rc = nice((int)-config.priority_boost); if (rc == -1 && errno) { audit_msg(LOG_ERR, "Cannot change priority (%s)", strerror(errno)); return 1; } } /* Daemonize or stay in foreground for debugging */ if (config.daemonize == D_BACKGROUND) { if (become_daemon() != 0) { audit_msg(LOG_ERR, "Cannot daemonize (%s)", strerror(errno)); tell_parent(FAILURE); return 1; } openlog("auditd", LOG_PID, LOG_DAEMON); } /* Init netlink */ if ((fd = audit_open()) < 0) { audit_msg(LOG_ERR, "Cannot open netlink audit socket"); tell_parent(FAILURE); return 1; } /* Init the event handler thread */ write_pid_file(); if (init_event(&config)) { if (pidfile) unlink(pidfile); tell_parent(FAILURE); return 1; } if (init_dispatcher(&config)) { if (pidfile) unlink(pidfile); tell_parent(FAILURE); return 1; } /* Get machine name ready for use */ if (resolve_node(&config)) { if (pidfile) unlink(pidfile); tell_parent(FAILURE); return 1; } /* Write message to log that we are alive */ { struct utsname ubuf; char start[DEFAULT_BUF_SZ]; const char *fmt = audit_lookup_format((int)config.log_format); if (fmt == NULL) fmt = "UNKNOWN"; if (uname(&ubuf) != 0) { if (pidfile) unlink(pidfile); tell_parent(FAILURE); return 1; } if (getsubj(subj)) snprintf(start, sizeof(start), "auditd start, ver=%s format=%s " "kernel=%.56s auid=%u pid=%d subj=%s res=success", VERSION, fmt, ubuf.release, audit_getloginuid(), getpid(), subj); else snprintf(start, sizeof(start), "auditd start, ver=%s format=%s " "kernel=%.56s auid=%u pid=%d res=success", VERSION, fmt, ubuf.release, audit_getloginuid(), getpid()); if (send_audit_event(AUDIT_DAEMON_START, start)) { audit_msg(LOG_ERR, "Cannot send start message"); if (pidfile) unlink(pidfile); shutdown_dispatcher(); tell_parent(FAILURE); return 1; } } /* Tell kernel not to kill us */ avoid_oom_killer(); /* let config manager init */ init_config_manager(); if (opt_startup != startup_nochange && (audit_is_enabled(fd) < 2) && audit_set_enabled(fd, (int)opt_startup) < 0) { char emsg[DEFAULT_BUF_SZ]; if (*subj) snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d subj=%s res=failed", audit_getloginuid(), getpid(), subj); else snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d res=failed", audit_getloginuid(), getpid()); stop = 1; send_audit_event(AUDIT_DAEMON_ABORT, emsg); audit_msg(LOG_ERR, "Unable to set initial audit startup state to '%s', exiting", startup_states[opt_startup]); close_down(); if (pidfile) unlink(pidfile); shutdown_dispatcher(); tell_parent(FAILURE); return 1; } /* Tell the kernel we are alive */ if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) { char emsg[DEFAULT_BUF_SZ]; if (*subj) snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d subj=%s res=failed", audit_getloginuid(), getpid(), subj); else snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d res=failed", audit_getloginuid(), getpid()); stop = 1; send_audit_event(AUDIT_DAEMON_ABORT, emsg); audit_msg(LOG_ERR, "Unable to set audit pid, exiting"); close_down(); if (pidfile) unlink(pidfile); shutdown_dispatcher(); tell_parent(FAILURE); return 1; } /* Depending on value of opt_startup (-s) set initial audit state */ loop = ev_default_loop (EVFLAG_NOENV); ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ); ev_io_start (loop, &netlink_watcher); ev_signal_init (&sigterm_watcher, term_handler, SIGTERM); ev_signal_start (loop, &sigterm_watcher); ev_signal_init (&sighup_watcher, hup_handler, SIGHUP); ev_signal_start (loop, &sighup_watcher); ev_signal_init (&sigusr1_watcher, user1_handler, SIGUSR1); ev_signal_start (loop, &sigusr1_watcher); ev_signal_init (&sigusr2_watcher, user2_handler, SIGUSR2); ev_signal_start (loop, &sigusr2_watcher); ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD); ev_signal_start (loop, &sigchld_watcher); if (auditd_tcp_listen_init (loop, &config)) { char emsg[DEFAULT_BUF_SZ]; if (*subj) snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d subj=%s res=failed", audit_getloginuid(), getpid(), subj); else snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u pid=%d res=failed", audit_getloginuid(), getpid()); stop = 1; send_audit_event(AUDIT_DAEMON_ABORT, emsg); tell_parent(FAILURE); } else { /* Now tell parent that everything went OK */ tell_parent(SUCCESS); audit_msg(LOG_NOTICE, "Init complete, auditd %s listening for events (startup state %s)", VERSION, startup_states[opt_startup]); } /* Parent should be gone by now... */ if (do_fork) close(init_pipe[1]); // Init complete, start event loop if (!stop) ev_loop (loop, 0); auditd_tcp_listen_uninit (loop, &config); // Tear down IO watchers Part 1 ev_signal_stop (loop, &sighup_watcher); ev_signal_stop (loop, &sigusr1_watcher); ev_signal_stop (loop, &sigusr2_watcher); ev_signal_stop (loop, &sigterm_watcher); /* Write message to log that we are going down */ rc = audit_request_signal_info(fd); if (rc > 0) { struct audit_reply trep; rc = get_reply(fd, &trep, rc); if (rc > 0) { char txt[MAX_AUDIT_MESSAGE_LENGTH]; snprintf(txt, sizeof(txt), "auditd normal halt, sending auid=%u " "pid=%d subj=%s res=success", trep.signal_info->uid, trep.signal_info->pid, trep.signal_info->ctx); send_audit_event(AUDIT_DAEMON_END, txt); } } if (rc <= 0) send_audit_event(AUDIT_DAEMON_END, "auditd normal halt, sending auid=? " "pid=? subj=? res=success"); free(rep); // Tear down IO watchers Part 2 ev_io_stop (loop, &netlink_watcher); // Give DAEMON_END event a little time to be sent in case // of remote logging usleep(10000); // 10 milliseconds shutdown_dispatcher(); // Tear down IO watchers Part 3 ev_signal_stop (loop, &sigchld_watcher); close_down(); free_config(&config); ev_default_destroy(); return 0; }