void check_rule_mismatch(int lineno, const char *option) { struct audit_rule_data tmprule; unsigned int old_audit_elf = _audit_elf; int rc = 0; switch (_audit_elf) { case AUDIT_ARCH_X86_64: _audit_elf = AUDIT_ARCH_I386; break; case AUDIT_ARCH_PPC64: _audit_elf = AUDIT_ARCH_PPC; break; case AUDIT_ARCH_S390X: _audit_elf = AUDIT_ARCH_S390; break; } memset(&tmprule, 0, sizeof(struct audit_rule_data)); audit_rule_syscallbyname_data(&tmprule, option); if (memcmp(tmprule.mask, rule_new->mask, AUDIT_BITMASK_SIZE)) rc = 1; _audit_elf = old_audit_elf; if (rc) { fprintf(stderr, "WARNING - 32/64 bit syscall mismatch"); if (lineno) fprintf(stderr, " in line %d", lineno); fprintf(stderr, ", you should specify an arch\n"); } }
int audit_add_watch_dir(int type, struct audit_rule_data **rulep, const char *path) { size_t len = strlen(path); struct audit_rule_data *rule = *rulep; if (rule && rule->field_count) { audit_msg(LOG_ERR, "Rule is not empty\n"); return -1; } if (type != AUDIT_WATCH && type != AUDIT_DIR) { audit_msg(LOG_ERR, "Invalid type used\n"); return -1; } *rulep = realloc(rule, len + sizeof(*rule)); if (*rulep == NULL) { free(rule); audit_msg(LOG_ERR, "Cannot realloc memory!\n"); return -1; } rule = *rulep; memset(rule, 0, len + sizeof(*rule)); rule->flags = AUDIT_FILTER_EXIT; rule->action = AUDIT_ALWAYS; audit_rule_syscallbyname_data(rule, "all"); rule->field_count = 2; rule->fields[0] = type; rule->values[0] = len; rule->fieldflags[0] = AUDIT_EQUAL; rule->buflen = len; memcpy(&rule->buf[0], path, len); // Default to all permissions rule->fields[1] = AUDIT_PERM; rule->fieldflags[1] = AUDIT_EQUAL; rule->values[1] = AUDIT_PERM_READ | AUDIT_PERM_WRITE | AUDIT_PERM_EXEC | AUDIT_PERM_ATTR; _audit_permadded = 1; return 0; }
/* * returns: -3 deprecated, -2 success - no reply, -1 error - noreply, * 0 success - reply, > 0 success - rule */ static int setopt(int count, int lineno, char *vars[]) { int c; int retval = 0, rc; optind = 0; opterr = 0; key[0] = 0; keylen = AUDIT_MAX_KEY_LEN; while ((retval >= 0) && (c = getopt(count, vars, "hicslDvtC:e:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) { int flags = AUDIT_FILTER_UNSET; rc = 10; // Init to something impossible to see if unused. switch (c) { case 'h': usage(); retval = -1; break; case 'i': ignore = 1; retval = -2; break; case 'c': ignore = 1; continue_error = 1; retval = -2; break; case 's': retval = audit_request_status(fd); if (retval <= 0) retval = -1; else retval = 0; /* success - just get the reply */ break; case 'e': if (optarg && ((strcmp(optarg, "0") == 0) || (strcmp(optarg, "1") == 0) || (strcmp(optarg, "2") == 0))) { if (audit_set_enabled(fd, strtoul(optarg,NULL,0)) > 0) audit_request_status(fd); else retval = -1; } else { fprintf(stderr, "Enable must be 0, 1, or 2 was %s\n", optarg); retval = -1; } break; case 'f': if (optarg && ((strcmp(optarg, "0") == 0) || (strcmp(optarg, "1") == 0) || (strcmp(optarg, "2") == 0))) { if (audit_set_failure(fd, strtoul(optarg,NULL,0)) > 0) audit_request_status(fd); else return -1; } else { fprintf(stderr, "Failure must be 0, 1, or 2 was %s\n", optarg); retval = -1; } break; case 'r': if (optarg && isdigit(optarg[0])) { uint32_t rate; errno = 0; rate = strtoul(optarg,NULL,0); if (errno) { fprintf(stderr, "Error converting rate\n"); return -1; } if (audit_set_rate_limit(fd, rate) > 0) audit_request_status(fd); else return -1; } else { fprintf(stderr, "Rate must be a numeric value was %s\n", optarg); retval = -1; } break; case 'b': if (optarg && isdigit(optarg[0])) { uint32_t limit; errno = 0; limit = strtoul(optarg,NULL,0); if (errno) { fprintf(stderr, "Error converting backlog\n"); return -1; } if (audit_set_backlog_limit(fd, limit) > 0) audit_request_status(fd); else return -1; } else { fprintf(stderr, "Backlog must be a numeric value was %s\n", optarg); retval = -1; } break; case 'l': if (count > 4 || count == 3) { fprintf(stderr, "Wrong number of options for list request\n"); retval = -1; break; } if (count == 4) { if (strcmp(vars[optind], "-k") == 0) { strncat(key, vars[3], keylen); count -= 2; } else { fprintf(stderr, "Only the -k option is allowed\n"); retval = -1; break; } } if (audit_request_rule_list(fd)) retval = -2; else retval = -1; break; case 'a': if (strstr(optarg, "task") && _audit_syscalladded) { fprintf(stderr, "Syscall auditing requested for task list\n"); retval = -1; } else { rc = audit_rule_setup(optarg, &add, &action, lineno); if (rc == 3) { fprintf(stderr, "Multiple rule insert/delete operations are not allowed\n"); retval = -1; } else if (rc == 2) { fprintf(stderr, "Append rule - bad keyword %s\n", optarg); retval = -1; } else if (rc == 1) { fprintf(stderr, "Append rule - possible is deprecated\n"); return -3; /* deprecated - eat it */ } else retval = 1; /* success - please send */ } break; case 'A': if (strstr(optarg, "task") && _audit_syscalladded) { fprintf(stderr, "Error: syscall auditing requested for task list\n"); retval = -1; } else { rc = audit_rule_setup(optarg, &add, &action, lineno); if (rc == 3) { fprintf(stderr, "Multiple rule insert/delete operations are not allowed\n"); retval = -1; } else if (rc == 2) { fprintf(stderr, "Add rule - bad keyword %s\n", optarg); retval = -1; } else if (rc == 1) { fprintf(stderr, "Append rule - possible is deprecated\n"); return -3; /* deprecated - eat it */ } else { add |= AUDIT_FILTER_PREPEND; retval = 1; /* success - please send */ } } break; case 'd': rc = audit_rule_setup(optarg, &del, &action, lineno); if (rc == 3) { fprintf(stderr, "Multiple rule insert/delete operations are not allowed\n"); retval = -1; } else if (rc == 2) { fprintf(stderr, "Delete rule - bad keyword %s\n", optarg); retval = -1; } else if (rc == 1) { fprintf(stderr, "Delete rule - possible is deprecated\n"); return -3; /* deprecated - eat it */ } else retval = 1; /* success - please send */ break; case 'S': { int unknown_arch = !_audit_elf; /* Do some checking to make sure that we are not adding a * syscall rule to a list that does not make sense. */ if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK || (del & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_TASK)) { fprintf(stderr, "Error: syscall auditing being added to task list\n"); return -1; } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_USER || (del & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == AUDIT_FILTER_USER)) { fprintf(stderr, "Error: syscall auditing being added to user list\n"); return -1; } else if (exclude) { fprintf(stderr, "Error: syscall auditing cannot be put on exclude list\n"); return -1; } else { if (unknown_arch) { int machine; unsigned int elf; machine = audit_detect_machine(); if (machine < 0) { fprintf(stderr, "Error detecting machine type\n"); return -1; } elf = audit_machine_to_elf(machine); if (elf == 0) { fprintf(stderr, "Error looking up elf type\n"); return -1; } _audit_elf = elf; } } rc = audit_rule_syscallbyname_data(rule_new, optarg); switch (rc) { case 0: _audit_syscalladded = 1; if (unknown_arch && add != AUDIT_FILTER_UNSET) check_rule_mismatch(lineno, optarg); break; case -1: fprintf(stderr, "Syscall name unknown: %s\n", optarg); retval = -1; break; case -2: fprintf(stderr, "Elf type unknown: 0x%x\n", _audit_elf); retval = -1; break; }} break; case 'F': if (add != AUDIT_FILTER_UNSET) flags = add & AUDIT_FILTER_MASK; else if (del != AUDIT_FILTER_UNSET) flags = del & AUDIT_FILTER_MASK; // if the field is arch & there is a -t option...we // can allow it else if ((optind >= count) || (strstr(optarg, "arch=") == NULL) || (strcmp(vars[optind], "-t") != 0)) { fprintf(stderr, "List must be given before field\n"); retval = -1; break; } rc = audit_rule_fieldpair_data(&rule_new,optarg,flags); if (rc != 0) { audit_number_to_errmsg(rc, optarg); retval = -1; } else { if (rule_new->fields[rule_new->field_count-1] == AUDIT_PERM) _audit_permadded = 1; } break; case 'C': if (add != AUDIT_FILTER_UNSET) flags = add & AUDIT_FILTER_MASK; else if (del != AUDIT_FILTER_UNSET) flags = del & AUDIT_FILTER_MASK; rc = audit_rule_interfield_comp_data(&rule_new, optarg, flags); if (rc != 0) { audit_number_to_errmsg(rc, optarg); retval = -1; } else { if (rule_new->fields[rule_new->field_count - 1] == AUDIT_PERM) _audit_permadded = 1; } break; case 'm': if (count > 3) { fprintf(stderr, "The -m option must be only the only option and takes 1 parameter\n"); retval = -1; } else if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL, NULL, NULL, 1) <= 0) retval = -1; else return -2; // success - no reply for this break; case 'R': fprintf(stderr, "Error - nested rule files not supported\n"); retval = -1; break; case 'D': if (count > 4 || count == 3) { fprintf(stderr, "Wrong number of options for Delete all request\n"); retval = -1; break; } if (count == 4) { if (strcmp(vars[optind], "-k") == 0) { strncat(key, vars[3], keylen); count -= 2; } else { fprintf(stderr, "Only the -k option is allowed\n"); retval = -1; break; } } retval = delete_all_rules(fd); if (retval == 0) { (void)audit_request_rule_list(fd); key[0] = 0; retval = -2; } break; case 'w': if (add != AUDIT_FILTER_UNSET || del != AUDIT_FILTER_UNSET) { fprintf(stderr, "watch option can't be given with a syscall\n"); retval = -1; } else if (optarg) { add = AUDIT_FILTER_EXIT; action = AUDIT_ALWAYS; _audit_syscalladded = 1; retval = audit_setup_watch_name(&rule_new, optarg); } else { fprintf(stderr, "watch option needs a path\n"); retval = -1; } break; case 'W': if (optarg) { del = AUDIT_FILTER_EXIT; action = AUDIT_ALWAYS; _audit_syscalladded = 1; retval = audit_setup_watch_name(&rule_new, optarg); } else { fprintf(stderr, "watch option needs a path\n"); retval = -1; } break; case 'k': if (!(_audit_syscalladded || _audit_permadded ) || (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) { fprintf(stderr, "key option needs a watch or syscall given prior to it\n"); retval = -1; } else if (!optarg) { fprintf(stderr, "key option needs a value\n"); retval = -1; } else if ((strlen(optarg)+strlen(key)+(!!key[0])) > AUDIT_MAX_KEY_LEN) { fprintf(stderr, "key option exceeds size limit\n"); retval = -1; } else { if (strncmp(optarg, "ids-", 4) == 0) { if (check_ids_key(optarg)) { retval = -1; break; } } if (strchr(optarg, AUDIT_KEY_SEPARATOR)) fprintf(stderr, "key %s has illegal character\n", optarg); if (key[0]) { // Add the separator if we need to strcat(key, key_sep); keylen--; } strncat(key, optarg, keylen); keylen = AUDIT_MAX_KEY_LEN - strlen(key); } break; case 'p': if (!add && !del) { fprintf(stderr, "permission option needs a watch given prior to it\n"); retval = -1; } else if (!optarg) { fprintf(stderr, "permission option needs a filter\n"); retval = -1; } else retval = audit_setup_perms(rule_new, optarg); break; case 'q': if (_audit_syscalladded) { fprintf(stderr, "Syscall auditing requested for make equivalent\n"); retval = -1; } else { char *mp, *sub; retval = equiv_parse(optarg, &mp, &sub); if (retval < 0) { fprintf(stderr, "Error parsing equivalent parts\n"); retval = -1; } else { retval = audit_make_equivalent(fd, mp, sub); if (retval <= 0) { retval = -1; } else return -2; // success - no reply needed } } break; case 't': retval = audit_trim_subtrees(fd); if (retval <= 0) retval = -1; else return -2; // success - no reply for this break; case 'v': printf("auditctl version %s\n", VERSION); retval = -2; break; default: usage(); retval = -1; break; } } /* catch extra args or errors where the user types "- s" */ if (optind == 1) retval = -1; else if ((optind < count) && (retval != -1)) { fprintf(stderr, "parameter passed without an option given\n"); retval = -1; } /* See if we were adding a key */ if (key[0] && list_requested == 0) { int flags = 0; char *cmd=NULL; /* Get the flag */ if (add != AUDIT_FILTER_UNSET) flags = add & AUDIT_FILTER_MASK; else if (del != AUDIT_FILTER_UNSET) flags = del & AUDIT_FILTER_MASK; /* Build the command */ asprintf(&cmd, "key=%s", key); if (cmd) { /* Add this to the rule */ int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags); if (ret < 0) retval = -1; free(cmd); } else { fprintf(stderr, "Out of memory adding key\n"); retval = -1; } } if (retval == -1 && errno == ECONNREFUSED) fprintf(stderr, "The audit system is disabled\n"); return retval; }
/* * This function is called after setopt to handle the return code. * On entry, status = 0 means just get the reply. Greater than 0 means we * are adding or deleting a rule or watch. -1 means an error occurred. * -2 means everything is OK and no reply needed. Even if there's an * error, we need to call this routine to close up the audit fd. * The return code from this function is 0 success and -1 error. */ static int handle_request(int status) { if (status == 0) { if (_audit_syscalladded) { fprintf(stderr, "Error - no list specified\n"); return -1; } get_reply(); } else if (status == -2) status = 0; // report success else if (status > 0) { int rc; if (add != AUDIT_FILTER_UNSET) { // if !task add syscall any if not specified if ((add & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && _audit_syscalladded != 1) { audit_rule_syscallbyname_data( rule_new, "all"); } set_aumessage_mode(MSG_QUIET, DBG_NO); rc = audit_add_rule_data(fd, rule_new, add, action); set_aumessage_mode(MSG_STDERR, DBG_NO); /* Retry for legacy kernels */ if (rc < 0) { if (errno == EINVAL && rule_new->fields[0] == AUDIT_DIR) { rule_new->fields[0] = AUDIT_WATCH; rc = audit_add_rule_data(fd, rule_new, add, action); } else { fprintf(stderr, "Error sending add rule data request (%s)\n", errno == EEXIST ? "Rule exists" : strerror(-rc)); } } } else if (del != AUDIT_FILTER_UNSET) { if ((del & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK && _audit_syscalladded != 1) { audit_rule_syscallbyname_data( rule_new, "all"); } set_aumessage_mode(MSG_QUIET, DBG_NO); rc = audit_delete_rule_data(fd, rule_new, del, action); set_aumessage_mode(MSG_STDERR, DBG_NO); /* Retry for legacy kernels */ if (rc < 0) { if (errno == EINVAL && rule_new->fields[0] == AUDIT_DIR) { rule_new->fields[0] = AUDIT_WATCH; rc = audit_delete_rule_data(fd,rule_new, del, action); } else { fprintf(stderr, "Error sending delete rule data request (%s)\n", errno == EEXIST ? "Rule exists" : strerror(-rc)); } } } else { usage(); audit_close(fd); exit(1); } if (rc <= 0) status = -1; else status = 0; } else status = -1; audit_close(fd); fd = -1; return status; }
static int insert_rule(int audit_fd, const char *field) { int rc; int flags = AUDIT_FILTER_EXIT; int action = AUDIT_ALWAYS; struct audit_rule_data *rule = malloc(sizeof(struct audit_rule_data)); int machine = audit_detect_machine(); char *t_field = NULL; if (rule == NULL) goto err; memset(rule, 0, sizeof(struct audit_rule_data)); if (threat) { rc = 0; rc |= audit_rule_syscallbyname_data(rule, "open"); rc |= audit_rule_syscallbyname_data(rule, "openat"); rc |= audit_rule_syscallbyname_data(rule, "creat"); rc |= audit_rule_syscallbyname_data(rule, "truncate"); rc |= audit_rule_syscallbyname_data(rule, "rename"); rc |= audit_rule_syscallbyname_data(rule, "renameat"); rc |= audit_rule_syscallbyname_data(rule, "unlink"); rc |= audit_rule_syscallbyname_data(rule, "unlinkat"); rc |= audit_rule_syscallbyname_data(rule, "mknod"); rc |= audit_rule_syscallbyname_data(rule, "mknodat"); rc |= audit_rule_syscallbyname_data(rule, "mkdir"); rc |= audit_rule_syscallbyname_data(rule, "mkdirat"); rc |= audit_rule_syscallbyname_data(rule, "rmdir"); rc |= audit_rule_syscallbyname_data(rule, "chdir"); rc |= audit_rule_syscallbyname_data(rule, "chown"); rc |= audit_rule_syscallbyname_data(rule, "lchown"); rc |= audit_rule_syscallbyname_data(rule, "fchownat"); rc |= audit_rule_syscallbyname_data(rule, "chmod"); rc |= audit_rule_syscallbyname_data(rule, "fchmodat"); rc |= audit_rule_syscallbyname_data(rule, "link"); rc |= audit_rule_syscallbyname_data(rule, "linkat"); rc |= audit_rule_syscallbyname_data(rule, "symlink"); rc |= audit_rule_syscallbyname_data(rule, "symlinkat"); rc |= audit_rule_syscallbyname_data(rule, "readlink"); rc |= audit_rule_syscallbyname_data(rule, "readlinkat"); rc |= audit_rule_syscallbyname_data(rule, "execve"); rc |= audit_rule_syscallbyname_data(rule, "name_to_handle_at"); if (machine != MACH_X86 && machine != MACH_S390X && machine != MACH_S390) { rc |= audit_rule_syscallbyname_data(rule, "connect"); rc |= audit_rule_syscallbyname_data(rule, "bind"); rc |= audit_rule_syscallbyname_data(rule, "accept"); rc |= audit_rule_syscallbyname_data(rule, "sendto"); rc |= audit_rule_syscallbyname_data(rule, "recvfrom"); rc |= audit_rule_syscallbyname_data(rule, "accept4"); } rc |= audit_rule_syscallbyname_data(rule, "sendfile"); } else rc = audit_rule_syscallbyname_data(rule, "all"); if (rc < 0) goto err; t_field = strdup(field); rc = audit_rule_fieldpair_data(&rule, t_field, flags); free(t_field); if (rc < 0) goto err; rc = audit_add_rule_data(audit_fd, rule, flags, action); if (rc < 0) goto err; // Now if i386, lets add its network rules if (machine == MACH_X86 || machine == MACH_S390X || machine == MACH_S390) { int i, a0[6] = { SYS_CONNECT, SYS_BIND, SYS_ACCEPT, SYS_SENDTO, SYS_RECVFROM, SYS_ACCEPT4 }; for (i=0; i<6; i++) { char pair[32]; memset(rule, 0, sizeof(struct audit_rule_data)); rc |= audit_rule_syscallbyname_data(rule, "socketcall"); snprintf(pair, sizeof(pair), "a0=%d", a0[i]); rc |= audit_rule_fieldpair_data(&rule, pair, flags); t_field = strdup(field); rc |= audit_rule_fieldpair_data(&rule, t_field, flags); free(t_field); rc |= audit_add_rule_data(audit_fd, rule, flags, action); } } free(rule); return 0; err: fprintf(stderr, "Error inserting audit rule for %s\n", field); free(rule); return 1; }
static int insert_rule(int audit_fd, const char *field) { int rc; int flags = AUDIT_FILTER_ENTRY; int action = AUDIT_ALWAYS; struct audit_rule_data *rule = malloc(sizeof(struct audit_rule_data)); if (rule == NULL) goto err; memset(rule, 0, sizeof(struct audit_rule_data)); if (threat) { rc = 0; rc |= audit_rule_syscallbyname_data(rule, "open"); rc |= audit_rule_syscallbyname_data(rule, "openat"); rc |= audit_rule_syscallbyname_data(rule, "creat"); rc |= audit_rule_syscallbyname_data(rule, "truncate"); rc |= audit_rule_syscallbyname_data(rule, "rename"); rc |= audit_rule_syscallbyname_data(rule, "renameat"); rc |= audit_rule_syscallbyname_data(rule, "unlink"); rc |= audit_rule_syscallbyname_data(rule, "unlinkat"); rc |= audit_rule_syscallbyname_data(rule, "mknod"); rc |= audit_rule_syscallbyname_data(rule, "mknodat"); rc |= audit_rule_syscallbyname_data(rule, "mkdir"); rc |= audit_rule_syscallbyname_data(rule, "mkdirat"); rc |= audit_rule_syscallbyname_data(rule, "rmdir"); rc |= audit_rule_syscallbyname_data(rule, "chdir"); rc |= audit_rule_syscallbyname_data(rule, "chown"); rc |= audit_rule_syscallbyname_data(rule, "lchown"); rc |= audit_rule_syscallbyname_data(rule, "fchownat"); rc |= audit_rule_syscallbyname_data(rule, "chmod"); rc |= audit_rule_syscallbyname_data(rule, "fchmodat"); rc |= audit_rule_syscallbyname_data(rule, "link"); rc |= audit_rule_syscallbyname_data(rule, "linkat"); rc |= audit_rule_syscallbyname_data(rule, "symlink"); rc |= audit_rule_syscallbyname_data(rule, "symlinkat"); rc |= audit_rule_syscallbyname_data(rule, "readlink"); rc |= audit_rule_syscallbyname_data(rule, "readlinkat"); rc |= audit_rule_syscallbyname_data(rule, "execve"); rc |= audit_rule_syscallbyname_data(rule, "connect"); rc |= audit_rule_syscallbyname_data(rule, "bind"); rc |= audit_rule_syscallbyname_data(rule, "accept"); rc |= audit_rule_syscallbyname_data(rule, "sendto"); rc |= audit_rule_syscallbyname_data(rule, "recvfrom"); rc |= audit_rule_syscallbyname_data(rule, "sendfile"); } else rc = audit_rule_syscallbyname_data(rule, "all"); if (rc < 0) goto err; rc = audit_rule_fieldpair_data(&rule, field, flags); if (rc < 0) goto err; rc = audit_add_rule_data(audit_fd, rule, flags, action); if (rc < 0) goto err; return 0; err: fprintf(stderr, "Error inserting audit rule for %s\n", field); return 1; }