rpms / audit

Clone
Source Code
GIT

Blame SOURCES/audit-3.0-user_avc.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic-beta c7-beta c8 c8-beta c8s c9 c9-beta
  1.   f10f4f759b33545e91056cc8a18fb9d38bafbadb
  2.   SOURCES
  3.   audit-3.0-user_avc.patch
Blob History Raw
f10f4f 
diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c
f10f4f 
--- audit-3.0.orig/src/aureport-options.c	2018-08-31 17:05:48.000000000 -0400
f10f4f 
+++ audit-3.0/src/aureport-options.c	2018-12-06 19:31:26.945634371 -0500
f10f4f 
@@ -85,7 +85,8 @@
f10f4f 
 	R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
f10f4f 
 	R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
f10f4f 
 	R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
f10f4f 
-	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE };
f10f4f 
+	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
f10f4f 
+	R_DEBUG };
f10f4f
f10f4f 
 static struct nv_pair optiontab[] = {
f10f4f 
 	{ R_AUTH, "-au" },
f10f4f 
@@ -98,6 +99,7 @@
f10f4f 
 	{ R_CONFIGS, "--config" },
f10f4f 
 	{ R_CRYPTO, "-cr" },
f10f4f 
 	{ R_CRYPTO, "--crypto" },
f10f4f 
+	{ R_DEBUG, "--debug" },
f10f4f 
 	{ R_DEL, "--delete" },
f10f4f 
 	{ R_EVENTS, "-e" },
f10f4f 
 	{ R_EVENTS, "--event" },
f10f4f 
@@ -731,6 +733,9 @@
f10f4f 
 		case R_DEL:
f10f4f 
 			event_conf_act = C_DEL;
f10f4f 
 			break;
f10f4f 
+		case R_DEBUG:
f10f4f 
+			event_debug = 1;
f10f4f 
+			break;
f10f4f 
 		case R_IN_LOGS:
f10f4f 
 			force_logs = 1;
f10f4f 
 			break;
f10f4f 
diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
f10f4f 
--- audit-3.0.orig/src/ausearch-parse.c	2018-08-31 17:05:48.000000000 -0400
f10f4f 
+++ audit-3.0/src/ausearch-parse.c	2018-12-06 19:31:26.945634371 -0500
f10f4f 
@@ -102,7 +102,8 @@
f10f4f 
 				ret = parse_path(n, s);
f10f4f 
 				break;
f10f4f 
 			case AUDIT_USER:
f10f4f 
-			case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
f10f4f 
+			case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
f10f4f 
+			case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
f10f4f 
 			case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
f10f4f 
 				ret = parse_user(n, s);
f10f4f 
 				break;
f10f4f 
@@ -136,6 +137,7 @@
f10f4f 
 				avc_parse_path(n, s);
f10f4f 
 				break;
f10f4f 
 			case AUDIT_AVC:
f10f4f 
+			case AUDIT_USER_AVC:
f10f4f 
 				ret = parse_avc(n, s);
f10f4f 
 				break;
f10f4f 
 			case AUDIT_NETFILTER_PKT:
f10f4f 
@@ -1867,6 +1869,20 @@
f10f4f 
 		*term = ' ';
f10f4f 
 	}
f10f4f
f10f4f 
+	// User AVC's are not formatted like a kernel AVC
f10f4f 
+	if (n->type == AUDIT_USER_AVC) {
f10f4f 
+		rc = parse_user(n, s);
f10f4f 
+		if (rc > 20)
f10f4f 
+			rc = 0;
f10f4f 
+		if (audit_avc_init(s) == 0) {
f10f4f 
+			alist_append(s->avc, &an);
f10f4f 
+		} else {
f10f4f 
+			rc = 10;
f10f4f 
+			goto err;
f10f4f 
+		}
f10f4f 
+		return rc;
f10f4f 
+	}
f10f4f 
+
f10f4f 
 	// get pid
f10f4f 
 	if (event_pid != -1) {
f10f4f 
 		str = strstr(term, "pid=");
f10f4f 
diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
f10f4f 
--- audit-3.0.orig/src/ausearch-parse.c	2018-10-03 19:46:52.000000000 -0400
f10f4f 
+++ audit-3.0/src/ausearch-parse.c	2018-12-08 15:48:54.350009208 -0500
f10f4f 
@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea
f10f4f 
 	if (str) {
f10f4f 
 		str += 5;
f10f4f 
 		term = strchr(str, '{');
f10f4f 
-		if (term == NULL)
f10f4f 
-			return 1;
f10f4f 
+		if (term == NULL) {
f10f4f 
+			term = n->message;
f10f4f 
+			goto other_avc;
f10f4f 
+		}
f10f4f 
 		if (event_success != S_UNSET) {
f10f4f 
 			*term = 0;
f10f4f 
 			// FIXME. Do not override syscall success if already
f10f4f 
@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea
f10f4f 
 		*term = ' ';
f10f4f 
 	}
f10f4f
f10f4f 
+other_avc:
f10f4f 
 	// User AVC's are not formatted like a kernel AVC
f10f4f 
 	if (n->type == AUDIT_USER_AVC) {
f10f4f 
 		rc = parse_user(n, s);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation