This patch adds support to ausearch for searching for events related to a guest, as proposed in the RFC:
https://www.redhat.com/archives/linux-audit/2011-November/msg00014.html Two new options were added: --uuid uuid Search for an event with the given guest UUID. The given uuid is compared to the value from the "uuid" field of a record. --vmname name Search for an event with the given guest name. The given name is compared to the value from the "vm" field of a record. Signed-off-by: Marcelo Cerri <[email protected]> --- docs/ausearch.8 | 6 ++++++ src/aureport-options.c | 4 ++++ src/ausearch-common.h | 4 ++++ src/ausearch-llist.c | 8 ++++++++ src/ausearch-llist.h | 8 ++++++-- src/ausearch-match.c | 18 ++++++++++++++++++ src/ausearch-options.c | 42 +++++++++++++++++++++++++++++++++++++++++- src/ausearch-parse.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 134 insertions(+), 3 deletions(-) diff --git a/docs/ausearch.8 b/docs/ausearch.8 index 54018ae..704fb52 100644 --- a/docs/ausearch.8 +++ b/docs/ausearch.8 @@ -129,9 +129,15 @@ Search for an event with the given \fIuser ID\fP. .BR \-ul ,\ \-\-loginuid \ \fIlogin-id\fP Search for an event with the given \fIlogin user ID\fP. All entry point programs that are pamified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate. .TP +.BR \-uu ,\ \-\-uuid \ \fIguest-uuid\fP +Search for an event with the given \fIguest UUID\fP. +.TP .BR \-v ,\ \-\-version Print the version and exit .TP +.BR \-vm ,\ \-\-vm-name \ \fIguest-name\fP +Search for an event with the given \fIguest name\fP. +.TP .BR \-w ,\ \-\-word String based matches must match the whole word. This category of matches include: filename, hostname, terminal, and SE Linux context. .TP diff --git a/src/aureport-options.c b/src/aureport-options.c index 9786043..72a1d15 100644 --- a/src/aureport-options.c +++ b/src/aureport-options.c 
@@ -1,5 +1,6 @@ /* aureport-options.c - parse commandline options and configure aureport * Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,6 +19,7 @@ * * Authors: * Steve Grubb <[email protected]> + * Marcelo Henrique Cerri <[email protected]> */ #include "config.h" @@ -49,6 +51,8 @@ const char *event_hostname = NULL; const char *event_terminal = NULL; const char *event_subject = NULL; const char *event_object = NULL; +const char *event_uuid = NULL; +const char *event_vmname = NULL; int event_exit = 0, event_exit_is_set = 0; int event_ppid = -1, event_session_id = -2; diff --git a/src/ausearch-common.h b/src/ausearch-common.h index f9d0d9b..2ee1f33 100644 --- a/src/ausearch-common.h +++ b/src/ausearch-common.h @@ -1,5 +1,6 @@ /* ausearch-common.h -- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,6 +19,7 @@ * * Authors: * Steve Grubb <[email protected]> + * Marcelo Henrique Cerri <[email protected]> * */ @@ -42,6 +44,8 @@ extern int event_syscall; extern const char *event_exe; extern int event_ua, event_ga; extern int event_exit, event_exit_is_set; +extern const char *event_uuid; +extern const char *event_vmname; typedef enum { F_BOTH, F_FAILED, F_SUCCESS } failed_t; typedef enum { C_NEITHER, C_ADD, C_DEL } conf_act_t; diff --git a/src/ausearch-llist.c b/src/ausearch-llist.c index 32cda7e..5d25e7c 100644 --- a/src/ausearch-llist.c +++ b/src/ausearch-llist.c @@ -1,6 +1,7 @@ /* * ausearch-llist.c - Minimal linked list library * Copyright (c) 2005-2008, 2011 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the 
@@ -19,6 +20,7 @@ * * Authors: * Steve Grubb <[email protected]> +* Marcelo Henrique Cerri <[email protected]> */ #include <stdlib.h> @@ -55,6 +57,8 @@ void list_create(llist *l) l->s.arch = 0; l->s.syscall = 0; l->s.session_id = -2; + l->s.uuid = NULL; + l->s.vmname = NULL; l->s.exit = 0; l->s.exit_is_set = 0; } @@ -197,6 +201,10 @@ void list_clear(llist* l) l->s.arch = 0; l->s.syscall = 0; l->s.session_id = -2; + free(l->s.uuid); + l->s.uuid = NULL; + free(l->s.vmname); + l->s.vmname = NULL; l->s.exit = 0; l->s.exit_is_set = 0; } diff --git a/src/ausearch-llist.h b/src/ausearch-llist.h index a77d800..4ab6f14 100644 --- a/src/ausearch-llist.h +++ b/src/ausearch-llist.h @@ -1,6 +1,7 @@ /* * ausearch-llist.h - Header file for ausearch-llist.c * Copyright (c) 2005-2008 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the @@ -19,6 +20,7 @@ * * Authors: * Steve Grubb <[email protected]> +* Marcelo Henrique Cerri <[email protected]> */ #ifndef AULIST_HEADER @@ -62,8 +64,10 @@ typedef struct slist *key; // key field char *terminal; // terminal char *comm; // comm name - alist *avc; // avcs for the event - char *acct; // account used when uid is invalid + alist *avc; // avcs for the event + char *acct; // account used when uid is invalid + char *uuid; // virtual machine unique universal identifier + char *vmname; // virtual machine name } search_items; /* This is the node of the linked list. Any data elements that are per diff --git a/src/ausearch-match.c b/src/ausearch-match.c index 24b9320..18e52cb 100644 --- a/src/ausearch-match.c +++ b/src/ausearch-match.c @@ -1,6 +1,7 @@ /* * ausearch-match.c - Extract interesting fields and check for match * Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the 
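Review bot: In the ausearch-llist.h hunk the existing `avc` and `acct` lines are rewritten only to realign their trailing comments, which turns a two-line addition into a four-line change and moves blame for unrelated fields; leave those two lines as they were and align the new ones to them. The comment on the new field should read `char *uuid; // universally unique identifier (UUID) of the virtual machine` rather than "unique universal identifier". list_create and list_clear now cover the two heap-owned strings, but any other function in ausearch-llist.c that resets or copies search_items (none is visible in this patch) needs the same NULL-initialisation and free, and because free(NULL) is a no-op the release in list_clear is safe for events that never carried a vm= or uuid= field.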
@@ -19,6 +20,7 @@ * * Authors: * Steve Grubb <[email protected]> +* Marcelo Henrique Cerri <[email protected]> */ #include "config.h" @@ -201,6 +203,22 @@ int match(llist *l) return 0; } } + if (event_vmname) { + if (l->s.vmname == NULL) { + return 0; + } + if (strmatch(event_vmname, l->s.vmname) == 0) { + return 0; + } + } + if (event_uuid) { + if (l->s.uuid == NULL) { + return 0; + } + if (strmatch(event_uuid, l->s.uuid) == 0) { + return 0; + } + } if (context_match(l) == 0) return 0; return 1; diff --git a/src/ausearch-options.c b/src/ausearch-options.c index 8f4b64e..a92e23f 100644 --- a/src/ausearch-options.c +++ b/src/ausearch-options.c @@ -1,5 +1,6 @@ /* ausearch-options.c - parse commandline options and configure ausearch * Copyright 2005-08,2010-11 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -19,6 +20,7 @@ * Authors: * Debora Velarde <[email protected]> * Steve Grubb <[email protected]> + * Marcelo Henrique Cerri <[email protected]> */ #include "config.h" @@ -61,6 +63,8 @@ const char *event_hostname = NULL; const char *event_terminal = NULL; const char *event_subject = NULL; const char *event_object = NULL; +const char *event_uuid = NULL; +const char *event_vmname = NULL; report_t report_format = RPT_DEFAULT; ilist *event_type; @@ -77,7 +81,7 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS, S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, -S_LINEBUFFERED }; +S_LINEBUFFERED, S_UUID, S_VMNAME}; static struct nv_pair optiontab[] = { { S_EVENT, "-a" }, 
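Review bot: event_uuid is compared with strmatch, the same substring/whole-word matcher used for names and paths, but the hex digits of a UUID are case-insensitive by definition and the record's producer need not use the case the user types; if strmatch is case-sensitive (its body is not in this patch) a `--uuid` given in upper case silently matches nothing. Either lower-case event_uuid once in check_params or compare l->s.uuid with a case-insensitive routine here, and state in the man page which applies. Each new check also collapses to one line, e.g. `if (event_uuid && (l->s.uuid == NULL || strmatch(event_uuid, l->s.uuid) == 0)) return 0;`, which matches the surrounding style if that is how the earlier fields are tested; match() starts outside the hunk.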
@@ -141,10 +145,14 @@ static struct nv_pair optiontab[] = { { S_EFF_UID, "--uid-effective" }, { S_UID, "-ui" }, { S_UID, "--uid" }, + { S_UUID, "-uu" }, + { S_UUID, "--uuid" }, { S_LOGINID, "-ul" }, { S_LOGINID, "--loginuid" }, { S_VERSION, "-v" }, { S_VERSION, "--version" }, + { S_VMNAME, "-vm" }, + { S_VMNAME, "--vm-name" }, { S_EXACT_MATCH, "-w" }, { S_EXACT_MATCH, "--word" }, { S_EXECUTABLE, "-x" }, @@ -199,7 +207,11 @@ static void usage(void) "\t-ue,--uid-effective <effective User id> search based on Effective\n\t\t\t\t\tuser id\n" "\t-ui,--uid <User Id>\t\tsearch based on user id\n" "\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n" + "\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n" + "\t\t\t\t\tmachine with the given UUID.\n" "\t-v,--version\t\t\tversion\n" + "\t-vm,--vm-name <guest name>\tsearch for events related to the virtual\n" + "\t\t\t\t\tmachine with the name.\n" "\t-w,--word\t\t\tstring matches are whole word\n" "\t-x,--executable <executable name> search based on excutable name\n" ); @@ -997,6 +1009,34 @@ int check_params(int count, char *vars[]) } c++; break; + case S_UUID: + if (!optarg) { + fprintf(stderr, + "Argument is required for %s\n", + vars[c]); + retval = -1; + } else { + event_uuid = strdup(optarg); + if (event_uuid == NULL) { + retval = -1; + } + c++; + } + break; + case S_VMNAME: + if (!optarg) { + fprintf(stderr, + "Argument is required for %s\n", + vars[c]); + retval = -1; + } else { + event_vmname= strdup(optarg); + if (event_vmname == NULL) { + retval = -1; + } + c++; + } + break; case S_VERSION: printf("ausearch version %s\n", VERSION); exit(0); diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c index f7ec834..f9363d9 100644 --- a/src/ausearch-parse.c +++ b/src/ausearch-parse.c 
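Review bot: In the new S_UUID and S_VMNAME cases of check_params a failed strdup sets retval = -1 but prints nothing, so the user gets a silent non-zero exit unlike the missing-argument branch directly above it; add an error line such as `fprintf(stderr, "Out of memory\n");` (or whatever wording the other cases in this function use) before setting retval, and note that repeating the option leaks the earlier copy. The option table registers `--vm-name` while the commit message advertises `--vmname`; one of them should change so the man page, usage text and description agree. The usage string for -vm reads "machine with the name." and should be `"\t\t\t\t\tmachine with the given name.\n"`, and `event_vmname= strdup(optarg);` wants a space before `=`. check_params starts and ends outside the hunk.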
@@ -1,6 +1,7 @@ /* * ausearch-parse.c - Extract interesting fields and check for match * Copyright (c) 2005-08, 2011 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2011 IBM Corp. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the @@ -19,6 +20,7 @@ * * Authors: * Steve Grubb <[email protected]> +* Marcelo Henrique Cerri <[email protected]> */ #include "config.h" @@ -767,6 +769,50 @@ static int parse_user(const lnode *n, search_items *s) return 13; } } + if (event_vmname) { + str = strstr(term, "vm="); + if (str) { + str += 3; + if (*str == '"') { + str++; + } + term = str; + while (*term != '"' && *term != ' ' && + *term != ':' && *term != ',' && + *term != 0) { + term++; + } + if (term == str) { + return 23; + } + saved = *term; + *term = 0; + s->vmname= strdup(str); + *term = saved; + } + } + if (event_uuid) { + str = strstr(term, "uuid="); + if (str) { + str += 5; + if (*str == '"') { + str++; + } + term = str; + while (*term != '"' && *term != ' ' && + *term != ':' && *term != ',' && + *term != 0) { + term++; + } + if (term == str) { + return 24; + } + saved = *term; + *term = 0; + s->uuid = strdup(str); + *term = saved; + } + } // get uid - something has uid after auid ?? str = strstr(term, "uid="); if (str != NULL) { @@ -959,6 +1005,7 @@ static int parse_user(const lnode *n, search_items *s) *term = ')'; } } + /* last return code used = 24 */ return 0; } -- 1.7.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
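Review bot: The two new blocks in parse_user leave `term` pointing past the vm=/uuid= value they consumed, so the `strstr(term, "uid=")` that follows (and whatever auid/pid lookups come after it, outside this hunk) now scans a different part of the record depending on whether --vm-name or --uuid was given; on a record where uid= precedes vm=, giving --vm-name would presumably make the uid lookup miss, and a uuid= field that is not consumed still satisfies the `uid=` search as a substring. Both strdup results are also stored unchecked, and if parse_user runs more than once per event (not visible here) the earlier string is overwritten without a free. I would move the duplicated scan into a helper that takes its own cursor, checks the copy and releases any previous value, leaving `term` untouched; parse_user's body begins and ends outside the hunk, and its existing `str`/`saved` locals are no longer needed by these two call sites.
```c
/* Copy the value of `key` ("vm=" or "uuid="), optionally quoted, found at
 * or after `from` into *out. The caller's cursor is not moved.
 * Returns 0 on success, 1 if the key is absent, -1 on an empty value
 * or allocation failure. */
static int parse_vm_field(const char *from, const char *key, char **out)
{
	const char *str = strstr(from, key);
	if (str == NULL)
		return 1;
	str += strlen(key);
	if (*str == '"')
		str++;
	const char *end = str;
	while (*end != '"' && *end != ' ' && *end != ':' &&
	       *end != ',' && *end != 0)
		end++;
	if (end == str)
		return -1;
	free(*out);	/* drop a value left by an earlier record, if any */
	*out = strndup(str, (size_t)(end - str));
	return *out ? 0 : -1;
}

	/* … unchanged: earlier parse_user field lookups … */
	if (event_vmname && parse_vm_field(term, "vm=", &s->vmname) < 0)
		return 23;
	if (event_uuid && parse_vm_field(term, "uuid=", &s->uuid) < 0)
		return 24;
	/* … unchanged: uid/auid parsing that follows … */
```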
