eg: -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1
to see instances of /bin/bash opening a non-local socket. Or -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1 to instances of /bin/bash, and any descendant processes, opening a non local socket. proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html and it seemed like there was interest.
Signed-off-by: Peter Moody <[email protected]>
---
 trunk/lib/errormsg.h | 2 +-
 trunk/lib/fieldtab.h | 2 ++
 trunk/lib/libaudit.c | 11 +++++++++++
 trunk/lib/libaudit.h | 7 ++++++-
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4d996d5..cd595ec 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
 { -15, 2, "-F unknown errno -"},
 { -16, 2, "-F unknown file type - " },
 { -17, 1, "can only be used with exit and entry filter list" },
- { -18, 1, "" }, // Unused
+ { -18, 1, "only takes = operator" },
 { -19, 0, "Key field needs a watch or syscall given prior to it" },
 { -20, 2, "-F missing value after operation for" },
 { -21, 2, "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index c0432cc..245b541 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
 _S(AUDIT_FILTERKEY, "key" )
 _S(AUDIT_FIELD_COMPARE, "field_compare" )
+_S(AUDIT_EXE, "exe" )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 20eaf5f..06eed86 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 else
 return -21;
 break;
+ case AUDIT_EXE_CHILDREN:
+ case AUDIT_EXE:
+ {
+ struct stat buf;
+ if ((stat(v, &buf)) < 0)
+ return -2;
+ if (op != AUDIT_EQUAL)
+ return -18;
+ rule->values[rule->field_count] = (unsigned long)buf.st_ino;
+ }
+ break;
 case AUDIT_DEVMAJOR...AUDIT_INODE:
 case AUDIT_SUCCESS:
 if (flags != AUDIT_FILTER_EXIT)
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 89dd588..2c8a802 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -243,6 +243,12 @@ extern "C" {
 #ifndef AUDIT_FIELD_COMPARE
 #define AUDIT_FIELD_COMPARE 111
 #endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
@@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
 #endif
 #endif
-
-- 
1.7.7.3
-- 
Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
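Review bot: The value stored by `rule->values[rule->field_count] = (unsigned long)buf.st_ino;` identifies the executable by inode number alone, and an inode number is only unique within one filesystem, so whatever the kernel side (not in this patch) compares against can at best match "some file with this inode": a file with the same inode on another mounted filesystem would satisfy an `exe=` rule, and once the target binary is replaced by a package update the rule silently stops matching and may later match whatever file reuses the freed inode. The neighbouring AUDIT_DEVMAJOR/AUDIT_DEVMINOR/AUDIT_INODE fields (the case label right after the new block) carry the device as well; recording `buf.st_dev` next to the inode, or at least stating in the commit message that exe rules bind to the inode at rule-load time and must be reloaded after the target is updated, would make the semantics visible to administrators. The operator check should also run before the filesystem access so an invalid operator is rejected without touching the path — move `if (op != AUDIT_EQUAL) return -18;` above the `stat(v, &buf)` call. The `-2` returned for a failed `stat()` looks like a code already used by an earlier check in this function (presumably the one errormsg.h attaches to -2, outside this hunk), so auditctl's message for a missing or unreadable path would be misleading; a dedicated err_msgtab entry would be clearer. audit_rule_fieldpair_data starts and ends outside the hunk.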
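Review bot: The `#ifndef AUDIT_EXE` and `#ifndef AUDIT_EXE_CHILDREN` fallbacks hard-code field numbers 112 and 113 that have to agree with whatever the running kernel's linux/audit.h assigns, and nothing in the hunk ties them to a specific kernel change; if the kernel-side patch lands with different numbers, or a later kernel header assigns these values to another field, rules built with this library would be sent to the kernel with a silently wrong field id and would match nothing or the wrong thing. A short comment above the new block naming the kernel patch these numbers come from, e.g. `/* Fallback for headers predating exe-based rule matching; values must track linux/audit.h */`, would make the coupling explicit, following the style of the neighbouring AUDIT_FIELD_COMPARE fallback.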
