On 12/08/23, Peter Moody wrote: > eg: > > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1 > > to see instances of /bin/bash opening a non-local socket. Or > > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F > success=1 > > to see instances of /bin/bash, and any descendant processes, opening a non-local > socket.
In addition to these sample rules, do you have a command or script to trigger it?
> proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html
> and it seemed like there was interest.
>
> Signed-off-by: Peter Moody <[email protected]>
> ---
> trunk/lib/errormsg.h | 2 +-
> trunk/lib/fieldtab.h | 2 ++
> trunk/lib/libaudit.c | 11 +++++++++++
> trunk/lib/libaudit.h | 7 ++++++-
> 4 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
> index 4d996d5..cd595ec 100644
> --- a/trunk/lib/errormsg.h
> +++ b/trunk/lib/errormsg.h
> @@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
> { -15, 2, "-F unknown errno -"},
> { -16, 2, "-F unknown file type - " },
> { -17, 1, "can only be used with exit and entry filter list" },
> - { -18, 1, "" }, // Unused
> + { -18, 1, "only takes = operator" },
> { -19, 0, "Key field needs a watch or syscall given prior to it" },
> { -20, 2, "-F missing value after operation for" },
> { -21, 2, "-F value should be number for" },
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index c0432cc..245b541 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" )
> _S(AUDIT_FILTERKEY, "key" )
>
> _S(AUDIT_FIELD_COMPARE, "field_compare" )
> +_S(AUDIT_EXE, "exe" )
> +_S(AUDIT_EXE_CHILDREN, "exe_children" )
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 20eaf5f..06eed86 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair,
> else
> return -21;
> break;
> + case AUDIT_EXE_CHILDREN:
> + case AUDIT_EXE:
> + {
> + struct stat buf;
> + if ((stat(v, &buf)) < 0)
> + return -2;
> + if (op != AUDIT_EQUAL)
> + return -18;
> + rule->values[rule->field_count] = (unsigned
> long)buf.st_ino;
> + }
> + break;
> case AUDIT_DEVMAJOR...AUDIT_INODE:
> case AUDIT_SUCCESS:
> if (flags != AUDIT_FILTER_EXIT)
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 89dd588..2c8a802 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -243,6 +243,12 @@ extern "C" {
> #ifndef AUDIT_FIELD_COMPARE
> #define AUDIT_FIELD_COMPARE 111
> #endif
> +#ifndef AUDIT_EXE
> +#define AUDIT_EXE 112
> +#endif
> +#ifndef AUDIT_EXE_CHILDREN
> +#define AUDIT_EXE_CHILDREN 113
> +#endif
>
> #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
> #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
> @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data
> *rule);
> #endif
>
> #endif
> -
> --
> 1.7.7.3
- RGB
--
Richard Guy Briggs <[email protected]> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
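Review bot: The new AUDIT_EXE/AUDIT_EXE_CHILDREN case keys the rule on `buf.st_ino` alone, so a file on another filesystem that happens to share the inode number satisfies `exe=/bin/bash`, and because the inode is resolved once when the rule is loaded, a package upgrade that replaces /bin/bash with a new inode leaves an audit rule that silently matches nothing; a comment at the store such as `/* matched by inode only, resolved at load time; reload rules after the binary is replaced */` should record that, and the kernel side should ideally take st_dev as well. The value is cast to `unsigned long` and written into `rule->values[]`; if that is the `__u32` array of the kernel's struct audit_rule_data (not visible in this hunk), inode numbers above 2^32, which xfs and btrfs can hand out, are truncated without any error, so the store should refuse them. `stat()` also succeeds on directories and device nodes, so `exe=/bin` is accepted as a rule; an `S_ISREG` check closes that, and testing `op != AUDIT_EQUAL` before the stat reports a bad operator without touching the filesystem (UINT32_MAX needs <stdint.h> if libaudit.c does not already include it, and -2 can be replaced by a dedicated error code). audit_rule_fieldpair_data begins and ends outside this hunk.
```c
	case AUDIT_EXE:
	{
		struct stat buf;
		/* exe fields take exact match only; report that before touching the fs */
		if (op != AUDIT_EQUAL)
			return -18;
		if (stat(v, &buf) < 0)
			return -2;
		/* only a regular file can be an executable image */
		if (!S_ISREG(buf.st_mode))
			return -2;
		/* values[] looks like a 32-bit slot (struct audit_rule_data) -- verify; refuse inodes that would truncate */
		if (buf.st_ino > UINT32_MAX)
			return -2;
		/* … unchanged: store of buf.st_ino into rule->values[], break … */
```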
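Review bot: AUDIT_EXE and AUDIT_EXE_CHILDREN are assigned 112 and 113 locally under `#ifndef`, which only stays correct as long as the kernel's linux/audit.h eventually gives the same numbers to the same names; if the kernel header ever defines those numbers under other names, or these names with other numbers, the fallback silently builds rules for a different field and nothing in this hunk would catch it. A short comment above the new defines, e.g. `/* must match AUDIT_EXE / AUDIT_EXE_CHILDREN in the kernel's linux/audit.h; fallback for older headers only */`, would record that dependency for the next maintainer, as the neighbouring AUDIT_FIELD_COMPARE 111 block presumably also relies on it. The second hunk of this file only drops a trailing blank line, which is unrelated to the change.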
