Signed-off-by: Richard Guy Briggs <[email protected]>
---
docs/aureport.8 | 3 +++
src/aureport-options.c | 19 ++++++++++++++++++-
src/aureport-options.h | 2 +-
src/aureport-output.c | 37 +++++++++++++++++++++++++++++++++++++
src/aureport-scan.c | 26 ++++++++++++++++++++++++++
src/aureport-scan.h | 2 ++
src/aureport.c | 3 ++-
7 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/docs/aureport.8 b/docs/aureport.8
index c4ceb09e2f7d..187fd495bea7 100644
--- a/docs/aureport.8
+++ b/docs/aureport.8
@@ -90,6 +90,9 @@ Report about responses to anomaly events
.BR \-s ,\ \-\-syscall
Report about syscalls
.TP
+.BR \-U ,\ \-\-uringop
+Report about uringops
+.TP
.B \-\-success
Only select successful events for processing in the reports. The default is
both success and failed events.
.TP
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 93621e250630..b8ab55192d08 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -83,7 +83,7 @@ struct nv_pair {
enum { R_INFILE, R_TIME_END, R_TIME_START, R_VERSION, R_SUMMARY, R_LOG_TIMES,
R_CONFIGS, R_LOGINS, R_USERS, R_TERMINALS, R_HOSTS, R_EXES, R_FILES,
- R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
+ R_AVCS, R_SYSCALLS, R_URINGOPS, R_PIDS, R_EVENTS, R_ACCT_MODS,
R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
@@ -148,6 +148,8 @@ static struct nv_pair optiontab[] = {
{ R_TIME_START, "-ts" },
{ R_TTY, "--tty" },
{ R_TIME_START, "--start" },
+ { R_URINGOPS, "-U" },
+ { R_URINGOPS, "--uringop" },
{ R_USERS, "-u" },
{ R_USERS, "--user" },
{ R_VERSION, "-v" },
@@ -206,6 +208,7 @@ static void usage(void)
"\t-tm,--terminal\t\t\tTerMinal name report\n"
"\t-ts,--start [start date] [start time]\tstarting data & time for
reports\n"
"\t--tty\t\t\t\tReport about tty keystrokes\n"
+ "\t-U,--uringop\t\t\tUring op report\n"
"\t-u,--user\t\t\tUser name report\n"
"\t-v,--version\t\t\tVersion\n"
"\t--virt\t\t\t\tVirtualization report\n"
@@ -485,6 +488,20 @@ int check_params(int count, char *vars[])
}
}
break;
+ case R_URINGOPS:
+ if (set_report(RPT_URINGOP))
+ retval = -1;
+ else {
+ if (!optarg) {
+ set_detail(D_DETAILED);
+ event_comm = dummy;
+ event_loginuid = 1;
+ event_tauid = dummy;
+ } else {
+ UNIMPLEMENTED;
+ }
+ }
+ break;
case R_USERS:
if (set_report(RPT_USER))
retval = -1;
diff --git a/src/aureport-options.h b/src/aureport-options.h
index a559f64546be..5d9ac2ba5dbf 100644
--- a/src/aureport-options.h
+++ b/src/aureport-options.h
@@ -36,7 +36,7 @@ typedef enum { RPT_UNSET, RPT_TIME, RPT_SUMMARY, RPT_AVC,
RPT_MAC,
RPT_ACCT_MOD, RPT_PID, RPT_SYSCALL, RPT_TERM, RPT_USER,
RPT_EXE, RPT_ANOMALY, RPT_RESPONSE, RPT_CRYPTO,
RPT_AUTH, RPT_KEY, RPT_TTY, RPT_COMM, RPT_VIRT,
- RPT_INTEG } report_type_t;
+ RPT_INTEG, RPT_URINGOP } report_type_t;
typedef enum { D_UNSET, D_SUM, D_DETAILED, D_SPECIFIC } report_det_t;
diff --git a/src/aureport-output.c b/src/aureport-output.c
index a635d536f8b3..7e92c5fab1a5 100644
--- a/src/aureport-output.c
+++ b/src/aureport-output.c
@@ -160,6 +160,12 @@ static void print_title_summary(void)
printf("total terminal\n");
printf("===============================\n");
break;
+ case RPT_URINGOP:
+ printf("IO URING ops Summary Report\n");
+ printf("==========================\n");
+ printf("total uringop\n");
+ printf("==========================\n");
+ break;
case RPT_USER:
printf("User Summary Report\n");
printf("===========================\n");
@@ -338,6 +344,21 @@ static void print_title_detailed(void)
printf("========================\n");
}
break;
+ case RPT_URINGOP:
+ if (report_detail == D_DETAILED) {
+ printf("URING op Report\n");
+ printf(
+ "=======================================\n");
+ printf(
+ //"# date time uringop pid comm auid
event\n");
+ "# date time syscall pid auid event\n");
+ printf(
+ "=======================================\n");
+ } else {
+ printf("Specific Uring op Report\n");
+ printf("=======================\n");
+ }
+ break;
case RPT_USER:
if (report_detail == D_DETAILED) {
printf("User ID Report\n");
@@ -636,6 +657,17 @@ void print_per_event_item(llist *l)
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
+ case RPT_URINGOP: // report_detail == D_DETAILED
+ // uringop, pid, comm, who, event
+ // uringop, pid, who, event
+ printf("%s %u ", aulookup_uringop(l,buf,sizeof(buf)),
+ l->s.pid);
+ //safe_print_string(l->s.comm ? l->s.comm : "?", 0);
+ //putchar(' ');
+ safe_print_string(aulookup_uid(l->s.loginuid, name,
+ sizeof(name)), 0);
+ printf(" %lu\n", l->e.serial);
+ break;
case RPT_USER: // report_detail == D_DETAILED
// who, terminal, host, exe, event
safe_print_string(aulookup_uid(l->s.loginuid, name,
@@ -807,6 +839,10 @@ void print_wrap_up(void)
slist_sort_by_hits(&sd.terms);
do_string_summary_output(&sd.terms);
break;
+ case RPT_URINGOP:
+ slist_sort_by_hits(&sd.uringop_list);
+ do_syscall_summary_output(&sd.uringop_list);
+ break;
case RPT_USER:
slist_sort_by_hits(&sd.users);
do_user_summary_output(&sd.users);
@@ -918,6 +954,7 @@ static void do_summary_output(void)
printf("Number of AVC's: %lu\n", sd.avcs);
printf("Number of MAC events: %lu\n", sd.mac);
printf("Number of failed syscalls: %lu\n", sd.failed_syscalls);
+ printf("Number of failed uring ops: %lu\n", sd.failed_uringops);
printf("Number of anomaly events: %lu\n", sd.anomalies);
printf("Number of responses to anomaly events: %lu\n", sd.responses);
printf("Number of crypto events: %lu\n", sd.crypto);
diff --git a/src/aureport-scan.c b/src/aureport-scan.c
index 4095e8686a05..5b2d81047e1d 100644
--- a/src/aureport-scan.c
+++ b/src/aureport-scan.c
@@ -53,6 +53,7 @@ void reset_counters(void)
sd.avcs = 0UL;
sd.mac = 0UL;
sd.failed_syscalls = 0UL;
+ sd.failed_uringops = 0UL;
sd.anomalies = 0UL;
sd.responses = 0UL;
sd.virt = 0UL;
@@ -67,6 +68,7 @@ void reset_counters(void)
slist_create(&sd.keys);
ilist_create(&sd.pids);
slist_create(&sd.sys_list);
+ slist_create(&sd.uringop_list);
ilist_create(&sd.anom_list);
ilist_create(&sd.mac_list);
ilist_create(&sd.resp_list);
@@ -89,6 +91,7 @@ void destroy_counters(void)
sd.avcs = 0UL;
sd.mac = 0UL;
sd.failed_syscalls = 0UL;
+ sd.failed_uringops = 0UL;
sd.anomalies = 0UL;
sd.responses = 0UL;
sd.virt = 0UL;
@@ -103,6 +106,7 @@ void destroy_counters(void)
slist_clear(&sd.keys);
ilist_clear(&sd.pids);
slist_clear(&sd.sys_list);
+ slist_clear(&sd.uringop_list);
ilist_clear(&sd.anom_list);
ilist_create(&sd.mac_list);
ilist_clear(&sd.resp_list);
@@ -430,6 +434,13 @@ static int per_event_summary(llist *l)
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
break;
+ case RPT_URINGOP:
+ if (l->s.uringop > 0) {
+ char tmp[32];
+ aulookup_uringop(l, tmp, 32);
+ slist_add_if_uniq(&sd.uringop_list, tmp);
+ }
+ break;
case RPT_USER:
if (l->s.loginuid != -2) {
char tmp[32];
@@ -688,6 +699,17 @@ static int per_event_detailed(llist *l)
UNIMPLEMENTED;
}
break;
+ case RPT_URINGOP:
+ list_first(l);
+ if (report_detail == D_DETAILED) {
+ if (l->s.uringop) {
+ print_per_event_item(l);
+ rc = 1;
+ }
+ } else { // specific uring op report
+ UNIMPLEMENTED;
+ }
+ break;
case RPT_USER:
list_first(l);
if (report_detail == D_DETAILED) {
@@ -938,6 +960,10 @@ static void do_summary_total(llist *l)
if (l->s.success == S_FAILED && l->s.syscall > 0)
sd.failed_syscalls++;
+ // add failed uring ops
+ if (l->s.success == S_FAILED && l->s.uringop > 0)
+ sd.failed_uringops++;
+
// add pids
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
diff --git a/src/aureport-scan.h b/src/aureport-scan.h
index 76cc81874874..b974bc4d70ab 100644
--- a/src/aureport-scan.h
+++ b/src/aureport-scan.h
@@ -38,6 +38,7 @@ typedef struct sdata {
slist keys;
ilist pids;
slist sys_list;
+ slist uringop_list;
ilist anom_list;
ilist resp_list;
ilist mac_list;
@@ -55,6 +56,7 @@ typedef struct sdata {
unsigned long avcs;
unsigned long mac;
unsigned long failed_syscalls;
+ unsigned long failed_uringops;
unsigned long anomalies;
unsigned long responses;
unsigned long virt;
diff --git a/src/aureport.c b/src/aureport.c
index 22618f02346a..48d69b493f80 100644
--- a/src/aureport.c
+++ b/src/aureport.c
@@ -236,7 +236,8 @@ static void process_event(llist *entries)
if (scan(entries)) {
// If its a single event or SYSCALL load interpretations
if ((entries->cnt == 1) ||
- (entries->head->type == AUDIT_SYSCALL))
+ (entries->head->type == AUDIT_SYSCALL) ||
+ (entries->head->type == AUDIT_URINGOP))
_auparse_load_interpretations(entries->head->interp);
// This is the per entry action item
if (per_event_processing(entries))
--
2.27.0
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
