diff -Nru audit-2.7.7/aclocal.m4 audit-2.8.2/aclocal.m4 --- audit-2.7.7/aclocal.m4 2017-06-16 19:01:45.000000000 +0000 +++ audit-2.8.2/aclocal.m4 2017-12-14 16:46:53.000000000 +0000 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.15 -*- Autoconf -*- +# generated automatically by aclocal 1.15.1 -*- Autoconf -*- -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,7 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -# Copyright (C) 2002-2014 Free Software Foundation, Inc. +# Copyright (C) 2002-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -35,7 +35,7 @@ [am__api_version='1.15' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.15], [], +m4_if([$1], [1.15.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -51,14 +51,14 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.15])dnl +[AM_AUTOMAKE_VERSION([1.15.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -110,7 +110,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2014 Free Software Foundation, Inc. +# Copyright (C) 1997-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -141,7 +141,7 @@ Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -332,7 +332,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -408,7 +408,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -605,7 +605,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -626,7 +626,7 @@ fi AC_SUBST([install_sh])]) -# Copyright (C) 2003-2014 Free Software Foundation, Inc. +# Copyright (C) 2003-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -647,7 +647,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -697,7 +697,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2014 Free Software Foundation, Inc. +# Copyright (C) 1997-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -738,7 +738,7 @@ # Obsolete and "removed" macros, that must however still report explicit # error messages when used, to smooth transition. # -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -765,7 +765,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -794,7 +794,7 @@ AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -841,7 +841,7 @@ # For backward compatibility. AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -874,8 +874,9 @@ [ dnl Find a Python interpreter. Python versions prior to 2.0 are not dnl supported. (2.0 was released on October 16, 2000). + dnl FIXME: Remove the need to hard-code Python versions here. m4_define_default([_AM_PYTHON_INTERPRETER_LIST], -[python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 dnl +[python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0]) AC_ARG_VAR([PYTHON], [the Python interpreter]) @@ -1076,7 +1077,7 @@ sys.exit(sys.hexversion < minverhex)" AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1095,7 +1096,7 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1176,7 +1177,7 @@ rm -f conftest.file ]) -# Copyright (C) 2009-2014 Free Software Foundation, Inc. +# Copyright (C) 2009-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1236,7 +1237,7 @@ _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) -# Copyright (C) 2001-2014 Free Software Foundation, Inc. +# Copyright (C) 2001-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1264,7 +1265,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006-2014 Free Software Foundation, Inc. +# Copyright (C) 2006-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1283,7 +1284,7 @@ # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2014 Free Software Foundation, Inc. +# Copyright (C) 2004-2017 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/audispd-builtins.c audit-2.8.2/audisp/audispd-builtins.c --- audit-2.7.7/audisp/audispd-builtins.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/audispd-builtins.c 2017-12-14 16:46:49.000000000 +0000 @@ -31,6 +31,7 @@ #include #include #include +#include // writev #include #include "audispd-pconfig.h" #include "audispd-builtins.h" diff -Nru audit-2.7.7/audisp/audispd.c audit-2.8.2/audisp/audispd.c --- audit-2.7.7/audisp/audispd.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/audispd.c 2017-12-14 16:46:49.000000000 +0000 @@ -1,5 +1,5 @@ /* audispd.c -- - * Copyright 2007-08,2013,2016 Red Hat Inc., Durham, North Carolina. + * Copyright 2007-08,2013,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -34,6 +34,9 @@ #include #include #include +#include +#include +#include #include "audispd-config.h" #include "audispd-pconfig.h" 
@@ -51,8 +54,7 @@ static conf_llist plugin_conf; static int audit_fd; static pthread_t inbound_thread; -static const char *config_file = "/etc/audisp/audispd.conf"; -static const char *plugin_dir = "/etc/audisp/plugins.d/"; +static char *config_file = NULL; /* Local function prototypes */ static void signal_plugins(int sig); @@ -62,6 +64,24 @@ static void process_inbound_event(int fd); /* + * Output a usage message and exit with an error. + */ +static void usage(void) +{ + fprintf(stderr, "%s", + "Usage: audispd [options]\n" + "-c,--config_dir : Override default " + "configuration file path\n"); + exit(2); +} + +static void release_memory_exit(int code) +{ + free(config_file); + exit(code); +} + +/* * SIGTERM handler */ static void term_handler( int sig ) @@ -130,7 +150,7 @@ plist_create(plugin); /* read configs */ - d = opendir(plugin_dir); + d = opendir(daemon_config.plugin_dir); if (d) { struct dirent *e; @@ -143,7 +163,7 @@ continue; snprintf(fname, sizeof(fname), "%s%s", - plugin_dir, e->d_name); + daemon_config.plugin_dir, e->d_name); clear_pconfig(&config); if (load_pconfig(&config, fname) == 0) { 
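Review bot: The usage text in the new usage() describes `-c,--config_dir` as overriding the "configuration file path", but the option takes a directory: main() appends `/audispd.conf` to optarg, so a user who passes a file path gets a silently wrong file name. I would change the two string lines to `"-c,--config_dir <dir> : Directory holding audispd.conf "` and `"(default /etc/audisp)\n"`. release_memory_exit() also lacks a comment; I would add `/* Free the heap-allocated config path, then exit with code. */` above it so it is clear why it exists next to plain exit().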
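Review bot: The snprintf that builds `fname` now takes its prefix from `daemon_config.plugin_dir`, which is read from the config file, so the result can be truncated where the old fixed literal could not, and the truncated path would be handed to load_pconfig() without notice. I would capture the return value, `int n = snprintf(fname, sizeof(fname), "%s%s", daemon_config.plugin_dir, e->d_name);`, and skip the entry with `if (n < 0 || (size_t)n >= sizeof(fname)) continue;`. The same config-supplied value reaches opendir() in the previous hunk, which is fine as long as sanity_check() guarantees it is non-NULL. The enclosing function starts outside the hunk.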
@@ -329,11 +349,42 @@ int main(int argc, char *argv[]) { + extern char *optarg; + extern int optind; + static const struct option opts[] = { + {"config_dir", required_argument, NULL, 'c'}, + {NULL, 0, NULL, 0} + }; lnode *conf; struct sigaction sa; int i; - set_aumessage_mode(MSG_SYSLOG, DBG_YES); + while ((i = getopt_long(argc, argv, "i:c:", opts, NULL)) != -1) { + switch (i) { + case 'c': + if (asprintf(&config_file, "%s/audispd.conf", + optarg) < 0) { +mem_out: + printf( + "Failed allocating memory, exiting\n"); + release_memory_exit(1); + } + break; + default: + usage(); + } + } + + /* check for trailing command line following options */ + if (optind < argc) + usage(); + + if (config_file == NULL) + config_file = strdup("/etc/audisp/audispd.conf"); + if (config_file == NULL) + goto mem_out; + + set_aumessage_mode(MSG_SYSLOG, DBG_NO); /* Clear any procmask set by libev */ sigfillset (&sa.sa_mask); @@ -357,15 +408,11 @@ sigaction(SIGCHLD, &sa, NULL); setsid(); - /* move stdin to its own fd */ - if (argc == 3 && strcmp(argv[1], "--input") == 0) - audit_fd = open(argv[2], O_RDONLY); - else - audit_fd = dup(0); + audit_fd = dup(0); if (audit_fd < 0) { syslog(LOG_ERR, "Failed setting up input(%s, %d), exiting", strerror(errno), audit_fd); - return 1; + release_memory_exit(1); } /* Make all descriptors point to dev null */ 
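Review bot: The `goto mem_out` after the strdup() fallback jumps backwards into the switch body inside the getopt_long loop; that is legal C but hard to follow, and the label's printf goes to stdout while usage() writes to stderr. I would drop the label and handle both failures in place, e.g. after the strdup: `if (config_file == NULL) { fprintf(stderr, "Failed allocating memory, exiting\n"); release_memory_exit(1); }`, with the asprintf failure doing the same. The option string `"i:c:"` still accepts `-i <arg>` although no `case 'i'` exists, so it falls through to usage(); unless an input option is planned, `"c:"` says what is actually supported. main() continues past the hunk.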
@@ -374,30 +421,35 @@ if (dup2(0, i) < 0 || dup2(1, i) < 0 || dup2(2, i) < 0) { syslog(LOG_ERR, "Failed duping /dev/null %s, exiting", strerror(errno)); - return 1; + release_memory_exit(1); } close(i); } else { syslog(LOG_ERR, "Failed opening /dev/null %s, exiting", strerror(errno)); - return 1; + close(audit_fd); + release_memory_exit(1); } if (fcntl(audit_fd, F_SETFD, FD_CLOEXEC) < 0) { syslog(LOG_ERR, "Failed protecting input %s, exiting", strerror(errno)); - return 1; + close(audit_fd); + release_memory_exit(1); } /* init the daemon's config */ - if (load_config(&daemon_config, config_file)) - return 6; + if (load_config(&daemon_config, config_file)) { + close(audit_fd); + release_memory_exit(6); + } load_plugin_conf(&plugin_conf); /* if no plugins - exit */ if (plist_count(&plugin_conf) == 0) { syslog(LOG_NOTICE, "No plugins found, exiting"); - return 0; + close(audit_fd); + release_memory_exit(0); } /* Plugins are started with the auditd priority */ @@ -425,7 +477,9 @@ /* Tell it to poll the audit fd */ if (add_event(audit_fd, process_inbound_event) < 0) { syslog(LOG_ERR, "Cannot add event, exiting"); - return 1; + close(audit_fd); + close(i); + release_memory_exit(1); } /* Create inbound thread */ @@ -470,6 +524,7 @@ /* Cleanup the queue */ destroy_queue(); free_config(&daemon_config); + free((void *)config_file); return 0; } @@ -496,7 +551,12 @@ } /* Set up comm with child */ - dup2(conf->plug_pipe[0], 0); + if (dup2(conf->plug_pipe[0], 0) < 0) { + close(conf->plug_pipe[0]); + close(conf->plug_pipe[1]); + conf->pid = 0; + return -1; /* Failed to fork */ + } for (i=3; i<24; i++) /* Arbitrary number */ close(i); @@ -650,7 +710,7 @@ type = audit_msg_type_to_name(e->hdr.type); if (type == NULL) { snprintf(unknown, sizeof(unknown), - "UNKNOWN[%d]", e->hdr.type); + "UNKNOWN[%u]", e->hdr.type); type = unknown; } // Protocol 1 is not formatted 
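Review bot: In the add_event() failure path the new `close(i)` closes whatever number `i` happens to hold: it was last visibly used for the /dev/null descriptor, which the earlier hunk already closes right after the dup2 loop, and if it has been reassigned in the lines between the hunks (say as a loop or return value) this closes an unrelated descriptor instead. Either way the line should go, `close(audit_fd); release_memory_exit(1);` is enough, and since the process is exiting the close of audit_fd is itself only cosmetic. The surrounding code of main() lies outside the hunk, so I cannot confirm the intermediate assignments.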
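Review bot: The comment on the new dup2 check, `/* Failed to fork */`, mislabels the error: fork has already succeeded at this point and it is dup2 that failed. More importantly, the surrounding lines ("Set up comm with child", then closing descriptors 3..23) look like the child side of a fork; if so, `return -1` here returns into the daemon's own code path inside the child process rather than ending it, and `_exit(1);` would be the right way out. The fork itself is outside the hunk, so please confirm which process executes this branch before changing it; at minimum the comment should read `/* dup2 failed; give up on this plugin */`.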
@@ -691,9 +751,11 @@ continue; /* Now send the event to the right child */ - if (conf->p->type == S_SYSLOG) - send_syslog(v, e->hdr.ver); - else if (conf->p->type == S_AF_UNIX) { + if (conf->p->type == S_SYSLOG) { + // Strip out End of event records for syslog + if (e->hdr.type != AUDIT_EOE) + send_syslog(v, e->hdr.ver); + } else if (conf->p->type == S_AF_UNIX) { if (conf->p->format == F_STRING) send_af_unix_string(v, len); else @@ -871,4 +933,3 @@ } } } - diff -Nru audit-2.7.7/audisp/audispd-config.c audit-2.8.2/audisp/audispd-config.c --- audit-2.7.7/audisp/audispd-config.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/audispd-config.c 2017-12-14 16:46:49.000000000 +0000 @@ -72,6 +72,8 @@ daemon_conf_t *config); static int max_restarts_parser(struct nv_pair *nv, int line, daemon_conf_t *config); +static int plugin_dir_parser(struct nv_pair *nv, int line, + daemon_conf_t *config); static int sanity_check(daemon_conf_t *config, const char *file); static const struct kw_pair keywords[] = @@ -80,9 +82,10 @@ {"name_format", name_format_parser, 0 }, {"name", name_parser, 0 }, {"overflow_action", overflow_action_parser, 0 }, - {"priority_boost", priority_boost_parser, 0 }, - {"max_restarts", max_restarts_parser, 0 }, - { NULL, NULL } + {"priority_boost", priority_boost_parser, 0 }, + {"max_restarts", max_restarts_parser, 0 }, + {"plugin_dir", plugin_dir_parser, 0 }, + { NULL, NULL, 0 } }; static const struct nv_list node_name_formats[] = 
@@ -483,6 +486,24 @@ return 0; } +static int plugin_dir_parser(struct nv_pair *nv, int line, + daemon_conf_t *config) +{ + if (nv->value == NULL) + config->plugin_dir = NULL; + else { + size_t len = strlen(nv->value); + config->plugin_dir = malloc(len + 2); + if (config->plugin_dir) { + strcpy(config->plugin_dir, nv->value); + if (config->plugin_dir[len - 1] != '/') + config->plugin_dir[len] = '/'; + config->plugin_dir[len + 1] = 0; + } + } + return 0; +} + /* * This function is where we do the integrated check of the audispd config * options. At this point, all fields have been read. Returns 0 if no @@ -497,11 +518,14 @@ file); return 1; } + if (config->plugin_dir == NULL) + config->plugin_dir = strdup("/etc/audisp/plugins.d/"); return 0; } void free_config(daemon_conf_t *config) { free((void *)config->name); + free((void *)config->plugin_dir); } diff -Nru audit-2.7.7/audisp/audispd-config.h audit-2.8.2/audisp/audispd-config.h --- audit-2.7.7/audisp/audispd-config.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/audispd-config.h 2017-12-14 16:46:49.000000000 +0000 @@ -38,6 +38,7 @@ unsigned int max_restarts; node_t node_name_format; const char *name; + char *plugin_dir; } daemon_conf_t; void clear_config(daemon_conf_t *config); diff -Nru audit-2.7.7/audisp/audispd-pconfig.c audit-2.8.2/audisp/audispd-pconfig.c --- audit-2.7.7/audisp/audispd-pconfig.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/audispd-pconfig.c 2017-12-14 16:46:49.000000000 +0000 @@ -80,7 +80,7 @@ {"type", service_type_parser, 0 }, {"args", args_parser, 2 }, {"format", format_parser, 0 }, - { NULL, NULL } + { NULL, NULL, 0 } }; static const struct nv_list active[] = diff -Nru audit-2.7.7/audisp/Makefile.in audit-2.8.2/audisp/Makefile.in --- audit-2.7.7/audisp/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
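Review bot: plugin_dir_parser() indexes `config->plugin_dir[len - 1]` without checking for an empty value, so `plugin_dir =` with nothing after it reads one byte before the buffer (undefined behaviour) and then appends a '/' to an empty path. A malloc() failure is also swallowed, leaving plugin_dir NULL so that sanity_check() quietly substitutes the default directory, and a repeated `plugin_dir` keyword leaks the first allocation unless clear_config() is the only thing that ever sets it. I would treat an empty value like a missing one, return non-zero on allocation failure (assuming the parsers share the non-zero-on-error convention sanity_check() uses), and release any earlier value first, provided clear_config() leaves the field NULL.
```c
static int plugin_dir_parser(struct nv_pair *nv, int line,
		daemon_conf_t *config)
{
	size_t len;

	/* A repeated keyword must not leak the earlier value. */
	free(config->plugin_dir);
	config->plugin_dir = NULL;

	/* Missing or empty: sanity_check() supplies the default. */
	if (nv->value == NULL || nv->value[0] == '\0')
		return 0;

	len = strlen(nv->value);
	config->plugin_dir = malloc(len + 2);	/* room for '/' and NUL */
	if (config->plugin_dir == NULL)
		return 1;	/* report through the file's usual error path */

	memcpy(config->plugin_dir, nv->value, len + 1);
	if (config->plugin_dir[len - 1] != '/') {
		config->plugin_dir[len] = '/';
		config->plugin_dir[len + 1] = '\0';
	}
	return 0;
}
```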
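Review bot: The strdup() that installs the default plugin directory in sanity_check() is not checked, so on allocation failure `plugin_dir` stays NULL and audispd.c later passes it straight to opendir() and snprintf(). Since the function already returns 1 on configuration errors, `config->plugin_dir = strdup("/etc/audisp/plugins.d/"); if (config->plugin_dir == NULL) return 1;` keeps the contract that a successful return leaves the field usable. The function's header is outside the hunk.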
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/builtins/Makefile.in audit-2.8.2/audisp/plugins/builtins/Makefile.in --- audit-2.7.7/audisp/plugins/builtins/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/plugins/builtins/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/Makefile.in audit-2.8.2/audisp/plugins/Makefile.in --- audit-2.7.7/audisp/plugins/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/plugins/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/prelude/audisp-prelude.8 audit-2.8.2/audisp/plugins/prelude/audisp-prelude.8 --- audit-2.7.7/audisp/plugins/prelude/audisp-prelude.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/plugins/prelude/audisp-prelude.8 2017-12-14 16:46:49.000000000 +0000 
@@ -31,7 +31,7 @@ At this point, if you want have audit: forbidden login location, max concurrent sessions, max login failures, and forbidden login time anomalies being reported, you have to setup pam modules correctly. The pam modules are respectively: pam_access, pam_limits, pam_tally2, and pam_time. Please see the respective pam module man pages for any instructions. -For performance reasons, some audit events will not produce syscall records which contain additional information about events unless there is at least one audit rule loaded. If you do not have any additional audit rules, edit \fI/etc/audit/audit.rules\fP and add something simple that won't impact performace like this: \fB\-w /etc/shadow \-p wa\fP. This rule will watch the shadow file for writes or changes to its attributes. The additional audit information provided by having at least one rule will allow the plugin to give a more complete view of the alert it is sending. +For performance reasons, some audit events will not produce syscall records which contain additional information about events unless there is at least one audit rule loaded. If you do not have any additional audit rules, edit \fI/etc/audit/audit.rules\fP and add something simple that won't impact performance like this: \fB\-w /etc/shadow \-p wa\fP. This rule will watch the shadow file for writes or changes to its attributes. The additional audit information provided by having at least one rule will allow the plugin to give a more complete view of the alert it is sending. If you are wanting to get alerts on watched syscalls, watched files, watched execution, or something becoming executable, you need to add some keys to your audit rules. 
For example, if you have the following audit watch in \fI/etc/audit/audit.rules\fP: diff -Nru audit-2.7.7/audisp/plugins/prelude/Makefile.in audit-2.8.2/audisp/plugins/prelude/Makefile.in --- audit-2.7.7/audisp/plugins/prelude/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/plugins/prelude/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/remote/audisp-remote.c audit-2.8.2/audisp/plugins/remote/audisp-remote.c --- audit-2.7.7/audisp/plugins/remote/audisp-remote.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/plugins/remote/audisp-remote.c 2017-12-14 16:46:49.000000000 +0000 @@ -1006,7 +1006,7 @@ static int init_sock(void) { int rc; - struct addrinfo *ai; + struct addrinfo *ai, *runp; struct addrinfo hints; char remote[BUF_SIZE]; int one=1; @@ -1016,6 +1016,8 @@ transport_ok = 1; return ET_SUCCESS; } + + // Resolve the remote host memset(&hints, '\0', sizeof(hints)); hints.ai_flags = AI_ADDRCONFIG|AI_NUMERICSERV; hints.ai_socktype = SOCK_STREAM; 
@@ -1031,46 +1033,75 @@ else return ET_TEMPORARY; } - sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); - if (sock < 0) { - if (!quiet) - syslog(LOG_ERR, "Error creating socket: %s", - strerror(errno)); - freeaddrinfo(ai); - return ET_TEMPORARY; - } - - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int)); - - if (config.local_port != 0) { - struct sockaddr_in address; - - memset (&address, 0, sizeof(address)); - address.sin_family = AF_INET; - address.sin_port = htons(config.local_port); - address.sin_addr.s_addr = htonl(INADDR_ANY); - if (bind(sock, (struct sockaddr *)&address, sizeof(address))) { + // Cycle through the list until we connect + runp = ai; + while (runp) { + sock = socket(runp->ai_family, runp->ai_socktype, + runp->ai_protocol); + if (sock < 0) { if (!quiet) - syslog(LOG_ERR, - "Cannot bind local socket to port %d", - config.local_port); - stop_sock(); - freeaddrinfo(ai); - return ET_TEMPORARY; + syslog(LOG_ERR, "Error creating socket: %s", + strerror(errno)); + goto next_try; } - } - if (connect(sock, ai->ai_addr, ai->ai_addrlen)) { - if (!quiet) - syslog(LOG_ERR, "Error connecting to %s: %s", - config.remote_server, strerror(errno)); - freeaddrinfo(ai); - stop_sock(); - return ET_TEMPORARY; - } + setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, + (char *)&one, sizeof (int)); - freeaddrinfo(ai); + // If we are binding, resolve somethihng relative to + // the address of the aggregating server + if (config.local_port != 0) { + struct addrinfo *ai2; + struct addrinfo hints2; + char local[BUF_SIZE]; + + // Ask for setting that can be used for bind + memset(&hints2, '\0', sizeof(hints2)); + hints2.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + hints2.ai_socktype = SOCK_STREAM; + hints2.ai_family = runp->ai_family; + hints2.ai_protocol = runp->ai_protocol; + snprintf(local, BUF_SIZE, "%u", config.local_port); + + rc = getaddrinfo(NULL, local, &hints2, &ai2); + if (rc) { + if (!quiet) + syslog(LOG_ERR, + "Error looking up local host: 
%s - retrying", + gai_strerror(rc)); + stop_sock(); + goto next_try; + } + // We are not going to cycle through the list. + // If done right only one should be on list. + if (bind(sock, ai2->ai_addr, ai2->ai_addrlen)) { + if (!quiet) + syslog(LOG_ERR, + "Cannot bind local socket to port %d", + config.local_port); + stop_sock(); + freeaddrinfo(ai2); + goto next_try; + } + freeaddrinfo(ai2); + } + if (connect(sock, runp->ai_addr, runp->ai_addrlen)) { + if (!quiet) + syslog(LOG_ERR, "Error connecting to %s: %s", + config.remote_server, strerror(errno)); + stop_sock(); + } else + break; // Success, quit trying +next_try: + runp = runp->ai_next; + } + // If the list was exhausted and no connection, we failed. + if (runp == NULL) { + rc = ET_PERMANENT; + goto out; + } + rc = ET_SUCCESS; setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int)); /* The idea here is to minimize the time between the message @@ -1083,14 +1114,18 @@ #ifdef USE_GSSAPI if (USE_GSS) { - if (negotiate_credentials ()) - return ET_PERMANENT; + if (negotiate_credentials ()) { + rc = ET_PERMANENT; + goto out; + } } #endif transport_ok = 1; syslog(LOG_NOTICE, "Connected to %s", config.remote_server); - return ET_SUCCESS; +out: + freeaddrinfo(ai); + return rc; } static int init_transport(void) @@ -1254,12 +1289,14 @@ if (utok.length < AUDIT_RMW_HEADER_SIZE) { sync_error_handler ("message too short"); + free (utok.value); return -1; } memcpy (header, utok.value, AUDIT_RMW_HEADER_SIZE); if (! AUDIT_RMW_IS_MAGIC (header, AUDIT_RMW_HEADER_SIZE)) { sync_error_handler ("bad magic number"); + free (utok.value); return -1; } @@ -1267,6 +1304,7 @@ if (rlen > MAX_AUDIT_MESSAGE_LENGTH) { sync_error_handler ("message too long"); + free (utok.value); return -1; } @@ -1274,6 +1312,7 @@ *mlen = rlen; + free (utok.value); return 0; } #endif 
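Review bot: When every address in the list fails to connect, the rewritten init_sock() now returns ET_PERMANENT, whereas the replaced code returned ET_TEMPORARY for a failed connect(); a server that is merely down or unreachable would thus be treated like an unrecoverable error, which presumably changes retry behaviour in the callers I cannot see. Unless that reclassification is intended, `rc = ET_TEMPORARY;` at the `runp == NULL` branch preserves the old semantics, with a comment such as `// All candidates failed; the peer may come back, so retry later`. Two smaller points in the same hunk: the comment "resolve somethihng relative to" has a typo, and the `stop_sock()` call on the getaddrinfo failure path should be confirmed to reset `sock` so the next iteration's socket() does not overwrite an open descriptor.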
@@ -1365,11 +1404,17 @@ return remote_server_ending_handler(msg); if (type == AUDIT_RMW_TYPE_DISKLOW) return remote_disk_low_handler(msg); - if (type == AUDIT_RMW_TYPE_DISKFULL) + if (type == AUDIT_RMW_TYPE_DISKFULL) { + // Can't log for a while might want a delay + stop_transport(); return remote_disk_full_handler(msg); - if (type == AUDIT_RMW_TYPE_DISKERROR) + } + if (type == AUDIT_RMW_TYPE_DISKERROR) { + // Can't log for a while might want a delay + stop_transport(); return remote_disk_error_handler(msg); - return -1; + } + return 0; } /* This is to check for async notification like server is shutting down */ @@ -1400,7 +1445,7 @@ int hver, mver; uint32_t type, rlen, seq; char msg[MAX_AUDIT_MESSAGE_LENGTH+1]; - int n_tries_this_message = 0; + unsigned int n_tries_this_message = 0; time_t now, then = 0; sequence_id ++; @@ -1484,10 +1529,16 @@ /* Specific errors we know how to deal with. */ if (type == AUDIT_RMW_TYPE_DISKLOW) return remote_disk_low_handler (msg); - if (type == AUDIT_RMW_TYPE_DISKFULL) + if (type == AUDIT_RMW_TYPE_DISKFULL) { + // Can't log for a while might want a delay + stop_transport(); return remote_disk_full_handler (msg); - if (type == AUDIT_RMW_TYPE_DISKERROR) + } + if (type == AUDIT_RMW_TYPE_DISKERROR) { + // Can't log for a while might want a delay + stop_transport(); return remote_disk_error_handler (msg); + } /* Generic errors. */ if (type & AUDIT_RMW_TYPE_FATALMASK) diff -Nru audit-2.7.7/audisp/plugins/remote/Makefile.in audit-2.8.2/audisp/plugins/remote/Makefile.in --- audit-2.7.7/audisp/plugins/remote/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/plugins/remote/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
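Review bot: The final `return 0` replaces `return -1` for message types the function does not recognise, so an unexpected type from the server is now reported to the caller as success; if that is intended, a comment such as `// Unknown types are not errors; ignore them` should say so, otherwise the previous -1 should remain. The comment `// Can't log for a while might want a delay` appears twice here and twice again in the @@ -1484 hunk and reads as an unresolved TODO; either implement the delay or reword it to state what stop_transport() actually achieves, e.g. `// Server cannot store events now; drop the connection and let reconnect logic back off`. Both enclosing functions start outside their hunks.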
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/zos-remote/Makefile.in audit-2.8.2/audisp/plugins/zos-remote/Makefile.in --- audit-2.7.7/audisp/plugins/zos-remote/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/audisp/plugins/zos-remote/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/audisp/plugins/zos-remote/zos-remote-plugin.c audit-2.8.2/audisp/plugins/zos-remote/zos-remote-plugin.c --- audit-2.7.7/audisp/plugins/zos-remote/zos-remote-plugin.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/plugins/zos-remote/zos-remote-plugin.c 2017-12-14 16:46:49.000000000 +0000 @@ -572,8 +572,7 @@ alarm(0); /* cancel any pending alarm */ auparse_destroy(au); /* 2 */ plugin_free_config(&conf); /* 1 */ - } - while (hup && stop == 0); + } while (hup && stop == 0); /* destroy queue before leaving */ destroy_queue(); diff -Nru audit-2.7.7/audisp/queue.c audit-2.8.2/audisp/queue.c --- audit-2.7.7/audisp/queue.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audisp/queue.c 2017-12-14 16:46:49.000000000 +0000 
@@ -202,7 +202,7 @@ { pthread_mutex_lock(&queue_lock); if (size > q_depth) { - int i; + unsigned int i; void *tmp_q; tmp_q = realloc(q, size * sizeof(event_t *)); diff -Nru audit-2.7.7/audit.spec audit-2.8.2/audit.spec --- audit-2.7.7/audit.spec 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/audit.spec 2017-12-14 16:46:49.000000000 +0000 @@ -2,7 +2,7 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.7.7 +Version: 2.8.2 Release: 1 License: GPLv2+ Group: System Environment/Daemons @@ -263,6 +263,6 @@ %changelog -* Fri Jun 16 2017 Steve Grubb 2.7.7-1 +* Thu Dec 14 2017 Steve Grubb 2.8.2-1 - New upstream release diff -Nru audit-2.7.7/auparse/auditd-config.c audit-2.8.2/auparse/auditd-config.c --- audit-2.7.7/auparse/auditd-config.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/auditd-config.c 2017-12-14 16:46:49.000000000 +0000 @@ -206,10 +206,10 @@ too_long = 0; *lineno = *lineno + 1; } else { - // If a line is too long skip it. - // Only output 1 warning - if (!too_long) - audit_msg(au, LOG_ERR, + // If a line is too long skip it. + // Only output 1 warning + if (!too_long) + audit_msg(au, LOG_ERR, "Skipping line %d in %s: too long", *lineno, file); too_long = 1; diff -Nru audit-2.7.7/auparse/auparse.c audit-2.8.2/auparse/auparse.c --- audit-2.7.7/auparse/auparse.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/auparse.c 2017-12-14 16:46:49.000000000 +0000 @@ -339,11 +339,11 @@ printf("\n"); return; } - printf("0x%X: %lu.%3.3lu:%d %s", l, l->e.sec, l->e.milli, + printf("0x%X: %ld.%3.3u:%lu %s", l, l->e.sec, l->e.milli, l->e.serial, l->e.host ? l->e.host : ""); - printf(" cnt=%d", l->cnt); + printf(" cnt=%u", l->cnt); for (r = l->head; r != NULL; r = r->next) { - printf(" {%d %d %d}", r->type, r->list_idx, r->line_number); + printf(" {%d %d %u}", r->type, r->list_idx, r->line_number); } printf("\n"); } 
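Review bot: The corrected printf in auparse.c still prints `l` with `0x%X`, yet `l->e.sec` on the same line shows it is a pointer; passing a pointer for `%X` is undefined behaviour and truncates on 64-bit builds. Use the pointer conversion, `printf("%p: %ld.%3.3u:%lu %s", (void *)l, l->e.sec, l->e.milli, l->e.serial, l->e.host ? l->e.host : "");`. `%ld` for `e.sec` assumes time_t is long, which holds on glibc/Linux but is worth a cast if portability matters. The enclosing function starts outside the hunk.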
@@ -521,6 +521,7 @@ au->escape_mode = AUPARSE_ESC_TTY; au->message_mode = MSG_QUIET; au->debug_message = DBG_NO; + au->tmp_translation = NULL; init_normalizer(&au->norm_data); return au; @@ -723,6 +724,7 @@ } au->expr = e; } + au->expr->started = 0; return 0; } @@ -931,6 +933,7 @@ free_interpretation_list(); clear_normalizer(&au->norm_data); au_lol_clear(au->au_lo, 0); + free((void *)au->tmp_translation); free(au->au_lo); free(au); } @@ -1073,25 +1076,27 @@ char *ptr; errno = 0; - ptr = strchr(s+10, ':'); + e->sec = strtoul(s, NULL, 10); + if (errno) + return -1; + ptr = strchr(s, '.'); if (ptr) { - e->serial = strtoul(ptr+1, NULL, 10); - *ptr = 0; + ptr++; + e->milli = strtoul(ptr, NULL, 10); if (errno) return -1; + s = ptr; } else - e->serial = 0; - ptr = strchr(s, '.'); + e->milli = 0; + + ptr = strchr(s, ':'); if (ptr) { - e->milli = strtoul(ptr+1, NULL, 10); - *ptr = 0; + ptr++; + e->serial = strtoul(ptr, NULL, 10); if (errno) return -1; } else - e->milli = 0; - e->sec = strtoul(s, NULL, 10); - if (errno) - return -1; + e->serial = 0; return 0; } @@ -1136,7 +1141,7 @@ // else we have a bad line } if (rc) - free(e->host); + free((void *)e->host); // else we have a bad line return rc; @@ -1297,9 +1302,14 @@ { rnode *r; + if (au->le == NULL) + return 0; + r = aup_list_get_cur(au->le); - if (r) - return expr_eval(au, r, au->expr); + if (r) { + int res = expr_eval(au, r, au->expr); + return res; + } return 0; } @@ -1313,8 +1323,14 @@ errno = EINVAL; return -1; } - if ((rc = auparse_first_record(au)) <= 0) - return rc; + if (au->expr->started == 0) { + if ((rc = auparse_first_record(au)) <= 0) + return rc; + au->expr->started = 1; + } else { + if ((rc = auparse_next_event(au)) <= 0) + return rc; + } do { do { if ((rc = ausearch_compare(au)) > 0) { 
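Review bot: The reordered timestamp parser checks only `errno` after each strtoul(), which catches overflow but not the absence of digits: non-numeric input yields 0 with errno untouched, so a malformed `sec`, `milli` or `serial` field is accepted as zero rather than rejected. Passing an end pointer fixes this for each of the three conversions, e.g. `char *end; e->sec = strtoul(s, &end, 10); if (errno || end == s) return -1;`, and likewise for `ptr` in the other two calls. Dropping the `*ptr = 0` writes is a good change since the input is no longer mutated. The function's signature lies outside the hunk.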
@@ -1539,7 +1555,7 @@ /* Accessors to event data */ const au_event_t *auparse_get_timestamp(auparse_state_t *au) { - if (au && au->le->e.sec != 0) + if (au && au->le && au->le->e.sec != 0) return &au->le->e; else return NULL; @@ -1548,7 +1564,7 @@ time_t auparse_get_time(auparse_state_t *au) { - if (au) + if (au && au->le) return au->le->e.sec; else return 0; @@ -1557,7 +1573,7 @@ unsigned int auparse_get_milli(auparse_state_t *au) { - if (au) + if (au && au->le) return au->le->e.milli; else return 0; @@ -1566,7 +1582,7 @@ unsigned long auparse_get_serial(auparse_state_t *au) { - if (au) + if (au && au->le) return au->le->e.serial; else return 0; @@ -1576,7 +1592,7 @@ // Gets the machine node name const char *auparse_get_node(auparse_state_t *au) { - if (au && au->le->e.host != NULL) + if (au && au->le && au->le->e.host != NULL) return strdup(au->le->e.host); else return NULL; @@ -1621,11 +1637,15 @@ unsigned int auparse_get_num_records(auparse_state_t *au) { + // Its OK if au->le == NULL because get_cnt handles it return aup_list_get_cnt(au->le); } unsigned int auparse_get_record_num(auparse_state_t *au) { + if (au->le == NULL) + return 0; + rnode *r = aup_list_get_cur(au->le); if (r) return r->item; @@ -1640,6 +1660,7 @@ int rc; rnode *r; + // Its OK if au->le == NULL because get_cnt handles it if (aup_list_get_cnt(au->le) == 0) { // This function loads interpretations rc = auparse_next_event(au); @@ -1665,6 +1686,7 @@ rnode *r; free_interpretation_list(); + // Its OK if au->le == NULL because get_cnt handles it if (aup_list_get_cnt(au->le) == 0) { int rc = auparse_first_record(au); if (rc <= 0) @@ -1685,12 +1707,14 @@ /* Check if a request is out of range */ free_interpretation_list(); + // Its OK if au->le == NULL because get_cnt handles it if (num >= aup_list_get_cnt(au->le)) return 0; r = aup_list_goto_rec(au->le, num); if (r != NULL) { load_interpretation_list(r->interp); + aup_list_first_field(au->le); return 1; } else return 0; 
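Review bot: The new `au->le` guards in auparse_get_time, auparse_get_milli and auparse_get_serial return 0, which is also a legal value, so a caller cannot distinguish "no event loaded" from an event at epoch 0 with serial 0; the same holds for auparse_get_record_num here and the `return 0` guards in the next file section. Setting `errno = EINVAL` before returning, as auparse_find_field_next already does for its missing-argument case, or documenting the sentinel in auparse.h would resolve it. The three `// Its OK if au->le == NULL because get_cnt handles it` comments should read `// It's OK ...`; the NULL handling they rely on is visible in ellist.h later on this page (`return l ? l->cnt : 0`), so the claim itself is accurate.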
@@ -1700,6 +1724,9 @@ /* Accessors to record data */ int auparse_get_type(auparse_state_t *au) { + if (au->le == NULL) + return 0; + rnode *r = aup_list_get_cur(au->le); if (r) return r->type; @@ -1710,6 +1737,9 @@ const char *auparse_get_type_name(auparse_state_t *au) { + if (au->le == NULL) + return NULL; + rnode *r = aup_list_get_cur(au->le); if (r) return audit_msg_type_to_name(r->type); @@ -1720,6 +1750,9 @@ unsigned int auparse_get_line_number(auparse_state_t *au) { + if (au->le == NULL) + return 0; + rnode *r = aup_list_get_cur(au->le); if (r) return r->line_number; @@ -1739,6 +1772,9 @@ return NULL; } + if (au->le == NULL) + return NULL; + rnode *r = aup_list_get_cur(au->le); if (r) { if (r->list_idx < 0) return NULL; @@ -1751,12 +1787,18 @@ int auparse_first_field(auparse_state_t *au) { + if (au->le == NULL) + return 0; + return aup_list_first_field(au->le); } int auparse_next_field(auparse_state_t *au) { + if (au->le == NULL) + return 0; + rnode *r = aup_list_get_cur(au->le); if (r) { if (nvlist_next(&r->nv)) @@ -1770,6 +1812,9 @@ unsigned int auparse_get_num_fields(auparse_state_t *au) { + if (au->le == NULL) + return 0; + rnode *r = aup_list_get_cur(au->le); if (r) return nvlist_get_cnt(&r->nv); @@ -1779,6 +1824,9 @@ const char *auparse_get_record_text(auparse_state_t *au) { + if (au->le == NULL) + return NULL; + rnode *r = aup_list_get_cur(au->le); if (r) return r->record; @@ -1788,6 +1836,9 @@ const char *auparse_get_record_interpretations(auparse_state_t *au) { + if (au->le == NULL) + return NULL; + rnode *r = aup_list_get_cur(au->le); if (r) return r->interp; @@ -1799,6 +1850,9 @@ /* scan from current location to end of event */ const char *auparse_find_field(auparse_state_t *au, const char *name) { + if (au->le == NULL) + return NULL; + free(au->find_field); au->find_field = strdup(name); 
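Review bot: The guards added from auparse_get_type down to auparse_find_field test `au->le == NULL` but dereference `au` itself unchecked, while the accessors in the previous section (auparse_get_timestamp, auparse_get_time, auparse_get_node, ...) were changed to `if (au && au->le ...)`; pick one contract for the public API and apply it consistently, e.g. `if (au == NULL || au->le == NULL)`. The same applies to the field accessors in the following section. In auparse_find_field the pre-existing `au->find_field = strdup(name);` is unchecked for both a NULL `name` and a failed strdup; since the hunk already introduces an early return there, `if (name == NULL) { errno = EINVAL; return NULL; }` would fit next to it.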
@@ -1822,6 +1876,9 @@
 /* Increment 1 location and then scan for next field */
 const char *auparse_find_field_next(auparse_state_t *au)
 {
+	if (au->le == NULL)
+		return NULL;
+
 	if (au->find_field == NULL) {
 		errno = EINVAL;
 		return NULL;
@@ -1851,6 +1908,9 @@
 /* Accessors to field data */
 unsigned int auparse_get_field_num(auparse_state_t *au)
 {
+	if (au->le == NULL)
+		return 0;
+
 	rnode *r = aup_list_get_cur(au->le);
 	if (r) {
 		nvnode *n = nvlist_get_cur(&r->nv);
@@ -1878,6 +1938,9 @@
 
 const char *auparse_get_field_name(auparse_state_t *au)
 {
+	if (au->le == NULL)
+		return NULL;
+
 	if (au->le->e.sec) {
 		rnode *r = aup_list_get_cur(au->le);
 		if (r)
@@ -1889,6 +1952,9 @@
 
 const char *auparse_get_field_str(auparse_state_t *au)
 {
+	if (au->le == NULL)
+		return NULL;
+
 	if (au->le->e.sec) {
 		rnode *r = aup_list_get_cur(au->le);
 		if (r)
@@ -1899,6 +1965,9 @@
 
 int auparse_get_field_type(auparse_state_t *au)
 {
+	if (au->le == NULL)
+		return AUPARSE_TYPE_UNCLASSIFIED;
+
 	if (au->le->e.sec) {
 		rnode *r = aup_list_get_cur(au->le);
 		if (r)
@@ -1924,11 +1993,94 @@ const char *auparse_interpret_field(auparse_state_t *au) { + if (au->le == NULL) + return NULL; + + if (au->le->e.sec) { + rnode *r = aup_list_get_cur(au->le); + if (r) { + r->cwd = NULL; + return nvlist_interp_cur_val(r, au->escape_mode); + } + } + return NULL; +} + + +const char *auparse_interpret_realpath(auparse_state_t *au) +{ + if (au->le == NULL) + return NULL; + if (au->le->e.sec) { rnode *r = aup_list_get_cur(au->le); - if (r) + if (r) { + if (nvlist_get_cur_type(r) != AUPARSE_TYPE_ESCAPED_FILE) + return NULL; + + // Tell it to make a realpath + r->cwd = au->le->cwd; return nvlist_interp_cur_val(r, au->escape_mode); + } + } + return NULL; +} + +static const char *auparse_interpret_sock_parts(auparse_state_t *au, + const char *field) +{ + if (au->le == NULL) + return NULL; + + if (au->le->e.sec) { + rnode *r = aup_list_get_cur(au->le); + if (r == NULL) + return NULL; + // This is limited to socket address fields + if (nvlist_get_cur_type(r) != AUPARSE_TYPE_SOCKADDR) + return NULL; + // Get interpretation + const char *val = nvlist_interp_cur_val(r, au->escape_mode); + if (val == NULL) + return NULL; + // make a copy since we modify it + char *tmp = strdup(val); + if (tmp == NULL) + return NULL; + // Locate the address part + val = strstr(tmp, field); + if (val) { + // Get past the = + val += strlen(field); + // find other side + char *ptr = strchr(val, ' '); + if (ptr) { + // terminate, copy, and return it + *ptr = 0; + const char *final = strdup(val); + free(tmp); + free((void *)au->tmp_translation); + au->tmp_translation = final; + return final; + } + } + free(tmp); } return NULL; } +const char *auparse_interpret_sock_family(auparse_state_t *au) +{ + return auparse_interpret_sock_parts(au, "fam="); +} + +const char *auparse_interpret_sock_port(auparse_state_t *au) +{ + return auparse_interpret_sock_parts(au, "lport="); +} + +const char *auparse_interpret_sock_address(auparse_state_t *au) +{ + return auparse_interpret_sock_parts(au, 
"laddr="); +} + diff -Nru audit-2.7.7/auparse/auparse-defs.h audit-2.8.2/auparse/auparse-defs.h --- audit-2.7.7/auparse/auparse-defs.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/auparse-defs.h 2017-12-14 16:46:49.000000000 +0000 @@ -86,7 +86,8 @@ AUPARSE_TYPE_MMAP, AUPARSE_TYPE_MODE_SHORT, AUPARSE_TYPE_MAC_LABEL, AUPARSE_TYPE_PROCTITLE, AUPARSE_TYPE_HOOK, AUPARSE_TYPE_NETACTION, AUPARSE_TYPE_MACPROTO, - AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY } auparse_type_t; + AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY, + AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY } auparse_type_t; /* This type determines what escaping if any gets applied to interpreted fields */ typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL, diff -Nru audit-2.7.7/auparse/auparse.h audit-2.8.2/auparse/auparse.h --- audit-2.7.7/auparse/auparse.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/auparse.h 2017-12-14 16:46:49.000000000 +0000 @@ -91,6 +91,7 @@ // Object accessing functions int auparse_normalize_object_primary(auparse_state_t *au); int auparse_normalize_object_secondary(auparse_state_t *au); +int auparse_normalize_object_primary2(auparse_state_t *au); int auparse_normalize_object_first_attribute(auparse_state_t *au); int auparse_normalize_object_next_attribute(auparse_state_t *au); const char *auparse_normalize_object_kind(auparse_state_t *au); 
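Review bot: auparse_interpret_sock_parts only returns a value when a space follows it (`strchr(val, ' ')`), so whichever part is last in the interpretation with nothing after it is silently reported as NULL; print_sockaddr's output format is not in this diff, so if it always ends with a trailing token this is fine, otherwise treat end-of-string as a terminator too: `char *ptr = strchr(val, ' '); if (ptr) *ptr = 0; final = strdup(val);`. `strstr(tmp, field)` also matches `field` inside a longer key (any key ending in `fam=` would satisfy the `"fam="` search), which checking that the match is at the start of the string or preceded by a space would avoid. auparse_interpret_realpath sets `r->cwd` and then calls nvlist_interp_cur_val; if that function caches the interpreted value per field (not visible here), a preceding auparse_interpret_field call, which clears `r->cwd`, would make the cached non-resolved string win, so the cwd flag deserves either a comment stating that assumption or a cache bypass.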
@@ -145,8 +146,10 @@ int auparse_get_field_type(auparse_state_t *au); int auparse_get_field_int(auparse_state_t *au); const char *auparse_interpret_field(auparse_state_t *au); - - +const char *auparse_interpret_realpath(auparse_state_t *au); +const char *auparse_interpret_sock_family(auparse_state_t *au); +const char *auparse_interpret_sock_port(auparse_state_t *au); +const char *auparse_interpret_sock_address(auparse_state_t *au); #ifdef __cplusplus } #endif diff -Nru audit-2.7.7/auparse/auparse-idata.h audit-2.8.2/auparse/auparse-idata.h --- audit-2.7.7/auparse/auparse-idata.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/auparse-idata.h 2017-12-14 16:46:49.000000000 +0000 @@ -1,6 +1,6 @@ /* * idata.h - Header file for ausearch-lookup.c -* Copyright (c) 2013,2016 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ int syscall; // The syscall for the event unsigned long long a0; // arg 0 to the syscall unsigned long long a1; // arg 1 to the syscall + const char *cwd; // The current working directory const char *name; // name of field being interpretted const char *val; // value of field being interpretted } idata; diff -Nru audit-2.7.7/auparse/data_buf.c audit-2.8.2/auparse/data_buf.c --- audit-2.7.7/auparse/data_buf.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/data_buf.c 2017-12-14 16:46:49.000000000 +0000 
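Review bot: The four new prototypes carry no lifetime documentation, and the implementations on this page differ: auparse_interpret_realpath returns a pointer owned by the current record's interpretation, whereas the three sock_* functions return a buffer that auparse keeps in `au->tmp_translation` and frees on the next sock_* call or in auparse_destroy. A comment above them such as `/* Returned strings are owned by the library: the sock_* results are valid only until the next auparse_interpret_sock_* call on this handle or auparse_destroy(); do not free them. */` would prevent use-after-free and double-free in callers.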
@@ -105,18 +105,12 @@ static inline char *databuf_end(DataBuf *db) {return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset+db->len;} -static inline char *databuf_alloc_end(DataBuf *db) -{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->alloc_size;} - -static inline int databuf_tail_size(DataBuf *db) +static inline unsigned databuf_tail_size(DataBuf *db) {return db->alloc_size - (db->offset+db->len);} -static inline int databuf_tail_available(DataBuf *db, size_t append_len) +static inline unsigned databuf_tail_available(DataBuf *db, size_t append_len) {return append_len <= databuf_tail_size(db);} -static inline size_t databuf_free_size(DataBuf *db) -{return db->alloc_size-db->len;} - /*****************************************************************************/ /*************************** Internal Functions ****************************/ /*****************************************************************************/ diff -Nru audit-2.7.7/auparse/ellist.c audit-2.8.2/auparse/ellist.c --- audit-2.7.7/auparse/ellist.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/ellist.c 2017-12-14 16:46:49.000000000 +0000 @@ -1,6 +1,6 @@ /* * ellist.c - Minimal linked list library -* Copyright (c) 2006-08,2014,2016 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-08,2014,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -25,7 +25,7 @@ #include #include #include -#include +#include "libaudit.h" #include "ellist.h" #include "interpret.h" @@ -40,6 +40,7 @@ l->e.sec = 0L; l->e.serial = 0L; l->e.host = NULL; + l->cwd = NULL; } static void aup_list_last(event_list_t *l) @@ -101,7 +102,7 @@ static int parse_up_record(rnode* r) { char *ptr, *buf, *saved=NULL; - int offset = 0; + unsigned int offset = 0; // Potentially cut the record in two ptr = strchr(r->record, AUDIT_INTERP_SEPARATOR); 
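Review bot: `databuf_tail_available` now returns `unsigned` for what is a boolean (`append_len <= databuf_tail_size(db)`); `int` or `bool` states the intent better. `databuf_tail_size` computes `alloc_size - (offset+len)` in unsigned arithmetic, so if the invariant `offset+len <= alloc_size` is ever violated the result wraps to a huge value and `databuf_tail_available` becomes unconditionally true, whereas the previous `int` at least made the negative visible; an `assert(db->offset + db->len <= db->alloc_size);` in databuf_tail_size would keep the invariant checked in debug builds.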
@@ -234,6 +235,9 @@ r->a1 = strtoull(n.val, NULL, 16); if (errno) r->a1 = -1LL; + } else if (r->type == AUDIT_CWD) { + if (strcmp(n.name, "cwd") == 0) + r->cwd = strdup(n.val); } } else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) { // We special case these 2 fields because selinux @@ -277,7 +281,6 @@ n.val = strdup(ptr); nvlist_append(&r->nv, &n); } - // FIXME: There should be an else here to catch ancillary data } while((ptr = audit_strsplit_r(NULL, &saved))); free(buf); @@ -288,6 +291,7 @@ int aup_list_append(event_list_t *l, char *record, int list_idx, unsigned int line_number) { + int rc; rnode* r; if (record == NULL) @@ -300,6 +304,7 @@ r->record = record; r->interp = NULL; + r->cwd = NULL; r->type = 0; r->a0 = 0LL; r->a1 = 0LL; @@ -324,7 +329,10 @@ l->cnt++; // Then parse the record up into nvlist - return parse_up_record(r); + rc = parse_up_record(r); + if (r->cwd) + l->cwd = r->cwd; + return rc; } void aup_list_clear(event_list_t* l) @@ -350,7 +358,8 @@ l->e.sec = 0L; l->e.serial = 0L; free((char *)l->e.host); - l->e.host = NULL; + l->e.host = NULL; + free((void *)l->cwd); } /*int aup_list_get_event(event_list_t* l, au_event_t *e) diff -Nru audit-2.7.7/auparse/ellist.h audit-2.8.2/auparse/ellist.h --- audit-2.7.7/auparse/ellist.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/ellist.h 2017-12-14 16:46:49.000000000 +0000 @@ -1,6 +1,6 @@ /* * ellist.h - Header file for ellist.c -* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-07,2017 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -30,7 +30,7 @@ #include #include "nvlist.h" -/* This is the linked list head. Only data elements that are 1 per +/* This is the record linked list head. Only data elements that are 1 per * event goes here. */ typedef struct { rnode *head; // List head 
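Review bot: `l->cwd` aliases `r->cwd` after `if (r->cwd) l->cwd = r->cwd;` in aup_list_append, and aup_list_clear frees it via `free((void *)l->cwd);` without resetting it, unlike `l->e.host = NULL;` just above, so a second clear on the same list is a double free; add `l->cwd = NULL;` after the free. Ownership of the string also needs stating: if the rnode teardown (outside the hunk) frees `r->cwd` as well this is a double free, and if it does not, a second AUDIT_CWD record in one event overwrites `l->cwd` and leaks the first strdup. The `r->cwd` field is additionally reused by auparse_interpret_field and auparse_interpret_realpath on this page as a per-call "resolve against this cwd" flag, so one field serves as both storage and control; a separate pointer for the interpretation cwd would make the ownership easy to follow.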
@@ -39,6 +39,7 @@ // Data we add as 1 per event au_event_t e; // event - time & serial number + const char *cwd; // cwd used for realpath conversion } event_list_t; static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l ? l->cnt : 0; } diff -Nru audit-2.7.7/auparse/expression.c audit-2.8.2/auparse/expression.c --- audit-2.7.7/auparse/expression.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/expression.c 2017-12-14 16:46:49.000000000 +0000 @@ -29,8 +29,9 @@ #include #include "expression.h" +#include "interpret.h" - /* Utilities */ +/* Utilities */ /* Free EXPR and all its subexpressions. */ void @@ -71,7 +72,7 @@ free(expr); } - /* Expression parsing. */ +/* Expression parsing. */ /* The formal grammar: @@ -365,8 +366,9 @@ *dest = EF_RECORD_TYPE; else if (strcmp(name, "timestamp_ex") == 0) *dest = EF_TIMESTAMP_EX; - else + else return -1; + return 0; } @@ -426,6 +428,29 @@ return 0; } +/* Parse a uid/gid field value in P->token_value to DEST. + On success, return 0. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + -1. */ +static int +parse_unsigned_value(struct expr *dest, struct parsing *p) +{ + uint32_t val; + + assert(p->token == T_STRING); + errno = 0; + val = strtoul(p->token_value, NULL, 10); + if (errno) { + if (asprintf(p->error, "Error converting number `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + return -1; + } + dest->v.p.unsigned_val = val; + dest->precomputed_value = 1; + return 0; +} + /* Parse a virtual field value in P->token_value to DEST. On success, return 0. On error, set *P->ERROR to an error string (for free()) or NULL, and return @@ -510,6 +535,7 @@ res = parser_malloc(p, sizeof(*res)); if (res == NULL) return NULL; + res->numeric_field = 0; if (p->token == T_FIELD_ESCAPE) { if (lex(p) != 0) goto err_res; 
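Review bot: parse_unsigned_value accepts any token for which strtoul does not set errno: a non-numeric value such as `uid>abc` silently becomes 0, `-1` wraps to ULONG_MAX and is then truncated into `uint32_t`, and trailing characters are ignored. Use an end pointer and reject a partial parse: `char *end; unsigned long v = strtoul(p->token_value, &end, 10); if (errno || end == p->token_value || *end != '\0' || v > UINT32_MAX) { /* existing asprintf error path */ return -1; }`. The same NULL-endptr conversion is used by eval_unsigned_value in a later hunk of this file, where a non-numeric record value likewise compares as 0 with `*valid` set to 1.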
@@ -521,6 +547,7 @@ if (strcmp(p->token_value, "regexp") == 0) return parse_comparison_regexp(p, res); res->virtual_field = 1; + res->numeric_field = 1; if (parse_escaped_field_name(&res->v.p.field.id, p->token_value) != 0) { if (asprintf(p->error, @@ -533,6 +560,9 @@ assert(p->token == T_STRING); res->virtual_field = 0; res->v.p.field.name = p->token_value; + int type = lookup_type(p->token_value); + if (type == AUPARSE_TYPE_UID || type == AUPARSE_TYPE_GID) + res->numeric_field = 1; p->token_value = NULL; } if (lex(p) != 0) @@ -569,15 +599,20 @@ *p->error = NULL; goto err_field; } - if (res->virtual_field == 0) { + if (res->numeric_field == 0) { if (asprintf(p->error, "Field `%s' does not support " "value comparison", res->v.p.field.name) < 0) *p->error = NULL; goto err_field; } else { - if (parse_virtual_field_value(res, p) != 0) - goto err_field; + if (res->virtual_field) { + if (parse_virtual_field_value(res, p) != 0) + goto err_field; + } else { + if (parse_unsigned_value(res, p) != 0) + goto err_field; + } } if (lex(p) != 0) { expr_free(res); @@ -778,7 +813,7 @@ { struct expr *res; - res = malloc(sizeof(*res)); + res = calloc(sizeof(struct expr), 1); if (res == NULL) goto err; assert(op == EO_RAW_EQ || op == EO_RAW_NE || op == EO_INTERPRETED_EQ @@ -812,13 +847,14 @@ { struct expr *res; - res = malloc(sizeof(*res)); + res = calloc(sizeof(struct expr), 1); if (res == NULL) return NULL; assert(op == EO_VALUE_EQ || op == EO_VALUE_NE || op == EO_VALUE_LT || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE); res->op = op; res->virtual_field = 1; + res->numeric_field = 1; res->v.p.field.id = EF_TIMESTAMP_EX; res->precomputed_value = 1; res->v.p.value.timestamp_ex.sec = sec; @@ -845,7 +881,7 @@ { struct expr *res; - res = malloc(sizeof(*res)); + res = calloc(sizeof(struct expr), 1); if (res == NULL) goto err; res->op = EO_FIELD_EXISTS; 
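Review bot: `calloc(sizeof(struct expr), 1)` has its arguments in the reverse of the documented order (`calloc(nmemb, size)`); the byte count is the same, but readers and static checkers expect `calloc(1, sizeof *res)`, which also keeps the allocation tied to the variable's type. The same form appears in the two following hunks here and in the two expr_create_* hunks of the next section.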
@@ -869,7 +905,7 @@ { struct expr *res; - res = malloc(sizeof(*res)); + res = calloc(sizeof(struct expr), 1); if (res == NULL) goto err; res->v.regexp = malloc(sizeof(*res->v.regexp)); @@ -898,7 +934,7 @@ { struct expr *res; - res = malloc(sizeof(*res)); + res = calloc(sizeof(struct expr), 1); if (res == NULL) return NULL; assert(op == EO_AND || op ==EO_OR); @@ -908,14 +944,13 @@ return res; } - /* Expression evaluation */ +/* Expression evaluation */ /* Return the "raw" value of the field in EXPR for RECORD in AU->le. Set *FREE_IT to 1 if the return value should free()'d. Return NULL on error. */ static char * -eval_raw_value(auparse_state_t *au, rnode *record, const struct expr *expr, - int *free_it) +eval_raw_value(rnode *record, const struct expr *expr, int *free_it) { if (expr->virtual_field == 0) { nvlist_first(&record->nv); @@ -925,7 +960,9 @@ return (char *)nvlist_get_cur_val(&record->nv); } switch (expr->v.p.field.id) { - case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX: + case EF_TIMESTAMP: + case EF_RECORD_TYPE: + case EF_TIMESTAMP_EX: return NULL; default: @@ -933,6 +970,27 @@ } } +/* Return the "int" value of the field in EXPR for RECORD in AU->le. Set + valid to 1 if the return value is valid. Valid is set to 0 on error. */ +static uint32_t +eval_unsigned_value(rnode *record, const struct expr *expr, int *valid) +{ + *valid = 0; + if (expr->virtual_field == 0) { + nvlist_first(&record->nv); + if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0) + return 0; + const char *val = nvlist_get_cur_val(&record->nv); + if (val) { + uint32_t v = strtoul(val, NULL, 10); + *valid = 1; + return v; + } + } else + abort(); + return 0; +} + /* Return the "interpreted" value of the field in EXPR for RECORD in AU->le. Set *FREE_IT to 1 if the return value should free()'d. Return NULL on *error. */ 
@@ -953,7 +1011,9 @@ return (char *)res; } switch (expr->v.p.field.id) { - case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX: + case EF_TIMESTAMP: + case EF_RECORD_TYPE: + case EF_TIMESTAMP_EX: return NULL; default: @@ -961,6 +1021,16 @@ } } +static int +compare_unsigned_values(uint32_t one, uint32_t two) +{ + if (one < two) + return -1; + else if (one > two) + return 1; + return 0; +} + /* Return -1, 0, 1 depending on comparing the field in EXPR with RECORD in AU. Set *ERROR to 0 if OK, non-zero otherwise. */ static int @@ -968,7 +1038,7 @@ int *error) { int res; - if (expr->virtual_field == 0) { + if (expr->numeric_field == 0) { *error = 1; return 0; } @@ -1026,30 +1096,36 @@ int expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr) { + int res; + switch (expr->op) { case EO_NOT: - return !expr_eval(au, record, expr->v.sub[0]); + res = !expr_eval(au, record, expr->v.sub[0]); + break; case EO_AND: - return (expr_eval(au, record, expr->v.sub[0]) + res = (expr_eval(au, record, expr->v.sub[0]) && expr_eval(au, record, expr->v.sub[1])); + break; case EO_OR: - return (expr_eval(au, record, expr->v.sub[0]) + res = (expr_eval(au, record, expr->v.sub[0]) || expr_eval(au, record, expr->v.sub[1])); + break; case EO_RAW_EQ: case EO_RAW_NE: { int free_it, ne; char *value; - value = eval_raw_value(au, record, expr, &free_it); + value = eval_raw_value(record, expr, &free_it); if (value == NULL) return 0; assert(expr->precomputed_value == 0); ne = strcmp(expr->v.p.value.string, value); if (free_it != 0) free(value); - return expr->op == EO_RAW_EQ ? ne == 0 : ne != 0; + res = expr->op == EO_RAW_EQ ? ne == 0 : ne != 0; + break; } case EO_INTERPRETED_EQ: case EO_INTERPRETED_NE: { 
@@ -1063,49 +1139,68 @@ ne = strcmp(expr->v.p.value.string, value); if (free_it != 0) free(value); - return expr->op == EO_INTERPRETED_EQ ? ne == 0 : ne != 0; + res = expr->op == EO_INTERPRETED_EQ ? ne == 0 : ne != 0; + break; } case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE: case EO_VALUE_GT: case EO_VALUE_GE: { - int err, cmp; + int err = 0, cmp; - cmp = compare_values(au, record, expr, &err); + if (expr->virtual_field == 0) { + // UID & GID here + int valid; + uint32_t val = eval_unsigned_value(record,expr,&valid); + if (valid == 0) + return 0; + cmp = compare_unsigned_values(val, + expr->v.p.unsigned_val); + } else // virtual fields here + cmp = compare_values(au, record, expr, &err); if (err != 0) return 0; switch (expr->op) { case EO_VALUE_EQ: - return cmp == 0; + res = cmp == 0; + break; case EO_VALUE_NE: - return cmp != 0; + res = cmp != 0; + break; case EO_VALUE_LT: - return cmp < 0; + res = cmp < 0; + break; case EO_VALUE_LE: - return cmp <= 0; + res = cmp <= 0; + break; case EO_VALUE_GT: - return cmp > 0; + res = cmp > 0; + break; case EO_VALUE_GE: - return cmp >= 0; - + res = cmp >= 0; + break; default: abort(); } } + break; case EO_FIELD_EXISTS: assert(expr->virtual_field == 0); nvlist_first(&record->nv); - return nvlist_find_name(&record->nv, expr->v.p.field.name) != 0; + res = nvlist_find_name(&record->nv, expr->v.p.field.name) != 0; + break; case EO_REGEXP_MATCHES: - return regexec(expr->v.regexp, record->record, 0, NULL, 0) == 0; + res = regexec(expr->v.regexp, record->record, 0, NULL, 0) == 0; + break; default: abort(); } + return res; } diff -Nru audit-2.7.7/auparse/expression.h audit-2.8.2/auparse/expression.h --- audit-2.7.7/auparse/expression.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/expression.h 2017-12-14 16:46:49.000000000 +0000 
@@ -52,6 +52,9 @@ unsigned virtual_field : 1; /* Can be non-zero only if virtual_field != 0 */ unsigned precomputed_value : 1; + /* Decides if >= > < <= applies to field */ + unsigned numeric_field : 1; + unsigned started : 1; union { struct expr *sub[2]; struct { @@ -74,6 +77,7 @@ } timestamp_ex; /* EF_TIMESTAMP_EX */ int int_value; /* EF_RECORD_TYPE */ } value; + uint32_t unsigned_val; /* UID & GID */ } p; regex_t *regexp; } v; diff -Nru audit-2.7.7/auparse/famtab.h audit-2.8.2/auparse/famtab.h --- audit-2.7.7/auparse/famtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/famtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -59,4 +59,6 @@ _S(38, "alg" ) _S(39, "nfc" ) _S(40, "vsock" ) - +_S(41, "kcm" ) +_S(42, "qipcrtr" ) +_S(43, "smc" ) diff -Nru audit-2.7.7/auparse/fcntl-cmdtab.h audit-2.8.2/auparse/fcntl-cmdtab.h --- audit-2.7.7/auparse/fcntl-cmdtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/fcntl-cmdtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -49,4 +49,7 @@ _S(1032, "F_GETPIPE_SZ" ) _S(1033, "F_ADD_SEALS" ) _S(1034, "F_GET_SEALS" ) - +_S(1035, "F_GET_RW_HINT" ) +_S(1036, "F_SET_RW_HINT" ) +_S(1037, "F_GET_FILE_RW_HINT" ) +_S(1038, "F_SET_FILE_RW_HINT" ) diff -Nru audit-2.7.7/auparse/internal.h audit-2.8.2/auparse/internal.h --- audit-2.7.7/auparse/internal.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/internal.h 2017-12-14 16:46:49.000000000 +0000 @@ -120,12 +120,13 @@ value_t secondary; // typically uid cllist attr; // List of attributes const char *what; // What the subject is -}subject; +} subject; typedef struct obj { value_t primary; value_t secondary; + value_t two; // Sometimes we have a second e.g. rename/mount cllist attr; // List of attributes unsigned int what; // What the primary object is } object; 
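Review bot: The existing comment `/* Can be non-zero only if virtual_field != 0 */` above `precomputed_value` is now stale, because parse_unsigned_value (earlier on this page) sets `dest->precomputed_value = 1` for non-virtual uid/gid fields; update it to `/* Non-zero for virtual fields and for numeric (uid/gid) comparisons */`. `started` is per-search iteration state rather than a property of the expression, so it would sit more naturally in `auparse_state_t` next to `expr`, where `tmp_translation` is added in the same release. The new `uint32_t unsigned_val` member could also use a one-line note that it holds the precomputed value for non-virtual numeric fields while `value` serves the virtual ones.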
@@ -181,6 +182,7 @@ auparse_esc_t escape_mode; message_t message_mode; // Where to send error messages debug_message_t debug_message; // Whether or not messages are debug or not + const char *tmp_translation; // Pointer to manage mem for field translation normalize_data norm_data; }; diff -Nru audit-2.7.7/auparse/interpret.c audit-2.8.2/auparse/interpret.c --- audit-2.7.7/auparse/interpret.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/interpret.c 2017-12-14 16:46:49.000000000 +0000 @@ -50,6 +50,12 @@ #include #include #include +#ifdef USE_FANOTIFY +#include +#else +#define FAN_ALLOW 1 +#define FAN_DENY 2 +#endif #include "auparse-defs.h" #include "gen_tables.h" @@ -778,7 +784,7 @@ static char *print_escaped(const char *val) { - const char *out; + char *out; if (*val == '"') { char *term; @@ -809,6 +815,41 @@ return strdup(val); // Something is wrong with string, just send as is } +static const char *print_escaped_ext(const idata *id) +{ + if (id->cwd) { + char *str1 = NULL, *str2, *str3 = NULL, *out = NULL; + str2 = print_escaped(id->val); + if (!str2) + goto err_out; + if (*str2 != '/') { + str1 = print_escaped(id->cwd); + if (!str1) + goto err_out; + if (asprintf(&str3, "%s/%s", str1, str2) < 0) + goto err_out; + } else { + // Check in case /home/../etc/passwd + if (strstr(str2, "..") == NULL) + return str2; + + str3 = str2; + str2 = NULL; + str1 = NULL; + } + errno = 0; + out = realpath(str3, NULL); + if (errno) // If there's an error, just return the original + return str3; +err_out: + free(str1); + free(str2); + free(str3); + return out; + } else + return print_escaped(id->val); +} + static const char *print_proctitle(const char *val) { char *out = (char *)print_escaped(val); @@ -1030,7 +1071,8 @@ static const char *print_sockaddr(const char *val) { - int slen, rc = 0; + size_t slen; + int rc = 0; const struct sockaddr *saddr; char name[NI_MAXHOST], serv[NI_MAXSERV]; const char *host; 
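Review bot: print_escaped_ext leaks `str1` and `str2` on the `if (errno) return str3;` path whenever the value was relative (both were allocated to build `str3`), and keying on `errno` rather than on the realpath result can leak `out` as well if some library call set errno without realpath failing; test the return instead: `if (out == NULL) { free(str1); free(str2); return str3; }`. The function also deserves a comment on its semantics: realpath resolves symlinks and `..` against the filesystem of the host running auparse at parse time, not the system that produced the event, so the result can differ from what the audited process actually opened and is only meaningful for logs analysed on the originating host.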
@@ -1309,7 +1351,7 @@ size_t i; unsigned int flags; int cnt = 0; - char *out, buf[178]; + char *out, buf[sizeof(open_flag_strings)+8]; errno = 0; flags = strtoul(val, NULL, 16); @@ -1347,7 +1389,7 @@ { unsigned int flags, i, clone_sig; int cnt = 0; - char *out, buf[362]; // added 10 for signal name + char *out, buf[sizeof(clone_flag_strings)+16];// + 10 for signal name errno = 0; flags = strtoul(val, NULL, 16); @@ -1454,8 +1496,8 @@ static const char *print_prot(const char *val, unsigned int is_mmap) { - unsigned int prot, i; - int cnt = 0, limit; + unsigned int prot, i, limit; + int cnt = 0; char buf[144]; char *out; @@ -1476,7 +1518,7 @@ limit = 4; else limit = 3; - for (i=0; isyscall; id.a0 = r->a0; id.a1 = r->a1; + id.cwd = r->cwd; id.name = nvlist_get_cur_name(nv); id.val = nvlist_get_cur_val(nv); type = auparse_interp_adjust_type(r->type, id.name, id.val); @@ -2847,9 +2926,12 @@ out = print_exit(id->val); break; case AUPARSE_TYPE_ESCAPED: + case AUPARSE_TYPE_ESCAPED_FILE: + out = print_escaped_ext(id); + break; case AUPARSE_TYPE_ESCAPED_KEY: out = print_escaped(id->val); - break; + break; case AUPARSE_TYPE_PERM: out = print_perm(id->val); break; @@ -2940,6 +3022,9 @@ case AUPARSE_TYPE_IOCTL_REQ: out = print_ioctl_req(id->val); break; + case AUPARSE_TYPE_FANOTIFY: + out = print_fanotify(id->val); + break; case AUPARSE_TYPE_MAC_LABEL: case AUPARSE_TYPE_UNCLASSIFIED: default: diff -Nru audit-2.7.7/auparse/ioctlreqtab.h audit-2.8.2/auparse/ioctlreqtab.h --- audit-2.7.7/auparse/ioctlreqtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/ioctlreqtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -18,6 +18,8 @@ * * Authors: * Steve Grubb + * + * This list is not comprehensive. Its just some cherry picked ioctls. * include/uapi/linux/kd.h * include/uapi/linux/cdrom.h * include/uapi/asm-generic/ioctls.h 
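Review bot: `case AUPARSE_TYPE_ESCAPED:` now falls through to print_escaped_ext together with `AUPARSE_TYPE_ESCAPED_FILE`, so every escaped field, not only file names, is joined to `id->cwd` and passed to realpath whenever the record's `cwd` is set; print_escaped_ext takes the old path when `id->cwd == NULL`, but if any caller other than auparse_interpret_realpath leaves `r->cwd` set, non-path values would be resolved as paths. If the intent is that only ESCAPED_FILE is resolved, move `case AUPARSE_TYPE_ESCAPED:` down to the `print_escaped(id->val)` group; otherwise a one-line comment stating that the cwd flag gates the behaviour would help the next reader.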
@@ -26,10 +28,12 @@ _S(0x4B3A, "KDSETMODE" ) _S(0x4B3B, "KDGETMODE" ) + _S(0x5309, "CDROMEJECT" ) _S(0x530F, "CDROMEJECT_SW" ) _S(0x5311, "CDROM_GET_UPC" ) _S(0x5316, "CDROMSEEK" ) + _S(0x5401, "TCGETS" ) _S(0x5402, "TCSETS" ) _S(0x5403, "TCSETSW" ) @@ -43,6 +47,7 @@ _S(0x5414, "TIOCSWINSZ" ) _S(0x541B, "TIOCINQ" ) _S(0x5421, "FIONBIO" ) +_S(0x5422, "TIOCNOTTY" ) _S(0x8901, "FIOSETOWN" ) _S(0x8903, "FIOGETOWN" ) _S(0x8910, "SIOCGIFNAME" ) @@ -52,6 +57,7 @@ _S(0x40045431, "TIOCSPTLCK" ) // Need a better fix for these _S(0x80045430, "TIOCGPTN" ) _S(0x80045431, "TIOCSPTLCK" ) + _S(0xC01C64A3, "DRM_IOCTL_MODE_CURSOR" ) _S(0xC01864B0, "DRM_IOCTL_MODE_PAGE_FLIP" ) _S(0xC01864B1, "DRM_IOCTL_MODE_DIRTYFB" ) diff -Nru audit-2.7.7/auparse/ip6optnametab.h audit-2.8.2/auparse/ip6optnametab.h --- audit-2.7.7/auparse/ip6optnametab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/ip6optnametab.h 2017-12-14 16:46:49.000000000 +0000 @@ -80,10 +80,12 @@ _S(67, "IPV6_TCLASS") _S(68, "IP6T_SO_GET_REVISION_MATCH") _S(69, "IP6T_SO_GET_REVISION_TARGET") +_S(70, "IPV6_AUTOFLOWLABEL") _S(72, "IPV6_ADDR_PREFERENCES") _S(73, "IPV6_MINHOPCOUNT") _S(74, "IPV6_ORIGDSTADDR") _S(75, "IPV6_TRANSPARENT") _S(76, "IPV6_UNICAST_IF") +_S(77, "IPV6_RECVFRAGSIZE") _S(80, "IP6T_SO_ORIGINAL_DST") diff -Nru audit-2.7.7/auparse/lru.c audit-2.8.2/auparse/lru.c --- audit-2.7.7/auparse/lru.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/lru.c 2017-12-14 16:46:49.000000000 +0000 @@ -61,6 +61,10 @@ return hash; hash->array = malloc(hsize * sizeof(QNode*)); + if (hash->array == NULL) { + free(hash); + return NULL; + } // Initialize all hash entries as empty for (i = 0; i < hsize; i++) diff -Nru audit-2.7.7/auparse/Makefile.in audit-2.8.2/auparse/Makefile.in --- audit-2.7.7/auparse/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/auparse/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
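Review bot: The added NULL check on `hash->array` is right, but `malloc(hsize * sizeof(QNode*))` still multiplies without an overflow check; `calloc(hsize, sizeof *hash->array)` performs the checked multiply, and the `free(hash); return NULL;` cleanup stays as written. `hsize` is presumably small and fixed by the caller, so this is a hardening note rather than a bug report.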
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/auparse/mmaptab.h audit-2.8.2/auparse/mmaptab.h --- audit-2.7.7/auparse/mmaptab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/mmaptab.h 2017-12-14 16:46:49.000000000 +0000 @@ -20,7 +20,6 @@ * Steve Grubb * Location: include/uapi/asm-generic/mman.h >0x100 * include/uapi/asm-generic/mman-common.h < 0x100 - * NOTE: If this is updated, also update interpret.c:print_mmap() */ _S(0x00001, "MAP_SHARED" ) diff -Nru audit-2.7.7/auparse/normalize.c audit-2.8.2/auparse/normalize.c --- audit-2.7.7/auparse/normalize.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize.c 2017-12-14 16:46:49.000000000 +0000 @@ -25,7 +25,7 @@ #include #include #include -#include +#include "libaudit.h" #include "auparse.h" #include "internal.h" #include "normalize-llist.h" @@ -51,6 +51,7 @@ #define is_unset(y) (get_record(y) == UNSET) #define D au->norm_data +static int syscall_success; void init_normalizer(normalize_data *d) { @@ -63,12 +64,14 @@ d->action = NULL; d->thing.primary = set_record(0, UNSET); d->thing.secondary = set_record(0, UNSET); + d->thing.two = set_record(0, UNSET); cllist_create(&d->thing.attr, NULL); d->thing.what = NORM_WHAT_UNKNOWN; d->results = set_record(0, UNSET); d->how = NULL; d->opt = NORM_OPT_ALL; d->key = set_record(0, UNSET); + syscall_success = -1; } void clear_normalizer(normalize_data *d) 
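Review bot: `static int syscall_success;` is file-scope state shared by every auparse_state_t in the process, while the rest of the normaliser's state lives in `normalize_data` (`d->thing.two` is added there in the very next hunk); two handles normalised from different threads, or interleaved on one thread, will read each other's value. Move it into `normalize_data` as `int syscall_success;` and reset it through `d->syscall_success = -1;` in init_normalizer and clear_normalizer, which is where the hunks already reset the static.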
@@ -77,20 +80,22 @@ d->session = set_record(0, UNSET); d->actor.primary = set_record(0, UNSET); d->actor.secondary = set_record(0, UNSET); - free(d->actor.what); + free((void *)d->actor.what); d->actor.what = NULL; cllist_clear(&d->actor.attr); - free(d->action); + free((void *)d->action); d->action = NULL; d->thing.primary = set_record(0, UNSET); d->thing.secondary = set_record(0, UNSET); + d->thing.two = set_record(0, UNSET); cllist_clear(&d->thing.attr); d->thing.what = NORM_WHAT_UNKNOWN; d->results = set_record(0, UNSET); - free(d->how); + free((void *)d->how); d->how = NULL; d->opt = NORM_OPT_ALL; d->key = set_record(0, UNSET); + syscall_success = -1; } static unsigned int set_subject_what(auparse_state_t *au) @@ -100,7 +105,7 @@ int uid = auparse_get_field_int(au); if (uid == NORM_ACCT_PRIV) D.actor.what = strdup("priviliged-acct"); - else if (uid == NORM_ACCT_UNSET) + else if ((unsigned)uid == NORM_ACCT_UNSET) D.actor.what = strdup("unset-acct"); else if (uid < NORM_ACCT_MAX_SYS) D.actor.what = strdup("service-acct"); @@ -165,6 +170,23 @@ return 1; } +static unsigned int set_prime_object2(auparse_state_t *au, const char *str, + unsigned int adjust) +{ + unsigned int rnum = 2 + adjust; + + auparse_goto_record_num(au, rnum); + auparse_first_field(au); + + if (auparse_find_field(au, str)) { + D.thing.two = set_record(0, rnum); + D.thing.two = set_field(D.thing.two, + auparse_get_field_num(au)); + return 0; + } + return 1; +} + static unsigned int add_obj_attr(auparse_state_t *au, const char *str, unsigned int rnum) { 
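Review bot: set_prime_object2 ignores the return value of `auparse_goto_record_num(au, rnum)`; per the auparse.c hunk on this page that call returns 0 when `rnum` is out of range, in which case `auparse_find_field` then searches whichever record is current and can record a field number against the wrong record. Guard it with `if (auparse_goto_record_num(au, rnum) != 1) return 1;` before the find; the following `auparse_first_field(au)` then becomes redundant, since the new auparse_goto_record_num already calls aup_list_first_field.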
@@ -232,11 +254,87 @@ } while (auparse_next_record(au) == 1); } +static void collect_perm_obj2(auparse_state_t *au, const char *syscall) +{ + const char *val; + + if (strcmp(syscall, "fchmodat") == 0) + val = "a2"; + else + val = "a1"; + + auparse_first_record(au); + if (auparse_find_field(au, val)) { + D.thing.two = set_record(0, 0); + D.thing.two = set_field(D.thing.two, + auparse_get_field_num(au)); + } +} + +static void collect_own_obj2(auparse_state_t *au, const char *syscall) +{ + const char *val; + + if (strcmp(syscall, "fchownat") == 0) + val = "a2"; + else + val = "a1"; + + auparse_first_record(au); + if (auparse_find_field(au, val)) { + // if uid is -1, its not being changed, user group + if (auparse_get_field_int(au) == -1 && errno == 0) + auparse_next_field(au); + D.thing.two = set_record(0, 0); + D.thing.two = set_field(D.thing.two, + auparse_get_field_num(au)); + } +} + +static void collect_id_obj2(auparse_state_t *au, const char *syscall) +{ + unsigned int limit, cnt = 1;; + + if (strcmp(syscall, "setuid") == 0) + limit = 1; + else if (strcmp(syscall, "setreuid") == 0) + limit = 2; + else if (strcmp(syscall, "setresuid") == 0) + limit = 3; + else if (strcmp(syscall, "setgid") == 0) + limit = 1; + else if (strcmp(syscall, "setregid") == 0) + limit = 2; + else if (strcmp(syscall, "setresgid") == 0) + limit = 3; + else + return; // Shouldn't happen + + auparse_first_record(au); + if (auparse_find_field(au, "a0")) { + while (cnt <= limit) { + const char *str = auparse_interpret_field(au); + if ((strcmp(str, "unset") == 0) && errno == 0) { + // Only move it if its safe to + if (cnt < limit) { + auparse_next_field(au); + cnt++; + } + } else + break; + } + D.thing.two = set_record(0, 0); + D.thing.two = set_field(D.thing.two, + auparse_get_field_num(au)); + } +} + static void collect_path_attrs(auparse_state_t *au) { value_t attr; unsigned int rnum = auparse_get_record_num(au); + auparse_first_field(au); if (add_obj_attr(au, "mode", rnum)) return; // Failed 
opens don't have anything else @@ -281,7 +379,6 @@ continue; } // First normal record is collected - auparse_first_field(au); collect_path_attrs(au); return; break; @@ -297,7 +394,6 @@ // If we get here, path was never collected. Go back and get parent if (parent) { auparse_goto_record_num(au, parent); - auparse_first_field(au); collect_path_attrs(au); } } @@ -409,16 +505,16 @@ * This function is supposed to come up with the action and object for the * syscalls. */ -static int normalize_syscall(auparse_state_t *au, const char *syscall, int type) +static int normalize_syscall(auparse_state_t *au, const char *syscall) { - int rc, tmp_objkind, objtype = NORM_UNKNOWN, offset = 0;; + int rc, tmp_objkind, objtype = NORM_UNKNOWN, ttype = 0, offset = 0; const char *act = NULL, *f; // cycle through all records and see what we have tmp_objkind = objtype; rc = auparse_first_record(au); while (rc == 1) { - int ttype = auparse_get_type(au); + ttype = auparse_get_type(au); if (ttype == AUDIT_AVC) { // We want to go ahead with syscall to get objects @@ -436,6 +532,18 @@ } else if (ttype == AUDIT_KERN_MODULE) { objtype = NORM_FILE_LDMOD; break; + } else if (ttype == AUDIT_MAC_POLICY_LOAD) { + objtype = NORM_MAC_LOAD; + break; + } else if (ttype == AUDIT_MAC_STATUS) { + objtype = NORM_MAC_ENFORCE; + break; + } else if (ttype == AUDIT_MAC_CONFIG_CHANGE) { + objtype = NORM_MAC_CONFIG; + break; + } else if (ttype == AUDIT_FANOTIFY) { + tmp_objkind = NORM_AV; + break; } rc = auparse_next_record(au); } @@ -466,6 +574,7 @@ D.thing.what = NORM_WHAT_FILE; // this gets overridden if (strcmp(syscall, "fchmod") == 0) offset = -1; + collect_perm_obj2(au, syscall); set_file_object(au, offset); simple_file_attr(au); break; @@ -474,6 +583,7 @@ D.thing.what = NORM_WHAT_FILE; // this gets overridden if (strcmp(syscall, "fchown") == 0) offset = -1; + collect_own_obj2(au, syscall); set_file_object(au, offset); // FIXME: fchown has no cwd simple_file_attr(au); break; 
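Review bot: `collect_perm_obj2`, `collect_own_obj2` and `collect_id_obj2` store the located field as `set_record(0, 0)`, i.e. a hard-coded record 0, whereas the NORM_MAC_CONFIG case added later in this diff uses `set_record(0, auparse_get_record_num(au))` for the same purpose; `normalize_compound` shows compound events whose first record is an AVC, NETFILTER_CFG or FANOTIFY record rather than the syscall record, so if `auparse_find_field` can advance past the first record the stored record number is wrong for those events. Using `auparse_get_record_num(au)` in all three helpers keeps `D.thing.two` tied to the record the cursor actually stopped on. In `collect_id_obj2`, `const char *str = auparse_interpret_field(au);` goes straight into `strcmp`; if that call can return NULL for a field without an interpretation a NULL check is needed first, and `unsigned int limit, cnt = 1;;` has the same stray semicolon this diff removes from `normalize_syscall`. The hunk begins at `collect_perm_obj2` and `collect_path_attrs` continues past its end.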
@@ -481,7 +591,7 @@ act = "loaded-kernel-module"; D.thing.what = NORM_WHAT_FILE; auparse_goto_record_num(au, 1); - set_prime_object(au, "name", 1); + set_prime_object(au, "name", 1);// FIXME:is this needed? break; case NORM_FILE_UNLDMOD: act = "unloaded-kernel-module"; @@ -497,13 +607,20 @@ break; case NORM_FILE_MOUNT: act = "mounted"; - D.thing.what = NORM_WHAT_FILESYSTEM; // this gets overridden - set_file_object(au, 1); // The device is one after - simple_file_attr(au); + // this gets overridden + D.thing.what = NORM_WHAT_FILESYSTEM; + if (syscall_success == 1) + set_prime_object2(au, "name", 0); + //The device is 1 after on success 0 on fail + set_file_object(au, syscall_success); + // We call this directly to make sure the right + // PATH record is used. (There can be 4.) + collect_path_attrs(au); break; case NORM_FILE_RENAME: act = "renamed"; D.thing.what = NORM_WHAT_FILE; // this gets overridden + set_prime_object2(au, "name", 4); set_file_object(au, 2); // Thing renamed is 2 after simple_file_attr(au); break; @@ -522,9 +639,9 @@ case NORM_FILE_LNK: act = "symlinked"; D.thing.what = NORM_WHAT_FILE; // this gets overridden - set_file_object(au, 0); + set_prime_object2(au, "name", 0); + set_file_object(au, 2); simple_file_attr(au); - // FIXME: what do we do with the link? break; case NORM_FILE_UMNT: act = "unmounted"; 
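Review bot: `set_file_object(au, syscall_success);` in the NORM_FILE_MOUNT case passes a tri-state flag as a record offset: `syscall_success` starts at -1 and only becomes 0 or 1 in `normalize_compound` (later in this diff) when a `success` field is present, so a mount event without that field calls `set_file_object(au, -1)`, which is the offset this function otherwise reserves for `fchmod`/`fchown` and which the comment `The device is 1 after on success 0 on fail` does not cover. Normalizing before use, `set_file_object(au, syscall_success == 1 ? 1 : 0);`, or documenting what -1 selects, removes the ambiguity. The `normalize_compound` hunk also treats every value other than `"no"` as success (`else syscall_success = 1`), so a malformed `success` field is classified as a successful mount; matching `"yes"` explicitly and leaving -1 otherwise would fail closed. The rename and symlink cases call `set_prime_object2(au, "name", 4)` and `set_prime_object2(au, "name", 0)` with fixed offsets and discard the return value, so an absent PATH record leaves the object silently unset.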
@@ -592,6 +709,33 @@ } D.thing.what = NORM_WHAT_PROCESS; break; + case NORM_MAC_LOAD: + act = normalize_record_map_i2s(ttype); + // FIXME: What is the object? + D.thing.what = NORM_WHAT_MAC_CONFIG; + break; + case NORM_MAC_CONFIG: + act = normalize_record_map_i2s(ttype); + f = auparse_find_field(au, "bool"); + if (f) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + D.thing.what = NORM_WHAT_MAC_CONFIG; + break; + case NORM_MAC_ENFORCE: + act = normalize_record_map_i2s(ttype); + f = auparse_find_field(au, "enforcing"); + if (f) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + D.thing.what = NORM_WHAT_MAC_CONFIG; + break; case NORM_MAC_ERR: // FIXME: What could the object be? act = "caused-mac-policy-error"; @@ -635,9 +779,10 @@ D.thing.what = NORM_WHAT_PROCESS; set_program_obj(au); if (D.how) { - free(D.how); + free((void *)D.how); D.how = strdup(syscall); } + collect_id_obj2(au, syscall); break; case NORM_SYSTEM_TIME: act = "changed-system-time"; @@ -661,7 +806,19 @@ break; case NORM_SYSTEM_MEMORY: act = "allocated-memory"; - // TODO: The object is implied + if (syscall_success == 1) { + // If its not a mmap avc, we can use comm + act = "allocated-memory-in"; + auparse_first_record(au); + f = auparse_find_field(au, "comm"); + if (f) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = + set_field(D.thing.primary, + auparse_get_field_num(au)); + } + } D.thing.what = NORM_WHAT_MEMORY; break; case NORM_SCHEDULER: @@ -669,13 +826,13 @@ D.thing.what = NORM_WHAT_PROCESS; set_program_obj(au); if (D.how) { - free(D.how); + free((void *)D.how); D.how = strdup(syscall); } break; default: { - char *k; + const char *k; rc = auparse_first_record(au); k = auparse_find_field(au, "key"); if (k && strcmp(k, "(null)")) { 
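Review bot: the new NORM_MAC_CONFIG and NORM_MAC_ENFORCE cases call `auparse_find_field(au, "bool")` / `auparse_find_field(au, "enforcing")` from wherever the cursor currently is, while the NORM_SYSTEM_MEMORY case in the same group does `auparse_first_record(au)` first; if the record scan at the top of `normalize_syscall`, or code between it and the switch (outside this hunk), has moved past the MAC record, the lookup misses and the object stays unset. Adding `auparse_first_record(au);` before each find makes the three cases consistent. The `D.thing.primary = set_record(0, auparse_get_record_num(au)); D.thing.primary = set_field(D.thing.primary, auparse_get_field_num(au));` sequence is now repeated in NORM_MAC_CONFIG, NORM_MAC_ENFORCE, NORM_SYSTEM_MEMORY and the `collect_*_obj2` helpers; a small static helper taking a `value_t *` would remove the duplication and the chance of the two lines drifting apart.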
@@ -694,7 +851,9 @@ // We put the AVC back after gathering the object information if (tmp_objkind == NORM_MAC) - act = "violated-mac-policy"; + act = "accessed-mac-policy-controlled-object"; + else if (tmp_objkind == NORM_AV) + act = "accessed-policy-controlled-file"; if (act) D.action = strdup(act); @@ -708,7 +867,8 @@ switch (type) { - case AUDIT_USER_AUTH ... AUDIT_USER_END: + case AUDIT_USER_AUTH ... AUDIT_USER_ACCT: + case AUDIT_CRED_ACQ ... AUDIT_USER_END: case AUDIT_USER_CHAUTHTOK ... AUDIT_CRED_REFR: case AUDIT_USER_LOGIN ... AUDIT_USER_LOGOUT: case AUDIT_LOGIN: @@ -718,6 +878,7 @@ case AUDIT_CHGRP_ID: kind = NORM_EVTYPE_GROUP_CHANGE; break; + case AUDIT_USER_MGMT: case AUDIT_ADD_USER ...AUDIT_DEL_GROUP: case AUDIT_GRP_MGMT ... AUDIT_GRP_CHAUTHTOK: case AUDIT_ACCT_LOCK ... AUDIT_ACCT_UNLOCK: @@ -731,6 +892,7 @@ case AUDIT_CONFIG_CHANGE: case AUDIT_NETFILTER_CFG: case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE: + case AUDIT_USER_DEVICE: kind = NORM_EVTYPE_CONFIG; break; case AUDIT_SECCOMP: @@ -786,6 +948,9 @@ case AUDIT_BPRM_FCAPS ... AUDIT_NETFILTER_PKT: kind = NORM_EVTYPE_AUDIT_RULE; break; + case AUDIT_FANOTIFY: + kind = NORM_EVTYPE_AV_DECISION; + break; default: kind = NORM_EVTYPE_UNKNOWN; } 
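Review bot: `act = "accessed-mac-policy-controlled-object";` replaces the `violated-mac-policy` string that consumers of the normalized action may already match on, and the `normalize_record_map.h` hunk later in this diff renames the AVC, SECCOMP and MAC_STATUS actions the same way; these strings are the library's normalized vocabulary, so the rename is an observable output change for any SIEM rule or report keyed on the old names. A comment in the record map noting the former names, or a changelog entry, would let downstream rule authors update instead of silently losing matches. The new `else if (tmp_objkind == NORM_AV) act = "accessed-policy-controlled-file";` hard-codes the same text as the `_S(AUDIT_FANOTIFY, ...)` table row, as the AVC branch does for `_S(AUDIT_AVC, ...)`; `act = normalize_record_map_i2s(AUDIT_FANOTIFY);` keeps the two from drifting.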
@@ -796,19 +961,19 @@ static int normalize_compound(auparse_state_t *au) { const char *f, *syscall = NULL; - int rc, recno, saved = 0, otype, type; + int rc, recno, otype, type; otype = type = auparse_get_type(au); // All compound events have a syscall record // Some start with a record type and follow with a syscall if (type == AUDIT_NETFILTER_CFG || type == AUDIT_ANOM_PROMISCUOUS || - type == AUDIT_AVC || type == AUDIT_SELINUX_ERR) { + type == AUDIT_AVC || type == AUDIT_SELINUX_ERR || + type == AUDIT_MAC_POLICY_LOAD || type == AUDIT_MAC_STATUS || + type == AUDIT_MAC_CONFIG_CHANGE || type == AUDIT_FANOTIFY) { auparse_next_record(au); type = auparse_get_type(au); } else if (type == AUDIT_ANOM_LINK) { - // Save the action before moving to syscall - saved = type; auparse_next_record(au); auparse_next_record(au); type = auparse_get_type(au); @@ -829,13 +994,19 @@ // Results f = auparse_find_field(au, "success"); if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "no") == 0) + syscall_success = 0; + else + syscall_success = 1; + D.results = set_record(0, recno); D.results = set_field(D.results, auparse_get_field_num(au)); } else { rc = auparse_goto_record_num(au, recno); if (rc != 1) { - free(syscall); + free((void *)syscall); return 1; } auparse_first_field(au); @@ -845,7 +1016,7 @@ if (set_prime_subject(au, "auid", recno)) { rc = auparse_goto_record_num(au, recno); if (rc != 1) { - free(syscall); + free((void *)syscall); return 1; } auparse_first_field(au); @@ -855,7 +1026,7 @@ if (set_secondary_subject(au, "uid", recno)) { rc = auparse_goto_record_num(au, recno); if (rc != 1) { - free(syscall); + free((void *)syscall); return 1; } auparse_first_field(au); @@ -883,7 +1054,7 @@ auparse_first_record(au); f = auparse_find_field(au, "comm"); if (f) { - free(D.how); + free((void *)D.how); exe = auparse_interpret_field(au); D.how = strdup(exe); } 
@@ -891,7 +1062,7 @@ } else { rc = auparse_goto_record_num(au, recno); if (rc != 1) { - free(syscall); + free((void *)syscall); return 1; } auparse_first_field(au); @@ -910,16 +1081,16 @@ // below uses fields. // action & object - if (saved) { - const char *act = normalize_record_map_i2s(saved); + if (otype == AUDIT_ANOM_LINK) { + const char *act = normalize_record_map_i2s(otype); if (act) D.action = strdup(act); // FIXME: AUDIT_ANOM_LINK needs an object } else - normalize_syscall(au, syscall, type); + normalize_syscall(au, syscall); } - free(syscall); + free((void *)syscall); return 0; } @@ -946,6 +1117,9 @@ break; case AUDIT_ROLE_ASSIGN: case AUDIT_ROLE_REMOVE: + case AUDIT_USER_MGMT: + case AUDIT_ACCT_LOCK: + case AUDIT_ACCT_UNLOCK: case AUDIT_ADD_USER: case AUDIT_DEL_USER: case AUDIT_ADD_GROUP: @@ -968,7 +1142,6 @@ break; case AUDIT_USER_AUTH: case AUDIT_USER_ACCT: - case AUDIT_USER_MGMT: case AUDIT_CRED_ACQ: case AUDIT_CRED_REFR: case AUDIT_CRED_DISP: @@ -986,6 +1159,17 @@ f = auparse_find_field(au, "cmd"); D.thing.what = NORM_WHAT_PROCESS; break; + case AUDIT_USER_TTY: + case AUDIT_TTY: + auparse_first_record(au); + f = auparse_find_field(au, "data"); + D.thing.what = NORM_WHAT_KEYSTROKES; + break; + case AUDIT_USER_DEVICE: + auparse_first_record(au); + f = auparse_find_field(au, "device"); + D.thing.what = NORM_WHAT_KEYSTROKES; + break; case AUDIT_VIRT_MACHINE_ID: f = auparse_find_field(au, "vm"); D.thing.what = NORM_WHAT_VM; @@ -1045,7 +1229,7 @@ case AUDIT_USYS_CONFIG: f = auparse_find_field(au, "op"); if (f) { - free(D.action); + free((void *)D.action); D.action = strdup(auparse_interpret_field(au)); f = NULL; } 
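Review bot: the new `case AUDIT_USER_DEVICE:` sets `D.thing.what = NORM_WHAT_KEYSTROKES;` after looking up the `device` field, which reads as a copy of the AUDIT_TTY case directly above it; this diff adds `NORM_WHAT_DEVICE` to `normalize-internal.h` and maps it to `"device"` in `normalize_obj_kind_map.h`, and nothing else uses it, so the intended line is almost certainly `D.thing.what = NORM_WHAT_DEVICE;`. As written, the object kind reported to callers for a device-configuration event is "keystrokes". The enclosing switch and function begin outside this hunk.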
@@ -1082,15 +1266,34 @@ auparse_first_field(au); switch (type) { + case AUDIT_CRYPTO_SESSION: + f = auparse_find_field(au, "rport"); + break; + default: + break; + } + if (f) { + o = set_record(0, 0); + o = set_field(o, auparse_get_field_num(au)); + } + return o; +} + +static value_t find_simple_obj_primary2(auparse_state_t *au, int type) +{ + value_t o = set_record(0, UNSET); + const char *f = NULL; + + // FIXME: maybe pass flag indicating if this is needed + auparse_first_field(au); + switch (type) + { case AUDIT_VIRT_CONTROL: f = auparse_find_field(au, "vm"); break; case AUDIT_VIRT_RESOURCE: f = auparse_find_field(au, "vm"); break; - case AUDIT_CRYPTO_SESSION: - f = auparse_find_field(au, "rport"); - break; default: break; } @@ -1107,7 +1310,6 @@ return; auparse_first_record(au); - auparse_first_field(au); add_subj_attr(au, "pid", 0); // Just pass 0 since simple is 1 record add_subj_attr(au, "subj", 0); } @@ -1129,7 +1331,7 @@ static int normalize_simple(auparse_state_t *au) { - const char *f, *act; + const char *f, *act = NULL; int type = auparse_get_type(au); // netfilter_cfg sometimes emits 1 record events @@ -1223,6 +1425,15 @@ if (set_prime_object(au, "syscall", 0)) auparse_first_record(au); D.thing.what = NORM_WHAT_PROCESS; + + // Results + f = auparse_find_field(au, "code"); + if (f) { + D.results = set_record(0, 0); + D.results = set_field(D.results, + auparse_get_field_num(au)); + } + return 0; } if (type == AUDIT_ANOM_ABEND) { @@ -1250,7 +1461,7 @@ return 0; } - // This one is atypical + // This one is atypical and originates from the kernel if (type == AUDIT_LOGIN) { // Secondary if (set_secondary_subject(au, "uid", 0)) @@ -1284,6 +1495,7 @@ return 0; } + /* This one is also atypical and comes from the kernel */ if (type == AUDIT_AVC) { // how f = auparse_find_field(au, "comm"); 
@@ -1314,6 +1526,7 @@ return 0; } + /* Daemon events are atypical because they never transit the kernel */ if (type >= AUDIT_FIRST_DAEMON && type < AUDIT_LAST_DAEMON) { // Subject - primary @@ -1376,13 +1589,28 @@ set_results(au, 0); // action - act = normalize_record_map_i2s(type); + if (type == AUDIT_USER_DEVICE) { + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) + act = f; + } + if (act == NULL) + act = normalize_record_map_i2s(type); if (act) D.action = strdup(act); // object D.thing.primary = find_simple_object(au, type); D.thing.secondary = find_simple_obj_secondary(au, type); + D.thing.two = find_simple_obj_primary2(au, type); + + // object attrs - rare on simple events + if (D.opt == NORM_OPT_ALL) { + if (type == AUDIT_USER_DEVICE) { + add_obj_attr(au, "uuid", 0); + } + } // how if (type == AUDIT_SYSTEM_BOOT) { @@ -1401,6 +1629,14 @@ } return 0; } + if (type == AUDIT_TTY) { + f = auparse_find_field(au, "comm"); + if (f) { + const char *comm = auparse_interpret_field(au); + D.how = strdup(comm); + } + return 0; + } f = auparse_find_field(au, "exe"); if (f) { const char *exe = auparse_interpret_field(au); @@ -1417,7 +1653,7 @@ auparse_first_record(au); f = auparse_find_field(au, "comm"); if (f) { - free(D.how); + free((void *)D.how); exe = auparse_interpret_field(au); D.how = strdup(exe); } @@ -1550,6 +1786,11 @@ return seek_field(au, D.thing.secondary); } +int auparse_normalize_object_primary2(auparse_state_t *au) +{ + return seek_field(au, D.thing.two); +} + // Returns: -1 = error, 0 uninitialized, 1 == success int auparse_normalize_object_first_attribute(auparse_state_t *au) { diff -Nru audit-2.7.7/auparse/normalize_evtypetab.h audit-2.8.2/auparse/normalize_evtypetab.h --- audit-2.7.7/auparse/normalize_evtypetab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize_evtypetab.h 2017-12-14 16:46:49.000000000 +0000 
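Review bot: for AUDIT_USER_DEVICE the action is taken verbatim from the record (`act = f;` where `f` is the raw `op` field value), whereas every other action comes from the fixed `normalize_record_map.h` table and the comparable AUDIT_USYS_CONFIG case earlier in this diff uses `auparse_interpret_field(au)`; a USER_DEVICE record is a userspace-submitted message, so this turns the normalized action into a free-form, uninterpreted string chosen by the sender rather than a closed vocabulary. Using the interpreted value for consistency, or mapping the known `op` values to fixed action names, keeps action-matching consumers predictable; if free-form is intended, say so at the `// action` comment. The AUDIT_TTY branch does `D.how = strdup(comm);` without the `free((void *)D.how);` that the later `comm` path performs before its strdup, so if `D.how` can already be set at that point the previous value leaks. `auparse_normalize_object_primary2` is a new exported entry point; its `auparse.h` prototype and symbol-map entry are not in this chunk and should be confirmed.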
@@ -40,4 +40,5 @@ _S(NORM_EVTYPE_AUDIT_RULE, "audit-rule" ) _S(NORM_EVTYPE_DAC_DECISION, "dac-decision" ) _S(NORM_EVTYPE_GROUP_CHANGE, "group-change" ) +_S(NORM_EVTYPE_AV_DECISION, "av-decision" ) diff -Nru audit-2.7.7/auparse/normalize-internal.h audit-2.8.2/auparse/normalize-internal.h --- audit-2.7.7/auparse/normalize-internal.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize-internal.h 2017-12-14 16:46:49.000000000 +0000 @@ -25,7 +25,7 @@ #define NORMALIZE_INTERNAL #define NORM_ACCT_PRIV 0 -#define NORM_ACCT_UNSET 4294967295 +#define NORM_ACCT_UNSET 4294967295U #define NORM_ACCT_MAX_SYS 1000 #define NORM_ACCT_MAX_USER 60000 @@ -56,17 +56,21 @@ #define NORM_SOCKET_SEND 20 #define NORM_PID 21 #define NORM_MAC 22 -#define NORM_MAC_ERR 23 -#define NORM_IPTABLES 24 -#define NORM_PROMISCUOUS 25 -#define NORM_UID 26 -#define NORM_GID 27 -#define NORM_SYSTEM_TIME 28 -#define NORM_MAKE_DEV 29 -#define NORM_SYSTEM_NAME 30 -#define NORM_FILE_SYS_STAT 31 -#define NORM_SYSTEM_MEMORY 32 -#define NORM_SCHEDULER 33 +#define NORM_MAC_LOAD 23 +#define NORM_MAC_CONFIG 24 +#define NORM_MAC_ENFORCE 25 +#define NORM_MAC_ERR 26 +#define NORM_IPTABLES 27 +#define NORM_PROMISCUOUS 28 +#define NORM_UID 29 +#define NORM_GID 30 +#define NORM_SYSTEM_TIME 31 +#define NORM_MAKE_DEV 32 +#define NORM_SYSTEM_NAME 33 +#define NORM_FILE_SYS_STAT 34 +#define NORM_SYSTEM_MEMORY 35 +#define NORM_SCHEDULER 36 +#define NORM_AV 37 // This enum is used to map what the system objects are #define NORM_WHAT_UNKNOWN 0 @@ -90,6 +94,8 @@ #define NORM_WHAT_MAC_CONFIG 18 #define NORM_WHAT_FILESYSTEM 19 #define NORM_WHAT_MEMORY 20 +#define NORM_WHAT_KEYSTROKES 21 +#define NORM_WHAT_DEVICE 22 // This enum is used to map events to what kind they are #define NORM_EVTYPE_UNKNOWN 0 
@@ -110,5 +116,6 @@ #define NORM_EVTYPE_AUDIT_RULE 15 #define NORM_EVTYPE_DAC_DECISION 16 #define NORM_EVTYPE_GROUP_CHANGE 17 +#define NORM_EVTYPE_AV_DECISION 18 #endif diff -Nru audit-2.7.7/auparse/normalize_obj_kind_map.h audit-2.8.2/auparse/normalize_obj_kind_map.h --- audit-2.7.7/auparse/normalize_obj_kind_map.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize_obj_kind_map.h 2017-12-14 16:46:49.000000000 +0000 @@ -43,4 +43,6 @@ _S(NORM_WHAT_AUDIT_CONFIG, "audit-config") _S(NORM_WHAT_MAC_CONFIG, "mac-config") _S(NORM_WHAT_MEMORY, "memory") +_S(NORM_WHAT_KEYSTROKES, "keystrokes") +_S(NORM_WHAT_DEVICE, "device") //_S(, "") diff -Nru audit-2.7.7/auparse/normalize_record_map.h audit-2.8.2/auparse/normalize_record_map.h --- audit-2.7.7/auparse/normalize_record_map.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize_record_map.h 2017-12-14 16:46:49.000000000 +0000 @@ -21,7 +21,7 @@ * Steve Grubb */ -#include +#include "libaudit.h" _S(AUDIT_USER, "sent-message") _S(AUDIT_LOGIN, "changed-login-id-to") @@ -62,6 +62,7 @@ _S(AUDIT_MAC_CHECK, "mac-permission") _S(AUDIT_ACCT_LOCK, "locked-account") _S(AUDIT_ACCT_UNLOCK, "unlocked-account") +_S(AUDIT_USER_DEVICE, "configured-device") _S(AUDIT_DAEMON_START, "started-audit") _S(AUDIT_DAEMON_END, "shutdown-audit") _S(AUDIT_DAEMON_ABORT, "aborted-auditd-startup") 
@@ -74,15 +75,17 @@ _S(AUDIT_DAEMON_ERR, "audit-error") _S(AUDIT_CONFIG_CHANGE, "changed-audit-configuration") //_S(AUDIT_KERNEL_OTHER,"") +_S(AUDIT_TTY, "typed") //_S(AUDIT_NETFILTER_PKT,"") //_S(AUDIT_NETFILTER_CFG,"") -_S(AUDIT_SECCOMP, "violated-seccomp-policy") +_S(AUDIT_SECCOMP, "called-seccomp-controlled-syscall") _S(AUDIT_FEATURE_CHANGE, "changed-audit-feature") //_S(AUDIT_REPLACE,"") _S(AUDIT_KERN_MODULE, "loaded-kernel-module") -_S(AUDIT_AVC, "violated-selinux-policy") +_S(AUDIT_FANOTIFY, "accessed-policy-controlled-file") +_S(AUDIT_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_MAC_POLICY_LOAD, "loaded-selinux-policy") -_S(AUDIT_MAC_STATUS, "changed-selinux-enforcement") +_S(AUDIT_MAC_STATUS, "changed-selinux-enforcement-to") _S(AUDIT_MAC_CONFIG_CHANGE, "changed-selinux-boolean") _S(AUDIT_ANOM_ABEND, "crashed-program") _S(AUDIT_ANOM_LINK, "used-suspcious-link") diff -Nru audit-2.7.7/auparse/normalize_syscall_map.h audit-2.8.2/auparse/normalize_syscall_map.h --- audit-2.7.7/auparse/normalize_syscall_map.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/normalize_syscall_map.h 2017-12-14 16:46:49.000000000 +0000 @@ -64,13 +64,13 @@ _S(NORM_FILE_DEL, "rmdir") _S(NORM_FILE_LNK, "symlink") _S(NORM_FILE_LNK, "symlinkat") +_S(NORM_FILE_UMNT, "umount") _S(NORM_FILE_UMNT, "umount2") _S(NORM_FILE_DEL, "unlink") _S(NORM_FILE_DEL, "unlinkat") _S(NORM_FILE_TIME, "utime") _S(NORM_FILE_TIME, "utimes") _S(NORM_FILE_TIME, "futimesat") -_S(NORM_FILE_TIME, "futimens") _S(NORM_FILE_TIME, "utimensat") _S(NORM_EXEC, "execve") _S(NORM_EXEC, "execveat") diff -Nru audit-2.7.7/auparse/nvlist.c audit-2.8.2/auparse/nvlist.c --- audit-2.7.7/auparse/nvlist.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/nvlist.c 2017-12-14 16:46:49.000000000 +0000 
@@ -95,7 +95,7 @@ } } -nvnode *nvlist_goto_rec(nvlist *l, int i) +nvnode *nvlist_goto_rec(nvlist *l, unsigned int i) { register nvnode* node; diff -Nru audit-2.7.7/auparse/nvlist.h audit-2.8.2/auparse/nvlist.h --- audit-2.7.7/auparse/nvlist.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/nvlist.h 2017-12-14 16:46:49.000000000 +0000 @@ -49,7 +49,7 @@ void nvlist_interp_fixup(nvlist *l); /* Given a numeric index, find that record. */ -nvnode *nvlist_goto_rec(nvlist *l, int i); +nvnode *nvlist_goto_rec(nvlist *l, unsigned int i); /* Given a name, find that record */ int nvlist_find_name(nvlist *l, const char *name); diff -Nru audit-2.7.7/auparse/open-flagtab.h audit-2.8.2/auparse/open-flagtab.h --- audit-2.7.7/auparse/open-flagtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/open-flagtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -19,7 +19,6 @@ * Authors: * Steve Grubb * Location: include/uapi/asm-generic/fcntl.h - * NOTE: When updating this table, update interpret.c:print_open_flags() */ // Handled in the code: _S(00, "O_RDONLY" ) diff -Nru audit-2.7.7/auparse/pktoptnametab.h audit-2.8.2/auparse/pktoptnametab.h --- audit-2.7.7/auparse/pktoptnametab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/pktoptnametab.h 2017-12-14 16:46:49.000000000 +0000 @@ -40,4 +40,5 @@ _S(18, "PACKET_FANOUT") _S(19, "PACKET_TX_HAS_OFF") _S(20, "PACKET_QDISC_BYPASS") - +_S(21, "PACKET_ROLLOVER_STATS") +_S(22, "PACKET_FANOUT_DATA") diff -Nru audit-2.7.7/auparse/ptracetab.h audit-2.8.2/auparse/ptracetab.h --- audit-2.7.7/auparse/ptracetab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/ptracetab.h 2017-12-14 16:46:49.000000000 +0000 @@ -19,6 +19,7 @@ * Authors: * Steve Grubb * Location: include/uapi/linux/ptrace.h + * ./arch/x86/include/uapi/asm/ptrace-abi.h */ _S(0, "PTRACE_TRACEME" ) 
@@ -40,6 +41,12 @@ _S(18, "PTRACE_GETFPXREGS" ) _S(19, "PTRACE_SETFPXREGS" ) _S(24, "PTRACE_SYSCALL" ) +_S(25, "PTRACE_GET_THREAD_AREA") +_S(26, "PTRACE_SET_THREAD_AREA") +_S(30, "PTRACE_ARCH_PRCTL" ) +_S(31, "PTRACE_SYSEMU" ) +_S(32, "PTRACE_SYSEMU_SINGLESTEP") +_S(33, "PTRACE_SINGLEBLOCK" ) _S(0x4200, "PTRACE_SETOPTIONS" ) _S(0x4201, "PTRACE_GETEVENTMSG" ) _S(0x4202, "PTRACE_GETSIGINFO" ) diff -Nru audit-2.7.7/auparse/recvtab.h audit-2.8.2/auparse/recvtab.h --- audit-2.7.7/auparse/recvtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/recvtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -19,7 +19,6 @@ * Authors: * Steve Grubb * Location: include/linux/socket.h - * NOTE: If any update are made, update buffer size in interpret.c:print_recv() */ _S(0x00000001, "MSG_OOB") @@ -40,6 +39,7 @@ _S(0x00008000, "MSG_MORE") _S(0x00010000, "MSG_WAITFORONE") _S(0x00020000, "MSG_SENDPAGE_NOTLAST") +_S(0x00040000, "MSG_BATCH") _S(0x20000000, "MSG_FASTOPEN") _S(0x40000000, "MSG_CMSG_CLOEXEC") _S(0x80000000, "MSG_CMSG_COMPAT") diff -Nru audit-2.7.7/auparse/rnode.h audit-2.8.2/auparse/rnode.h --- audit-2.7.7/auparse/rnode.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/rnode.h 2017-12-14 16:46:49.000000000 +0000 @@ -1,6 +1,6 @@ /* rnode.h -- - * Copyright 2007,2016 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -25,7 +25,7 @@ #define RNODE_HEADER /* This is the node of the linked list. Any data elements that are - * per item goes here. */ + * per field goes here. */ typedef struct _nvnode{ char *name; // The name string char *val; // The value field 
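Review bot: the new rows `_S(25, "PTRACE_GET_THREAD_AREA")` through `_S(33, "PTRACE_SINGLEBLOCK")` come from `arch/x86/include/uapi/asm/ptrace-abi.h`, as the added Location line states, but the table is keyed by request number alone; other architectures reuse some of these numbers for different requests, so a ptrace record from a non-x86 machine would be reported with x86 names. Each record carries its machine type (`int machine` in `rnode`, visible in this diff), so the lookup could be restricted to x86 machine types, or at minimum the rows could carry `/* x86-only numbering; other architectures assign these values differently */` so readers of the interpreted output are not misled.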
@@ -34,8 +34,7 @@ struct _nvnode* next; // Next nvpair node pointer } nvnode; -/* This is the linked list head. Only data elements that are 1 per - * event goes here. */ +/* This is the field linked list head. */ typedef struct { nvnode *head; // List head nvnode *cur; // Pointer to current node @@ -43,11 +42,12 @@ } nvlist; -/* This is the node of the linked list. Any data elements that are per - * item goes here. */ +/* This is the node of the linked list. Only data elements that are per + * record goes here. */ typedef struct _rnode{ char *record; // The whole unparsed record char *interp; // The interpretations that go with record + const char *cwd; // This is pass thru for ellist int type; // record type (KERNEL, USER, LOGIN, etc) int machine; // The machine type for the event int syscall; // The syscall for the event diff -Nru audit-2.7.7/auparse/seccomptab.h audit-2.8.2/auparse/seccomptab.h --- audit-2.7.7/auparse/seccomptab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/seccomptab.h 2017-12-14 16:46:49.000000000 +0000 @@ -26,5 +26,6 @@ _S(0x00030000U, "trap" ) _S(0x00050000U, "errno" ) _S(0x7ff00000U, "trace" ) +_S(0x7ffc0000U, "log" ) _S(0x7fff0000U, "allow" ) diff -Nru audit-2.7.7/auparse/shm_modetab.h audit-2.8.2/auparse/shm_modetab.h --- audit-2.7.7/auparse/shm_modetab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/shm_modetab.h 2017-12-14 16:46:49.000000000 +0000 @@ -19,11 +19,13 @@ * Authors: * Steve Grubb * Location: include/linux/shm.h + * include/uapi/linux/shm.h */ _S(00001000, "SHM_DEST" ) _S(00002000, "SHM_LOCKED" ) + _S(00004000, "SHM_HUGETLB" ) _S(00010000, "SHM_NORESERVE" ) diff -Nru audit-2.7.7/auparse/sockleveltab.h audit-2.8.2/auparse/sockleveltab.h --- audit-2.7.7/auparse/sockleveltab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/sockleveltab.h 2017-12-14 16:46:49.000000000 +0000 
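Review bot: `const char *cwd; // This is pass thru for ellist` adds a pointer to `rnode` without saying what it points into or who owns it; the node owns `record` and `interp` as `char *`, so a `const char *` here reads as a borrowed reference, and if it aliases a field of another record (presumably the CWD record's value) it dangles once that record is freed. A comment stating the contract, e.g. `// Borrowed: points into another record's data, never freed here; valid only while the event's record list is intact`, or the same note on whichever `ellist` function assigns it, would prevent a use-after-free when nodes are released out of order.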
@@ -54,3 +54,5 @@ _S(278, "SOL_CAIF") _S(279, "SOL_ALG") _S(280, "SOL_NFC") +_S(281, "SOL_KCM") +_S(282, "SOL_TLS") diff -Nru audit-2.7.7/auparse/sockoptnametab.h audit-2.8.2/auparse/sockoptnametab.h --- audit-2.7.7/auparse/sockoptnametab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/sockoptnametab.h 2017-12-14 16:46:49.000000000 +0000 @@ -74,6 +74,14 @@ _S(50, "SO_ATTACH_BPF") _S(51, "SO_ATTACH_REUSEPORT_CBPF") _S(52, "SO_ATTACH_REUSEPORT_EBPF") +_S(53, "SO_CNX_ADVICE") +_S(54, "SCM_TIMESTAMPING_OPT_STATS") +_S(55, "SO_MEMINFO") +_S(56, "SO_INCOMING_NAPI_ID") +_S(57, "SO_COOKIE") +_S(58, "SCM_TIMESTAMPING_PKTINFO") +_S(59, "SO_PEERGROUPS") +_S(60, "SO_ZEROCOPY") // PPC has these different _S(116, "SO_RCVLOWAT") diff -Nru audit-2.7.7/auparse/tcpoptnametab.h audit-2.8.2/auparse/tcpoptnametab.h --- audit-2.7.7/auparse/tcpoptnametab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/tcpoptnametab.h 2017-12-14 16:46:49.000000000 +0000 @@ -46,4 +46,10 @@ _S(23, "TCP_FASTOPEN") _S(24, "TCP_TIMESTAMP") _S(25, "TCP_NOTSENT_LOWAT") - +_S(26, "TCP_CC_INFO") +_S(27, "TCP_SAVE_SYN") +_S(28, "TCP_SAVED_SYN") +_S(29, "TCP_REPAIR_WINDOW") +_S(30, "TCP_FASTOPEN_CONNECT") +_S(31, "TCP_ULP") +_S(32, "TCP_MD5SIG_EXT") diff -Nru audit-2.7.7/auparse/test/auparse_test.c audit-2.8.2/auparse/test/auparse_test.c --- audit-2.7.7/auparse/test/auparse_test.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/auparse/test/auparse_test.c 2017-12-14 16:46:49.000000000 +0000 @@ -4,8 +4,8 @@ #include #include #include -#include -#include +#include "libaudit.h" +#include "auparse.h" static const char *buf[] = { diff -Nru audit-2.7.7/auparse/test/lookup_test.c audit-2.8.2/auparse/test/lookup_test.c --- audit-2.7.7/auparse/test/lookup_test.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-2.8.2/auparse/test/lookup_test.c 2017-12-14 16:46:49.000000000 +0000 
@@ -0,0 +1,600 @@
+/* lookup_test.c -- A test of table lookups.
+ * Copyright 2017 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb
+ * Miloslav Trmač
+ */
+
+#include "config.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include "gen_tables.h"
+
+// To see if new tests are needed:
+// $ grep 'i2s(int v)' ../*.h | wc -l
+// 30
+// only headers with i2s can be tested.
+
+
+/* Number of lookups of random strings */
+#define RAND_ITERATIONS 1000
+
+/* Maximum size of randomly generated strings, including the terminating NUL. */
+#define S_LEN 8
+
+struct entry {
+ int val;
+ const char *s;
+};
+#define _S(V, S) { (V), (S) },
+
+/* Generate a random string into DEST[S_LEN]. */
+static void
+gen_id(char *dest)
+{
+ size_t i, len;
+
+ assert(S_LEN >= 2);
+ len = 1 + rand() % (S_LEN - 1);
+ assert('A' == 0x41 && 'a' == 0x61); /* ASCII */
+ for (i = 0; i < len; i++) {
+ /* Don't start with a digit, audit_name_to_msg_type() interprets
+ those strings specially. */
+ do {
+ dest[i] = 0x21 + rand() % (0x7F - 0x21);
+ } while (i == 0 && dest[i] >= '0' && dest[i] <= '9');
+ }
+ dest[i] = '\0';
+}
+
+static int debug = 0;
+
+#define TEST_I2S(EXCL) \
+ do { \
+ size_t i; \
+ \
+ for (i = 0; i < sizeof(t) / sizeof(*t); i++) { \
+ const char *s; \
+ \
+ if (EXCL) \
+ continue; \
+ s = I2S(t[i].val); \
+ if (s == NULL) { \
+ fprintf(stderr, \
+ "%d -> `%s' not found\n", \
+ t[i].val, t[i].s); \
+ abort(); \
+ } \
+ if (strcmp(t[i].s, s) != 0) { \
+ fprintf(stderr, \
+ "%d -> `%s' mismatch `%s'\n", \
+ t[i].val, t[i].s, s); \
+ abort(); \
+ } \
+ if (debug) printf("%d=%s\n", t[i].val, t[i].s); \
+ } \
+ for (i = 0; i < RAND_ITERATIONS; i++) { \
+ int val; \
+ size_t j; \
+ val = rand(); \
+ for (j = 0; j < sizeof(t) / sizeof(*t); j++) { \
+ if (t[j].val == val) \
+ goto test_i2s_found; \
+ } \
+ assert(I2S(val) == NULL); \
+ test_i2s_found: \
+ ; \
+ } \
+ } while (0)
+
+#define TEST_S2I(ERR_VALUE) \
+ do { \
+ size_t i; \
+ char buf[S_LEN]; \
+ \
+ for (i = 0; i < sizeof(t) / sizeof(*t); i++) \
+ assert(S2I(t[i].s) == t[i].val); \
+ for (i = 0; i < RAND_ITERATIONS; i++) { \
+ /* Blindly assuming this will not generate a \
+ meaningful identifier. */ \
+ gen_id(buf); \
+ if (S2I(buf) != (ERR_VALUE)) { \
+ fprintf(stderr, \
+ "Unexpected match `%s'\n", \
+ buf); \
+ abort(); \
+ } \
+ } \
+ } while (0)
+
+#include "../captabs.h"
+static void
+test_captab(void)
+{
+ static const struct entry t[] = {
+#include "../captab.h"
+ };
+
+ printf("Testing captab...\n");
+#define I2S(I) cap_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../clocktabs.h"
+static void
+test_clocktab(void)
+{
+ static const struct entry t[] = {
+#include "../clocktab.h"
+ };
+
+ printf("Testing clocktab...\n");
+#define I2S(I) clock_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../epoll_ctls.h"
+static void
+test_epoll_ctl(void)
+{
+ static const struct entry t[] = {
+#include "../epoll_ctl.h"
+ };
+
+ printf("Testing epoll_ctl...\n");
+#define I2S(I) epoll_ctl_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../famtabs.h"
+static void
+test_famtab(void)
+{
+ static const struct entry t[] = {
+#include "../famtab.h"
+ };
+
+ printf("Testing famtab...\n");
+#define I2S(I) fam_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../fcntl-cmdtabs.h"
+static void
+test_fcntltab(void)
+{
+ static const struct entry t[] = {
+#include "../fcntl-cmdtab.h"
+ };
+
+ printf("Testing fcntltab...\n");
+#define I2S(I) fcntl_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../icmptypetabs.h"
+static void
+test_icmptypetab(void)
+{
+ static const struct entry t[] = {
+#include "../icmptypetab.h"
+ };
+
+ printf("Testing icmptypetab...\n");
+#define I2S(I) icmptype_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../inethooktabs.h"
+static void
+test_inethooktab(void)
+{
+ static const struct entry t[] = {
+#include "../inethooktab.h"
+ };
+
+ printf("Testing inethooktab...\n");
+#define I2S(I) inethook_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../ioctlreqtabs.h"
+static void
+test_ioctlreqtab(void)
+{
+ static const struct entry t[] = {
+#include "../ioctlreqtab.h"
+ };
+
+ printf("Testing ioctlreqtab...\n");
+#define I2S(I) ioctlreq_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../ip6optnametabs.h"
+static void
+test_ip6optnametab(void)
+{
+ static const struct entry t[] = {
+#include "../ip6optnametab.h"
+ };
+
+ printf("Testing ip6optnametab...\n");
+#define I2S(I) ip6optname_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../ipctabs.h"
+static void
+test_ipctab(void)
+{
+ static const struct entry t[] = {
+#include "../ipctab.h"
+ };
+
+ printf("Testing ipctab...\n");
+#define I2S(I) ipc_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../ipoptnametabs.h"
+static void
+test_ipoptnametab(void)
+{
+ static const struct entry t[] = {
+#include "../ipoptnametab.h"
+ };
+
+ printf("Testing ipoptnametab...\n");
+#define I2S(I) ipoptname_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../netactiontabs.h"
+static void
+test_netactiontab(void)
+{
+ static const struct entry t[] = {
+#include "../netactiontab.h"
+ };
+
+ printf("Testing netactiontab...\n");
+#define I2S(I) netaction_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../nfprototabs.h"
+static void
+test_nfprototab(void)
+{
+ static const struct entry t[] = {
+#include "../nfprototab.h"
+ };
+
+ printf("Testing nfprototab...\n");
+#define I2S(I) nfproto_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../normalize_evtypetabs.h"
+static void
+test_evtypetab(void)
+{
+ static const struct entry t[] = {
+#include "../normalize_evtypetab.h"
+ };
+
+ printf("Testing evtypetab...\n");
+#define I2S(I) evtype_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../normalize_obj_kind_maps.h"
+static void
+test_normalize_obj_kind_map(void)
+{
+ static const struct entry t[] = {
+#include "../normalize_obj_kind_map.h"
+ };
+
+ printf("Testing normalize_obj_kind_map...\n");
+#define I2S(I) normalize_obj_kind_map_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "libaudit.h"
+#include "../normalize_record_maps.h"
+static void
+test_normalize_record_map(void)
+{
+ static const struct entry t[] = {
+#include "../normalize_record_map.h"
+ };
+
+ printf("Testing normalize_record_map...\n");
+#define I2S(I) normalize_record_map_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../persontabs.h"
+static void
+test_persontab(void)
+{
+ static const struct entry t[] = {
+#include "../persontab.h"
+ };
+
+ printf("Testing persontab...\n");
+#define I2S(I) person_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../pktoptnametabs.h"
+static void
+test_pktoptnametab(void)
+{
+ static const struct entry t[] = {
+#include "../pktoptnametab.h"
+ };
+
+ printf("Testing pktoptnametab...\n");
+#define I2S(I) pktoptname_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../prctl_opttabs.h"
+static void
+test_prctl_opttab(void)
+{
+ static const struct entry t[] = {
+#include "../prctl-opt-tab.h"
+ };
+
+ printf("Testing prctl_opttab...\n");
+#define I2S(I) prctl_opt_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../ptracetabs.h"
+static void
+test_ptracetab(void)
+{
+ static const struct entry t[] = {
+#include "../ptracetab.h"
+ };
+
+ printf("Testing ptracetab...\n");
+#define I2S(I) ptrace_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../rlimittabs.h"
+static void
+test_rlimittab(void)
+{
+ static const struct entry t[] = {
+#include "../rlimittab.h"
+ };
+
+ printf("Testing rlimittab...\n");
+#define I2S(I) rlimit_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../schedtabs.h"
+static void
+test_schedtab(void)
+{
+ static const struct entry t[] = {
+#include "../schedtab.h"
+ };
+
+ printf("Testing schedtab...\n");
+#define I2S(I) sched_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../seccomptabs.h"
+static void
+test_seccomptab(void)
+{
+ static const struct entry t[] = {
+#include "../seccomptab.h"
+ };
+
+ printf("Testing seccomptab...\n");
+#define I2S(I) seccomp_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../seektabs.h"
+static void
+test_seektab(void)
+{
+ static const struct entry t[] = {
+#include "../seektab.h"
+ };
+
+ printf("Testing seektab...\n");
+#define I2S(I) seek_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../signaltabs.h"
+static void
+test_signaltab(void)
+{
+ static const struct entry t[] = {
+#include "../signaltab.h"
+ };
+
+ printf("Testing signaltab...\n");
+#define I2S(I) signal_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../sockleveltabs.h"
+static void
+test_sockleveltab(void)
+{
+ static const struct entry t[] = {
+#include "../sockleveltab.h"
+ };
+
+ printf("Testing sockleveltab...\n");
+#define I2S(I) socklevel_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../sockoptnametabs.h"
+static void
+test_sockoptnametab(void)
+{
+ static const struct entry t[] = {
+#include "../sockoptnametab.h"
+ };
+
+ printf("Testing sockoptnametab...\n");
+#define I2S(I) sockoptname_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include
+#include "../socktabs.h"
+static void
+test_socktab(void)
+{
+ static const struct entry t[] = {
+#include "../socktab.h"
+ };
+
+ printf("Testing socktab...\n");
+#define I2S(I) sock_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../socktypetabs.h"
+static void
+test_socktypetab(void)
+{
+ static const struct entry t[] = {
+#include "../socktypetab.h"
+ };
+
+ printf("Testing socktypetab...\n");
+#define I2S(I) sock_type_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+#include "../tcpoptnametabs.h"
+static void
+test_tcpoptnametab(void)
+{
+ static const struct entry t[] = {
+#include "../tcpoptnametab.h"
+ };
+
+ printf("Testing tcpoptnametab...\n");
+#define I2S(I) tcpoptname_i2s(I)
+ TEST_I2S(0);
+#undef I2S
+}
+
+int
+main(void)
+{
+ // This is only for preventing collisions in s2i tests.
+ // If collisions are found in future, change the number.
+ srand(3);
+ test_captab();
+ test_clocktab();
+ test_epoll_ctl();
+ test_famtab();
+ test_fcntltab();
+ test_icmptypetab();
+ test_inethooktab();
+ test_ioctlreqtab();
+ test_ip6optnametab();
+ test_ipctab();
+ test_ipoptnametab();
+ test_netactiontab();
+ test_nfprototab();
+ test_evtypetab();
+ test_normalize_obj_kind_map();
+ test_normalize_record_map();
+ test_persontab();
+ test_pktoptnametab();
+ test_prctl_opttab();
+ test_ptracetab();
+ test_rlimittab();
+ test_schedtab();
+ test_seccomptab();
+ test_seektab();
+ test_signaltab();
+ test_sockleveltab();
+ test_sockoptnametab();
+ test_socktab();
+ test_socktypetab();
+ test_tcpoptnametab();
+
+ puts("===============================");
+ puts("Interpretation table tests pass");
+ puts("===============================");
+
+ return EXIT_SUCCESS;
+}
+
diff -Nru audit-2.7.7/auparse/test/Makefile.am audit-2.8.2/auparse/test/Makefile.am
--- audit-2.7.7/auparse/test/Makefile.am 2017-06-16 19:01:41.000000000 +0000
+++ audit-2.8.2/auparse/test/Makefile.am 2017-12-14 16:46:49.000000000 +0000
@@ -1,5 +1,5 @@
 # Makefile.am --
-# Copyright 2006-08,2014-16 Red Hat Inc., Durham, North Carolina.
+# Copyright 2006-08,2014-17 Red Hat Inc., Durham, North Carolina.
 # All Rights Reserved.
 #
 # This library is free software; you can redistribute it and/or
@@ -22,12 +22,16 @@
 CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
 AUTOMAKE_OPTIONS = no-dependencies
-check_PROGRAMS = auparse_test auparselol_test
+check_PROGRAMS = auparse_test auparselol_test lookup_test
 dist_check_SCRIPTS = auparse_test.py
 EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log auditd_raw.sed
 AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
+lookup_test_SOURCES = lookup_test.c
+lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
+
 auparse_test_SOURCES = auparse_test.c
 auparse_test_LDFLAGS = -static
 auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
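Review bot: In TEST_I2S the check that a random value absent from the table yields no name is `assert(I2S(val) == NULL);`, so with NDEBUG defined that half of the test silently vanishes while the table-driven half keeps its fprintf/abort checks, and TEST_S2I has the same weakness in `assert(S2I(t[i].s) == t[i].val);`. Use the explicit pattern the neighbouring checks already use: `if (I2S(val) != NULL) { fprintf(stderr, "%d unexpectedly found\n", val); abort(); }`. Separately, TEST_S2I and gen_id are never used — every test function expands TEST_I2S(0) only — so gen_id is an unused static function that -Wall will flag, and the comment above `srand(3)` refers to s2i collision tests that do not exist; either add the s2i cases or drop the macro and the helper.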
@@ -40,7 +44,7 @@
 drop_srcdir = sed 's,$(srcdir)/test,test,'
-check: auparse_test auparselol_test
+check: auparse_test auparselol_test lookup_test
 test "$(top_srcdir)" = "$(top_builddir)" || \
 cp $(top_srcdir)/auparse/test/test*.log .
 LC_ALL=C \
@@ -57,6 +61,7 @@
 | $(drop_srcdir) > auparse_test.cur
 diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
 endif
+ ./lookup_test
 echo -e "===================\nAuparse Test Passes\n==================="
 diffcheck: auparse_test auparselol_test
diff -Nru audit-2.7.7/auparse/test/Makefile.in audit-2.8.2/auparse/test/Makefile.in
--- audit-2.7.7/auparse/test/Makefile.in 2017-06-16 19:01:47.000000000 +0000
+++ audit-2.8.2/auparse/test/Makefile.in 2017-12-14 16:46:54.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,7 @@
 @SET_MAKE@
 # Makefile.am --
-# Copyright 2006-08,2014-16 Red Hat Inc., Durham, North Carolina.
+# Copyright 2006-08,2014-17 Red Hat Inc., Durham, North Carolina.
 # All Rights Reserved.
 #
 # This library is free software; you can redistribute it and/or
@@ -110,7 +110,8 @@
 build_triplet = @build@
 host_triplet = @host@
 target_triplet = @target@
-check_PROGRAMS = auparse_test$(EXEEXT) auparselol_test$(EXEEXT)
+check_PROGRAMS = auparse_test$(EXEEXT) auparselol_test$(EXEEXT) \
+ lookup_test$(EXEEXT)
 subdir = auparse/test
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
@@ -144,6 +145,10 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(auparselol_test_LDFLAGS) $(LDFLAGS) \ -o $@ +am_lookup_test_OBJECTS = lookup_test.$(OBJEXT) +lookup_test_OBJECTS = $(am_lookup_test_OBJECTS) +lookup_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/lib/libaudit.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -177,8 +182,10 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES) -DIST_SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES) +SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES) \ + $(lookup_test_SOURCES) +DIST_SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES) \ + $(lookup_test_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -366,6 +373,10 @@ dist_check_SCRIPTS = auparse_test.py EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log auditd_raw.sed AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib +lookup_test_SOURCES = lookup_test.c +lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/lib/libaudit.la + auparse_test_SOURCES = auparse_test.c auparse_test_LDFLAGS = -static auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ @@ -428,6 +439,10 @@ @rm -f auparselol_test$(EXEEXT) $(AM_V_CCLD)$(auparselol_test_LINK) $(auparselol_test_OBJECTS) $(auparselol_test_LDADD) $(LIBS) +lookup_test$(EXEEXT): $(lookup_test_OBJECTS) $(lookup_test_DEPENDENCIES) $(EXTRA_lookup_test_DEPENDENCIES) + @rm -f lookup_test$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(lookup_test_OBJECTS) $(lookup_test_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -653,7 +668,7 @@
 .PRECIOUS: Makefile
-check: auparse_test auparselol_test
+check: auparse_test auparselol_test lookup_test
 test "$(top_srcdir)" = "$(top_builddir)" || \
 cp $(top_srcdir)/auparse/test/test*.log .
 LC_ALL=C \
@@ -668,6 +683,7 @@
 @HAVE_PYTHON_TRUE@ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
 @HAVE_PYTHON_TRUE@ | $(drop_srcdir) > auparse_test.cur
 @HAVE_PYTHON_TRUE@ diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
+ ./lookup_test
 echo -e "===================\nAuparse Test Passes\n==================="
 diffcheck: auparse_test auparselol_test
diff -Nru audit-2.7.7/auparse/typetab.h audit-2.8.2/auparse/typetab.h
--- audit-2.7.7/auparse/typetab.h 2017-06-16 19:01:41.000000000 +0000
+++ audit-2.8.2/auparse/typetab.h 2017-12-14 16:46:49.000000000 +0000
@@ -1,5 +1,5 @@
 /* typetab.h --
- * Copyright 2007-09,2011-12,2014-16 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2007-09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -50,7 +50,7 @@
 _S(AUPARSE_TYPE_ESCAPED, "comm" )
 _S(AUPARSE_TYPE_ESCAPED, "exe" )
 _S(AUPARSE_TYPE_ESCAPED, "file" )
-_S(AUPARSE_TYPE_ESCAPED, "name" )
+_S(AUPARSE_TYPE_ESCAPED_FILE, "name" )
 _S(AUPARSE_TYPE_ESCAPED, "watch" )
 _S(AUPARSE_TYPE_ESCAPED, "cwd" )
 _S(AUPARSE_TYPE_ESCAPED, "cmd" )
@@ -89,6 +89,7 @@
 _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pa" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
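Review bot: Switching the `name` entry from AUPARSE_TYPE_ESCAPED to AUPARSE_TYPE_ESCAPED_FILE changes what auparse_get_field_type() reports for the name field of every PATH record, which callers that compare the field type against AUPARSE_TYPE_ESCAPED will see as a behaviour change. The definition of AUPARSE_TYPE_ESCAPED_FILE is not in this diff, so I cannot confirm it was appended after the existing enumerators rather than inserted among them, which would renumber later values for already-built consumers. A comment on the entry would help the next reader, e.g. `_S(AUPARSE_TYPE_ESCAPED_FILE, "name" ) // deliberately distinct from AUPARSE_TYPE_ESCAPED: callers switching on field type must handle both`, and the change deserves its own ChangeLog line.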
@@ -96,9 +97,14 @@
 _S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pa" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" )
 _S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pa" )
 _S(AUPARSE_TYPE_NFPROTO, "family" )
 _S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
 _S(AUPARSE_TYPE_PROTOCOL, "proto" )
@@ -133,4 +139,5 @@
 _S(AUPARSE_TYPE_MACPROTO, "macproto" )
 _S(AUPARSE_TYPE_ESCAPED, "invalid_context")
 _S(AUPARSE_TYPE_IOCTL_REQ, "ioctlcmd" )
+_S(AUPARSE_TYPE_FANOTIFY, "resp" )
diff -Nru audit-2.7.7/auparse/umounttab.h audit-2.8.2/auparse/umounttab.h
--- audit-2.7.7/auparse/umounttab.h 2017-06-16 19:01:41.000000000 +0000
+++ audit-2.8.2/auparse/umounttab.h 2017-12-14 16:46:49.000000000 +0000
@@ -26,5 +26,5 @@
 _S(0x00000002, "MNT_DETACH" )
 _S(0x00000004, "MNT_EXPIRE" )
 _S(0x00000008, "UMOUNT_NOFOLLOW" )
-_S(0x80000001, "UMOUNT_UNUSED" )
+_S(0x80000000, "UMOUNT_UNUSED" )
diff -Nru audit-2.7.7/bindings/golang/Makefile.in audit-2.8.2/bindings/golang/Makefile.in
--- audit-2.7.7/bindings/golang/Makefile.in 2017-06-16 19:01:47.000000000 +0000
+++ audit-2.8.2/bindings/golang/Makefile.in 2017-12-14 16:46:54.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
diff -Nru audit-2.7.7/bindings/Makefile.in audit-2.8.2/bindings/Makefile.in
--- audit-2.7.7/bindings/Makefile.in 2017-06-16 19:01:47.000000000 +0000
+++ audit-2.8.2/bindings/Makefile.in 2017-12-14 16:46:54.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
diff -Nru audit-2.7.7/bindings/python/auparse_python.c audit-2.8.2/bindings/python/auparse_python.c
--- audit-2.7.7/bindings/python/auparse_python.c 2017-06-16 19:01:41.000000000 +0000
+++ audit-2.8.2/bindings/python/auparse_python.c 2017-12-14 16:46:49.000000000 +0000
@@ -448,6 +448,10 @@
 PyErr_SetString(PyExc_TypeError, "source must be open file when source_type is AUSOURCE_FILE_POINTER");
 return -1;
 }
+#if PY_MAJOR_VERSION < 3
+ int fd = fileno(fp);
+ fp = fdopen(fd, "r");
+#endif
 if ((self->au = auparse_init(source_type, fp)) == NULL) {
 //char *filename = PYSTR_ASSTRING(PyFile_Name(source));
 char *filename = "TODO";
@@ -1691,7 +1695,7 @@
 get_type_name() allows access to the current record type name in the\n\
 current event.\n\
 \n\
-Returns None if the record type name is unavailable.\n\
+Raises exception (LookupError) on error.\n\
 ");
 static PyObject *
 AuParser_get_type_name(AuParser *self)
@@ -1700,6 +1704,10 @@
 PARSER_CHECK;
 name = auparse_get_type_name(self->au);
+ if (name == NULL) {
+ PyErr_SetString(PyExc_LookupError, "Not found");
+ return NULL;
+ }
 return Py_BuildValue("s", name);
 }
@@ -2003,7 +2011,6 @@
 return NULL;
 }
-// FIXME: can't tell if interpret is successful, always returns some string in somewhat arbitrary format.
 PyDoc_STRVAR(interpret_field_doc,
 "interpret_field() Return an interpretation of the current field as a string that has the chosen character escaping applied.\n\
 \n\
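Review bot: The Python 2 branch hands the result of `fdopen(fd, "r")` to auparse_init without checking it, so a failing fdopen passes a NULL FILE pointer on instead of raising. The re-open also creates a second stdio stream on the descriptor behind the Python file object, so anything Python has already buffered from that file is skipped, and nothing in this hunk closes the new stream: if libauparse closes a FILE_POINTER source on destroy (not visible here) it will close the caller's descriptor with it, otherwise the FILE leaks once per init. At minimum check the result and record why the re-open is needed: `fp = fdopen(fd, "r"); if (fp == NULL) { PyErr_SetFromErrno(PyExc_IOError); return -1; }`, and consider opening on `dup(fd)` so the two streams do not share one descriptor's close. The enclosing init function starts and ends outside the hunk.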
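Review bot: get_type_name() used to return None when auparse_get_type_name gave NULL and now raises LookupError, so existing Python callers that test the result for None will start seeing an exception; the docstring hunk above describes the new behaviour, but the compatibility break should also be called out in the release notes. If NULL here only means the type number has no known name rather than a parser fault, returning None was arguably the friendlier contract for a lookup; if the exception stays, `PyErr_SetString(PyExc_LookupError, "Not found")` would be more useful with the numeric record type in the message. The function body continues outside the hunk.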
@@ -2024,6 +2031,86 @@
 return Py_BuildValue("s", value);
 }
+PyDoc_STRVAR(interpret_realpath_doc,
+"interpret_realpath() Return an interpretation of the current field as a realpath string that has the chosen character escaping applied.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_realpath(AuParser *self)
+{
+ const char *value = NULL;
+
+ PARSER_CHECK;
+ value = auparse_interpret_realpath(self->au);
+ if (value == NULL) {
+ PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+ return NULL;
+ }
+ return Py_BuildValue("s", value);
+}
+
+PyDoc_STRVAR(interpret_sock_family_doc,
+"interpret_sock_family() Return an interpretation of the current field's socket family. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_family(AuParser *self)
+{
+ const char *value = NULL;
+
+ PARSER_CHECK;
+ value = auparse_interpret_sock_family(self->au);
+ if (value == NULL) {
+ PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+ return NULL;
+ }
+ return Py_BuildValue("s", value);
+}
+
+PyDoc_STRVAR(interpret_sock_port_doc,
+"interpret_sock_address() Return an interpretation of the current field's socket port. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_port(AuParser *self)
+{
+ const char *value = NULL;
+
+ PARSER_CHECK;
+ value = auparse_interpret_sock_port(self->au);
+ if (value == NULL) {
+ PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+ return NULL;
+ }
+ return Py_BuildValue("s", value);
+}
+
+PyDoc_STRVAR(interpret_sock_address_doc,
+"interpret_sock_address() Return an interpretation of the current field's socket address. Only supported on sockaddr field types.\n\
+\n\
+If the field cannot be interpreted the field is returned unmodified.\n\
+Raises exception (RuntimeError) on error\n\
+");
+static PyObject *
+AuParser_interpret_sock_address(AuParser *self)
+{
+ const char *value = NULL;
+
+ PARSER_CHECK;
+ value = auparse_interpret_sock_address(self->au);
+ if (value == NULL) {
+ PyErr_SetString(PyExc_RuntimeError, "'interpretation' is NULL");
+ return NULL;
+ }
+ return Py_BuildValue("s", value);
+}
+
 static PyGetSetDef AuParser_getseters[] = {
 {NULL} /* Sentinel */
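Review bot: The docstring for interpret_sock_port names the wrong method: `interpret_sock_port_doc` begins with `"interpret_sock_address() Return an interpretation of the current field's socket port.` and should read `"interpret_sock_port() Return an interpretation of the current field's socket port. Only supported on sockaddr field types.\n\`. All four new docstrings also promise both that an uninterpretable field "is returned unmodified" and that RuntimeError is raised on error, without saying which of the two a caller gets on a non-sockaddr field; one sentence settling that would spare callers from guessing. Style-wise the four bodies are identical apart from the auparse call they make and could share one static helper that takes the accessor as a function pointer.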
@@ -2089,7 +2176,11 @@
 {"get_field_type", (PyCFunction)AuParser_get_field_type, METH_NOARGS, get_field_type_doc},
 {"get_field_int", (PyCFunction)AuParser_get_field_int, METH_NOARGS, get_field_int_doc},
 {"interpret_field", (PyCFunction)AuParser_interpret_field, METH_NOARGS, interpret_field_doc},
- {NULL, NULL} /* Sentinel */
+ {"interpret_realpath", (PyCFunction)AuParser_interpret_realpath, METH_NOARGS, interpret_realpath_doc},
+ {"interpret_sock_family", (PyCFunction)AuParser_interpret_sock_family, METH_NOARGS, interpret_sock_family_doc},
+ {"interpret_sock_port", (PyCFunction)AuParser_interpret_sock_port, METH_NOARGS, interpret_sock_port_doc},
+ {"interpret_sock_address", (PyCFunction)AuParser_interpret_sock_address, METH_NOARGS, interpret_sock_address_doc},
+ {NULL, NULL, 0, NULL} /* Sentinel */
 };
 PyDoc_STRVAR(AuParser_doc,
diff -Nru audit-2.7.7/bindings/python/Makefile.in audit-2.8.2/bindings/python/Makefile.in
--- audit-2.7.7/bindings/python/Makefile.in 2017-06-16 19:01:47.000000000 +0000
+++ audit-2.8.2/bindings/python/Makefile.in 2017-12-14 16:46:54.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
diff -Nru audit-2.7.7/bindings/python/python2/Makefile.in audit-2.8.2/bindings/python/python2/Makefile.in
--- audit-2.7.7/bindings/python/python2/Makefile.in 2017-06-16 19:01:47.000000000 +0000
+++ audit-2.8.2/bindings/python/python2/Makefile.in 2017-12-14 16:46:54.000000000 +0000
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/bindings/python/python3/Makefile.in audit-2.8.2/bindings/python/python3/Makefile.in --- audit-2.7.7/bindings/python/python3/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/bindings/python/python3/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/bindings/swig/Makefile.in audit-2.8.2/bindings/swig/Makefile.in --- audit-2.7.7/bindings/swig/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/bindings/swig/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/bindings/swig/python/audit.py audit-2.8.2/bindings/swig/python/audit.py --- audit-2.7.7/bindings/swig/python/audit.py 2017-06-16 19:01:52.000000000 +0000 +++ audit-2.8.2/bindings/swig/python/audit.py 2017-12-14 16:46:59.000000000 +0000 
@@ -1,5 +1,5 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 3.0.11 +# Version 3.0.12 # # Do not make changes to this file unless you know what you are doing--modify # the SWIG interface file instead. @@ -597,6 +597,8 @@ AUDIT_MAC_CHECK = _audit.AUDIT_MAC_CHECK AUDIT_ACCT_LOCK = _audit.AUDIT_ACCT_LOCK AUDIT_ACCT_UNLOCK = _audit.AUDIT_ACCT_UNLOCK +AUDIT_USER_DEVICE = _audit.AUDIT_USER_DEVICE +AUDIT_SOFTWARE_UPDATE = _audit.AUDIT_SOFTWARE_UPDATE AUDIT_FIRST_DAEMON = _audit.AUDIT_FIRST_DAEMON AUDIT_LAST_DAEMON = _audit.AUDIT_LAST_DAEMON AUDIT_DAEMON_RECONFIG = _audit.AUDIT_DAEMON_RECONFIG @@ -694,10 +696,14 @@ AUDIT_VIRT_MIGRATE_IN = _audit.AUDIT_VIRT_MIGRATE_IN AUDIT_VIRT_MIGRATE_OUT = _audit.AUDIT_VIRT_MIGRATE_OUT AUDIT_LAST_VIRT_MSG = _audit.AUDIT_LAST_VIRT_MSG +AUDIT_FANOTIFY = _audit.AUDIT_FANOTIFY AUDIT_KEY_SEPARATOR = _audit.AUDIT_KEY_SEPARATOR +AUDIT_FILTER_FS = _audit.AUDIT_FILTER_FS AUDIT_FILTER_EXCLUDE = _audit.AUDIT_FILTER_EXCLUDE AUDIT_FILTER_MASK = _audit.AUDIT_FILTER_MASK AUDIT_FILTER_UNSET = _audit.AUDIT_FILTER_UNSET +AUDIT_FEATURE_BITMAP_FILTER_FS = _audit.AUDIT_FEATURE_BITMAP_FILTER_FS +AUDIT_FSTYPE = _audit.AUDIT_FSTYPE EM_ARM = _audit.EM_ARM EM_AARCH64 = _audit.EM_AARCH64 AUDIT_INTERP_SEPARATOR = _audit.AUDIT_INTERP_SEPARATOR 
@@ -994,6 +1000,14 @@ return _audit.audit_ftype_to_name(ftype) audit_ftype_to_name = _audit.audit_ftype_to_name +def audit_name_to_fstype(name): + return _audit.audit_name_to_fstype(name) +audit_name_to_fstype = _audit.audit_name_to_fstype + +def audit_fstype_to_name(fstype): + return _audit.audit_fstype_to_name(fstype) +audit_fstype_to_name = _audit.audit_fstype_to_name + def audit_number_to_errmsg(errnumber, opt): return _audit.audit_number_to_errmsg(errnumber, opt) audit_number_to_errmsg = _audit.audit_number_to_errmsg diff -Nru audit-2.7.7/bindings/swig/python/Makefile.in audit-2.8.2/bindings/swig/python/Makefile.in --- audit-2.7.7/bindings/swig/python/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/bindings/swig/python/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/bindings/swig/python3/audit.py audit-2.8.2/bindings/swig/python3/audit.py --- audit-2.7.7/bindings/swig/python3/audit.py 2017-06-16 19:01:53.000000000 +0000 +++ audit-2.8.2/bindings/swig/python3/audit.py 2017-12-14 16:47:00.000000000 +0000 @@ -1,5 +1,5 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 3.0.11 +# Version 3.0.12 # # Do not make changes to this file unless you know what you are doing--modify # the SWIG interface file instead. 
@@ -508,6 +508,8 @@ AUDIT_MAC_CHECK = _audit.AUDIT_MAC_CHECK AUDIT_ACCT_LOCK = _audit.AUDIT_ACCT_LOCK AUDIT_ACCT_UNLOCK = _audit.AUDIT_ACCT_UNLOCK +AUDIT_USER_DEVICE = _audit.AUDIT_USER_DEVICE +AUDIT_SOFTWARE_UPDATE = _audit.AUDIT_SOFTWARE_UPDATE AUDIT_FIRST_DAEMON = _audit.AUDIT_FIRST_DAEMON AUDIT_LAST_DAEMON = _audit.AUDIT_LAST_DAEMON AUDIT_DAEMON_RECONFIG = _audit.AUDIT_DAEMON_RECONFIG @@ -605,10 +607,14 @@ AUDIT_VIRT_MIGRATE_IN = _audit.AUDIT_VIRT_MIGRATE_IN AUDIT_VIRT_MIGRATE_OUT = _audit.AUDIT_VIRT_MIGRATE_OUT AUDIT_LAST_VIRT_MSG = _audit.AUDIT_LAST_VIRT_MSG +AUDIT_FANOTIFY = _audit.AUDIT_FANOTIFY AUDIT_KEY_SEPARATOR = _audit.AUDIT_KEY_SEPARATOR +AUDIT_FILTER_FS = _audit.AUDIT_FILTER_FS AUDIT_FILTER_EXCLUDE = _audit.AUDIT_FILTER_EXCLUDE AUDIT_FILTER_MASK = _audit.AUDIT_FILTER_MASK AUDIT_FILTER_UNSET = _audit.AUDIT_FILTER_UNSET +AUDIT_FEATURE_BITMAP_FILTER_FS = _audit.AUDIT_FEATURE_BITMAP_FILTER_FS +AUDIT_FSTYPE = _audit.AUDIT_FSTYPE EM_ARM = _audit.EM_ARM EM_AARCH64 = _audit.EM_AARCH64 AUDIT_INTERP_SEPARATOR = _audit.AUDIT_INTERP_SEPARATOR @@ -830,6 +836,14 @@ return _audit.audit_ftype_to_name(ftype) audit_ftype_to_name = _audit.audit_ftype_to_name +def audit_name_to_fstype(name: 'char const *') -> "int": + return _audit.audit_name_to_fstype(name) +audit_name_to_fstype = _audit.audit_name_to_fstype + +def audit_fstype_to_name(fstype: 'int') -> "char const *": + return _audit.audit_fstype_to_name(fstype) +audit_fstype_to_name = _audit.audit_fstype_to_name + def audit_number_to_errmsg(errnumber: 'int', opt: 'char const *') -> "void": return _audit.audit_number_to_errmsg(errnumber, opt) audit_number_to_errmsg = _audit.audit_number_to_errmsg diff -Nru audit-2.7.7/bindings/swig/python3/Makefile.in audit-2.8.2/bindings/swig/python3/Makefile.in --- audit-2.7.7/bindings/swig/python3/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/bindings/swig/python3/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/bindings/swig/src/Makefile.in audit-2.8.2/bindings/swig/src/Makefile.in --- audit-2.7.7/bindings/swig/src/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/bindings/swig/src/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/ChangeLog audit-2.8.2/ChangeLog --- audit-2.7.7/ChangeLog 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/ChangeLog 2017-12-14 16:46:49.000000000 +0000 
@@ -1,3 +1,64 @@
+2.8.2
+- Update tables for 4.14 kernel
+- Fixup ipv6 server side binding
+- AVC report from aureport was missing result column header (#1511606)
+- Add SOFTWARE_UPDATE event
+- In ausearch/report pickup any path and new-disk fields as a file
+- Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
+- In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
+- Fix building on old systems without linux/fanotify.h
+- Fix shell portability issues reported by shellcheck
+- Auditd validate_email should not use gethostbyname
+
+2.8.1
+- Fix NULL ptr dereference in audispd plugin_dir parser
+- Signed/unsigned cleanup
+
+2.8
+- Add support for ambient capability fields (Richard Guy Briggs)
+- Update auparse-normalizer to support TTY events
+- Add auparse_normalize_object_primary2 API
+- In ausearch text format, add 'to xxx' for mount operations
+- In ausearch add new --extra-obj2 option for CSV output
+- In auparse_normalize, pick up second file name for rename syscalls
+- In auparse_normalize, pick up permission & ownership changes as obj2
+- In auparse_normalize, pick up uid/gid for setuid/gid syscalls as obj2
+- In auparse_normalize, pick up link for symlink syscalls as obj2
+- In auparse_normalize, correct mount records based on success
+- In auparse_normalize, correct object for USER_MGMT, ACCT_LOCK, & ACCT_UNLOCK
+- Add default port to auditd.conf (#1455598)
+- Fix auvirt to report AVC's (#982154)
+- Add sockaddr accessor functions in auparse
+- In ausearch, use auparse_interpret_sock_address for text mode output
+- In remote logging, inform client auditd is suspended and please disconnect
+- Auditd and audisp-remote now supports IPv6
+- In auparse function auparse_goto_record_num, make it positioned on first field
+- In auparse_normalize, finish support for MAC_STATUS and MAC_CONFIG events
+- Add support for filesystem filter type (Richard Guy Briggs)
+- Add file system type table for fstype lookup
+- Add command line option to auditd & audispd for config dir path (Dan Born)
+- Fix auparse serial parsing of event when system time < 9 characters (kruvin)
+- In auparse, allow non-equality comparisons for uid & gid fields (#1399314)
+- In auparse_normalize, add support for USER_DEVICE events
+- In audispd.conf, add new plugin_dir config item to customize plugin location
+- Add support for FANOTIFY event
+- Improve auparse_normalize support for SECCOMP events
+- In auparse_normalize, pick up comm for successful memory allocations
+
+2.7.8
+- Add config option to auditd to not verify email addr domain (#1406887)
+- When auditd forwards events to disptcher, calculate protocol each event
+- In auditd, restore umask after creating log file (Avi Yeger)
+- Add a realpath interpretation function that resolves whole path in auparse
+- In audispd, strip out EOE events for syslog plugin
+- In python 2 bindings, fix AUSOURCE_FILE_POINTER to use new FILE * (#1475998)
+- In python bindings, check NULL return for auparse_get_type_name (#1482121)
+- Make auparse more robust against misuse of the API (#1482121)
+- Add USER_DEVICE record type
+- In auditd, do not use '?' for auid when signal sender is unknown
+- In ausearch, write checkpoint inode in decimal to be easier to use
+- In auparse-normalizer, correct attr's collected for mount object
+
 2.7.7
 - Make ausearch a little more robust to bad time values
 - Aureport's login report was corrected to print the loginuid (#1448526)
diff -Nru audit-2.7.7/compile audit-2.8.2/compile
--- audit-2.7.7/compile 2017-06-16 19:01:46.000000000 +0000
+++ audit-2.8.2/compile 2017-12-14 16:46:54.000000000 +0000
@@ -1,9 +1,9 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-10-14.11; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify @@ -255,7 +255,8 @@ echo "compile $scriptversion" exit $? ;; - cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ + icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac @@ -342,6 +343,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/config.guess audit-2.8.2/config.guess --- audit-2.7.7/config.guess 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/config.guess 2017-12-14 16:46:54.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2017 Free Software Foundation, Inc. -timestamp='2015-01-01' +timestamp='2017-08-08' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . 
@@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2017 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -168,19 +168,29 @@ # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" - UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || \ + echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. + # to ELF recently (or will in the future) and ABI. case "${UNAME_MACHINE_ARCH}" in + earm*) + os=netbsdelf + ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ @@ -197,6 +207,13 @@ os=netbsd ;; esac + # Determine ABI tags. + case "${UNAME_MACHINE_ARCH}" in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + ;; + esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need 
@@ -207,13 +224,13 @@ release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}" + echo "${machine}-${os}${release}${abi}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` @@ -223,6 +240,10 @@ UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; @@ -235,6 +256,12 @@ *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; + *:Sortix:*:*) + echo ${UNAME_MACHINE}-unknown-sortix + exit ;; + *:Redox:*:*) + echo ${UNAME_MACHINE}-unknown-redox + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) 
@@ -251,42 +278,42 @@ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 
@@ -359,16 +386,16 @@ exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -393,7 +420,7 @@ exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -618,13 +645,13 @@ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi @@ -663,11 +690,11 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build 
@@ -680,12 +707,12 @@ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -790,14 +817,14 @@ echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 
@@ -813,10 +840,11 @@ UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) - echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - *) - echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; esac + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin @@ -879,7 +907,7 @@ exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -902,7 +930,7 @@ EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -933,6 +961,9 @@ crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; + e2k:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -945,6 +976,9 @@ ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -970,6 +1004,9 @@ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; + mips64el:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; 
@@ -1002,6 +1039,9 @@ ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; @@ -1021,7 +1061,7 @@ echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} @@ -1100,7 +1140,7 @@ # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1249,6 +1289,9 @@ SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; 
@@ -1262,16 +1305,23 @@ UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc + fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub @@ -1286,7 +1336,7 @@ exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1295,15 +1345,18 @@ *:QNX:*:4*) echo i386-pc-qnx exit ;; - NEO-?:NONSTOP_KERNEL:*:*) + NEO-*:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; - NSR-?:NONSTOP_KERNEL:*:*) + NSR-*:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; + NSX-*:NONSTOP_KERNEL:*:*) + echo nsx-tandem-nsk${UNAME_RELEASE} + exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; @@ -1317,7 +1370,7 @@ # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" 
@@ -1359,7 +1412,7 @@ echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos @@ -1370,23 +1423,25 @@ x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 < in order to provide the needed -information to handle your system. +If $0 has already been updated, send the following data and any +information you think might be pertinent to config-patches@gnu.org to +provide the necessary information to handle your system. config.guess timestamp = $timestamp diff -Nru audit-2.7.7/config.h.in audit-2.8.2/config.h.in --- audit-2.7.7/config.h.in 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/config.h.in 2017-12-14 16:46:54.000000000 +0000 @@ -157,6 +157,9 @@ /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME +/* Defined when fanotify headers are found */ +#undef USE_FANOTIFY + /* Define if you want to use GSSAPI */ #undef USE_GSSAPI diff -Nru audit-2.7.7/config.sub audit-2.8.2/config.sub --- audit-2.7.7/config.sub 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/config.sub 2017-12-14 16:46:54.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2017 Free Software Foundation, Inc. -timestamp='2015-01-01' +timestamp='2017-04-02' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -33,7 +33,7 @@ # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,8 +53,7 @@ me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. @@ -68,7 +67,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2017 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -117,8 +116,8 @@ case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | \ - kopensolaris*-gnu* | \ + knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ + kopensolaris*-gnu* | cloudabi*-eabi* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` @@ -255,15 +254,16 @@ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ + | ba \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ - | epiphany \ + | e2k | epiphany \ | fido | fr30 | frv | ft32 \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ - | i370 | i860 | i960 | ia64 \ + | i370 | i860 | i960 | ia16 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ 
@@ -301,11 +301,12 @@ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pru \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ @@ -314,6 +315,7 @@ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | visium \ + | wasm32 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) @@ -376,17 +378,18 @@ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | ba-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ - | elxsi-* \ + | e2k-* | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ - | i*86-* | i860-* | i960-* | ia64-* \ + | i*86-* | i860-* | i960-* | ia16-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ 
@@ -427,13 +430,15 @@ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pru-* \ | pyramid-* \ + | riscv32-* | riscv64-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ @@ -442,6 +447,7 @@ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | visium-* \ + | wasm32-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ @@ -518,6 +524,9 @@ basic_machine=i386-pc os=-aros ;; + asmjs) + basic_machine=asmjs-unknown + ;; aux) basic_machine=m68k-apple os=-aux @@ -638,6 +647,14 @@ basic_machine=m68k-bull os=-sysv3 ;; + e500v[12]) + basic_machine=powerpc-unknown + os=$os"spe" + ;; + e500v[12]-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + os=$os"spe" + ;; ebmon29k) basic_machine=a29k-amd os=-ebmon @@ -933,6 +950,9 @@ nsr-tandem) basic_machine=nsr-tandem ;; + nsx-tandem) + basic_machine=nsx-tandem + ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf @@ -1017,7 +1037,7 @@ ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppcle | powerpclittle | ppc-le | powerpc-little) + ppcle | powerpclittle) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) @@ -1027,7 +1047,7 @@ ;; ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) + ppc64le | powerpc64little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) 
@@ -1228,6 +1248,9 @@ basic_machine=a29k-wrs os=-vxworks ;; + wasm32) + basic_machine=wasm32-unknown + ;; w65*) basic_machine=w65-wdc os=-none @@ -1373,18 +1396,18 @@ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* \ + | -aos* | -aros* | -cloudabi* | -sortix* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ + | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ @@ -1393,7 +1416,8 @@ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ + | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1525,6 +1549,8 @@ ;; -nacl*) ;; + -ios) + ;; -none) ;; *) 
@@ -1620,6 +1646,9 @@ sparc-* | *-sun) os=-sunos4.1.1 ;; + pru-*) + os=-elf + ;; *-be) os=-beos ;; diff -Nru audit-2.7.7/configure audit-2.8.2/configure --- audit-2.7.7/configure 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/configure 2017-12-14 16:46:53.000000000 +0000 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision: 1.3 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for audit 2.7.7. +# Generated by GNU Autoconf 2.69 for audit 2.8.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -588,8 +588,8 @@ # Identity of this package. PACKAGE_NAME='audit' PACKAGE_TARNAME='audit' -PACKAGE_VERSION='2.7.7' -PACKAGE_STRING='audit 2.7.7' +PACKAGE_VERSION='2.8.2' +PACKAGE_STRING='audit 2.8.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1392,7 +1392,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures audit 2.7.7 to adapt to many kinds of systems. +\`configure' configures audit 2.8.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1463,7 +1463,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of audit 2.7.7:";; + short | recursive ) echo "Configuration of audit 2.8.2:";; esac cat <<\_ACEOF @@ -1590,7 +1590,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -audit configure 2.7.7 +audit configure 2.8.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2241,7 +2241,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by audit $as_me 2.7.7, which was +It was created by audit $as_me 2.8.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -3220,7 +3220,7 @@ # Define the identity of the package. PACKAGE='audit' - VERSION='2.7.7' + VERSION='2.8.2' cat >>confdefs.h <<_ACEOF @@ -14738,7 +14738,7 @@ # Find any Python interpreter. if test -z "$PYTHON"; then - for ac_prog in python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 + for ac_prog in python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -15340,6 +15340,16 @@ fi +# linux/fanotify.h +ac_fn_c_check_header_mongrel "$LINENO" "linux/fanotify.h" "ac_cv_header_linux_fanotify_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_fanotify_h" = xyes; then : + +$as_echo "#define USE_FANOTIFY /**/" >>confdefs.h + +fi + + + withval="" ALLDEBUG="-g" @@ -16510,7 +16520,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by audit $as_me 2.7.7, which was +This file was extended by audit $as_me 2.8.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16576,7 +16586,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -audit config.status 2.7.7 +audit config.status 2.8.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru audit-2.7.7/configure.ac audit-2.8.2/configure.ac --- audit-2.7.7/configure.ac 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/configure.ac 2017-12-14 16:46:49.000000000 +0000 @@ -29,7 +29,7 @@ ]) AC_REVISION($Revision: 1.3 $)dnl -AC_INIT(audit,2.7.7) +AC_INIT(audit,2.8.2) AC_PREREQ(2.12)dnl AM_CONFIG_HEADER(config.h) 
@@ -250,6 +250,10 @@ ) AM_CONDITIONAL(ENABLE_SYSTEMD, test x$want_systemd = xyes) +# linux/fanotify.h +AC_CHECK_HEADER(linux/fanotify.h, [ AC_DEFINE(USE_FANOTIFY, [], + [Defined when fanotify headers are found]) ]) + withval="" ALLDEBUG="-g" AC_ARG_WITH(debug, diff -Nru audit-2.7.7/debian/changelog audit-2.8.2/debian/changelog --- audit-2.7.7/debian/changelog 2017-08-05 16:22:00.000000000 +0000 +++ audit-2.8.2/debian/changelog 2018-02-07 23:59:52.000000000 +0000 
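Review bot: The new `AC_CHECK_HEADER(linux/fanotify.h, ...)` in configure.ac is unconditional and has no `AC_ARG_WITH`/`AC_ARG_ENABLE` companion, so whether `USE_FANOTIFY` lands in config.h depends silently on which kernel headers happen to be installed on the build host, unlike the `ENABLE_SYSTEMD` conditional directly above it that a packager can pin. A `--with-fanotify` option defaulting to auto-detection would keep today's behaviour while making the result explicit and reproducible across build environments. The check also only proves the header exists, not that the kernel the binary later runs on offers fanotify, so code compiled under `USE_FANOTIFY` presumably still needs its own runtime fallback; that code is not part of this diff. A one-line `--help` string for the option would also document the new optional dependency.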
@@ -1,3 +1,52 @@ +audit (1:2.8.2-1ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/rules: Disable auditd network listener, with --disable-listener, + to reduce the risk of a remote attack on auditd, which runs as root + + -- Steve Langasek Wed, 07 Feb 2018 15:59:52 -0800 + +audit (1:2.8.2-1) unstable; urgency=medium + + * New bugfix upstream release + - debian/libaudit1.symbols: Add newly exported symbol + * debian/control: Bump Standards-Version to 4.1.2 (no further changes) + * debian/watch: Use https:// instead of http:// + + -- Laurent Bigonville Mon, 18 Dec 2017 09:13:02 +0100 + +audit (1:2.8.1-2) unstable; urgency=medium + + * Make auditd logs readable by the adm group by default (Closes: #759604) + + -- Laurent Bigonville Wed, 08 Nov 2017 18:39:12 +0100 + +audit (1:2.8.1-1) unstable; urgency=medium + + * New bugfix upstream release + * debian/control: Move all packages from Priority: extra (which is + deprecated) to Priority: optional + + -- Laurent Bigonville Sun, 15 Oct 2017 13:06:41 +0200 + +audit (1:2.8-1) unstable; urgency=low + + * New upstream release + - debian/libaudit1.symbols, debian/libauparse0.symbols: Add newly exported + symbols + + -- Laurent Bigonville Thu, 12 Oct 2017 14:25:12 +0200 + +audit (1:2.7.8-1) unstable; urgency=medium + + * New upstream release + - debian/libauparse0.symbols: Add newly exported symbol + * debian/control: Bump Standards-Version to 4.1.1 (no further changes) + * Bump debhelper compatibility to 10, drop dh-systemd and dh-autoreconf + build-dep, these are not needed anymore + + -- Laurent Bigonville Tue, 03 Oct 2017 16:10:39 +0200 + audit (1:2.7.7-1ubuntu2) artful; urgency=medium * No-change rebuild to build to drop python3.5. diff -Nru audit-2.7.7/debian/compat audit-2.8.2/debian/compat --- audit-2.7.7/debian/compat 2017-06-30 18:49:54.000000000 +0000 +++ audit-2.8.2/debian/compat 2017-12-18 15:43:36.000000000 +0000 
@@ -1 +1 @@ -9 +10 diff -Nru audit-2.7.7/debian/control audit-2.8.2/debian/control --- audit-2.7.7/debian/control 2017-06-30 18:49:54.000000000 +0000 +++ audit-2.8.2/debian/control 2018-02-07 23:59:52.000000000 +0000 @@ -1,10 +1,8 @@ Source: audit -Priority: extra +Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Laurent Bigonville -Build-Depends: debhelper (>= 9), - dh-autoreconf, - dh-systemd (>= 1.4), +Build-Depends: debhelper (>= 10), dh-python , # dh-golang, dpkg-dev (>= 1.16.1~), @@ -22,7 +20,7 @@ libpython3-all-dev , swig Build-Depends-Indep: golang-go -Standards-Version: 4.0.0 +Standards-Version: 4.1.2 Section: libs Homepage: https://people.redhat.com/sgrubb/audit/ Vcs-Git: https://anonscm.debian.org/git/collab-maint/audit.git @@ -44,7 +42,6 @@ Package: libauparse0 Architecture: linux-any -Priority: optional Pre-Depends: ${misc:Pre-Depends} Depends: ${misc:Depends}, ${shlibs:Depends} Breaks: libaudit0, libaudit1 (<< 1:2.2.1-2) @@ -71,7 +68,6 @@ Package: libaudit1 Architecture: linux-any -Priority: optional Pre-Depends: ${misc:Pre-Depends} Depends: libaudit-common (>= ${source:Version}), ${misc:Depends}, @@ -84,7 +80,6 @@ Package: libaudit-common Architecture: all -Priority: optional Depends: ${misc:Depends} Breaks: libaudit0, libaudit1 (<< 1:2.2.1-2) Replaces: libaudit0, libaudit1 (<< 1:2.2.1-2) diff -Nru audit-2.7.7/debian/libaudit1.symbols audit-2.8.2/debian/libaudit1.symbols --- audit-2.7.7/debian/libaudit1.symbols 2017-06-30 18:49:54.000000000 +0000 +++ audit-2.8.2/debian/libaudit1.symbols 2017-12-18 15:43:36.000000000 +0000 @@ -1,8 +1,10 @@ libaudit.so.1 libaudit1 #MINVER# * Build-Depends-Package: libaudit-dev + __audit_send@Base 1:2.8.2 _audit_archadded@Base 1:2.2.1 _audit_elf@Base 1:2.2.1 _audit_exeadded@Base 1:2.5.1 + _audit_filterfsadded@Base 1:2.8 _audit_permadded@Base 1:2.2.1 _audit_syscalladded@Base 1:2.2.1 audit_action_to_name@Base 1:2.2.1 
@@ -23,6 +25,7 @@
 audit_errno_to_name@Base 1:2.2.1
 audit_field_to_name@Base 1:2.2.1
 audit_flag_to_name@Base 1:2.2.1
+ audit_fstype_to_name@Base 1:2.8
 audit_ftype_to_name@Base 1:2.2.1
 audit_get_features@Base 1:2.5.1
 audit_get_reply@Base 1:2.2.1
@@ -44,6 +47,7 @@
 audit_name_to_errno@Base 1:2.2.1
 audit_name_to_field@Base 1:2.2.1
 audit_name_to_flag@Base 1:2.2.1
+ audit_name_to_fstype@Base 1:2.8
 audit_name_to_ftype@Base 1:2.2.1
 audit_name_to_machine@Base 1:2.2.1
 audit_name_to_msg_type@Base 1:2.2.1
diff -Nru audit-2.7.7/debian/libauparse0.symbols audit-2.8.2/debian/libauparse0.symbols
--- audit-2.7.7/debian/libauparse0.symbols 2017-06-30 18:49:54.000000000 +0000
+++ audit-2.8.2/debian/libauparse0.symbols 2017-12-18 15:43:36.000000000 +0000
@@ -39,6 +39,10 @@
 auparse_init@Base 1:2.2.1
 auparse_interp_adjust_type@Base 1:2.3.1
 auparse_interpret_field@Base 1:2.2.1
+ auparse_interpret_realpath@Base 1:2.7.8
+ auparse_interpret_sock_address@Base 1:2.8
+ auparse_interpret_sock_family@Base 1:2.8
+ auparse_interpret_sock_port@Base 1:2.8
 auparse_next_event@Base 1:2.2.1
 auparse_next_field@Base 1:2.2.1
 auparse_next_record@Base 1:2.2.1
@@ -52,6 +56,7 @@
 auparse_normalize_object_first_attribute@Base 1:2.7.7
 auparse_normalize_object_kind@Base 1:2.7.7
 auparse_normalize_object_next_attribute@Base 1:2.7.7
+ auparse_normalize_object_primary2@Base 1:2.8
 auparse_normalize_object_primary@Base 1:2.7.7
 auparse_normalize_object_secondary@Base 1:2.7.7
 auparse_normalize_session@Base 1:2.7.7
diff -Nru audit-2.7.7/debian/patches/03-Set-log_group-adm.patch audit-2.8.2/debian/patches/03-Set-log_group-adm.patch
--- audit-2.7.7/debian/patches/03-Set-log_group-adm.patch 1970-01-01 00:00:00.000000000 +0000
+++ audit-2.8.2/debian/patches/03-Set-log_group-adm.patch 2017-12-18 08:13:02.000000000 +0000
@@ -0,0 +1,21 @@ +From: Nicolas Braud-Santoni +Date: Thu, 28 Jul 2016 16:49:18 +0200 +Subject: Set log_group=adm + +--- + init.d/auditd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init.d/auditd.conf b/init.d/auditd.conf +index 900af73..6838c8b 100644 +--- a/init.d/auditd.conf ++++ b/init.d/auditd.conf +@@ -5,7 +5,7 @@ + local_events = yes + write_logs = yes + log_file = /var/log/audit/audit.log +-log_group = root ++log_group = adm + log_format = RAW + flush = INCREMENTAL_ASYNC + freq = 50 diff -Nru audit-2.7.7/debian/patches/series audit-2.8.2/debian/patches/series --- audit-2.7.7/debian/patches/series 2017-07-03 05:20:22.000000000 +0000 +++ audit-2.8.2/debian/patches/series 2017-12-18 15:43:36.000000000 +0000 @@ -1,2 +1,3 @@ 01-no-refusemanualstop.patch 02-restorecon-path.patch +03-Set-log_group-adm.patch diff -Nru audit-2.7.7/debian/rules audit-2.8.2/debian/rules --- audit-2.7.7/debian/rules 2017-06-30 18:49:54.000000000 +0000 +++ audit-2.8.2/debian/rules 2017-12-18 15:43:36.000000000 +0000 @@ -146,6 +146,7 @@ #chmod o-wx debian/auditd/sbin/autrace #chmod 750 debian/auditd/sbin/audispd chmod -R o-rwx debian/auditd/var/log/audit + chgrp adm debian/auditd/var/log/audit chmod -R o-rwx debian/auditd/etc/audit debian/auditd/etc/audisp debian/auditd/etc/audisp/plugins.d get-orig-source: diff -Nru audit-2.7.7/debian/watch audit-2.8.2/debian/watch --- audit-2.7.7/debian/watch 2017-06-30 18:49:54.000000000 +0000 +++ audit-2.8.2/debian/watch 2017-12-18 15:43:36.000000000 +0000 @@ -1,2 +1,2 @@ version=3 -http://people.redhat.com/sgrubb/audit/ audit-([\d\.]*)\.tar\.gz +https://people.redhat.com/sgrubb/audit/ audit-([\d\.]*)\.tar\.gz diff -Nru audit-2.7.7/depcomp audit-2.8.2/depcomp --- audit-2.7.7/depcomp 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/depcomp 2017-12-14 16:46:55.000000000 +0000 
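Review bot: `chgrp adm debian/auditd/var/log/audit` in debian/rules changes only the owning group; nothing in this hunk grants the group any mode bits, and the preceding `chmod -R o-rwx` only strips world access, so whether adm members can actually enter the directory depends on the mode the upstream install step gave it, which is not visible here. If that mode is 0700 the chgrp is a no-op for readers; an explicit `chmod 0750 debian/auditd/var/log/audit` next to the chgrp would make the packaged directory policy independent of upstream defaults and would line up with the `log_group = adm` that the new 03 patch applies to the log file itself. The recipe this line belongs to starts outside the hunk, so its target is not visible.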
@@ -1,9 +1,9 @@ #! /bin/sh # depcomp - compile a program generating dependencies as side-effects -scriptversion=2013-05-30.07; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -786,6 +786,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/docs/audispd.8 audit-2.8.2/docs/audispd.8 --- audit-2.7.7/docs/audispd.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/audispd.8 2017-12-14 16:46:49.000000000 +0000 @@ -3,6 +3,7 @@ audispd \- an event multiplexor .SH SYNOPSIS .B audispd +.RB [ \-c\ ]\ .SH DESCRIPTION \fBaudispd\fP is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes. diff -Nru audit-2.7.7/docs/audispd.conf.5 audit-2.8.2/docs/audispd.conf.5 --- audit-2.7.7/docs/audispd.conf.5 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/audispd.conf.5 2017-12-14 16:46:49.000000000 +0000 
@@ -46,5 +46,8 @@ .TP .I name This is the admin defined string that identifies the machine if user is given as the name_format option. +.TP +.I plugin_dir +This is the location that audispd will use to search for its plugin configuration files. .SH "SEE ALSO" .BR audispd (8) diff -Nru audit-2.7.7/docs/audit_add_rule_data.3 audit-2.8.2/docs/audit_add_rule_data.3 --- audit-2.7.7/docs/audit_add_rule_data.3 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/audit_add_rule_data.3 2017-12-14 16:46:49.000000000 +0000 @@ -21,7 +21,11 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main filter that is used for syscalls and filesystem watches. Normally all syscall do not trigger events, so this is normally used to specify events that are of interest. .TP \(bu -AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match. +AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match. The action type is ignored for this filter, defaulting to "never". +.LP +.TP +\(bu +AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary records to SYSCALL events. This is the filesystem filter. This is used to ignore PATH records that are not of interest. .LP .PP diff -Nru audit-2.7.7/docs/auditctl.8 audit-2.8.2/docs/auditctl.8 --- audit-2.7.7/docs/auditctl.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auditctl.8 2017-12-14 16:46:49.000000000 +0000 
@@ -81,7 +81,7 @@ Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded. .TP .B exclude -Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context +Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context. The action is ignored and uses its default of "never". .RE The following describes the valid \fIactions\fP for the rule: diff -Nru audit-2.7.7/docs/auditd.8 audit-2.8.2/docs/auditd.8 --- audit-2.7.7/docs/auditd.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auditd.8 2017-12-14 16:46:49.000000000 +0000 
@@ -3,7 +3,7 @@ auditd \- The Linux Audit daemon .SH SYNOPSIS .B auditd -.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ] +.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ]\ [ \-c\ ] .SH DESCRIPTION \fBauditd\fP is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the .B ausearch @@ -29,6 +29,10 @@ .TP .B \-s=\fIENABLE_STATE\fR specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be changed during the lifetime of auditd using 'auditctl \-e'. +.TP +.B \-c +Specify alternate config file directory. Note that this same directory will +be passed to the dispatcher. (default: /etc/audit/) .SH SIGNALS .TP SIGHUP diff -Nru audit-2.7.7/docs/auditd.conf.5 audit-2.8.2/docs/auditd.conf.5 --- audit-2.7.7/docs/auditd.conf.5 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auditd.conf.5 2017-12-14 16:46:49.000000000 +0000 
@@ -129,6 +129,13 @@ .I space_left_action if the volume fills up. This is best used in combination with an external script used to archive logs on a periodic basis. .TP +.I verify_email +This option determines if the email address given in +.IR action_mail_acct +is checked to see if the domain name can be resolved. This option must be given before +.IR action_mail_acct +or the default value of yes will be used. +.TP .I action_mail_acct This option should contain a valid email address or alias. The default address is root. If the email address is not local to the machine, you must make sure you have email properly configured on your machine and network. Also, this option requires that /usr/lib/sendmail exists on the machine. .TP diff -Nru audit-2.7.7/docs/audit.rules.7 audit-2.8.2/docs/audit.rules.7 --- audit-2.7.7/docs/audit.rules.7 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/audit.rules.7 2017-12-14 16:46:49.000000000 +0000 
@@ -9,7 +9,7 @@ Control commands generally involve configuring the audit system rather than telling it what to watch for. These commands typically include deleting all rules, setting the size of the kernel's backlog queue, setting the failure mode, setting the event rate limit, or to tell auditctl to ignore syntax errors in the rules and continue loading. Generally, these rules are at the top of the rules file. .SS File System -File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in the rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these rules generally follow this format: +File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in a watch rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these watch rules generally follow this format: .nf .B \-w path-to-file \-p permissions \-k keyname 
@@ -31,6 +31,15 @@ .B a - change in the file's attribute .RE + +Watches can also be created using the syscall format described below which allow for greater flexibility and options. Using syscall rules you can choose between +.B path +and +.B dir +which is against a specific inode or directory tree respectively. It should also be noted that the recursive directory watch will stop if there is a mount point below the parent directory. There is an option to make the mounted subdirectory equivalent by using a +.B -q +rule. + .SS System Call The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. 
@@ -40,7 +49,7 @@ The user filter is used to filter (remove) some events that originate in user space. By default, any event originating in user space is allowed. So, if there are some events that you do not want to see, then this is a place where some can be removed. See auditctl(8) for fields that are valid. -The exclude filter is used to exclude certain events from being emitted. The msgtype field is used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. +The exclude filter is used to exclude certain events from being emitted. The msgtype and a number of subject attribute fields can be used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. The action is ignored for this filter, defaulting to "never". Syscall rules take the general form of: diff -Nru audit-2.7.7/docs/auparse_get_field_num.3 audit-2.8.2/docs/auparse_get_field_num.3 --- audit-2.7.7/docs/auparse_get_field_num.3 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auparse_get_field_num.3 2017-12-14 16:46:49.000000000 +0000 
@@ -7,7 +7,7 @@ unsigned int auparse_get_field_num(auparse_state_t *au); .SH "DESCRIPTION" -auparse_get_field_num will retreive the internal library cursors current field location in the current record. Fields within the same record are numbered starting from 0. This is generally not needed but there are some cases where one may want to know the exact field being looked at. +auparse_get_field_num will retrieve the internal library cursors current field location in the current record. Fields within the same record are numbered starting from 0. This is generally not needed but there are some cases where one may want to know the exact field being looked at. .SH "RETURN VALUE" diff -Nru audit-2.7.7/docs/auparse_get_record_num.3 audit-2.8.2/docs/auparse_get_record_num.3 --- audit-2.7.7/docs/auparse_get_record_num.3 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auparse_get_record_num.3 2017-12-14 16:46:49.000000000 +0000 @@ -7,7 +7,7 @@ unsigned int auparse_get_record_num(auparse_state_t *au); .SH "DESCRIPTION" -auparse_get_record_num will retreive the internal library cursors current record location in the current event. Records within the same event are numbered starting from 0. This is generally not needed but there are some cases where one may want to know the exact record being looked at. +auparse_get_record_num will retrieve the internal library cursors current record location in the current event. Records within the same event are numbered starting from 0. This is generally not needed but there are some cases where one may want to know the exact record being looked at. .SH "RETURN VALUE" diff -Nru audit-2.7.7/docs/auparse_interpret_field.3 audit-2.8.2/docs/auparse_interpret_field.3 --- audit-2.7.7/docs/auparse_interpret_field.3 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auparse_interpret_field.3 2017-12-14 16:46:49.000000000 +0000 
@@ -1,24 +1,46 @@ -.TH "AUPARSE_INTERPRET_FIELD" "3" "July 2016" "Red Hat" "Linux Audit API" +.TH "AUPARSE_INTERPRET_FIELD" "3" "August 2017" "Red Hat" "Linux Audit API" .SH NAME -auparse_interpret_field \- get current field's value interpreted +.nf +auparse_interpret_field, auparse_interpret_realpath,auparse_interpret_sock_family,auparse_interpret_sock_port,auparse_interpret_sock_address \- get current field's interpreted value +.fi .SH "SYNOPSIS" +.nf .B #include .sp const char *auparse_interpret_field(auparse_state_t *au); +const char *auparse_interpret_realpath(auparse_state_t *au); +const char *auparse_interpret_sock_family(auparse_state_t *au); +const char *auparse_interpret_sock_port(auparse_state_t *au); +const char *auparse_interpret_sock_address(auparse_state_t *au); .SH "DESCRIPTION" -auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned string is escaped using the chosen method. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use. +.B auparse_interpret_field +allows access to the interpreted value in the current field of the current record in the current event. The returned string is escaped using the chosen method. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use. Examples of things that could be interpreted are: uid, gid, syscall numbers, exit codes, file paths, socket addresses, permissions, modes, and capabilities. There are likely to be more in the future. If a value cannot be interpreted, its original value is returned. +.B auparse_interpret_realpath +is like auparse_interpret_field except that it will call realpath on the results of gluing the cwd and file together. 
This also implies that it only valid to be called for the file name given in a PATH record. + +.B auparse_interpret_sock_family +will only return the socket family portion of a socket address. + +.B auparse_interpret_sock_port +will only return the port portion of a socket address. Not all socket families have a port. If that is the case, you will get a NULL value in which case your best option is to use the normal interpretation function. + +.B auparse_interpret_sock_address +will only return the address portion of a socket address. Not all socket families have an ip address. If that is the case, you will get a NULL value in which case your best option is to use the normal interpretation function. + .SH "RETURN VALUE" Returns NULL if there is an error otherwise a pointer to the interpreted value. .SH "SEE ALSO" -.BR auparse_get_field_int (3), auparse_get_field_str (3), auparse_set_escape_mode (3). +.BR auparse_get_field_int (3), +.BR auparse_get_field_str (3), +.BR auparse_set_escape_mode (3). .SH AUTHOR Steve Grubb diff -Nru audit-2.7.7/docs/auparse_normalize_functions.3 audit-2.8.2/docs/auparse_normalize_functions.3 --- audit-2.7.7/docs/auparse_normalize_functions.3 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/auparse_normalize_functions.3 2017-12-14 16:46:49.000000000 +0000 
@@ -1,7 +1,7 @@ .TH "AUPARSE_NORMALIZE_FUNCTIONS" "3" "March 2017" "Red Hat" "Linux Audit API" .SH NAME .nf -auparse_normalize_get_event_kind, auparse_normalize_subject_kind, auparse_normalize_get_action, auparse_normalize_object_kind, auparse_normalize_how, auparse_normalize_session, auparse_normalize_subject_primary, auparse_normalize_subject_secondary, auparse_normalize_subject_first_attribute, auparse_normalize_subject_next_attribute, auparse_normalize_object_primary, auparse_normalize_object_secondary, auparse_normalize_object_first_attribute, auparse_normalize_object_next_attribute, auparse_normalize_get_results, auparse_normalize_key \- Access normalized fields +auparse_normalize_get_event_kind, auparse_normalize_subject_kind, auparse_normalize_get_action, auparse_normalize_object_kind, auparse_normalize_how, auparse_normalize_session, auparse_normalize_subject_primary, auparse_normalize_subject_secondary, auparse_normalize_subject_first_attribute, auparse_normalize_subject_next_attribute, auparse_normalize_object_primary, auparse_normalize_object_secondary, auparse_normalize_object_primary2, auparse_normalize_object_first_attribute, auparse_normalize_object_next_attribute, auparse_normalize_get_results, auparse_normalize_key \- Access normalized fields .fi .SH "SYNOPSIS" .nf @@ -22,6 +22,7 @@ .B int auparse_normalize_subject_next_attribute(auparse_state_t *au); .B int auparse_normalize_object_primary(auparse_state_t *au); .B int auparse_normalize_object_secondary(auparse_state_t *au); +.B int auparse_normalize_object_primary2(auparse_state_t *au); .B int auparse_normalize_object_first_attribute(auparse_state_t *au); .B int auparse_normalize_object_next_attribute(auparse_state_t *au); .B int auparse_normalize_get_results(auparse_state_t *au); diff -Nru audit-2.7.7/docs/ausearch.8 audit-2.8.2/docs/ausearch.8 --- audit-2.7.7/docs/ausearch.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/docs/ausearch.8 2017-12-14 16:46:49.000000000 +0000 
@@ -61,6 +61,9 @@ .BR \-\-extra-labels \ When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about subject and object labels when they exist. .TP +.BR \-\-extra-obj2 \ +When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about a second object when it exists. It's rare that a second object is part of a record. Some examples are when a file is renamed from one name to another or when a device is mounted to a path. +.TP .BR \-\-extra-time \ When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about broken down time to make subsetting easier. .TP diff -Nru audit-2.7.7/docs/Makefile.in audit-2.8.2/docs/Makefile.in --- audit-2.7.7/docs/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/docs/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/init.d/audispd.conf audit-2.8.2/init.d/audispd.conf --- audit-2.7.7/init.d/audispd.conf 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/audispd.conf 2017-12-14 16:46:49.000000000 +0000 @@ -9,4 +9,4 @@ max_restarts = 10 name_format = HOSTNAME #name = mydomain - +plugin_dir = /etc/audisp/plugins.d/ diff -Nru audit-2.7.7/init.d/auditd.conf audit-2.8.2/init.d/auditd.conf --- audit-2.7.7/init.d/auditd.conf 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/auditd.conf 2017-12-14 16:46:49.000000000 +0000 
@@ -19,13 +19,14 @@ max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG +verify_email = yes action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND use_libwrap = yes -##tcp_listen_port = +##tcp_listen_port = 60 tcp_listen_queue = 5 tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 diff -Nru audit-2.7.7/init.d/auditd.init audit-2.8.2/init.d/auditd.init --- audit-2.7.7/init.d/auditd.init 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/auditd.init 2017-12-14 16:46:49.000000000 +0000 @@ -50,7 +50,7 @@ test -x /sbin/auditd || exit 5 test -f /etc/audit/auditd.conf || exit 6 - echo -n $"Starting $prog: " + printf "Starting $prog: " # Localization for auditd is controlled in /etc/synconfig/auditd if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then @@ -85,7 +85,7 @@ } stop(){ - echo -n $"Stopping $prog: " + printf "Stopping $prog: " killproc $prog RETVAL=$? echo @@ -102,7 +102,7 @@ reload(){ test -f /etc/audit/auditd.conf || exit 6 - echo -n $"Reloading configuration: " + printf "Reloading configuration: " killproc $prog -HUP RETVAL=$? echo @@ -110,7 +110,7 @@ } rotate(){ - echo -n $"Rotating logs: " + printf "Rotating logs: " killproc $prog -USR1 RETVAL=$? echo @@ -118,7 +118,7 @@ } resume(){ - echo -n $"Resuming logging: " + printf "Resuming logging: " killproc $prog -USR2 RETVAL=$? echo @@ -161,7 +161,7 @@ condrestart ;; *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|rotate|resume}" + echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|rotate|resume}" RETVAL=3 esac diff -Nru audit-2.7.7/init.d/auditd.resume audit-2.8.2/init.d/auditd.resume --- audit-2.7.7/init.d/auditd.resume 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/auditd.resume 2017-12-14 16:46:49.000000000 +0000 
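Review bot: The replacement `printf "Starting $prog: "` in init.d/auditd.init expands `$prog` inside the format string, so a `%` in the value would be parsed as a conversion; the portable form that also matches the rest of the script is `printf "Starting %s: " "$prog"`. The same pattern appears in the stop, reload, rotate and resume hunks of this file and in the three single-hunk scripts auditd.resume, auditd.rotate and auditd.stop on the next line. With `prog="auditd"` set at the top of those scripts this is harmless today, but the variable-as-argument form costs nothing and keeps the bashism cleanup (`source` to `.`, dropping `$"..."`) fully POSIX.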
@@ -7,9 +7,9 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -source /etc/init.d/functions +. /etc/init.d/functions -echo -n $"Resuming logging: " +printf "Resuming logging: " killproc $prog -USR2 RETVAL=$? echo diff -Nru audit-2.7.7/init.d/auditd.rotate audit-2.8.2/init.d/auditd.rotate --- audit-2.7.7/init.d/auditd.rotate 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/auditd.rotate 2017-12-14 16:46:49.000000000 +0000 @@ -7,9 +7,9 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -source /etc/init.d/functions +. /etc/init.d/functions -echo -n $"Rotating logs: " +printf "Rotating logs: " killproc $prog -USR1 RETVAL=$? echo diff -Nru audit-2.7.7/init.d/auditd.stop audit-2.8.2/init.d/auditd.stop --- audit-2.7.7/init.d/auditd.stop 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/auditd.stop 2017-12-14 16:46:49.000000000 +0000 @@ -7,9 +7,9 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -source /etc/init.d/functions +. /etc/init.d/functions -echo -n $"Stopping logging: " +printf "Stopping logging: " killproc $prog -TERM RETVAL=$? echo diff -Nru audit-2.7.7/init.d/augenrules audit-2.8.2/init.d/augenrules --- audit-2.7.7/init.d/augenrules 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/init.d/augenrules 2017-12-14 16:46:49.000000000 +0000 @@ -76,7 +76,7 @@ echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules} for rules in $(/bin/ls -1v ${SourceRulesDir} | grep "\.rules$") ; do cat ${SourceRulesDir}/${rules} -done | awk '\ +done | awk ' BEGIN { minus_e = ""; minus_D = ""; diff -Nru audit-2.7.7/init.d/Makefile.in audit-2.8.2/init.d/Makefile.in --- audit-2.7.7/init.d/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/init.d/Makefile.in 2017-12-14 16:46:54.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/INSTALL audit-2.8.2/INSTALL --- audit-2.7.7/INSTALL 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/INSTALL 2017-12-14 16:46:55.000000000 +0000 
@@ -1,11 +1,30 @@ -To build the package, try this: rpmbuild --rebuild audit-1.7.5-1.src.rpm -substituting the proper version. -If you insist on doing it the hard way: -./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes +To build audit from github, cd to the place where you want everything to be. +Then do this: + +git clone https://github.com/linux-audit/audit-userspace.git +cd audit-userspace +./autogen.sh +./configure +make dist + +This will result in a tar file. This can then be used with the packaging +system for your OS. This is the recommended way to do it. + +If you do not want use a packaging system, read the options from +./configure --help and choose appropriately. For example, you may want +to do something like this as root: + +./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin \ +--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \ +--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec \ +--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man \ +--infodir=/usr/share/info --sbindir=/sbin --libdir=/lib64 \ +--with-python=yes --with-python3=yes --with-libwrap --enable-tcp=yes \ +--enable-gssapi-krb5=yes --with-arm --with-aarch64 --with-libcap-ng=yes \ +--without-golang --enable-systemd + make make install -If you want to do this from a git copy, precede the above with: -./autogen.sh diff -Nru audit-2.7.7/install-sh audit-2.8.2/install-sh --- audit-2.7.7/install-sh 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/install-sh 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2013-12-25.23; # UTC +scriptversion=2016-01-11.22; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the 
@@ -496,6 +496,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/lib/arm_table.h audit-2.8.2/lib/arm_table.h --- audit-2.7.7/lib/arm_table.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/arm_table.h 2017-12-14 16:46:49.000000000 +0000 @@ -380,3 +380,4 @@ _S(394, "pkey_mprotect") _S(395, "pkey_alloc") _S(396, "pkey_free") +_S(397, "statx") diff -Nru audit-2.7.7/lib/errormsg.h audit-2.8.2/lib/errormsg.h --- audit-2.7.7/lib/errormsg.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/errormsg.h 2017-12-14 16:46:49.000000000 +0000 @@ -1,6 +1,6 @@ /* errormsg.h -- * Copyright 2008 FUJITSU Inc. - * Copyright 2012-16 Red Hat + * Copyright 2012-17 Red Hat * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -20,6 +20,7 @@ * Authors: * Zhang Xiliang * Steve Grubb + * Richard Guy Briggs */ struct msg_tab { @@ -66,6 +67,9 @@ #define EAU_FIELDNOFILTER 31 #define EAU_FILTERMISSING 32 #define EAU_COMPINCOMPAT 33 +#define EAU_FIELDUNAVAIL 34 +#define EAU_FILTERNOSUPPORT 35 +#define EAU_FSTYPEUNKNOWN 36 static const struct msg_tab err_msgtab[] = { { -EAU_OPMISSING, 2, "-F missing operation for" }, { -EAU_FIELDUNKNOWN, 2, "-F unknown field:" }, 
@@ -100,5 +104,8 @@ { -EAU_FIELDNOFILTER, 1, "must be used with exclude, user, or exit filter" }, { -EAU_FILTERMISSING, 0, "filter is missing from rule" }, { -EAU_COMPINCOMPAT, 2, "-C incompatible comparison" }, + { -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" }, + { -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" }, + { -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" }, }; #endif diff -Nru audit-2.7.7/lib/fieldtab.h audit-2.8.2/lib/fieldtab.h --- audit-2.7.7/lib/fieldtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/fieldtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -18,6 +18,7 @@ * * Authors: * Steve Grubb + * Richard Guy Briggs */ _S(AUDIT_PID, "pid" ) @@ -56,6 +57,7 @@ _S(AUDIT_PERM, "perm" ) _S(AUDIT_DIR, "dir" ) _S(AUDIT_FILETYPE, "filetype" ) +_S(AUDIT_FSTYPE, "fstype" ) _S(AUDIT_OBJ_UID, "obj_uid" ) _S(AUDIT_OBJ_GID, "obj_gid" ) _S(AUDIT_FIELD_COMPARE, "field_compare" ) diff -Nru audit-2.7.7/lib/flagtab.h audit-2.8.2/lib/flagtab.h --- audit-2.7.7/lib/flagtab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/flagtab.h 2017-12-14 16:46:49.000000000 +0000 @@ -18,8 +18,10 @@ * * Authors: * Steve Grubb + * Richard Guy Briggs */ -_S(AUDIT_FILTER_TASK, "task" ) -_S(AUDIT_FILTER_EXIT, "exit" ) -_S(AUDIT_FILTER_USER, "user" ) -_S(AUDIT_FILTER_EXCLUDE, "exclude" ) +_S(AUDIT_FILTER_TASK, "task" ) +_S(AUDIT_FILTER_EXIT, "exit" ) +_S(AUDIT_FILTER_USER, "user" ) +_S(AUDIT_FILTER_EXCLUDE, "exclude" ) +_S(AUDIT_FILTER_FS, "filesystem") diff -Nru audit-2.7.7/lib/fstypetab.h audit-2.8.2/lib/fstypetab.h --- audit-2.7.7/lib/fstypetab.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-2.8.2/lib/fstypetab.h 2017-12-14 16:46:49.000000000 +0000 
@@ -0,0 +1,26 @@ +/* fstypetab.h -- + * Copyright 2017 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb + * + * Source of info: /usr/include/linux/magic.h + * + */ +_S(0x74726163, "tracefs" ) +_S(0x64626720, "debugfs" ) diff -Nru audit-2.7.7/lib/libaudit.c audit-2.8.2/lib/libaudit.c --- audit-2.7.7/lib/libaudit.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/libaudit.c 2017-12-14 16:46:49.000000000 +0000 @@ -19,6 +19,7 @@ * Authors: * Steve Grubb * Rickard E. (Rik) Faith + * Richard Guy Briggs */ #include "config.h" @@ -85,6 +86,7 @@ int _audit_archadded = 0; int _audit_syscalladded = 0; int _audit_exeadded = 0; +int _audit_filterfsadded = 0; unsigned int _audit_elf = 0U; static struct libaudit_conf config; @@ -517,6 +519,7 @@ int audit_reset_lost(int fd) { int rc; + int seq; struct audit_status s; if ((audit_get_features() & AUDIT_FEATURE_BITMAP_LOST_RESET) == 0) @@ -525,7 +528,7 @@ memset(&s, 0, sizeof(s)); s.mask = AUDIT_STATUS_LOST; s.lost = 0; - rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + rc = __audit_send(fd, AUDIT_SET, &s, sizeof(s), &seq); if (rc < 0) audit_msg(audit_priority(errno), "Error sending lost reset request (%s)", 
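Review bot: The new fstypetab.h lists only tracefs and debugfs, but the parser added to libaudit.c in this same release falls back to strtoul() for any value that starts with a digit, so the effective contract is "a name from this table, or the raw superblock magic from linux/magic.h" — that should be stated here, next to the existing `Source of info` line, e.g. `* Names not listed here may be given to auditctl as the numeric magic value (e.g. -F fstype=0x74726163).` The table is generated with `--lowercase` (lib/Makefile.am), so presumably entries must be lowercase to be found by the s2i lookup; if so, a one-line note to that effect would save the next contributor a silent lookup failure.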
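Review bot: In audit_reset_lost the new `seq` is an out-parameter that is filled by __audit_send and never read, so the only visible effect of switching away from audit_send() is that rc is now 0 on success instead of the netlink sequence number; that is presumably what callers of audit_reset_lost expect, but it deserves a comment at the declaration: `int seq; /* required by __audit_send; unused — we want 0, not the sequence, on success */`. The function's return statement lies outside the hunk, so I cannot confirm rc is propagated unchanged.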
@@ -672,7 +675,7 @@ int audit_update_watch_perms(struct audit_rule_data *rule, int perms) { - int i, done=0; + unsigned int i, done=0; if (rule->field_count < 1) return -1; @@ -835,7 +838,7 @@ } /* - * This function will retreive the loginuid or -1 if there + * This function will retrieve the loginuid or -1 if there * is an error. */ uid_t audit_getloginuid(void) @@ -899,7 +902,7 @@ } /* - * This function will retreive the login session or -2 if there + * This function will retrieve the login session or -2 if there * is an error. */ uint32_t audit_get_session(void) @@ -1466,6 +1469,14 @@ } } + /* FS filter can be used only with FSTYPE field */ + if (flags == AUDIT_FILTER_FS) { + uint32_t features = audit_get_features(); + if ((features & AUDIT_FEATURE_BITMAP_FILTER_FS) == 0) { + return -EAU_FILTERNOSUPPORT; + } + } + rule->fields[rule->field_count] = field; rule->fieldflags[rule->field_count] = op; switch (field) @@ -1580,7 +1591,8 @@ } if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded || - _audit_exeadded)) + _audit_exeadded || + _audit_filterfsadded)) return -EAU_KEYDEP; vlen = strlen(v); if (field == AUDIT_FILTERKEY && @@ -1677,6 +1689,22 @@ return -EAU_FILETYPEUNKNOWN; } break; + case AUDIT_FSTYPE: + if (!(flags == AUDIT_FILTER_FS)) + return -EAU_FIELDUNAVAIL; + if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL)) + return -EAU_OPEQNOTEQ; + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else + rule->values[rule->field_count] = + audit_name_to_fstype(v); + if ((int)rule->values[rule->field_count] == -1) { + return -EAU_FSTYPEUNKNOWN; + } + _audit_filterfsadded = 1; + break; case AUDIT_ARG0...AUDIT_ARG3: vlen = strlen(v); if (isdigit((char)*(v))) diff -Nru audit-2.7.7/lib/libaudit.h audit-2.8.2/lib/libaudit.h --- audit-2.7.7/lib/libaudit.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/libaudit.h 2017-12-14 16:46:49.000000000 +0000 
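Review bot: The comment `/* FS filter can be used only with FSTYPE field */` does not describe the check beneath it, which tests the kernel feature bitmap rather than the field; and the field-side restriction it announces is not enforced here either — nothing in the visible code rejects other fields on a filesystem-list rule, and the key handling further down explicitly admits `_audit_filterfsadded`. I'd reword it to `/* The filesystem filter list needs kernel support; refuse the rule early if the feature bitmap lacks it */` and, if other fields really are meant to be rejected on this list, add that check instead of leaving it to the comment. The enclosing function starts before and ends after the hunk.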
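Review bot: The numeric branch of the new AUDIT_FSTYPE case passes NULL as strtoul's end pointer and never checks errno, so a mistyped value such as `-F fstype=0x7472616x` or an out-of-range number is silently accepted, and the follow-up `(int)rule->values[...] == -1` test would also report the (unlikely but legal) magic 0xffffffff as unknown. The pattern mirrors the AUDIT_ARG0 case just below, so it is an existing habit in this file, but for a filter that decides which file systems are never audited a typo should be an error rather than a rule that silently matches nothing. I'd validate the end pointer and errno on the numeric path and test the name lookup result before storing it, as sketched below; errno is already used elsewhere in this file. The enclosing function starts and ends outside the hunk.
```c
	case AUDIT_FSTYPE:
		/* … unchanged: filter and operator checks … */
		if (isdigit((unsigned char)*v)) {
			char *end;
			unsigned long magic;

			errno = 0;
			magic = strtoul(v, &end, 0);
			if (errno || *end != '\0' || magic > 0xffffffffUL)
				return -EAU_FSTYPEUNKNOWN;
			rule->values[rule->field_count] = magic;
		} else {
			int t = audit_name_to_fstype(v);
			if (t == -1)
				return -EAU_FSTYPEUNKNOWN;
			rule->values[rule->field_count] = t;
		}
		_audit_filterfsadded = 1;
		break;
```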
@@ -96,6 +96,8 @@ #define AUDIT_MAC_CHECK 1134 /* User space MAC decision results */ #define AUDIT_ACCT_LOCK 1135 /* User's account locked by admin */ #define AUDIT_ACCT_UNLOCK 1136 /* User's account unlocked by admin */ +#define AUDIT_USER_DEVICE 1137 /* User space hotplug device changes */ +#define AUDIT_SOFTWARE_UPDATE 1138 /* Software update event */ #define AUDIT_FIRST_DAEMON 1200 #define AUDIT_LAST_DAEMON 1299 @@ -269,6 +271,10 @@ #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ #endif +#ifndef AUDIT_FANOTIFY +#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ +#endif + #ifndef AUDIT_ANOM_LINK #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ #endif @@ -277,6 +283,9 @@ #define AUDIT_KEY_SEPARATOR 0x01 /* These are used in filter control */ +#ifndef AUDIT_FILTER_FS +#define AUDIT_FILTER_FS 0x06 /* FS record filter in __audit_inode_child */ +#endif #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */ #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */ @@ -305,6 +314,9 @@ #ifndef AUDIT_FEATURE_BITMAP_LOST_RESET #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 #endif +#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS +#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID @@ -324,6 +336,10 @@ #define AUDIT_SESSIONID 25 #endif +#ifndef AUDIT_FSTYPE +#define AUDIT_FSTYPE 26 +#endif + #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #endif 
@@ -553,6 +569,8 @@ extern const char *audit_errno_to_name(int error); extern int audit_name_to_ftype(const char *name); extern const char *audit_ftype_to_name(int ftype); +extern int audit_name_to_fstype(const char *name); +extern const char *audit_fstype_to_name(int fstype); extern void audit_number_to_errmsg(int errnumber, const char *opt); /* AUDIT_GET */ diff -Nru audit-2.7.7/lib/lookup_table.c audit-2.8.2/lib/lookup_table.c --- audit-2.7.7/lib/lookup_table.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/lookup_table.c 2017-12-14 16:46:49.000000000 +0000 @@ -51,6 +51,7 @@ #include "s390x_tables.h" #include "x86_64_tables.h" #include "errtabs.h" +#include "fstypetabs.h" #include "ftypetabs.h" #include "fieldtabs.h" #endif @@ -345,5 +346,25 @@ #else return NULL; #endif +} + +int audit_name_to_fstype(const char *name) +{ + int res; + +#ifndef NO_TABLES + if (fstype_s2i(name, &res) != 0) + return res; +#endif + return -1; +} + +const char *audit_fstype_to_name(int fstype) +{ +#ifndef NO_TABLES + return fstype_i2s(fstype); +#else + return NULL; +#endif } diff -Nru audit-2.7.7/lib/Makefile.am audit-2.8.2/lib/Makefile.am --- audit-2.7.7/lib/Makefile.am 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/Makefile.am 2017-12-14 16:46:49.000000000 +0000 @@ -43,7 +43,7 @@ nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ - ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ + fstypetabs.h ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ s390x_tables.h x86_64_tables.h if USE_ALPHA 
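Review bot: audit_name_to_fstype() funnels a 32-bit superblock magic through `int` and uses -1 as its failure value; linux/magic.h, which fstypetab.h cites as its source, contains constants with the top bit set (ramfs, hugetlbfs and bpf_fs, if memory serves), so as soon as the table grows beyond tracefs/debugfs those names would come back negative and a magic of 0xffffffff could not be told from "unknown". The prototype in libaudit.h is public, so at minimum document the contract there: `/* Returns the superblock magic as an int (negative for magics >= 0x80000000), or -1 if the name is unknown */`. audit_fstype_to_name(int) has the same signed/unsigned mismatch against the table's values.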
@@ -56,7 +56,7 @@ BUILT_SOURCES += aarch64_tables.h endif noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \ - gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \ + gen_flagtabs_h gen_fstypetabs_h gen_ftypetabs_h gen_i386_tables_h \ gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \ gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ gen_s390x_tables_h gen_x86_64_tables_h @@ -166,6 +166,19 @@ flagtabs.h: gen_flagtabs_h Makefile ./gen_flagtabs_h --lowercase --i2s --s2i flag > $@ +gen_fstypetabs_h_SOURCES = gen_tables.c gen_tables.h fstypetab.h +gen_fstypetabs_h_CFLAGS = '-DTABLE_H="fstypetab.h"' +$(gen_fstypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +fstypetabs.h: gen_fstypetabs_h Makefile + ./gen_fstypetabs_h --lowercase --i2s --s2i fstype > $@ + gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h gen_ftypetabs_h_CFLAGS = '-DTABLE_H="ftypetab.h"' $(gen_ftypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) diff -Nru audit-2.7.7/lib/Makefile.in audit-2.8.2/lib/Makefile.in --- audit-2.7.7/lib/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/lib/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -119,12 +119,13 @@ @USE_AARCH64_TRUE@am__append_3 = aarch64_tables.h noinst_PROGRAMS = gen_actiontabs_h$(EXEEXT) gen_errtabs_h$(EXEEXT) \ gen_fieldtabs_h$(EXEEXT) gen_flagtabs_h$(EXEEXT) \ - gen_ftypetabs_h$(EXEEXT) gen_i386_tables_h$(EXEEXT) \ - gen_ia64_tables_h$(EXEEXT) gen_machinetabs_h$(EXEEXT) \ - gen_msg_typetabs_h$(EXEEXT) gen_optabs_h$(EXEEXT) \ - gen_ppc_tables_h$(EXEEXT) gen_s390_tables_h$(EXEEXT) \ - gen_s390x_tables_h$(EXEEXT) gen_x86_64_tables_h$(EXEEXT) \ - $(am__EXEEXT_1) $(am__EXEEXT_2) $(am__EXEEXT_3) + gen_fstypetabs_h$(EXEEXT) gen_ftypetabs_h$(EXEEXT) \ + gen_i386_tables_h$(EXEEXT) gen_ia64_tables_h$(EXEEXT) \ + gen_machinetabs_h$(EXEEXT) gen_msg_typetabs_h$(EXEEXT) \ + gen_optabs_h$(EXEEXT) gen_ppc_tables_h$(EXEEXT) \ + gen_s390_tables_h$(EXEEXT) gen_s390x_tables_h$(EXEEXT) \ + gen_x86_64_tables_h$(EXEEXT) $(am__EXEEXT_1) $(am__EXEEXT_2) \ + $(am__EXEEXT_3) @USE_ALPHA_TRUE@am__append_4 = gen_alpha_tables_h @USE_ARM_TRUE@am__append_5 = gen_arm_tables_h @USE_AARCH64_TRUE@am__append_6 = gen_aarch64_tables_h @@ -248,6 +249,13 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(gen_flagtabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ $@ +am_gen_fstypetabs_h_OBJECTS = gen_fstypetabs_h-gen_tables.$(OBJEXT) +gen_fstypetabs_h_OBJECTS = $(am_gen_fstypetabs_h_OBJECTS) +gen_fstypetabs_h_LDADD = $(LDADD) +gen_fstypetabs_h_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(gen_fstypetabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ am_gen_ftypetabs_h_OBJECTS = gen_ftypetabs_h-gen_tables.$(OBJEXT) gen_ftypetabs_h_OBJECTS = $(am_gen_ftypetabs_h_OBJECTS) gen_ftypetabs_h_LDADD = $(LDADD) 
@@ -358,23 +366,24 @@ $(gen_aarch64_tables_h_SOURCES) $(gen_actiontabs_h_SOURCES) \ $(gen_alpha_tables_h_SOURCES) $(gen_arm_tables_h_SOURCES) \ $(gen_errtabs_h_SOURCES) $(gen_fieldtabs_h_SOURCES) \ - $(gen_flagtabs_h_SOURCES) $(gen_ftypetabs_h_SOURCES) \ - $(gen_i386_tables_h_SOURCES) $(gen_ia64_tables_h_SOURCES) \ - $(gen_machinetabs_h_SOURCES) $(gen_msg_typetabs_h_SOURCES) \ - $(gen_optabs_h_SOURCES) $(gen_ppc_tables_h_SOURCES) \ - $(gen_s390_tables_h_SOURCES) $(gen_s390x_tables_h_SOURCES) \ - $(gen_x86_64_tables_h_SOURCES) + $(gen_flagtabs_h_SOURCES) $(gen_fstypetabs_h_SOURCES) \ + $(gen_ftypetabs_h_SOURCES) $(gen_i386_tables_h_SOURCES) \ + $(gen_ia64_tables_h_SOURCES) $(gen_machinetabs_h_SOURCES) \ + $(gen_msg_typetabs_h_SOURCES) $(gen_optabs_h_SOURCES) \ + $(gen_ppc_tables_h_SOURCES) $(gen_s390_tables_h_SOURCES) \ + $(gen_s390x_tables_h_SOURCES) $(gen_x86_64_tables_h_SOURCES) DIST_SOURCES = $(libaudit_la_SOURCES) \ $(am__gen_aarch64_tables_h_SOURCES_DIST) \ $(gen_actiontabs_h_SOURCES) \ $(am__gen_alpha_tables_h_SOURCES_DIST) \ $(am__gen_arm_tables_h_SOURCES_DIST) $(gen_errtabs_h_SOURCES) \ $(gen_fieldtabs_h_SOURCES) $(gen_flagtabs_h_SOURCES) \ - $(gen_ftypetabs_h_SOURCES) $(gen_i386_tables_h_SOURCES) \ - $(gen_ia64_tables_h_SOURCES) $(gen_machinetabs_h_SOURCES) \ - $(gen_msg_typetabs_h_SOURCES) $(gen_optabs_h_SOURCES) \ - $(gen_ppc_tables_h_SOURCES) $(gen_s390_tables_h_SOURCES) \ - $(gen_s390x_tables_h_SOURCES) $(gen_x86_64_tables_h_SOURCES) + $(gen_fstypetabs_h_SOURCES) $(gen_ftypetabs_h_SOURCES) \ + $(gen_i386_tables_h_SOURCES) $(gen_ia64_tables_h_SOURCES) \ + $(gen_machinetabs_h_SOURCES) $(gen_msg_typetabs_h_SOURCES) \ + $(gen_optabs_h_SOURCES) $(gen_ppc_tables_h_SOURCES) \ + $(gen_s390_tables_h_SOURCES) $(gen_s390x_tables_h_SOURCES) \ + $(gen_x86_64_tables_h_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ 
@@ -623,10 +632,10 @@ libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ - ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ - msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ - s390x_tables.h x86_64_tables.h $(am__append_1) $(am__append_2) \ - $(am__append_3) + fstypetabs.h ftypetabs.h i386_tables.h ia64_tables.h \ + machinetabs.h msg_typetabs.h optabs.h ppc_tables.h \ + s390_tables.h s390x_tables.h x86_64_tables.h $(am__append_1) \ + $(am__append_2) $(am__append_3) gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h gen_actiontabs_h_CFLAGS = '-DTABLE_H="actiontab.h"' @USE_ALPHA_TRUE@gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h @@ -641,6 +650,8 @@ gen_fieldtabs_h_CFLAGS = '-DTABLE_H="fieldtab.h"' gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h gen_flagtabs_h_CFLAGS = '-DTABLE_H="flagtab.h"' +gen_fstypetabs_h_SOURCES = gen_tables.c gen_tables.h fstypetab.h +gen_fstypetabs_h_CFLAGS = '-DTABLE_H="fstypetab.h"' gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h gen_ftypetabs_h_CFLAGS = '-DTABLE_H="ftypetab.h"' gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h @@ -773,6 +784,10 @@ @rm -f gen_flagtabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_flagtabs_h_LINK) $(gen_flagtabs_h_OBJECTS) $(gen_flagtabs_h_LDADD) $(LIBS) +gen_fstypetabs_h$(EXEEXT): $(gen_fstypetabs_h_OBJECTS) $(gen_fstypetabs_h_DEPENDENCIES) $(EXTRA_gen_fstypetabs_h_DEPENDENCIES) + @rm -f gen_fstypetabs_h$(EXEEXT) + $(AM_V_CCLD)$(gen_fstypetabs_h_LINK) $(gen_fstypetabs_h_OBJECTS) $(gen_fstypetabs_h_LDADD) $(LIBS) + gen_ftypetabs_h$(EXEEXT): $(gen_ftypetabs_h_OBJECTS) $(gen_ftypetabs_h_DEPENDENCIES) $(EXTRA_gen_ftypetabs_h_DEPENDENCIES) @rm -f gen_ftypetabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_ftypetabs_h_LINK) $(gen_ftypetabs_h_OBJECTS) $(gen_ftypetabs_h_LDADD) $(LIBS) 
@@ -828,6 +843,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_errtabs_h-gen_tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_fieldtabs_h-gen_tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_flagtabs_h-gen_tables.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_fstypetabs_h-gen_tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ftypetabs_h-gen_tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_i386_tables_h-gen_tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ia64_tables_h-gen_tables.Po@am__quote@ 
@@ -963,6 +979,20 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_flagtabs_h_CFLAGS) $(CFLAGS) -c -o gen_flagtabs_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` +gen_fstypetabs_h-gen_tables.o: gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_fstypetabs_h_CFLAGS) $(CFLAGS) -MT gen_fstypetabs_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_fstypetabs_h-gen_tables.Tpo -c -o gen_fstypetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_fstypetabs_h-gen_tables.Tpo $(DEPDIR)/gen_fstypetabs_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen_tables.c' object='gen_fstypetabs_h-gen_tables.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_fstypetabs_h_CFLAGS) $(CFLAGS) -c -o gen_fstypetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c + +gen_fstypetabs_h-gen_tables.obj: gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_fstypetabs_h_CFLAGS) $(CFLAGS) -MT gen_fstypetabs_h-gen_tables.obj -MD -MP -MF $(DEPDIR)/gen_fstypetabs_h-gen_tables.Tpo -c -o gen_fstypetabs_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_fstypetabs_h-gen_tables.Tpo $(DEPDIR)/gen_fstypetabs_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen_tables.c' 
object='gen_fstypetabs_h-gen_tables.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_fstypetabs_h_CFLAGS) $(CFLAGS) -c -o gen_fstypetabs_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` + gen_ftypetabs_h-gen_tables.o: gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ftypetabs_h_CFLAGS) $(CFLAGS) -MT gen_ftypetabs_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_ftypetabs_h-gen_tables.Tpo -c -o gen_ftypetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_ftypetabs_h-gen_tables.Tpo $(DEPDIR)/gen_ftypetabs_h-gen_tables.Po 
@@ -1513,6 +1543,16 @@ gen_flagtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) flagtabs.h: gen_flagtabs_h Makefile ./gen_flagtabs_h --lowercase --i2s --s2i flag > $@ +$(gen_fstypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_fstypetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_fstypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +fstypetabs.h: gen_fstypetabs_h Makefile + ./gen_fstypetabs_h --lowercase --i2s --s2i fstype > $@ $(gen_ftypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) $(gen_ftypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) $(gen_ftypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) diff -Nru audit-2.7.7/lib/msg_typetab.h audit-2.8.2/lib/msg_typetab.h --- audit-2.7.7/lib/msg_typetab.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/msg_typetab.h 2017-12-14 16:46:49.000000000 +0000 @@ -74,6 +74,8 @@ _S(AUDIT_MAC_CHECK, "MAC_CHECK" ) _S(AUDIT_ACCT_LOCK, "ACCT_LOCK" ) _S(AUDIT_ACCT_UNLOCK, "ACCT_UNLOCK" ) +_S(AUDIT_USER_DEVICE, "USER_DEVICE" ) +_S(AUDIT_SOFTWARE_UPDATE, "SOFTWARE_UPDATE" ) _S(AUDIT_SYSTEM_BOOT, "SYSTEM_BOOT" ) _S(AUDIT_SYSTEM_SHUTDOWN, "SYSTEM_SHUTDOWN" ) _S(AUDIT_SYSTEM_RUNLEVEL, "SYSTEM_RUNLEVEL" ) @@ -120,6 +122,7 @@ _S(AUDIT_PROCTITLE, "PROCTITLE" ) _S(AUDIT_FEATURE_CHANGE, "FEATURE_CHANGE" ) _S(AUDIT_KERN_MODULE, "KERN_MODULE" ) +_S(AUDIT_FANOTIFY, "FANOTIFY" ) _S(AUDIT_AVC, "AVC" ) _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) _S(AUDIT_AVC_PATH, "AVC_PATH" ) diff -Nru audit-2.7.7/lib/netlink.c audit-2.8.2/lib/netlink.c --- audit-2.7.7/lib/netlink.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/netlink.c 2017-12-14 16:46:49.000000000 +0000 
@@ -36,7 +36,7 @@ #endif static int adjust_reply(struct audit_reply *rep, int len); -static int check_ack(int fd, int seq); +static int check_ack(int fd); /* * This function opens a connection to the kernel's audit @@ -203,7 +203,7 @@ * error: -errno * short: 0 */ -int audit_send(int fd, int type, const void *data, unsigned int size) +int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq) { static int sequence = 0; struct audit_message req; @@ -224,6 +224,7 @@ if (++sequence < 0) sequence = 1; + *seq = sequence; memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = NLMSG_SPACE(size); @@ -241,24 +242,35 @@ retval = sendto(fd, &req, req.nlh.nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); } while (retval < 0 && errno == EINTR); - if (retval == (int)req.nlh.nlmsg_len) { - if ((retval = check_ack(fd, sequence)) == 0) - return sequence; - else - return retval; - } - if (retval < 0) + if (retval == (int)req.nlh.nlmsg_len) + return check_ack(fd); + if (retval < 0) { return -errno; + } else if (retval > 0) { + errno = EINVAL; + return -errno; + } return 0; } +int audit_send(int fd, int type, const void *data, unsigned int size) +{ + int rc; + int seq; + + rc = __audit_send(fd, type, data, size, &seq); + if (rc == 0) + rc = seq; + return rc; +} + /* * This function will take a peek into the next packet and see if there's * an error. If so, the error is returned and its non-zero. Otherwise a * zero is returned indicating that we don't know of any problems. */ -static int check_ack(int fd, int seq) +static int check_ack(int fd) { int rc, retries = 80; struct audit_reply rep; diff -Nru audit-2.7.7/lib/private.h audit-2.8.2/lib/private.h --- audit-2.7.7/lib/private.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/private.h 2017-12-14 16:46:49.000000000 +0000 
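Review bot: `__audit_send` is a double-underscore identifier, which C reserves for the implementation (C11 §7.1.3), and because its prototype in private.h is placed before AUDIT_HIDDEN_START next to audit_send it looks like it becomes an exported symbol under that reserved name; a project-prefixed name such as `audit_send_seq` avoids both problems. The header comment above the signature still documents audit_send's return values only, and `*seq` is written after the early returns that precede this hunk, so add `* *seq is valid only when 0 is returned` to that comment.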
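Review bot: The header comment above this function still says `short: 0`, but after this hunk a partial send (retval > 0 yet != nlmsg_len) returns -EINVAL and the trailing `return 0;` is reached only when sendto() returns exactly 0; either update the comment to `* short: -EINVAL` or fold the zero case into the EINVAL branch so the contract is uniform. Removing seq from check_ack(fd) also means the ACK peeked at is no longer correlated with the sequence just sent — if the previous body compared rep.nlh.nlmsg_seq against it, a stale error reply from an earlier request could now be attributed to this one; check_ack's body is outside the hunk, so I cannot confirm which it was.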
@@ -62,7 +62,7 @@ /* If set, this reply indicates success but with some warnings. */ #define AUDIT_RMW_TYPE_WARNMASK 0x10000000 /* This part of the message type is the details for the above. */ -#define AUDIT_RMW_TYPE_DETAILMASK 0x0fffffff +#define AUDIT_RMW_TYPE_DETAILMASK 0x000FFFFF /* Version 0 messages. */ #define AUDIT_RMW_TYPE_MESSAGE 0x00000000 @@ -121,6 +121,7 @@ #endif extern int audit_send(int fd, int type, const void *data, unsigned int size); +extern int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq); AUDIT_HIDDEN_START @@ -139,6 +140,7 @@ extern int _audit_archadded; extern int _audit_syscalladded; extern int _audit_exeadded; +extern int _audit_filterfsadded; extern unsigned int _audit_elf; #ifdef __cplusplus diff -Nru audit-2.7.7/lib/test/lookup_test.c audit-2.8.2/lib/test/lookup_test.c --- audit-2.7.7/lib/test/lookup_test.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/lib/test/lookup_test.c 2017-12-14 16:46:49.000000000 +0000 @@ -334,6 +334,22 @@ } static void +test_fstypetab(void) +{ + static const struct entry t[] = { +#include "../fstypetab.h" + }; + + printf("Testing fstypetab...\n"); +#define I2S(I) audit_fstype_to_name(I) +#define S2I(S) audit_name_to_fstype(S) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void test_ftypetab(void) { static const struct entry t[] = { @@ -421,6 +437,7 @@ test_errtab(); test_fieldtab(); test_flagtab(); + test_fstypetab(); test_ftypetab(); test_machinetab(); test_msg_typetab(); diff -Nru audit-2.7.7/lib/test/Makefile.in audit-2.8.2/lib/test/Makefile.in --- audit-2.7.7/lib/test/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/lib/test/Makefile.in 2017-12-14 16:46:55.000000000 +0000 
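Review bot: AUDIT_RMW_TYPE_DETAILMASK shrinks from 28 to 20 bits with no comment saying what bits 20–27 now mean or why they are excluded from the detail field. Given the AUDIT_RMW_ prefix this appears to be the remote-audit wire format, in which case a peer that still sets those bits gets a different detail value after this change; a note such as `/* bits 20-27 are reserved and are ignored when decoding the detail field */` (or whatever the intended meaning is) would make the protocol change explicit for anyone maintaining the other end.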
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/m4/Makefile.in audit-2.8.2/m4/Makefile.in --- audit-2.7.7/m4/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/m4/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/Makefile.in audit-2.8.2/Makefile.in --- audit-2.7.7/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/Makefile.in 2017-12-14 16:46:54.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/missing audit-2.8.2/missing --- audit-2.7.7/missing 2017-06-16 19:01:46.000000000 +0000 +++ audit-2.8.2/missing 2017-12-14 16:46:54.000000000 +0000 
@@ -1,9 +1,9 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2013-10-28.13; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify @@ -210,6 +210,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/py-compile audit-2.8.2/py-compile --- audit-2.7.7/py-compile 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/py-compile 2017-12-14 16:46:54.000000000 +0000 @@ -1,9 +1,9 @@ #!/bin/sh # py-compile - Compile a Python program -scriptversion=2011-06-08.12; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 2000-2014 Free Software Foundation, Inc. +# Copyright (C) 2000-2017 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -165,6 +165,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/rules/23-ignore-filesystems.rules audit-2.8.2/rules/23-ignore-filesystems.rules --- audit-2.7.7/rules/23-ignore-filesystems.rules 1970-01-01 00:00:00.000000000 +0000 +++ audit-2.8.2/rules/23-ignore-filesystems.rules 2017-12-14 16:46:49.000000000 +0000 
@@ -0,0 +1,8 @@ +# This rule supresses events that originate on the below file systems. +# Typically you would use this in conjunction with rules to monitor +# kernel modules. The filesystem listed are known to cause hundreds of +# path records during kernel module load. As an aside, if you do see the +# tracefs or debugfs module load and this is a production system, you really +# should look into why its getting loaded and prevent it if possible. +-a never,filesystem -F fstype=tracefs +-a never,filesystem -F fstype=debugfs diff -Nru audit-2.7.7/rules/40-local.rules audit-2.8.2/rules/40-local.rules --- audit-2.7.7/rules/40-local.rules 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/rules/40-local.rules 2017-12-14 16:46:49.000000000 +0000 @@ -1,4 +1,4 @@ ## Put your own watches after this point # -a exit,always -F path=file -F perm=rwxa -F key=text -# -a exit,always -F dir=directory -F perm-rwxa -F key=text +# -a exit,always -F dir=directory -F perm=rwxa -F key=text diff -Nru audit-2.7.7/rules/43-module-load.rules audit-2.8.2/rules/43-module-load.rules --- audit-2.7.7/rules/43-module-load.rules 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/rules/43-module-load.rules 2017-12-14 16:46:49.000000000 +0000 @@ -1,4 +1,5 @@ ## These rules watch for kernel module insertion +-w /sbin/kmod -p x -k modules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules diff -Nru audit-2.7.7/rules/Makefile.am audit-2.8.2/rules/Makefile.am --- audit-2.7.7/rules/Makefile.am 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/rules/Makefile.am 2017-12-14 16:46:49.000000000 +0000 @@ -1,5 +1,5 @@ # Makefile.am -- -# Copyright 2016 Red Hat Inc., Durham, North Carolina. +# Copyright 2016-17 Red Hat Inc., Durham, North Carolina. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify 
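Review bot: The comment block in 23-ignore-filesystems.rules should say what `-a never,filesystem` actually discards: libaudit.h describes this list as the filter in __audit_inode_child, so as far as I can tell it silences path records for files on these mounts regardless of any -w watch or syscall rule, which is worth a line such as `# NOTE: this drops records for files on these file systems even where a -w watch or syscall rule would otherwise record them.` so nobody later adds a watch under /sys/kernel/debug and wonders why it is silent. Three wording fixes in the same comment: `supresses` → `suppresses`, `The filesystem listed are` → `The file systems listed are`, and `why its getting loaded` → `why it's getting loaded`.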
@@ -25,6 +25,7 @@ EXTRA_DIST = 10-base-config.rules 10-no-audit.rules 11-loginuid.rules \ 12-ignore-error.rules 12-cont-fail.rules \ 20-dont-audit.rules 21-no32bit.rules 22-ignore-chrony.rules \ +23-ignore-filesystems.rules \ 30-nispom.rules 30-stig.rules 30-pci-dss-v31.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ diff -Nru audit-2.7.7/rules/Makefile.in audit-2.8.2/rules/Makefile.in --- audit-2.7.7/rules/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/rules/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am -- -# Copyright 2016 Red Hat Inc., Durham, North Carolina. +# Copyright 2016-17 Red Hat Inc., Durham, North Carolina. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -305,6 +305,7 @@ EXTRA_DIST = 10-base-config.rules 10-no-audit.rules 11-loginuid.rules \ 12-ignore-error.rules 12-cont-fail.rules \ 20-dont-audit.rules 21-no32bit.rules 22-ignore-chrony.rules \ +23-ignore-filesystems.rules \ 30-nispom.rules 30-stig.rules 30-pci-dss-v31.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ diff -Nru audit-2.7.7/src/auditctl.c audit-2.8.2/src/auditctl.c --- audit-2.7.7/src/auditctl.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditctl.c 2017-12-14 16:46:49.000000000 +0000 @@ -19,6 +19,7 @@ * Authors: * Steve Grubb * Rickard E. (Rik) Faith + * Richard Guy Briggs */ #include "config.h" 
@@ -32,6 +33,8 @@ #include #include #include +#include +#include #include #include #include /* For basename */ @@ -74,6 +77,7 @@ _audit_permadded = 0; _audit_archadded = 0; _audit_exeadded = 0; + _audit_filterfsadded = 0; _audit_elf = 0; add = AUDIT_FILTER_UNSET; del = AUDIT_FILTER_UNSET; @@ -151,6 +155,8 @@ *filter = AUDIT_FILTER_EXIT; else if (strcmp(str, "user") == 0) *filter = AUDIT_FILTER_USER; + else if (strcmp(str, "filesystem") == 0) + *filter = AUDIT_FILTER_FS; else if (strcmp(str, "exclude") == 0) { *filter = AUDIT_FILTER_EXCLUDE; exclude = 1; @@ -760,6 +766,13 @@ audit_msg(LOG_ERR, "Error: syscall auditing being added to user list"); return -1; + } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_FS || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_FS)) { + audit_msg(LOG_ERR, + "Error: syscall auditing being added to filesystem list"); + return -1; } else if (exclude) { audit_msg(LOG_ERR, "Error: syscall auditing cannot be put on exclude list"); @@ -936,8 +949,9 @@ break; case 'k': if (!(_audit_syscalladded || _audit_permadded || - _audit_exeadded) || (add==AUDIT_FILTER_UNSET && - del==AUDIT_FILTER_UNSET)) { + _audit_exeadded || + _audit_filterfsadded) || + (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) { audit_msg(LOG_ERR, "key option needs a watch or syscall given prior to it"); retval = -1; diff -Nru audit-2.7.7/src/auditctl-listing.c audit-2.8.2/src/auditctl-listing.c --- audit-2.7.7/src/auditctl-listing.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditctl-listing.c 2017-12-14 16:46:49.000000000 +0000 @@ -41,7 +41,7 @@ */ int key_match(const struct audit_rule_data *r) { - int i; + unsigned int i; size_t boffset = 0; if (key[0] == 0) @@ -77,7 +77,7 @@ */ static int is_watch(const struct audit_rule_data *r) { - int i, perm = 0, all = 1; + unsigned int i, perm = 0, all = 1; for (i = 0; i < r->field_count; i++) { int field = r->fields[i] & ~AUDIT_OPERATORS; 
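Review bot: The new filesystem-list check fires for both `add` and `del`, yet its message reads "syscall auditing being added to filesystem list" on the delete path too; it mirrors the user-list message above it, so this may be accepted house style, but `"Error: syscall auditing cannot be put on filesystem list"` describes both cases and matches the exclude-list wording that follows. The condition is also wrapped in an extra pair of parentheses, `} else if ((... || ...)) {`, which the sibling branches do not use. The enclosing function starts and ends outside the hunk.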
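Review bot: The `-k` validation now accepts `_audit_filterfsadded`, but the error text on the following line still says "key option needs a watch or syscall given prior to it", so a key given before any filesystem rule is rejected with a message that does not mention the third accepted form. Suggest `"key option needs a watch, syscall or filesystem rule given prior to it"`. The enclosing switch continues outside the hunk.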
@@ -91,7 +91,8 @@ if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) && ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) && - ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) { + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) && + ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_FS)) { for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) { if (r->mask[i] != (uint32_t)~0) { all = 0; @@ -139,7 +140,8 @@ /* Rules on the following filters do not take a syscall */ if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) || ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) || - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE)) + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) || + ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_FS)) return 0; /* See if its all or specific syscalls */ @@ -169,7 +171,7 @@ if (ptr) printf("%s%s", !count ? "" : ",", ptr); else - printf("%s%d", !count ? "" : ",", i); + printf("%s%u", !count ? "" : ",", i); count++; *sc = i; } @@ -422,6 +424,7 @@ id.a0 = a0; id.a1 = a1; id.name = name; + id.cwd = NULL; snprintf(val, 32, "%x", r->values[i]); id.val = val; type = auparse_interp_adjust_type( @@ -446,6 +449,16 @@ printf(" -F %s%s%d", name, audit_operator_to_symbol(op), (int)r->values[i]); + } else if (field == AUDIT_FSTYPE) { + if (!audit_fstype_to_name(r->values[i])) + printf(" -F %s%s%d", name, + audit_operator_to_symbol(op), + r->values[i]); + else + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + audit_fstype_to_name( + r->values[i])); } else { // The default is signed decimal printf(" -F %s%s%d", name, diff -Nru audit-2.7.7/src/auditd.c audit-2.8.2/src/auditd.c --- audit-2.7.7/src/auditd.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd.c 2017-12-14 16:46:49.000000000 +0000 
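Review bot: In the new AUDIT_FSTYPE branch the fallback `printf(" -F %s%s%d", ..., r->values[i])` passes `r->values[i]` to `%d` without the `(int)` cast that the sibling branch directly above uses, so if `values[]` is the kernel's unsigned 32-bit array this is a signed/unsigned format mismatch and a -Wformat warning. audit_fstype_to_name() is also called twice for the same value; fetching it once into a local removes the duplication and the deep nesting of the second call. Rewritten branch:
```c
		} else if (field == AUDIT_FSTYPE) {
			const char *fs = audit_fstype_to_name(r->values[i]);
			if (fs == NULL)
				printf(" -F %s%s%d", name,
					audit_operator_to_symbol(op),
					(int)r->values[i]);
			else
				printf(" -F %s%s%s", name,
					audit_operator_to_symbol(op), fs);
		} else {
		/* … unchanged: default signed-decimal case … */
```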
@@ -1,5 +1,5 @@ /* auditd.c -- - * Copyright 2004-09,2011,2013,2016 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-09,2011,2013,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -68,7 +68,7 @@ static struct daemon_conf config; static const char *pidfile = "/var/run/auditd.pid"; static int init_pipe[2]; -static int do_fork = 1, opt_aggregate_only = 0; +static int do_fork = 1, opt_aggregate_only = 0, config_dir_set = 0; static struct auditd_event *cur_event = NULL, *reconfig_ev = NULL; static int hup_info_requested = 0; static int usr1_info_requested = 0, usr2_info_requested = 0; @@ -91,7 +91,9 @@ */ static void usage(void) { - fprintf(stderr, "Usage: auditd [-f] [-l] [-n] [-s %s|%s|%s]\n", + fprintf(stderr, + "Usage: auditd [-f] [-l] [-n] [-s %s|%s|%s] " + "[-c ]\n", startup_states[startup_disable], startup_states[startup_enable], startup_states[startup_nochange]); @@ -127,7 +129,7 @@ rc = audit_request_signal_info(fd); if (rc < 0) send_audit_event(AUDIT_DAEMON_CONFIG, - "op=hup-info auid=? pid=? subj=? res=failed"); + "op=hup-info auid=-1 pid=-1 subj=? res=failed"); else hup_info_requested = 1; } @@ -143,7 +145,7 @@ rc = audit_request_signal_info(fd); if (rc < 0) send_audit_event(AUDIT_DAEMON_ROTATE, - "op=usr1-info auid=? pid=? subj=? res=failed"); + "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); else usr1_info_requested = 1; } @@ -159,7 +161,7 @@ if (rc < 0) { resume_logging(); send_audit_event(AUDIT_DAEMON_RESUME, - "op=resume-logging auid=? pid=? subj=? res=success"); + "op=resume-logging auid=-1 pid=-1 subj=? res=success"); } else usr2_info_requested = 1; } 
@@ -207,15 +209,28 @@ void distribute_event(struct auditd_event *e) { - int attempt = 0, route = 1; + int attempt = 0, route = 1, proto; + + if (config.log_format == LF_ENRICHED) + proto = AUDISP_PROTOCOL_VER2; + else + proto = AUDISP_PROTOCOL_VER; /* If type is 0, then its a network originating event */ if (e->reply.type == 0) { // See if we are distributing network originating events if (!dispatch_network_events()) route = 0; - else // We only need the original type if its being routed + else { // We only need the original type if its being routed e->reply.type = extract_type(e->reply.message); + char *p = strchr(e->reply.message, + AUDIT_INTERP_SEPARATOR); + if (p) + proto = AUDISP_PROTOCOL_VER2; + else + proto = AUDISP_PROTOCOL_VER; + + } } else if (e->reply.type != AUDIT_DAEMON_RECONFIG) // All other events need formatting format_event(e); @@ -223,7 +238,7 @@ route = 0; // Don't DAEMON_RECONFIG events until after enqueue /* Make first attempt to send to plugins */ - if (route && dispatch_event(&e->reply, attempt) == 1) + if (route && dispatch_event(&e->reply, attempt, proto) == 1) attempt++; /* Failed sending, retry after writing to disk */ /* End of Event is for realtime interface - skip local logging of it */ @@ -232,7 +247,7 @@ /* Last chance to send...maybe the pipe is empty now. */ if ((attempt && route) || (e->reply.type == AUDIT_DAEMON_RECONFIG)) - dispatch_event(&e->reply, attempt); + dispatch_event(&e->reply, attempt, proto); /* Free msg and event memory */ cleanup_event(e); @@ -267,7 +282,7 @@ tv.tv_sec, (unsigned)(tv.tv_usec/1000), seq_num, str); } else { e->reply.len = snprintf((char *)e->reply.msg.data, - DMSG_SIZE, "audit(%lu.%03u:%u): %s", + DMSG_SIZE, "audit(%lu.%03d:%u): %s", (unsigned long)time(NULL), 0, seq_num, str); } // Point message at the netlink buffer like normal events 
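Review bot: In distribute_event() the protocol chosen for a network-originated event now comes from scanning `e->reply.message` with strchr() for AUDIT_INTERP_SEPARATOR, which presumes the message is NUL-terminated and that the remote sender's record format, not this daemon's `log_format`, decides the version; neither is stated. Suggest a comment on the new `else {` branch: `/* Remote events keep the sender's format: an AUDIT_INTERP_SEPARATOR in the text marks an enriched (protocol 2) record, otherwise it goes out as protocol 1 */`. Since `proto` is first derived from config at the top and then overwritten here, the initial assignment only matters for locally generated events, which is worth saying next to it. The function body continues outside the hunk.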
@@ -467,7 +482,7 @@ send_audit_event( AUDIT_DAEMON_CONFIG, "op=reconfigure state=no-change " - "auid=? pid=? subj=? res=failed"); + "auid=-1 pid=-1 subj=? res=failed"); } cur_event = NULL; hup_info_requested = 0; @@ -475,7 +490,7 @@ char usr1[MAX_AUDIT_MESSAGE_LENGTH]; if (cur_event->reply.len == 24) { snprintf(usr1, sizeof(usr1), - "op=rotate-logs auid=? pid=? subj=?"); + "op=rotate-logs auid=-1 pid=-1 subj=?"); } else { snprintf(usr1, sizeof(usr1), "op=rotate-logs auid=%u pid=%d subj=%s", @@ -489,8 +504,8 @@ char usr2[MAX_AUDIT_MESSAGE_LENGTH]; if (cur_event->reply.len == 24) { snprintf(usr2, sizeof(usr2), - "op=resume-logging auid=? " - "pid=? subj=? res=success"); + "op=resume-logging auid=-1 " + "pid=-1 subj=? res=success"); } else { snprintf(usr2, sizeof(usr2), "op=resume-logging " @@ -544,6 +559,14 @@ struct sigaction sa; struct rlimit limit; int i, c, rc; + static const struct option opts[] = { + {"foreground", no_argument, NULL, 'f'}, + {"allow_links", no_argument, NULL, 'l'}, + {"disable_fork", no_argument, NULL, 'n'}, + {"enable_state", required_argument, NULL, 's'}, + {"config_file", required_argument, NULL, 'c'}, + {NULL, 0, NULL, 0} + }; int opt_foreground = 0, opt_allow_links = 0; enum startup_state opt_startup = startup_enable; extern char *optarg; @@ -558,7 +581,7 @@ struct ev_signal sigchld_watcher; /* Get params && set mode */ - while ((c = getopt(argc, argv, "aflns:")) != -1) { + while ((c = getopt_long(argc, argv, "flns:c:", opts, NULL)) != -1) { switch (c) { case 'f': opt_foreground = 1; @@ -583,6 +606,12 @@ usage(); } break; + case 'c': + if (set_config_dir(optarg) != 0) { + usage(); + } + config_dir_set = 1; + break; default: usage(); } @@ -692,7 +721,7 @@ return 1; } - if (init_dispatcher(&config)) { + if (init_dispatcher(&config, config_dir_set)) { if (pidfile) unlink(pidfile); tell_parent(FAILURE); 
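Review bot: The long-option table names the `-c` argument `config_file`, but `case 'c'` hands optarg to set_config_dir() and the new usage text describes a directory, so `--config_file` will mislead; `{"config_dir", required_argument, NULL, 'c'}` says what the option does. The short-option string also changes from "aflns:" to "flns:c:", silently dropping `-a`; if a `case 'a'` still exists outside this hunk it is now unreachable, and if the flag is meant to go then `opt_aggregate_only` and any usage() mention should go with it. Passing `-c` twice leaks the first pair of strings inside set_config_dir(), which is the callee's problem but worth a note here. main() starts and ends outside the hunk.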
@@ -920,7 +949,7 @@ } if (rc <= 0) send_audit_event(AUDIT_DAEMON_END, - "op=terminate auid=? pid=? subj=? res=success"); + "op=terminate auid=-1 pid=-1 subj=? res=success"); free(cur_event); // Tear down IO watchers Part 2 @@ -1041,4 +1070,3 @@ subj[num_read] = '\0'; return subj; } - diff -Nru audit-2.7.7/src/auditd-config.c audit-2.8.2/src/auditd-config.c --- audit-2.7.7/src/auditd-config.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-config.c 2017-12-14 16:46:49.000000000 +0000 @@ -100,6 +100,8 @@ struct daemon_conf *config); static int action_mail_acct_parser(struct nv_pair *nv, int line, struct daemon_conf *config); +static int verify_email_parser(struct nv_pair *nv, int line, + struct daemon_conf *config); static int admin_space_left_parser(struct nv_pair *nv, int line, struct daemon_conf *config); static int admin_space_left_action_parser(struct nv_pair *nv, int line, @@ -151,6 +153,7 @@ {"space_left", space_left_parser, 0 }, {"space_left_action", space_action_parser, 1 }, {"action_mail_acct", action_mail_acct_parser, 0 }, + {"verify_email", verify_email_parser, 0 }, {"admin_space_left", admin_space_left_parser, 0 }, {"admin_space_left_action", admin_space_left_action_parser, 1 }, {"disk_full_action", disk_full_action_parser, 1 }, @@ -237,6 +240,8 @@ const char *email_command = "/usr/lib/sendmail"; static int allow_links = 0; +static const char *config_dir = NULL; +static char *config_file = NULL; void set_allow_links(int allow) 
@@ -244,6 +249,26 @@ allow_links = allow; } +int set_config_dir(const char *val) +{ + config_dir = strdup(val); + if (config_dir == NULL) + return 1; + if (asprintf(&config_file, "%s/auditd.conf", config_dir) < 0) + return 1; + return 0; +} + +const char *get_config_dir(void) +{ + /* This function is used to determine if audispd is started with + * a -c parameter followed by the config_dir location. If we are + * using the standard location, do not pass back a location. */ + if (config_file && strcmp(config_file, CONFIG_FILE) == 0) + return NULL; + return config_dir; +} + /* * Set everything to its default value */ @@ -271,6 +296,7 @@ config->space_left_action = FA_IGNORE; config->space_left_exe = NULL; config->action_mail_acct = strdup("root"); + config->verify_email = 1; config->admin_space_left= 0L; config->admin_space_left_action = FA_IGNORE; config->admin_space_left_exe = NULL; @@ -301,12 +327,14 @@ clear_config(config); log_test = lt; + if (config_file == NULL) + config_file = strdup(CONFIG_FILE); /* open the file */ mode = O_RDONLY; if (allow_links == 0) mode |= O_NOFOLLOW; - rc = open(CONFIG_FILE, mode); + rc = open(config_file, mode); if (rc < 0) { if (errno != ENOENT) { audit_msg(LOG_ERR, "Error opening config file (%s)", @@ -314,7 +342,7 @@ return 1; } audit_msg(LOG_WARNING, - "Config file %s doesn't exist, skipping", CONFIG_FILE); + "Config file %s doesn't exist, skipping", config_file); return 0; } fd = rc; @@ -323,7 +351,7 @@ * not symlink. */ audit_msg(LOG_DEBUG, "Config file %s opened for parsing", - CONFIG_FILE); + config_file); if (fstat(fd, &st) < 0) { audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", strerror(errno)); 
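Review bot: set_config_dir() leaks on repeated calls and leaves `config_file` in an undefined state when asprintf() fails: a second call overwrites `config_dir` and `config_file` without freeing the previous strings, and on asprintf() failure the output pointer is documented as undefined (glibc), yet free_config() later passes it to free(). The value is also taken verbatim, so a relative path or trailing slash is used as-is; the header's `/* Return 0 on success. */` should say that only allocation failure is reported and no validation of the directory is done. A version that frees the previous pair and resets `config_file` on failure:
```c
int set_config_dir(const char *val)
{
	char *dir = strdup(val);
	if (dir == NULL)
		return 1;
	/* -c may be given more than once; release the previous pair */
	free((void *)config_dir);
	free(config_file);
	config_dir = dir;
	config_file = NULL;
	if (asprintf(&config_file, "%s/auditd.conf", config_dir) < 0) {
		config_file = NULL;	/* contents undefined on failure */
		return 1;
	}
	return 0;
}
```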
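Review bot: `config_file = strdup(CONFIG_FILE)` in load_config() is not checked, so on allocation failure the next line calls `open(NULL, mode)` and the ENOENT/error paths format a NULL with `%s`. Add `if (config_file == NULL) { audit_msg(LOG_ERR, "Out of memory"); return 1; }` after the strdup(). Separately, the ENOENT branch still returns 0 with "doesn't exist, skipping": now that the path can come from a user-supplied `-c` directory, a mistyped directory silently starts the daemon on built-in defaults, where an explicitly requested file that is missing arguably deserves a hard failure. load_config() continues outside the hunk.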
@@ -332,19 +360,19 @@ } if (st.st_uid != 0) { audit_msg(LOG_ERR, "Error - %s isn't owned by root", - CONFIG_FILE); + config_file); close(fd); return 1; } if ((st.st_mode & S_IWOTH) == S_IWOTH) { audit_msg(LOG_ERR, "Error - %s is world writable", - CONFIG_FILE); + config_file); close(fd); return 1; } if (!S_ISREG(st.st_mode)) { audit_msg(LOG_ERR, "Error - %s is not a regular file", - CONFIG_FILE); + config_file); close(fd); return 1; } @@ -358,7 +386,7 @@ return 1; } - while (get_line(f, buf, sizeof(buf), &lineno, CONFIG_FILE)) { + while (get_line(f, buf, sizeof(buf), &lineno, config_file)) { // convert line into name-value pair const struct kw_pair *kw; struct nv_pair nv; @@ -369,17 +397,17 @@ case 1: // not the right number of tokens. audit_msg(LOG_ERR, "Wrong number of arguments for line %d in %s", - lineno, CONFIG_FILE); + lineno, config_file); break; case 2: // no '=' sign audit_msg(LOG_ERR, "Missing equal sign for line %d in %s", - lineno, CONFIG_FILE); + lineno, config_file); break; default: // something else went wrong... audit_msg(LOG_ERR, "Unknown error for line %d in %s", - lineno, CONFIG_FILE); + lineno, config_file); break; } if (nv.name == NULL) { @@ -390,7 +418,7 @@ fclose(f); audit_msg(LOG_ERR, "Not processing any more lines in %s", - CONFIG_FILE); + config_file); return 1; } @@ -399,7 +427,7 @@ if (kw->name == NULL) { audit_msg(LOG_ERR, "Unknown keyword \"%s\" in line %d of %s", - nv.name, lineno, CONFIG_FILE); + nv.name, lineno, config_file); fclose(f); return 1; } @@ -409,7 +437,7 @@ audit_msg(LOG_ERR, "Keyword \"%s\" has invalid option " "\"%s\" in line %d of %s", - nv.name, nv.option, lineno, CONFIG_FILE); + nv.name, nv.option, lineno, config_file); fclose(f); return 1; } @@ -1069,7 +1097,9 @@ if ((ptr1 = strchr(acct, '@'))) { char *ptr2; - struct hostent *t_addr; + int rc2; + struct addrinfo *ai; + struct addrinfo hints; ptr2 = strrchr(acct, '.'); // get last dot - sb after @ if ((ptr2 == NULL) || (ptr1 > ptr2)) { 
@@ -1078,21 +1108,26 @@ return 2; } - t_addr = gethostbyname(ptr1+1); - if (t_addr == 0) { + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_ADDRCONFIG | AI_CANONNAME; + hints.ai_socktype = SOCK_STREAM; + + rc2 = getaddrinfo(ptr1+1, NULL, &hints, &ai); + freeaddrinfo(ai); + if (rc2 != 0) { if ((h_errno == HOST_NOT_FOUND) || - (h_errno == NO_RECOVERY)) { - audit_msg(LOG_ERR, - "validate_email: failed looking up host for %s", - ptr1+1); - // FIXME: gethostbyname is having trouble - // telling when we have a temporary vs permanent - // dns failure. So, for now, treat all as temp - return 1; - } else if (h_errno == TRY_AGAIN) + (h_errno == NO_RECOVERY)) { + audit_msg(LOG_ERR, + "validate_email: failed looking up host for %s (%s)", + ptr1+1, gai_strerror(rc2)); + // FIXME: How can we tell that we truly have + // a permanent failure and what is that? For + // now treat all as temp failure. + } else if (h_errno == TRY_AGAIN) { audit_msg(LOG_DEBUG, "validate_email: temporary failure looking up domain for %s", ptr1+1); + } return 1; } } @@ -1110,7 +1145,7 @@ if (tmail == NULL) return 1; - if (validate_email(tmail) > 1) { + if (config->verify_email && validate_email(tmail) > 1) { free(tmail); return 1; } @@ -1122,6 +1157,24 @@ return 0; } +static int verify_email_parser(struct nv_pair *nv, int line, + struct daemon_conf *config) +{ + unsigned long i; + audit_msg(LOG_DEBUG, "verify_email_parser called with: %s", + nv->value); + + + for (i=0; yes_no_values[i].name != NULL; i++) { + if (strcasecmp(nv->value, yes_no_values[i].name) == 0) { + config->verify_email = yes_no_values[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + static int admin_space_left_parser(struct nv_pair *nv, int line, struct daemon_conf *config) { 
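Review bot: `freeaddrinfo(ai)` is called before `rc2` is examined, but getaddrinfo() does not set `*res` on failure, so on any lookup error this frees an uninitialized pointer. The failure branch then still inspects `h_errno`, which is set by the gethostbyname() family that this hunk removes, not by getaddrinfo(); the HOST_NOT_FOUND/TRY_AGAIN tests are therefore reading stale state and should use the return code (`EAI_AGAIN` for the temporary case). `AI_CANONNAME` in the hints requests a canonical name the code never reads and can be dropped. Rewritten lookup:
```c
	rc2 = getaddrinfo(ptr1+1, NULL, &hints, &ai);
	if (rc2 != 0) {
		/* ai is not set on failure; nothing to free */
		if (rc2 == EAI_AGAIN)
			audit_msg(LOG_DEBUG,
			  "validate_email: temporary failure looking up domain for %s",
			  ptr1+1);
		else
			audit_msg(LOG_ERR,
			  "validate_email: failed looking up host for %s (%s)",
			  ptr1+1, gai_strerror(rc2));
		// FIXME: How can we tell that we truly have
		// a permanent failure and what is that? For
		// now treat all as temp failure.
		return 1;
	}
	freeaddrinfo(ai);
```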
@@ -1702,12 +1755,14 @@ int create_log_file(const char *val) { int fd; + mode_t u; - umask(S_IRWXO); + u = umask(S_IRWXO); fd = open(val, O_CREAT|O_EXCL|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP); if (fd < 0) audit_msg(LOG_ERR, "Unable to create %s (%s)", val, strerror(errno)); + umask(u); return fd; } @@ -1724,6 +1779,8 @@ free((void *)config->disk_error_exe); free((void *)config->krb5_principal); free((void *)config->krb5_key_file); + free((void *)config_dir); + free(config_file); } int resolve_node(struct daemon_conf *config) @@ -1768,7 +1825,7 @@ if (rc2 != 0) { audit_msg(LOG_ERR, "Cannot resolve hostname %s (%s)", - tmp_name, gai_strerror(rc)); + tmp_name, gai_strerror(rc2)); rc = -1; break; } @@ -1816,4 +1873,3 @@ config->node_name); return rc; } - diff -Nru audit-2.7.7/src/auditd-config.h audit-2.8.2/src/auditd-config.h --- audit-2.7.7/src/auditd-config.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-config.h 2017-12-14 16:46:49.000000000 +0000 @@ -65,6 +65,7 @@ failure_action_t space_left_action; const char *space_left_exe; const char *action_mail_acct; + unsigned int verify_email; unsigned long admin_space_left; failure_action_t admin_space_left_action; const char *admin_space_left_exe; @@ -86,6 +87,11 @@ }; void set_allow_links(int allow); + +/* Return 0 on success. */ +int set_config_dir(const char *val); +const char *get_config_dir(void); + int load_config(struct daemon_conf *config, log_test_t lt); void clear_config(struct daemon_conf *config); const char *audit_lookup_format(int fmt); @@ -100,4 +106,3 @@ void free_config(struct daemon_conf *config); #endif - diff -Nru audit-2.7.7/src/auditd-dispatch.c audit-2.8.2/src/auditd-dispatch.c --- audit-2.7.7/src/auditd-dispatch.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-dispatch.c 2017-12-14 16:46:49.000000000 +0000 
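Review bot: free_config() now frees the file-scope `config_dir` and `config_file` but leaves both pointers dangling; load_config() reuses `config_file` whenever it is non-NULL and get_config_dir() hands `config_dir` to the dispatcher exec, so any call to either after free_config() — on a reconfigure, if that path runs free_config() before load_config() — would read freed memory. Add `config_dir = NULL; config_file = NULL;` after the two free() calls, or move these frees out of the per-`struct daemon_conf` destructor into process teardown, since they are command-line state rather than parsed configuration. The save/restore of the umask in create_log_file() is a welcome fix. free_config() starts outside the hunk.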
@@ -1,5 +1,5 @@ /* auditd-dispatch.c -- - * Copyright 2005-07,2013,2016 Red Hat Inc., Durham, North Carolina. + * Copyright 2005-07,2013,2016-17 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -38,7 +38,6 @@ static int disp_pipe[2] = {-1, -1}; static volatile pid_t pid = 0; static int n_errs = 0; -static int protocol_ver = AUDISP_PROTOCOL_VER; #define REPORT_LIMIT 10 int dispatcher_pid(void) @@ -91,7 +90,7 @@ } /* This function returns 1 on error & 0 on success */ -int init_dispatcher(const struct daemon_conf *config) +int init_dispatcher(const struct daemon_conf *config, int config_dir_set) { if (config->dispatcher == NULL) return 0; @@ -107,12 +106,6 @@ return 1; } - /* If the events have enriched data, we are protocol 2 */ - if (config->log_format == LF_ENRICHED) - protocol_ver = AUDISP_PROTOCOL_VER2; - else - protocol_ver = AUDISP_PROTOCOL_VER; - /* Make both disp_pipe non-blocking if requested */ if (config->qos == QOS_NON_BLOCKING) { if (set_flags(disp_pipe[0], O_NONBLOCK) < 0 || @@ -125,12 +118,23 @@ // do the fork pid = fork(); switch(pid) { - case 0: // child + case 0: { // child if (disp_pipe[0] != 0) dup2(disp_pipe[0], 0); - execl(config->dispatcher, config->dispatcher, NULL); + + const char *config_dir = NULL; + if (config_dir_set) + config_dir = get_config_dir(); + + if (config_dir == NULL) + execl(config->dispatcher, config->dispatcher, + NULL); + else + execl(config->dispatcher, config->dispatcher, + "-c", config_dir, NULL); audit_msg(LOG_ERR, "exec() failed"); exit(1); + } break; case -1: // error return 1; 
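Review bot: The new `config_dir_set` parameter of init_dispatcher() is redundant with get_config_dir(), which already returns NULL when no `-c` was given or when it names the default location; reconfigure_dispatcher() in the next hunk and both auditd-event.c callers pass a literal 1, so main() is the only caller that passes the real flag. Either drop the parameter and always consult get_config_dir(), or document the contract on the declaration in auditd-dispatch.h, e.g. `/* config_dir_set: 0 never passes -c to the dispatcher; 1 lets get_config_dir() decide */`. The child branch also ignores the dup2() return value, which predates this change. The function body continues outside the hunk.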
@@ -166,18 +170,14 @@ void reconfigure_dispatcher(const struct daemon_conf *config) { // signal child or start it so it can see if config changed - if (pid) { + if (pid) kill(pid, SIGHUP); - if (config->log_format == LF_ENRICHED) - protocol_ver = AUDISP_PROTOCOL_VER2; - else - protocol_ver = AUDISP_PROTOCOL_VER; - } else - init_dispatcher(config); + else + init_dispatcher(config, 1); // Send 1 and let it figure it out } /* Returns -1 on err, 0 on success, and 1 if eagain occurred and not an err */ -int dispatch_event(const struct audit_reply *rep, int is_err) +int dispatch_event(const struct audit_reply *rep, int is_err, int protocol_ver) { int rc, count = 0; struct iovec vec[2]; diff -Nru audit-2.7.7/src/auditd-dispatch.h audit-2.8.2/src/auditd-dispatch.h --- audit-2.7.7/src/auditd-dispatch.h 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-dispatch.h 2017-12-14 16:46:49.000000000 +0000 @@ -1,5 +1,5 @@ /* auditd-dispatch.h -- - * Copyright 2005,2007,2013 Red Hat Inc., Durham, North Carolina. + * Copyright 2005,2007,2013,2017 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -29,10 +29,10 @@ int dispatcher_pid(void); void dispatcher_reaped(void); int make_dispatcher_fd_private(void); -int init_dispatcher(const struct daemon_conf *config); +int init_dispatcher(const struct daemon_conf *config, int config_dir_set); void shutdown_dispatcher(void); void reconfigure_dispatcher(const struct daemon_conf *config); -int dispatch_event(const struct audit_reply *rep, int is_err); +int dispatch_event(const struct audit_reply *rep, int is_err, int protocol_ver); #endif diff -Nru audit-2.7.7/src/auditd-event.c audit-2.8.2/src/auditd-event.c --- audit-2.7.7/src/auditd-event.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-event.c 2017-12-14 16:46:49.000000000 +0000 
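Review bot: dispatch_event() gains a `protocol_ver` parameter, but neither this definition nor the auditd-dispatch.h declaration in the next file says which values are accepted; the only caller visible, distribute_event() in auditd.c, passes AUDISP_PROTOCOL_VER or AUDISP_PROTOCOL_VER2 per event. Suggest on the declaration: `/* protocol_ver: AUDISP_PROTOCOL_VER (plain) or AUDISP_PROTOCOL_VER2 (enriched), chosen per event by the caller */`. The `// Send 1 and let it figure it out` comment in reconfigure_dispatcher() would read better as a statement of the contract than as a shrug. The body of dispatch_event() continues outside the hunk.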
@@ -542,8 +542,8 @@ } } else if (!config->write_logs) send_ack(e, AUDIT_RMW_TYPE_ACK, ""); - // FIXME: When logging is suspended, what should remote do? - // Should probably be new response type + else if (logging_suspended) + send_ack(e,AUDIT_RMW_TYPE_DISKERROR,"remote logging suspended"); } static void send_ack(const struct auditd_event *e, int ack_type, @@ -916,7 +916,7 @@ i = config->num_logs; rc = 0; while (rc == 0) { - snprintf(name, len, "%s.%d", config->log_file, i++); + snprintf(name, len, "%s.%u", config->log_file, i++); rc=unlink(name); if (rc == 0) audit_msg(LOG_NOTICE, @@ -949,7 +949,7 @@ // Now, for each file... for (i = 1; i < config->num_logs; i++) { int rc; - snprintf(path, len, "%s.%d", config->log_file, i); + snprintf(path, len, "%s.%u", config->log_file, i); rc = chmod(path, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR); if (rc && errno == ENOENT) break; @@ -1010,8 +1010,8 @@ snprintf(oldname, len, "%s.1", config->log_file); for (i=num_logs - 1; i>1; i--) { - snprintf(oldname, len, "%s.%d", config->log_file, i-1); - snprintf(newname, len, "%s.%d", config->log_file, i); + snprintf(oldname, len, "%s.%u", config->log_file, i-1); + snprintf(newname, len, "%s.%u", config->log_file, i); /* if the old file exists */ rc = rename(oldname, newname); if (rc == -1 && errno != ENOENT) { @@ -1062,7 +1062,7 @@ } } -static int last_log = 1; +static unsigned int last_log = 1; static void shift_logs(void) { // The way this has to work is to start scanning from .1 up until @@ -1081,7 +1081,7 @@ // Find last log num_logs = last_log; while (num_logs) { - snprintf(name, len, "%s.%d", config->log_file, + snprintf(name, len, "%s.%u", config->log_file, num_logs); if (access(name, R_OK) != 0) break; @@ -1093,7 +1093,7 @@ audit_msg(LOG_WARNING, "Last known log disappeared (%s)", name); num_logs = last_log = 1; while (num_logs) { - snprintf(name, len, "%s.%d", config->log_file, + snprintf(name, len, "%s.%u", config->log_file, num_logs); if (access(name, R_OK) != 0) break; 
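Review bot: The new `logging_suspended` branch formats its call as `send_ack(e,AUDIT_RMW_TYPE_DISKERROR,"remote logging suspended")`, while the sibling call two lines above spaces its arguments; match it. The branch also reuses AUDIT_RMW_TYPE_DISKERROR for a condition that is not a disk error, so a one-line comment stating that remote clients are expected to treat DISKERROR as "hold and retry" would document the choice the removed FIXME was asking about — confirm that is how the client side handles it. The enclosing function starts outside the hunk.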
@@ -1345,7 +1345,7 @@ // Likely errors: ENOMEM do_disk_error_action("reconfig", saved_errno); } - if(init_dispatcher(oconf)) {// dispatcher & qos is used + if(init_dispatcher(oconf,1)) {//dispatcher & qos is used int saved_errno = errno; audit_msg(LOG_WARNING, "Could not start dispatcher %s" @@ -1373,7 +1373,7 @@ // Likely errors: ENOMEM do_disk_error_action("reconfig", saved_errno); } - if(init_dispatcher(oconf)) {// dispatcher & qos is used + if(init_dispatcher(oconf,1)) {// dispatcher& qos is used int saved_errno = errno; audit_msg(LOG_WARNING, "Could not start dispatcher %s" @@ -1544,7 +1544,7 @@ (unsigned)(tv.tv_usec/1000), seq_num); } else { snprintf(date, sizeof(date), - "audit(%lu.%03u:%u)", (unsigned long)time(NULL), + "audit(%lu.%03d:%u)", (unsigned long)time(NULL), 0, seq_num); } diff -Nru audit-2.7.7/src/auditd-listen.c audit-2.8.2/src/auditd-listen.c --- audit-2.7.7/src/auditd-listen.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/auditd-listen.c 2017-12-14 16:46:49.000000000 +0000 @@ -74,7 +74,9 @@ unsigned char buffer [MAX_AUDIT_MESSAGE_LENGTH + 17]; } ev_tcp; -static int listen_socket; +#define N_SOCKS 4 +static int listen_socket[N_SOCKS]; +static int nlsocks; static struct ev_io tcp_listen_watcher; static struct ev_periodic periodic_watcher; static int min_port, max_port, max_per_addr; @@ -112,11 +114,11 @@ static void set_close_on_exec(int fd) { - int flags = fcntl (fd, F_GETFD); + int flags = fcntl(fd, F_GETFD); if (flags == -1) flags = 0; flags |= FD_CLOEXEC; - fcntl (fd, F_SETFD, flags); + fcntl(fd, F_SETFD, flags); } static void release_client(struct ev_tcp *client) @@ -142,11 +144,11 @@ static void close_client(struct ev_tcp *client) { - release_client (client); - free (client); + release_client(client); + free(client); } -static int ar_write (int sock, const void *buf, int len) +static int ar_write(int sock, const void *buf, int len) { int rc = 0, w; while (len > 0) { 
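Review bot: `#define N_SOCKS 4` in auditd-listen.c caps the number of listening sockets without saying what the four are or what happens to further addresses; the code that fills `listen_socket[]` and bounds `nlsocks` is outside this hunk, so I cannot tell whether the cap is enforced there. Suggest `/* one listening socket per address the listen host resolves to; addresses beyond N_SOCKS are ignored — confirm */` beside the define, and `enum { N_SOCKS = 4 };` rather than a macro. The `init_dispatcher(oconf,1)` calls in the auditd-event.c hunks above also squeeze the comment onto the brace (`{//dispatcher & qos`), which differs from the surrounding style.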
@@ -165,7 +167,7 @@ } #ifdef USE_GSSAPI -static int ar_read (int sock, void *buf, int len) +static int ar_read(int sock, void *buf, int len) { int rc = 0, r; while (len > 0) { @@ -190,13 +192,13 @@ the tokens. The protocol we use for transferring tokens is to send the length first, four bytes MSB first, then the token data. We return nonzero on error. */ -static int recv_token (int s, gss_buffer_t tok) +static int recv_token(int s, gss_buffer_t tok) { int ret; unsigned char lenbuf[4]; unsigned int len; - ret = ar_read(s, (char *) lenbuf, 4); + ret = ar_read(s, (char *)lenbuf, 4); if (ret < 0) { audit_msg(LOG_ERR, "GSS-API error reading token length"); return -1; @@ -218,13 +220,13 @@ } tok->length = len; - tok->value = (char *) malloc(tok->length ? tok->length : 1); + tok->value = (char *)malloc(tok->length ? tok->length : 1); if (tok->length && tok->value == NULL) { audit_msg(LOG_ERR, "Out of memory allocating token data"); return -1; } - ret = ar_read(s, (char *) tok->value, tok->length); + ret = ar_read(s, (char *)tok->value, tok->length); if (ret < 0) { audit_msg(LOG_ERR, "GSS-API error reading token data"); free(tok->value); @@ -241,7 +243,7 @@ /* Same here. */ int send_token(int s, gss_buffer_t tok) { - int ret; + int ret; unsigned char lenbuf[4]; unsigned int len; @@ -266,7 +268,7 @@ if (ret < 0) { audit_msg(LOG_ERR, "GSS-API error sending token data"); return -1; - } else if (ret != (int) tok->length) { + } else if (ret != (int)tok->length) { audit_msg(LOG_ERR, "GSS-API error sending token data"); return -1; } @@ -275,14 +277,14 @@ } -static void gss_failure_2 (const char *msg, int status, int type) +static void gss_failure_2(const char *msg, int status, int type) { OM_uint32 message_context = 0; OM_uint32 min_status = 0; gss_buffer_desc status_string; do { - gss_display_status (&min_status, + gss_display_status(&min_status, status, type, GSS_C_NO_OID, 
@@ -296,11 +298,11 @@ } while (message_context != 0); } -static void gss_failure (const char *msg, int major_status, int minor_status) +static void gss_failure(const char *msg, int major_status, int minor_status) { - gss_failure_2 (msg, major_status, GSS_C_GSS_CODE); + gss_failure_2(msg, major_status, GSS_C_GSS_CODE); if (minor_status) - gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); } #define KCHECK(x,f) if (x) { \ @@ -321,7 +323,7 @@ krb5_context kcontext = NULL; int krberr; - my_service_name = strdup (service_name); + my_service_name = strdup(service_name); name_buf.value = (char *)service_name; name_buf.length = strlen(name_buf.value) + 1; major_status = gss_import_name(&minor_status, &name_buf, @@ -344,9 +346,9 @@ (void) gss_release_name(&minor_status, &server_name); - krberr = krb5_init_context (&kcontext); + krberr = krb5_init_context(&kcontext); KCHECK (krberr, "krb5_init_context"); - krberr = krb5_get_default_realm (kcontext, &my_gss_realm); + krberr = krb5_get_default_realm(kcontext, &my_gss_realm); KCHECK (krberr, "krb5_get_default_realm"); audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); @@ -358,7 +360,7 @@ the case of Kerberos, this is where the key exchange happens. FIXME: While everything else is strictly nonblocking, this negotiation blocks. */ -static int negotiate_credentials (ev_tcp *io) +static int negotiate_credentials(ev_tcp *io) { gss_buffer_desc send_tok, recv_tok; gss_name_t client; @@ -369,6 +371,7 @@ context = & io->gss_context; *context = GSS_C_NO_CONTEXT; + io->remote_name = NULL; maj_stat = GSS_S_CONTINUE_NEEDED; do { @@ -380,8 +383,11 @@ sockaddr_to_addr4(&io->addr)); return -1; } - if (recv_tok.length == 0) + if (recv_tok.length == 0) { + free(recv_tok.value); + recv_tok.value = NULL; continue; + } /* STEP 2 - let GSS process that token. */ 
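Review bot: The empty-token path in negotiate_credentials() now frees `recv_tok.value` with free(), while the accepted-connection path later in the function releases `recv_tok` with gss_release_buffer(); that is consistent only because recv_token() fills the value with malloc() (visible in an earlier hunk) and the later buffer presumably comes from the GSS library, but nothing at the call site says so. Suggest `/* recv_token() malloc()s the value, so it is ours to free() */` above the new free(). Initialising `io->remote_name = NULL` up front is a good fix for the error returns that clean up before the name is assigned. negotiate_credentials() continues outside the hunk.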
@@ -434,12 +440,12 @@ audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", (char *)recv_tok.value); - io->remote_name = strdup (recv_tok.value); - io->remote_name_len = strlen (recv_tok.value); + io->remote_name = strdup(recv_tok.value); + io->remote_name_len = strlen(recv_tok.value); gss_release_buffer(&min_stat, &recv_tok); - slashptr = strchr (io->remote_name, '/'); - atptr = strchr (io->remote_name, '@'); + slashptr = strchr(io->remote_name, '/'); + atptr = strchr(io->remote_name, '@'); if (!slashptr || !atptr) { audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s", @@ -448,14 +454,14 @@ } *slashptr = 0; - if (strcmp (io->remote_name, my_service_name)) { + if (strcmp(io->remote_name, my_service_name)) { audit_msg(LOG_ERR, "Unauthorized GSS client name: %s (not %s)", io->remote_name, my_service_name); return -1; } *slashptr = '/'; - if (strcmp (atptr+1, my_gss_realm)) { + if (strcmp(atptr+1, my_gss_realm)) { audit_msg(LOG_ERR, "Unauthorized GSS client realm: %s (not %s)", atptr+1, my_gss_realm); return -1; @@ -467,7 +473,7 @@ /* This is called from auditd-event after the message has been logged. The header is already filled in. */ -static void client_ack (void *ack_data, const unsigned char *header, +static void client_ack(void *ack_data, const unsigned char *header, const char *msg) { ev_tcp *io = (ev_tcp *)ack_data; 
@@ -477,18 +483,18 @@ gss_buffer_desc utok, etok; int rc, mlen; - mlen = strlen (msg); + mlen = strlen(msg); utok.length = AUDIT_RMW_HEADER_SIZE + mlen; - utok.value = malloc (utok.length + 1); + utok.value = malloc(utok.length + 1); - memcpy (utok.value, header, AUDIT_RMW_HEADER_SIZE); - memcpy (utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); + memcpy(utok.value, header, AUDIT_RMW_HEADER_SIZE); + memcpy(utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); /* Wrapping the message creates a token for the client. Then we just have to worry about sending the token. */ - major_status = gss_wrap (&minor_status, + major_status = gss_wrap(&minor_status, io->gss_context, 1, GSS_C_QOP_DEFAULT, @@ -498,21 +504,21 @@ if (major_status != GSS_S_COMPLETE) { gss_failure("encrypting message", major_status, minor_status); - free (utok.value); + free(utok.value); return; } // FIXME: What were we going to do with rc? - rc = send_token (io->io.fd, &etok); - free (utok.value); + rc = send_token(io->io.fd, &etok); + free(utok.value); (void) gss_release_buffer(&minor_status, &etok); return; } #endif // Send the header and a text error message if it exists - ar_write (io->io.fd, header, AUDIT_RMW_HEADER_SIZE); + ar_write(io->io.fd, header, AUDIT_RMW_HEADER_SIZE); if (msg[0]) - ar_write (io->io.fd, msg, strlen(msg)); + ar_write(io->io.fd, msg, strlen(msg)); } extern void distribute_event(struct auditd_event *e); @@ -534,7 +540,7 @@ unsigned char ack[AUDIT_RMW_HEADER_SIZE]; AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ACK, 0, seq); - client_ack (io, ack, ""); + client_ack(io, ack, ""); } else { struct auditd_event *e = create_event( header+AUDIT_RMW_HEADER_SIZE, 
@@ -546,10 +552,10 @@ } } -static void auditd_tcp_client_handler( struct ev_loop *loop, - struct ev_io *_io, int revents ) +static void auditd_tcp_client_handler(struct ev_loop *loop, + struct ev_io *_io, int revents) { - struct ev_tcp *io = (struct ev_tcp *) _io; + struct ev_tcp *io = (struct ev_tcp *)_io; int i, r; int total_this_call = 0; @@ -580,18 +586,18 @@ otherwise fails, the read will return -1. */ if (r <= 0) { if (r < 0) - audit_msg (LOG_WARNING, + audit_msg(LOG_WARNING, "client %s socket closed unexpectedly", sockaddr_to_addr4(&io->addr)); /* There may have been a final message without a LF. */ if (io->bufptr) { - client_message (io, io->bufptr, io->buffer); + client_message(io, io->bufptr, io->buffer); } - ev_io_stop (loop, _io); - close_client (io); + ev_io_stop(loop, _io); + close_client(io); return; } @@ -629,7 +635,7 @@ /* Unwrapping the token gives us the original message, which we know is already a single record. */ - major_status = gss_unwrap (&minor_status, io->gss_context, + major_status = gss_unwrap(&minor_status, io->gss_context, &etok, &utok, NULL, NULL); if (major_status != GSS_S_COMPLETE) { @@ -639,10 +645,10 @@ /* client_message() wants to NUL terminate it, so copy it to a bigger buffer. Plus, we want to add our own tag. */ - memcpy (msgbuf, utok.value, utok.length); + memcpy(msgbuf, utok.value, utok.length); while (utok.length > 0 && msgbuf[utok.length-1] == '\n') utok.length --; - snprintf (msgbuf + utok.length, + snprintf(msgbuf + utok.length, MAX_AUDIT_MESSAGE_LENGTH - utok.length, " krb5=%s", io->remote_name); utok.length += 6 + io->remote_name_len; @@ -675,7 +681,7 @@ return; /* We have an I-byte message in buffer. Send ACK */ - client_message (io, i, io->buffer); + client_message(io, i, io->buffer); } else { /* At this point, the buffer has IO->BUFPTR+R bytes in it. 
@@ -695,7 +701,7 @@ i++; /* We have an I-byte message in buffer. Send ACK */ - client_message (io, i, io->buffer); + client_message(io, i, io->buffer); } /* Now copy any remaining bytes to the beginning of the @@ -724,7 +730,7 @@ request_init(&request, RQ_DAEMON, "auditd", RQ_FILE, sock, 0); fromhost(&request); - if (! hosts_access(&request)) + if (!hosts_access(&request)) return 1; return 0; } @@ -753,7 +759,7 @@ } static void auditd_tcp_listen_handler( struct ev_loop *loop, - struct ev_io *_io, int revents ) + struct ev_io *_io, int revents) { int one=1; int afd; @@ -764,7 +770,7 @@ /* Accept the connection and see where it's coming from. */ aaddrlen = sizeof(aaddr); - afd = accept (listen_socket, (struct sockaddr *)&aaddr, &aaddrlen); + afd = accept(_io->fd, (struct sockaddr *)&aaddr, &aaddrlen); if (afd == -1) { audit_msg(LOG_ERR, "Unable to accept TCP connection"); return; @@ -787,8 +793,8 @@ /* Verify it's coming from an authorized port. We assume the firewall * will block attempts from unauthorized machines. */ - if (min_port > ntohs (aaddr.sin_port) || - ntohs (aaddr.sin_port) > max_port) { + if (min_port > ntohs(aaddr.sin_port) || + ntohs(aaddr.sin_port) > max_port) { audit_msg(LOG_ERR, "TCP connection from %s rejected", sockaddr_to_addr4(&aaddr)); snprintf(emsg, sizeof(emsg), 
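Review bot: `accept(_io->fd, (struct sockaddr *)&aaddr, &aaddrlen)` still fills what the rest of the function treats as a `struct sockaddr_in` (`aaddr.sin_port`, `sockaddr_to_addr4(&aaddr)`, `memcpy(&client->addr, &aaddr, sizeof(struct sockaddr_in))` below), yet the listener side of this same change can hand it an AF_INET6 socket, including the dual-stack one that sees IPv4 clients as v4-mapped addresses. For such a peer the kernel truncates the `sockaddr_in6` to `aaddrlen`; `sin_port` happens to sit at the same offset in both layouts so the port-range check still works, but `sin_addr` then holds `sin6_flowinfo`, so the address that is logged, put into the AUDIT_DAEMON_ACCEPT event and stored in `client->addr` is wrong. Declare `struct sockaddr_storage aaddr;` and format the peer by family (`getnameinfo` with `NI_NUMERICHOST` covers both), or at least reject `aaddr.ss_family != AF_INET` until the helpers understand IPv6. auditd_tcp_listen_handler continues beyond this hunk.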
@@ -819,41 +825,42 @@ setsockopt(afd, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int)); setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int)); setsockopt(afd, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int)); - set_close_on_exec (afd); + set_close_on_exec(afd); /* Make the client data structure */ - client = (struct ev_tcp *) malloc (sizeof (struct ev_tcp)); + client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp)); if (client == NULL) { audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); snprintf(emsg, sizeof(emsg), "op=alloc addr=%s port=%d res=no", sockaddr_to_ipv4(&aaddr), - ntohs (aaddr.sin_port)); + ntohs(aaddr.sin_port)); send_audit_event(AUDIT_DAEMON_ACCEPT, emsg); shutdown(afd, SHUT_RDWR); close(afd); return; } - memset (client, 0, sizeof (struct ev_tcp)); + memset(client, 0, sizeof (struct ev_tcp)); client->client_active = 1; // Was watching for EV_ERROR, but libev 3.48 took it away - ev_io_init (&(client->io), auditd_tcp_client_handler, afd, EV_READ); + ev_io_init(&(client->io), auditd_tcp_client_handler, afd, EV_READ); - memcpy (&client->addr, &aaddr, sizeof (struct sockaddr_in)); + memcpy(&client->addr, &aaddr, sizeof (struct sockaddr_in)); #ifdef USE_GSSAPI if (use_gss && negotiate_credentials (client)) { shutdown(afd, SHUT_RDWR); close(afd); + free(client->remote_name); free(client); return; } #endif fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY); - ev_io_start (loop, &(client->io)); + ev_io_start(loop, &(client->io)); /* Add the new connection to a linked list of active clients. */ client->next = client_chain; @@ -876,7 +883,7 @@ } static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, - int revents ) + int revents) { struct daemon_conf *config = (struct daemon_conf *) per->data; struct ev_tcp *ev, *next = NULL; 
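Review bot: `negotiate_credentials(client)` runs on `afd` while the socket is still blocking — `fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY)` is only applied after it succeeds — so, if the token reads are synchronous as the FIXME above negotiate_credentials says, a client that passes the port and libwrap checks and then stops talking mid-handshake parks the listen handler and everything else on the loop. Freeing `client->remote_name` on the failure path is right (it relies on the `memset` above and on the field being reset at the top of the negotiation), but the blocking window deserves at least a receive deadline: `struct timeval tv = { .tv_sec = 10 }; setsockopt(afd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));` before the GSS call, cleared afterwards. Separately, `F_SETFL` with a fresh flag word drops whatever flags the descriptor already carried; `fcntl(afd, F_SETFL, fcntl(afd, F_GETFL) | O_NONBLOCK)` is the safer form. The handler's body begins before this hunk.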
@@ -895,63 +902,127 @@ audit_msg(LOG_NOTICE, "client %s idle too long - closing connection\n", sockaddr_to_addr4(&(ev->addr))); - ev_io_stop (loop, &ev->io); + ev_io_stop(loop, &ev->io); release_client(ev); free(ev); } } -int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) +int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) { - struct sockaddr_in address; - int one = 1; + struct addrinfo *ai, *runp; + struct addrinfo hints; + char local[16]; + int one = 1, rc; + int prefer_ipv6 = 0; - ev_periodic_init (&periodic_watcher, periodic_handler, + ev_periodic_init(&periodic_watcher, periodic_handler, 0, config->tcp_client_max_idle, NULL); periodic_watcher.data = config; if (config->tcp_client_max_idle) - ev_periodic_start (loop, &periodic_watcher); + ev_periodic_start(loop, &periodic_watcher); /* If the port is not set, that means we aren't going to listen for connections. */ if (config->tcp_listen_port == 0) return 0; - listen_socket = socket (AF_INET, SOCK_STREAM, 0); - if (listen_socket < 0) { - audit_msg(LOG_ERR, "Cannot create tcp listener socket"); + memset(&hints, '\0', sizeof(hints)); + hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = AF_UNSPEC; + snprintf(local, sizeof(local), "%ld", config->tcp_listen_port); + + rc = getaddrinfo(NULL, local, &hints, &ai); + if (rc) { + audit_msg(LOG_ERR, "Cannot lookup addresses"); return 1; } - set_close_on_exec (listen_socket); - setsockopt(listen_socket, SOL_SOCKET, SO_REUSEADDR, - (char *)&one, sizeof (int)); - - memset (&address, 0, sizeof(address)); - address.sin_family = AF_INET; - address.sin_port = htons(config->tcp_listen_port); - address.sin_addr.s_addr = htonl(INADDR_ANY); - - /* This avoids problems if auditd needs to be restarted. 
*/ - setsockopt(listen_socket, SOL_SOCKET, SO_REUSEADDR, - (char *)&one, sizeof (int)); - - if (bind(listen_socket, (struct sockaddr *)&address, sizeof(address))){ - audit_msg(LOG_ERR, - "Cannot bind tcp listener socket to port %ld", - config->tcp_listen_port); - close(listen_socket); - return 1; - } + { + int ipv4 = 0, ipv6 = 0; + nlsocks = 0; + runp = ai; + while (runp && nlsocks < N_SOCKS) { + // Let's take a pass through and see what we got. + if (runp->ai_family == AF_INET) + ipv4++; + else if (runp->ai_family == AF_INET6) + ipv6++; + runp = runp->ai_next; + nlsocks++; + } + + if (nlsocks == 2 && ipv4 && ipv6) + prefer_ipv6 = 1; + } + + nlsocks = 0; + runp = ai; + while (runp && nlsocks < N_SOCKS) { + // On linux, ipv6 sockets by default include ipv4 so + // we only need one. + if (runp->ai_family == AF_INET && prefer_ipv6) + goto next_try; + + listen_socket[nlsocks] = socket(runp->ai_family, + runp->ai_socktype, runp->ai_protocol); + if (listen_socket[nlsocks] < 0) { + audit_msg(LOG_ERR, "Cannot create tcp listener socket"); + goto next_try; + } - listen(listen_socket, config->tcp_listen_queue); + /* This avoids problems if auditd needs to be restarted. */ + setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR, + (char *)&one, sizeof (int)); + + // If we had more than 2 addresses suggested we'll + // separate the sockets. 
+ if (!prefer_ipv6 && runp->ai_family == AF_INET6) + setsockopt(listen_socket[nlsocks], IPPROTO_IPV6, + IPV6_V6ONLY, &one, sizeof(int)); + + set_close_on_exec(listen_socket[nlsocks]); + + if (bind(listen_socket[nlsocks], runp->ai_addr, + runp->ai_addrlen)) { + if (errno != EADDRINUSE) + audit_msg(LOG_ERR, + "Cannot bind listener socket to port %ld (%s)", + config->tcp_listen_port, strerror(errno)); + close(listen_socket[nlsocks]); + listen_socket[nlsocks] = -1; + goto non_fatal; + } - audit_msg(LOG_DEBUG, "Listening on TCP port %ld", - config->tcp_listen_port); + if (listen(listen_socket[nlsocks], config->tcp_listen_queue)) { + audit_msg(LOG_ERR, "Unable to listen on %ld (%s)", + config->tcp_listen_port, + strerror(errno)); + close(listen_socket[nlsocks]); + listen_socket[nlsocks] = -1; + goto next_try; + } + struct protoent *p = getprotobynumber(runp->ai_protocol); + audit_msg(LOG_DEBUG, "Listening on TCP port %ld, protocol %s", + config->tcp_listen_port, + p ? p->p_name: "?"); + endprotoent(); + + ev_io_init(&tcp_listen_watcher, auditd_tcp_listen_handler, + listen_socket[nlsocks], EV_READ); + ev_io_start(loop, &tcp_listen_watcher); +non_fatal: + nlsocks++; + if (nlsocks == N_SOCKS) + break; +next_try: + runp = runp->ai_next; + } - ev_io_init (&tcp_listen_watcher, auditd_tcp_listen_handler, - listen_socket, EV_READ); - ev_io_start (loop, &tcp_listen_watcher); + freeaddrinfo(ai); + if (nlsocks == 0) + return -1; use_libwrap = config->use_libwrap; auditd_set_ports(config->tcp_client_min_port, @@ -975,7 +1046,7 @@ key_file = "/etc/audit/audit.key"; setenv ("KRB5_KTNAME", key_file, 1); - if (stat (key_file, &st) == 0) { + if (stat(key_file, &st) == 0) { if ((st.st_mode & 07777) != 0400) { audit_msg (LOG_ERR, "%s is not mode 0400 (it's %#o) - compromised key?", @@ -983,7 +1054,7 @@ return -1; } if (st.st_uid != 0) { - audit_msg (LOG_ERR, + audit_msg(LOG_ERR, "%s is not owned by root (it's %d) - compromised key?", key_file, st.st_uid); return -1; 
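Review bot: `ev_io_init(&tcp_listen_watcher, ...)` / `ev_io_start(loop, &tcp_listen_watcher)` execute once per bound socket but on what appears to be a single file-scope watcher, so whenever the loop binds more than one socket (the `!prefer_ipv6` case with separate IPV6_V6ONLY and IPv4 listeners) the second pass re-initialises a watcher that is already active, which libev's documentation forbids; at best only the socket registered last is serviced and connections to the other sit in its backlog, at worst the callback fires with the wrong `_io->fd`, which is exactly the field `accept()` now uses. Make the watcher an array sized like `listen_socket` and index it: `ev_io_init(&tcp_listen_watcher[nlsocks], auditd_tcp_listen_handler, listen_socket[nlsocks], EV_READ); ev_io_start(loop, &tcp_listen_watcher[nlsocks]);`, with auditd_tcp_listen_uninit stopping each one. A second problem is that the bind-failure path jumps to `non_fatal` and still advances `nlsocks` with `listen_socket[nlsocks] = -1`, so after a lone EADDRINUSE the function returns success with no listener; keep the `nlsocks == 0` test meaningful by counting only sockets that reached `listen()`, rather than every slot visited. The silent skip on EADDRINUSE presumably exists for the dual-stack case where the IPv4 bind fails after the IPv6 one succeeded; a comment saying so would help the next reader.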
@@ -997,15 +1068,17 @@ return 0; } -void auditd_tcp_listen_uninit ( struct ev_loop *loop, - struct daemon_conf *config ) +void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) { #ifdef USE_GSSAPI OM_uint32 status; #endif - ev_io_stop ( loop, &tcp_listen_watcher ); - close ( listen_socket ); + ev_io_stop(loop, &tcp_listen_watcher); + while (nlsocks >= 0) { + nlsocks--; + close (listen_socket[nlsocks]); + } #ifdef USE_GSSAPI if (use_gss) { @@ -1018,29 +1091,29 @@ unsigned char ack[AUDIT_RMW_HEADER_SIZE]; AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ENDING, 0, 0); - client_ack (client_chain, ack, ""); - ev_io_stop (loop, &client_chain->io); - close_client (client_chain); + client_ack(client_chain, ack, ""); + ev_io_stop(loop, &client_chain->io); + close_client(client_chain); } if (config->tcp_client_max_idle) - ev_periodic_stop (loop, &periodic_watcher); + ev_periodic_stop(loop, &periodic_watcher); } static void periodic_reconfigure(struct daemon_conf *config) { - struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); + struct ev_loop *loop = ev_default_loop(EVFLAG_AUTO); if (config->tcp_client_max_idle) { - ev_periodic_set (&periodic_watcher, ev_now (loop), + ev_periodic_set(&periodic_watcher, ev_now(loop), config->tcp_client_max_idle, NULL); - ev_periodic_start (loop, &periodic_watcher); + ev_periodic_start(loop, &periodic_watcher); } else { - ev_periodic_stop (loop, &periodic_watcher); + ev_periodic_stop(loop, &periodic_watcher); } } -void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, - struct daemon_conf *oconf ) +void auditd_tcp_listen_reconfigure(struct daemon_conf *nconf, + struct daemon_conf *oconf) { use_libwrap = nconf->use_libwrap; 
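Review bot: The close loop is off by one: `while (nlsocks >= 0) { nlsocks--; close (listen_socket[nlsocks]); }` keeps going until `nlsocks` is -1, so its last iteration closes `listen_socket[-1]` — an out-of-bounds read of whatever precedes the array — and when listening was never enabled (`tcp_listen_port == 0` returns from init before `nlsocks` is touched, so it is presumably still 0) that is the only iteration. Use `while (nlsocks > 0)` so the loop stops after slot 0; slots left at -1 by a failed bind are closed harmlessly either way. The single `ev_io_stop(loop, &tcp_listen_watcher)` likewise assumes one watcher, which only holds when the init side bound a single socket.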
@@ -1065,8 +1138,9 @@ oconf->tcp_listen_queue = nconf->tcp_listen_queue; // FIXME: need to restart the network stuff } - free(oconf->krb5_principal); + free((void *)oconf->krb5_principal); // Copying the config for now. Should compare if the same // and recredential if needed. oconf->krb5_principal = nconf->krb5_principal; } + diff -Nru audit-2.7.7/src/aureport.c audit-2.8.2/src/aureport.c --- audit-2.7.7/src/aureport.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/aureport.c 2017-12-14 16:46:49.000000000 +0000 @@ -275,13 +275,13 @@ strftime(tmp, sizeof(tmp), "%x %T", btm); else strcpy(tmp, "?"); - printf("%s.%03d - ", tmp, first_event.milli); + printf("%s.%03u - ", tmp, first_event.milli); btm = localtime(&last_event.sec); if (btm) strftime(tmp, sizeof(tmp), "%x %T", btm); else strcpy(tmp, "?"); - printf("%s.%03d\n", tmp, last_event.milli); + printf("%s.%03u\n", tmp, last_event.milli); } } diff -Nru audit-2.7.7/src/aureport-options.c audit-2.8.2/src/aureport-options.c --- audit-2.7.7/src/aureport-options.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/aureport-options.c 2017-12-14 16:46:49.000000000 +0000 @@ -157,7 +157,7 @@ static int audit_lookup_option(const char *name) { - int i; + unsigned int i; for (i = 0; i < OPTION_NAMES; i++) if (!strcmp(optiontab[i].name, name)) diff -Nru audit-2.7.7/src/aureport-output.c audit-2.8.2/src/aureport-output.c --- audit-2.7.7/src/aureport-output.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/aureport-output.c 2017-12-14 16:46:49.000000000 +0000 
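Review bot: After `oconf->krb5_principal = nconf->krb5_principal;` both configuration structs point at one heap string, and the `(void *)` cast added to the `free` shows the field is declared const while being heap-owned, yet nothing records who owns the string afterwards. Add `/* oconf takes ownership; the caller must not free nconf->krb5_principal */` above the assignment, or set `nconf->krb5_principal = NULL;` after copying it, so a later teardown of nconf cannot free it twice. The "Copying the config for now" comment already hints that the credential is not re-acquired on reconfigure; that limitation is worth stating in the same comment.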
@@ -216,11 +216,11 @@ case RPT_AVC: printf("AVC Report\n"); printf( - "========================================================\n"); + "===============================================================\n"); printf( - "# date time comm subj syscall class permission obj event\n"); + "# date time comm subj syscall class permission obj result event\n"); printf( - "========================================================\n"); + "===============================================================\n"); break; case RPT_CONFIG: printf("Config Change Report\n"); @@ -540,9 +540,9 @@ break; case RPT_LOGIN: // who, addr, terminal, exe, success, event - // Special note...uid is used here because that is - // the way that the message works. This is because - // on failed logins, loginuid is not set. + // Special note...loginuid can be used here for + // successful logins. loginuid is not set on failed + // logins so acct is used in that situation. safe_print_string(((l->s.success == S_FAILED) && l->s.acct) ? l->s.acct : aulookup_uid(l->s.loginuid, @@ -866,13 +866,13 @@ strftime(tmp, sizeof(tmp), "%x %T", btm); else strcpy(tmp, "?"); - printf("%s.%03d - ", tmp, very_first_event.milli); + printf("%s.%03u - ", tmp, very_first_event.milli); btm = localtime(&very_last_event.sec); if (btm) strftime(tmp, sizeof(tmp), "%x %T", btm); else strcpy(tmp, "?"); - printf("%s.%03d\n", tmp, very_last_event.milli); + printf("%s.%03u\n", tmp, very_last_event.milli); } printf("Selected time for report: "); { @@ -899,7 +899,7 @@ if (end_time) printf("%s\n", tmp); else - printf("%s.%03d\n", tmp, very_last_event.milli); + printf("%s.%03u\n", tmp, very_last_event.milli); } printf("Number of changes in configuration: %lu\n", sd.changes); printf("Number of changes to accounts, groups, or roles: %lu\n", diff -Nru audit-2.7.7/src/ausearch.c audit-2.8.2/src/ausearch.c --- audit-2.7.7/src/ausearch.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch.c 2017-12-14 16:46:49.000000000 +0000 
@@ -171,9 +171,9 @@ free(event_type); free(user_file); free((char *)event_key); - free(event_tuid); - free(event_teuid); - free(event_tauid); + free((char *)event_tuid); + free((char *)event_teuid); + free((char *)event_tauid); auparse_destroy(NULL); if (rc) return rc; diff -Nru audit-2.7.7/src/ausearch-checkpt.c audit-2.8.2/src/ausearch-checkpt.c --- audit-2.7.7/src/ausearch-checkpt.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-checkpt.c 2017-12-14 16:46:49.000000000 +0000 @@ -128,7 +128,8 @@ checkpt_failure |= CP_STATUSIO; return; } - fprintf(fd, "dev=0x%X\ninode=0x%X\n", + // Write the inode in decimal to make ls -i easier to use. + fprintf(fd, "dev=0x%X\ninode=%u\n", (unsigned int)checkpt_dev, (unsigned int)checkpt_ino); fprintf(fd, "output=%s %lu.%03u:%lu 0x%X\n", last_event.node ? last_event.node : "-", @@ -203,6 +204,7 @@ fn, strerror(errno)); return -2; } + chkpt_input_levent.node = NULL; while (fgets(lbuf, MAX_LN, fd) != NULL) { size_t len = strlen(lbuf); @@ -220,7 +222,7 @@ } } else if (strncmp(lbuf, "inode=", 6) == 0) { errno = 0; - chkpt_input_ino = strtoul(&lbuf[6], NULL, 16); + chkpt_input_ino = strtoul(&lbuf[6], NULL, 0); if (errno) { fprintf(stderr, "Malformed inode checkpoint " "line - [%s]\n", lbuf); @@ -228,6 +230,8 @@ break; } } else if (strncmp(lbuf, "output=", 7) == 0) { + free((void *)chkpt_input_levent.node); + chkpt_input_levent.node = NULL; if (parse_checkpt_event(lbuf, 7, &chkpt_input_levent)) break; } else { diff -Nru audit-2.7.7/src/ausearch-llist.c audit-2.8.2/src/ausearch-llist.c --- audit-2.7.7/src/ausearch-llist.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-llist.c 2017-12-14 16:46:49.000000000 +0000 
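Review bot: `(unsigned int)checkpt_ino` and `(unsigned int)checkpt_dev` truncate the identifiers to 32 bits before they are written with `%u`/`0x%X`, and the `inode=` reader below parses them back with `strtoul`; if these are `ino_t`/`dev_t` (64-bit on LP64 Linux), inodes above 4 G — routine on XFS and btrfs — round-trip wrong and the checkpoint either fails to match the log it was taken from or matches a different file. Write them as `"dev=0x%llx\ninode=%llu\n", (unsigned long long)checkpt_dev, (unsigned long long)checkpt_ino` and read them back with `strtoull` into variables of the original type. The decimal switch for `ls -i` is fine, and base 0 in the reader keeps old hex checkpoints loadable, which deserves a one-line comment there.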
@@ -214,11 +214,11 @@ l->s.uuid = NULL; free(l->s.vmname); l->s.vmname = NULL; - free(l->s.tuid); + free((void *)l->s.tuid); l->s.tuid = NULL; - free(l->s.teuid); + free((void *)l->s.teuid); l->s.teuid = NULL; - free(l->s.tauid); + free((void *)l->s.tauid); l->s.tauid = NULL; l->s.exit = 0; l->s.exit_is_set = 0; diff -Nru audit-2.7.7/src/ausearch-lol.c audit-2.8.2/src/ausearch-lol.c --- audit-2.7.7/src/ausearch-lol.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-lol.c 2017-12-14 16:46:49.000000000 +0000 @@ -92,25 +92,27 @@ char *ptr; errno = 0; - ptr = strchr(s+10, ':'); + e->sec = strtoul(s, NULL, 10); + if (errno) + return -1; + ptr = strchr(s, '.'); if (ptr) { - e->serial = strtoul(ptr+1, NULL, 10); - *ptr = 0; + ptr++; + e->milli = strtoul(ptr, NULL, 10); if (errno) return -1; + s = ptr; } else - e->serial = 0; - ptr = strchr(s, '.'); + e->milli = 0; + + ptr = strchr(s, ':'); if (ptr) { - e->milli = strtoul(ptr+1, NULL, 10); - *ptr = 0; + ptr++; + e->serial = strtoul(ptr, NULL, 10); if (errno) return -1; } else - e->milli = 0; - e->sec = strtoul(s, NULL, 10); - if (errno) - return -1; + e->serial = 0; return 0; } diff -Nru audit-2.7.7/src/ausearch-lookup.c audit-2.8.2/src/ausearch-lookup.c --- audit-2.7.7/src/ausearch-lookup.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-lookup.c 2017-12-14 16:46:49.000000000 +0000 @@ -80,7 +80,7 @@ sys = _auparse_lookup_interpretation("syscall"); if (sys) { snprintf(buf, size, "%s", sys); - free(sys); + free((void *)sys); return buf; } @@ -135,7 +135,7 @@ static const char *aulookup_socketcall(long sc) { - int i; + unsigned int i; for (i = 0; i < SOCK_NAMES; i++) if (socktab[i].value == sc) @@ -180,7 +180,7 @@ static const char *aulookup_ipccall(long ic) { - int i; + unsigned int i; for (i = 0; i < IPC_NAMES; i++) if (ipctab[i].value == ic) 
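Review bot: Every `strtoul(..., NULL, 10)` in the rewritten parser is checked only through `errno`, which `strtoul` sets solely on overflow, so an input such as `abc.def:ghi` — or a truncated or tampered checkpoint line — parses "successfully" as seconds 0, milliseconds 0, serial 0 instead of returning -1. Pass an end pointer and reject conversions that consumed no digits, e.g. `char *end; e->sec = strtoul(s, &end, 10); if (errno || end == s) return -1;`, and the same for the `.milli` and `:serial` parts. Dropping the in-place `*ptr = 0` writes is a good change — the function no longer mutates its input — and the new order (sec, milli, serial) deserves a one-line comment stating the expected `sec.milli:serial` layout. The function's signature lies before the hunk.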
@@ -208,7 +208,7 @@ name = _auparse_lookup_interpretation("auid"); if (name) { snprintf(buf, size, "%s", name); - free(name); + free((void *)name); return buf; } diff -Nru audit-2.7.7/src/ausearch-options.c audit-2.8.2/src/ausearch-options.c --- audit-2.7.7/src/ausearch-options.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-options.c 2017-12-14 16:46:49.000000000 +0000 @@ -65,7 +65,7 @@ int line_buffered = 0; int event_debug = 0; int checkpt_timeonly = 0; -int extra_keys = 0, extra_labels = 0, extra_time = 0; +int extra_keys = 0, extra_labels = 0, extra_obj2 = 0, extra_time = 0; const char *event_key = NULL; const char *event_filename = NULL; const char *event_exe = NULL; @@ -92,7 +92,7 @@ S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT, -S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_ESCAPE }; +S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE }; static struct nv_pair optiontab[] = { { S_EVENT, "-a" }, @@ -107,6 +107,7 @@ { S_EXIT, "--exit" }, { S_EXTRA_KEYS, "--extra-keys" }, { S_EXTRA_LABELS, "--extra-labels" }, + { S_EXTRA_OBJ2, "--extra-obj2" }, { S_EXTRA_TIME, "--extra-time" }, { S_FILENAME, "-f" }, { S_FILENAME, "--file" }, @@ -182,7 +183,7 @@ static int audit_lookup_option(const char *name) { - int i; + unsigned int i; for (i = 0; i < OPTION_NAMES; i++) if (!strcmp(optiontab[i].name, name)) 
@@ -355,6 +356,15 @@ if (optarg) { fprintf(stderr, "Argument is NOT required for %s\n", + vars[c]); + retval = -1; + } + break; + case S_EXTRA_OBJ2: + extra_obj2 = 1; + if (optarg) { + fprintf(stderr, + "Argument is NOT required for %s\n", vars[c]); retval = -1; } diff -Nru audit-2.7.7/src/ausearch-parse.c audit-2.8.2/src/ausearch-parse.c --- audit-2.7.7/src/ausearch-parse.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-parse.c 2017-12-14 16:46:49.000000000 +0000 @@ -170,6 +170,7 @@ case AUDIT_MMAP: case AUDIT_NETFILTER_CFG: case AUDIT_PROCTITLE: + case AUDIT_KERN_MODULE: // Nothing to parse break; case AUDIT_TTY: @@ -269,7 +270,7 @@ if (errno) return 21; *term = ' '; - if (s->tauid) free(s->tauid); + if (s->tauid) free((void *)s->tauid); s->tauid = lookup_uid("auid", s->loginuid); } // optionally get uid @@ -287,7 +288,7 @@ if (errno) return 24; *term = ' '; - if (s->tuid) free(s->tuid); + if (s->tuid) free((void *)s->tuid); s->tuid = lookup_uid("uid", s->uid); } 
@@ -947,42 +948,61 @@ *term = saved; } } - if (event_subject) { - str = strstr(term, "vm-ctx="); - if (str != NULL) { - str += 7; - term = strchr(str, ' '); - if (term == NULL) - return 27; - *term = 0; - if (audit_avc_init(s) == 0) { - anode an; - - anode_init(&an); - an.scontext = strdup(str); - alist_append(s->avc, &an); - *term = ' '; - } else - return 28; + if (n->type == AUDIT_VIRT_MACHINE_ID) { + if (event_subject) { + str = strstr(term, "vm-ctx="); + if (str != NULL) { + str += 7; + term = strchr(str, ' '); + if (term == NULL) + return 27; + *term = 0; + if (audit_avc_init(s) == 0) { + anode an; + + anode_init(&an); + an.scontext = strdup(str); + alist_append(s->avc, &an); + *term = ' '; + } else + return 28; + } } - } - if (event_object) { - str = strstr(term, "img-ctx="); - if (str != NULL) { - str += 8; - term = strchr(str, ' '); - if (term == NULL) - return 29; - *term = 0; - if (audit_avc_init(s) == 0) { - anode an; + if (event_object) { + str = strstr(term, "img-ctx="); + if (str != NULL) { + str += 8; + term = strchr(str, ' '); + if (term == NULL) + return 29; + *term = 0; + if (audit_avc_init(s) == 0) { + anode an; - anode_init(&an); - an.tcontext = strdup(str); - alist_append(s->avc, &an); - *term = ' '; - } else - return 30; + anode_init(&an); + an.tcontext = strdup(str); + alist_append(s->avc, &an); + *term = ' '; + } else + return 30; + } + } + } else if (n->type == AUDIT_VIRT_RESOURCE) { + if (event_filename) { + unsigned int incr = 6; + str = strstr(term, " path="); + if (str == NULL) { + incr = 10; + str = strstr(term, " new-disk="); + } + if (str != NULL) { + int rc; + str += incr; + rc = common_path_parser(s, str); + if (rc) + return rc; + term = str; + } } } // optionally get uid - some records the second uid is what we want. 
@@ -1009,6 +1029,7 @@ if (errno) return 15; *term = saved; + if (s->tuid) free((void *)s->tuid); s->tuid = lookup_uid("uid", s->uid); } } diff -Nru audit-2.7.7/src/ausearch-report.c audit-2.8.2/src/ausearch-report.c --- audit-2.7.7/src/ausearch-report.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-report.c 2017-12-14 16:46:49.000000000 +0000 @@ -38,7 +38,7 @@ static void output_raw(llist *l); static void output_default(llist *l); static void output_interpreted(llist *l); -static void output_interpreted_node(const lnode *n, const event *e); +static void output_interpreted_record(const lnode *n, const event *e); static void feed_auparse(llist *l, auparse_callback_ptr callback); static void interpret(char *name, char *val, int comma, int rtype); static void csv_event(auparse_state_t *au, @@ -159,10 +159,10 @@ return; } if (n->type >= AUDIT_DAEMON_START && n->type < AUDIT_SYSCALL) - output_interpreted_node(n, &(l->e)); + output_interpreted_record(n, &(l->e)); else { do { - output_interpreted_node(n, &(l->e)); + output_interpreted_record(n, &(l->e)); } while ((n=list_prev(l))); } } @@ -171,7 +171,7 @@ * This function will cycle through a single record and lookup each field's * value that it finds. */ -static void output_interpreted_node(const lnode *n, const event *e) +static void output_interpreted_record(const lnode *n, const event *e) { char *ptr, *str = n->message; int found, comma = 0; @@ -229,7 +229,7 @@ else strcpy(tmp, "?"); printf("%s", tmp); - printf(".%03d:%lu) ", e->milli, e->serial); + printf(".%03u:%lu) ", e->milli, e->serial); if (n->type == AUDIT_SYSCALL) { a0 = n->a0; @@ -372,6 +372,7 @@ id.a1 = a1; id.name = name; id.val = val; + id.cwd = NULL; char *out = auparse_do_interpretation(type, &id, escape_mode); if (type == AUPARSE_TYPE_UNCLASSIFIED) 
@@ -403,7 +404,7 @@ /* This function will output a normalized line of audit * fields one line per event in csv format */ static int csv_header_done = 0; -extern int extra_keys, extra_labels, extra_time; +extern int extra_keys, extra_labels, extra_obj2, extra_time; static void csv_event(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) { @@ -414,9 +415,10 @@ csv_header_done = 1; printf( "NODE,EVENT,DATE,TIME,%sSERIAL_NUM,EVENT_KIND," "SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,%sACTION," - "RESULT,OBJ_PRIME,OBJ_SEC,%sOBJ_KIND,HOW%s\n", + "RESULT,OBJ_PRIME,OBJ_SEC,%s%sOBJ_KIND,HOW%s\n", extra_time ? "YEAR,MONTH,DAY,WEEKDAY,HOUR,GMT_OFFSET," : "", extra_labels ? "SUBJ_LABEL," : "", + extra_obj2 ? "OBJ2," : "", extra_labels ? "OBJ_LABEL," : "", extra_keys ? ",KEY" : ""); } @@ -431,7 +433,7 @@ item = auparse_get_node(au); if (item) { printf("%s", auparse_interpret_field(au)); - free(item); + free((void *)item); } putchar(','); @@ -530,7 +532,7 @@ // SUBJ_PRIME rc = auparse_normalize_subject_primary(au); if (rc == 1) { - char *subj = auparse_interpret_field(au); + const char *subj = auparse_interpret_field(au); if (strcmp(subj, "unset") == 0) subj = "system"; printf("%s", subj); @@ -580,14 +582,24 @@ i = 1; else if (strncmp(item, "suc", 3) == 0) i = 1; + else if (auparse_get_field_type(au) == AUPARSE_TYPE_SECCOMP && + strcmp(item, "allow") == 0) + i = 1; printf("%s", res[i]); } putchar(','); // OBJ_PRIME rc = auparse_normalize_object_primary(au); - if (rc == 1) - printf("%s", auparse_interpret_field(au)); + if (rc == 1) { + const char *val; + + if (auparse_get_field_type(au) == AUPARSE_TYPE_ESCAPED_FILE) + val = auparse_interpret_realpath(au); + else + val = auparse_interpret_field(au); + printf("%s", val); + } putchar(','); // OBJ_SEC 
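Review bot: The OBJ_PRIME column prints `auparse_interpret_realpath(au)` straight into `printf("%s", val)` with no NULL fallback, unlike the text formatter later in this change, which falls back to `auparse_interpret_field(au)` when a helper returns NULL; add the same `if (val == NULL) val = auparse_interpret_field(au);` here. The value is also emitted unquoted between the `putchar(',')` separators, and a file name is attacker-chosen data: one containing a comma, a double quote or a newline shifts every later column of the CSV, and a leading `=`, `+`, `-` or `@` can be treated as a formula when the file is opened in a spreadsheet, unless the interpretation escape mode already neutralises those characters. Route object values through a small quoting helper that wraps the field in double quotes and doubles embedded quotes. csv_event starts in the hunk above and continues after this one.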
@@ -596,6 +608,22 @@ printf("%s", auparse_interpret_field(au)); putchar(','); + // OBJECT 2 + if (extra_obj2) { + rc = auparse_normalize_object_primary2(au); + if (rc == 1) { + const char *val; + + if (auparse_get_field_type(au) == + AUPARSE_TYPE_ESCAPED_FILE) + val = auparse_interpret_realpath(au); + else + val = auparse_interpret_field(au); + printf("%s", val); + } + putchar(','); + } + // OBJ_LABEL if (extra_labels) { rc = auparse_normalize_object_first_attribute(au); @@ -655,7 +683,7 @@ item = auparse_get_node(au); if (item) { printf("On %s at %s ", auparse_interpret_field(au), tmp); - free(item); + free((void *)item); } else printf("At %s ", tmp); @@ -685,6 +713,9 @@ i = 1; else if (strncmp(item, "suc", 3) == 0) i = 1; + else if (auparse_get_field_type(au) == AUPARSE_TYPE_SECCOMP && + strcmp(item, "allow") == 0) + i = 1; printf(" %s ", res[i]); } else putchar(' '); 
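Review bot: The new OBJ2 column has the same gap as OBJ_PRIME: `val = auparse_interpret_realpath(au)` is printed without a NULL check, whereas the text-mode counterpart in this change guards that case; add `if (val == NULL) val = auparse_interpret_field(au);` before the `printf`. The trailing `putchar(',')` is emitted only when `extra_obj2` is set, which matches the conditional `OBJ2,` in the header, so the column count stays consistent. csv_event continues outside this hunk.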
@@ -699,17 +730,37 @@ rc = auparse_normalize_object_primary(au); if (rc == 1) { + const char *val = NULL; + int ftype; + // If we have an object and this is an AVC, add some words if (action && strstr(action, "violated")) - printf("accessing "); - printf("%s ", auparse_interpret_field(au)); + val = "accessing "; + + ftype = auparse_get_field_type(au); + if (ftype == AUPARSE_TYPE_ESCAPED_FILE) + val = auparse_interpret_realpath(au); + else if (ftype == AUPARSE_TYPE_SOCKADDR) { + val = auparse_interpret_sock_address(au); + if (val == NULL) + val = auparse_interpret_sock_family(au); + } + + if (val == NULL) + val = auparse_interpret_field(au); + + printf("%s ", val); } - if ( type == AUDIT_VIRT_RESOURCE || - type == AUDIT_VIRT_CONTROL) { - rc = auparse_normalize_object_secondary(au); - if (rc) - printf("to %s ", auparse_interpret_field(au)); + rc = auparse_normalize_object_primary2(au); + if (rc == 1) { + const char *val; + + if (auparse_get_field_type(au) == AUPARSE_TYPE_ESCAPED_FILE) + val = auparse_interpret_realpath(au); + else + val = auparse_interpret_field(au); + printf("to %s ", val); } how = auparse_normalize_how(au); diff -Nru audit-2.7.7/src/ausearch-time.c audit-2.8.2/src/ausearch-time.c --- audit-2.7.7/src/ausearch-time.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/ausearch-time.c 2017-12-14 16:46:49.000000000 +0000 @@ -59,7 +59,7 @@ int lookup_time(const char *name) { - int i; + unsigned int i; for (i = 0; i < TIME_NAMES; i++) { if (strcmp(timetab[i].name, name) == 0) { @@ -165,7 +165,7 @@ d->tm_sec = 0; /* seconds */ d->tm_min = 0; /* minutes */ d->tm_hour = 0; /* hours */ - t -= (time_t)(tv->tm_wday*SECONDS_IN_DAY); + t -= (time_t)(tv->tm_wday*(time_t)SECONDS_IN_DAY); tv = localtime(&t); replace_date(d, tv); } diff -Nru audit-2.7.7/src/libev/Makefile.in audit-2.8.2/src/libev/Makefile.in --- audit-2.7.7/src/libev/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/src/libev/Makefile.in 2017-12-14 16:46:55.000000000 +0000 
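Review bot: The `accessing ` prefix is lost, or the object is: the rewrite stores the literal in `val` and then overwrites `val` with the realpath or socket address, so for a file object of an AVC the word is never printed, while for any other field type `val` still holds `"accessing "`, the `if (val == NULL)` fallback never runs, and the output is `accessing ` followed by nothing — the old code printed both. Print the prefix on its own and keep `val` NULL until an interpretation is chosen: replace `val = "accessing ";` with `printf("accessing ");`. The second block (`to %s`) also takes `auparse_interpret_realpath` without the NULL fallback the first block has; add `if (val == NULL) val = auparse_interpret_field(au);` there too. The enclosing function continues on both sides of the hunk.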
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/src/Makefile.in audit-2.8.2/src/Makefile.in --- audit-2.7.7/src/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/src/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/src/test/Makefile.in audit-2.8.2/src/test/Makefile.in --- audit-2.7.7/src/test/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/src/test/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/src/test/slist_test.c audit-2.8.2/src/test/slist_test.c --- audit-2.7.7/src/test/slist_test.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/src/test/slist_test.c 2017-12-14 16:46:49.000000000 +0000 
@@ -84,7 +84,7 @@ do { node = slist_get_cur(&s); if (node->hits != (4-i)) { - printf("Sort test failed - i:%d != hits:%d\n", i, node->hits); + printf("Sort test failed - i:%d != hits:%u\n", i, node->hits); return 1; } i++; diff -Nru audit-2.7.7/test-driver audit-2.8.2/test-driver --- audit-2.7.7/test-driver 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/test-driver 2017-12-14 16:46:55.000000000 +0000 @@ -1,9 +1,9 @@ #! /bin/sh # test-driver - basic testsuite driver script. -scriptversion=2013-07-13.22; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 2011-2014 Free Software Foundation, Inc. +# Copyright (C) 2011-2017 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -143,6 +143,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -Nru audit-2.7.7/TODO audit-2.8.2/TODO --- audit-2.7.7/TODO 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/TODO 2017-12-14 16:46:49.000000000 +0000 
@@ -1,51 +1,26 @@ -Things that need to be done: -=========================== -2.7.8 -* Add a realpath variant accessor that resolves whole path in auparse -* ausearch text format, add 'to xxx' for file perm/owner, & uid/gid changes -* Optionally don't verify email address domain -* Add autrace EPERM/EACCES mode - -2.8 +Future roadmap (subject to change): +=================================== +2.8.3 * Look into TLS support -* non-equality comparisons for values other than \timestamp, \timestamp_ex and \record_type in ausearch-expression (#1399314) * Add rule verify to detect mismatch between in-kernel and on-disk rules -* Add sockaddr accessor functions in auparse -* Support multiple time streams when searching -* In audispd, look into non-blocking handling of write to plugins -* Re-write auvirt -* Fix auvirt to report AVC's and --proof for --all-events 2.9 +* Performance improvements for auparse (Memory management) +* If auparse input is a pipe timeout events by wall clock +* In audispd, look into non-blocking handling of write to plugins * Look at pulling audispd into auditd -* auditd.conf space_left sizes can be % -* Add ability to filter events in auditd * Fix audit.pc.in to use Requires.private -* If auparse input is a pipe timeout events by wall clock -* If relative file, use cwd to build (realpath). watch out for (null) and socket -* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. 
FIXME +* Support multiple time streams when searching +* Container support 3.0 -* Basic HIDS -* Support ipv6 remote logging +* Basic HIDS based on reactive audit component * Consolidate linked lists and other functions * Consolidate parsing code between libaudit and auditd-conf.c -* Performance improvements for auparse (Memory management) +* Fix SIGHUP for auditd network settings +* Add ability to filter events in auditd 3.0.1 -* Fix SIGHUP for auditd network settings -* Add gzip format for logs * Add keywords for time: month-ago - -3.0.2 -* Look at adding the direction read/write to file report (threat modelling) -* Changes in uid/gid, failed changes in credentials in aureport - -3.1 -* Allow -F path!=/var/my/app -* Look at openat and why passed dir is not given -* Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid. -* Fix aureport accounting for avc in permissive mode - -3.1.1 * Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide +* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME diff -Nru audit-2.7.7/tools/aulast/aulast.c audit-2.8.2/tools/aulast/aulast.c --- audit-2.7.7/tools/aulast/aulast.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/tools/aulast/aulast.c 2017-12-14 16:46:49.000000000 +0000 
@@ -133,7 +133,7 @@ printf(" ausearch --start %s", start); } if (cur->name == NULL) - printf(" --session %d", cur->session); + printf(" --session %u", cur->session); if (cur->loginuid_proof == 0 && cur->result == 1) // Bad login printf(" -a %lu", cur->user_login_proof); printf("\n\n"); diff -Nru audit-2.7.7/tools/aulast/Makefile.in audit-2.8.2/tools/aulast/Makefile.in --- audit-2.7.7/tools/aulast/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/tools/aulast/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/tools/aulastlog/Makefile.in audit-2.8.2/tools/aulastlog/Makefile.in --- audit-2.7.7/tools/aulastlog/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/tools/aulastlog/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/tools/ausyscall/Makefile.in audit-2.8.2/tools/ausyscall/Makefile.in --- audit-2.7.7/tools/ausyscall/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/tools/ausyscall/Makefile.in 2017-12-14 16:46:55.000000000 +0000 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/tools/auvirt/auvirt.8 audit-2.8.2/tools/auvirt/auvirt.8 --- audit-2.7.7/tools/auvirt/auvirt.8 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/tools/auvirt/auvirt.8 2017-12-14 16:46:49.000000000 +0000 @@ -17,9 +17,9 @@ If the option "\-\-all\-events" is given a more detailed output is shown. In this mode other records are shown for guest's stops, resource -assignments, host shutdowns and AVC and anomaly events. The first field +assignments, AVC and anomaly events. The first field indicates the event type and can have the following values: start, stop, -res, avc, anom and down (for host shutdowns). +res, avc, and anom. Resource assignments have the additional fields: resource type, reason and resource. And AVC records have the following additional fields: operation, @@ -58,8 +58,8 @@ \fB--summary\fP Print a summary with information about the events found. The summary contains the considered range of time, the number of guest starts and stops, the number -of resource assignments, the number of AVC and anomaly events, the number of -host shutdowns and the number of failed operations. +of resource assignments, the number of AVC and anomaly events, and the number +of failed operations. .TP .BR \-te ,\ \-\-end \ [\fIend-date\fP]\ [\fIend-time\fP] Search for events with time stamps equal to or before the given end time. The diff -Nru audit-2.7.7/tools/auvirt/auvirt.c audit-2.8.2/tools/auvirt/auvirt.c --- audit-2.7.7/tools/auvirt/auvirt.c 2017-06-16 19:01:41.000000000 +0000 +++ audit-2.8.2/tools/auvirt/auvirt.c 2017-12-14 16:46:49.000000000 +0000 
@@ -60,8 +60,7 @@ /* List of events */ enum event_type { - ET_NONE = 0, ET_START, ET_STOP, ET_MACHINE_ID, ET_AVC, ET_RES, ET_ANOM, - ET_DOWN + ET_NONE = 0, ET_START, ET_STOP, ET_MACHINE_ID, ET_AVC, ET_RES, ET_ANOM }; struct record_id { time_t time; @@ -72,7 +71,7 @@ enum event_type type; time_t start; time_t end; - char *user; + const char *user; char *uuid; char *name; int success; @@ -118,7 +117,7 @@ void event_free(struct event *event) { if (event) { - free(event->user); + free((void *)event->user); free(event->uuid); free(event->name); free(event->reason); @@ -291,10 +290,6 @@ } else if (file) { au = auparse_init(AUSOURCE_FILE, file); } else { - if (getuid()) { - fprintf(stderr, - "You probably need to be root for this to work\n"); - } au = auparse_init(AUSOURCE_LOGS, NULL); } if (au == NULL) { 
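Review bot: Changing `struct event`'s `user` member to `const char *` while event_free() still owns and frees it forces a `free((void *)event->user)` cast here and the same `free((void *)user)` cast at every later site in this file (the hunks at -417, -480, -539, -603, -624, -675, -769, -803, -818, -864 and -1246). Casting away const at a free site hides that the pointer is heap-owned and makes an accidental free of a borrowed string look identical to a correct one. If the motivation is only that auparse_interpret_field() returns `const char *`, making the local `t` in extract_virt_fields() const (as the -380 hunk does) is enough; the member and the `p_user` out-parameter can stay `char *` as long as the owned copy is produced by an allocating call, which I cannot confirm since that assignment is outside the visible hunks.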
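Review bot: Dropping the `getuid()` hint in init_auparse() leaves a non-root user with only the auparse_init() failure message when the log directory is not readable, which is a common way this tool fails. If the message was removed because it printed even when the logs happened to be readable, move it into the `au == NULL` branch guarded by `if (getuid())` so it appears only on actual failure. That branch and the rest of init_auparse() are outside the hunk.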
@@ -303,73 +298,6 @@ return au; } -/* Create a criteria to search for the virtualization related records */ -int create_search_criteria(auparse_state_t *au) -{ - char *error = NULL; - char expr[1024]; - snprintf(expr, sizeof(expr), - "(\\record_type >= %d && \\record_type <= %d)", - AUDIT_FIRST_VIRT_MSG, AUDIT_LAST_VIRT_MSG); - if (ausearch_add_expression(au, expr, &error, AUSEARCH_RULE_CLEAR)) { - fprintf(stderr, "Criteria error: %s\n", error); - free(error); - return 1; - } - if (uuid) { - if (ausearch_add_item(au, "uuid", "=", uuid, - AUSEARCH_RULE_AND)) { - fprintf(stderr, "Criteria error: uuid\n"); - return 1; - } - } - if (vm) { - if (ausearch_add_interpreted_item(au, "vm", "=", vm, - AUSEARCH_RULE_AND)) { - fprintf(stderr, "Criteria error: id\n"); - return 1; - } - } - if (all_events_flag || summary_flag) { - if (ausearch_add_item(au, "type", "=", "AVC", - AUSEARCH_RULE_OR)) { - fprintf(stderr, "Criteria error: AVC\n"); - return 1; - } - if (ausearch_add_item(au, "type", "=", "SYSTEM_SHUTDOWN", - AUSEARCH_RULE_OR)) { - fprintf(stderr, "Criteria error: shutdown\n"); - return 1; - } - snprintf(expr, sizeof(expr), - "(\\record_type >= %d && \\record_type <= %d) ||" - "(\\record_type >= %d && \\record_type <= %d)", - AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG, - AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG); - if (ausearch_add_expression(au, expr, &error, - AUSEARCH_RULE_OR)) { - fprintf(stderr, "Criteria error: %s\n", error); - free(error); - return 1; - } - } - if (start_time) { - if (ausearch_add_timestamp_item(au, ">=", start_time, 0, - AUSEARCH_RULE_AND)) { - fprintf(stderr, "Criteria error: start_time\n"); - return 1; - } - } - if (end_time) { - if (ausearch_add_timestamp_item(au, "<=", end_time, 0, - AUSEARCH_RULE_AND)) { - fprintf(stderr, "Criteria error: end_time\n"); - return 1; - } - } - return 0; -} - /* Extract the most common fields from virtualization-related records. 
*/ int extract_virt_fields(auparse_state_t *au, const char **p_uuid, const char **p_user, time_t *p_time, const char **p_name, @@ -380,7 +308,7 @@ /* Order matters */ if (p_user) { - char *t; + const char *t; if (!auparse_find_field(au, field = "uid")) goto error; t = auparse_interpret_field(au); @@ -417,7 +345,7 @@ auparse_get_serial(au)); } if (p_user) - free(*p_user); + free((void *) *p_user); return 1; } @@ -462,6 +390,40 @@ return 0; } +// This returns -1 if we don't want the event and 0 if we do +int filter_event(auparse_state_t *au) +{ + extern time_t start_time, end_time; + time_t current = auparse_get_time(au); + + if (start_time == 0 || current >= start_time) { + if (end_time == 0 || current <= end_time) { + + if (vm) { + const char *v = auparse_find_field(au, "vm"); + if (v) { + const char *v_text = + auparse_interpret_field(au); + if (v_text && strcmp(vm, v_text)) + return -1; + } + } + if (uuid) { + const char *u = auparse_find_field(au, "uuid"); + if (u) { + const char *u_text = + auparse_interpret_field(au); + if (u_text && strcmp(uuid, u_text)) + return -1; + } + } + auparse_first_record(au); + return 0; + } + } + return -1; +} + /* * machine_id records are used to get the selinux context associated to a * guest. @@ -469,10 +431,13 @@ int process_machine_id_event(auparse_state_t *au) { time_t time; - const char *seclevel, *uuid, *name, *user = NULL; + const char *seclevel, *model, *uuid, *name, *user = NULL; struct event *event; int success; + if (filter_event(au)) + return 0; + seclevel = get_seclevel(auparse_find_field(au, "vm-ctx")); if (seclevel == NULL) { if (debug) 
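Review bot: In filter_event() the uuid lookup starts from wherever the preceding `auparse_find_field(au, "vm")` left the cursor, and auparse_find_field() searches forward only, so when a record carries `uuid` before `vm` the uuid filter is silently skipped and the event is accepted. Reset the cursor before each lookup with `auparse_first_record(au);` ahead of `if (vm) {` and again ahead of `if (uuid) {`, since the caller's cursor position is not guaranteed either. A record that lacks the `vm` or `uuid` field also passes the filter; if that is intended for AVC and anomaly records, which carry neither, the leading comment should say so. The function-local `extern time_t start_time, end_time;` looks redundant if these are file-scope globals, as the removed create_search_criteria() used them without a declaration, but the file header is outside this chunk.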
@@ -480,12 +445,19 @@ "MACHINE_ID event.\n"); } + // We only need to collect seclevel if model is selinux + model = auparse_find_field(au, "model"); + if (model && strcmp(model, "dac") == 0) + return 0; + if (extract_virt_fields(au, &uuid, &user, &time, &name, &success)) return 0; event = event_alloc(); - if (event == NULL) + if (event == NULL) { + free((void *)user); return 1; + } event->type = ET_MACHINE_ID; event->uuid = copy_str(uuid); event->name = copy_str(name); @@ -539,7 +511,7 @@ start = event_alloc(); if (start == NULL) { - free(user); + free((void *)user); return 1; } start->type = ET_START; @@ -603,14 +575,14 @@ fprintf(stderr, "Couldn't find the correlated start " "record to the stop event.\n"); } - free(user); + free((void *)user); return 0; } /* Create a new stop event */ stop = event_alloc(); if (stop == NULL) { - free(user); + free((void *)user); return 1; } stop->type = ET_STOP; @@ -624,7 +596,7 @@ stop->pid = auparse_get_field_int(au); add_proof(stop, au); if (list_append(events, stop) == NULL) { - free(user); + free((void *)user); event_free(stop); return 1; } @@ -641,6 +613,9 @@ { const char *op; + if (filter_event(au)) + return 0; + op = auparse_find_field(au, "op"); if (op == NULL) { if (debug) @@ -675,7 +650,7 @@ const char *res_type, const char *res) { if (!is_resource(res)) { - free(user); + free((void *)user); return 0; } @@ -717,8 +692,7 @@ } int update_resource(auparse_state_t *au, const char *uuid, time_t time, - const char *name, int success, const char *reason, - const char *res_type, const char *res) + int success, const char *res_type, const char *res) { if (!is_resource(res) || !success) return 0; @@ -758,6 +732,9 @@ const char *reason; int success; + if (filter_event(au)) + return 0; + /* Just skip this record if it failed to get some of the fields */ if (extract_virt_fields(au, &uuid, &user, &time, &name, &success)) return 0; 
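Review bot: The comment `// We only need to collect seclevel if model is selinux` does not match the check below it, which skips only records whose model is exactly `dac` and lets any other model (apparmor, unknown, absent) continue down the seclevel path. Either reword it to `// Skip DAC-only guests; they carry no security label to correlate on` or compare against "selinux" if that is the intended gate. The `model` lookup also runs after `vm-ctx` has moved the cursor, so it relies on `model` appearing after `vm-ctx` in MACHINE_ID records; the enclosing function starts outside the hunk.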
@@ -769,7 +746,7 @@ if (res_type == NULL) { if (debug) fprintf(stderr, "Invalid resrc field.\n"); - free(user); + free((void *)user); return 0; } @@ -792,8 +769,8 @@ if (res == NULL && debug) { fprintf(stderr, "Failed to get %s field.\n", field); } else { - rc += update_resource(au, uuid, time, name, - success, reason, res_type, res); + rc += update_resource(au, uuid, time, + success, res_type, res); } /* Resource added */ @@ -803,7 +780,7 @@ res = auparse_interpret_field(au); if (res == NULL && debug) { fprintf(stderr, "Failed to get %s field.\n", field); - free(user); + free((void *)user); } else { rc += add_resource(au, uuid, user, time, name, success, reason, res_type, res); @@ -818,9 +795,9 @@ } else if (debug) { fprintf(stderr, "Found an unknown resource: %s.\n", res_type); - free(user); + free((void *)user); } else - free(user); + free((void *)user); return rc; } @@ -833,23 +810,25 @@ for (it = events->tail; it; it = it->prev) { struct event *event = it->data; if (event->type == ET_MACHINE_ID && - event->seclevel != NULL && - strcmp(event->seclevel, seclevel) == 0) { - machine_id = event; - break; + event->seclevel != NULL) { + if (strcmp(event->seclevel, seclevel) == 0) { + machine_id = event; + break; + } } } return machine_id; } -int process_avc_selinux_context(auparse_state_t *au, const char *context) +/* AVC records are correlated to guest through the selinux context. */ +int process_avc_selinux(auparse_state_t *au) { const char *seclevel, *user = NULL; struct event *machine_id, *avc; time_t time; - seclevel = get_seclevel(auparse_find_field(au, context)); + seclevel = get_seclevel(auparse_find_field(au, "scontext")); if (seclevel == NULL) { if (debug) { fprintf(stderr, "Security context not found " 
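Review bot: process_avc_selinux() now looks at `scontext` only, whereas the removed wrapper tried `tcontext` first and then `scontext`, so an AVC in which the guest's label appears only as the target context is no longer attributed to that guest. If this narrowing is intended, the function comment should state it, e.g. `/* AVC records are correlated to a guest through the source selinux context (scontext); denials that only target a guest are not attributed. */`. The get_machine_id_by_seclevel() rewrite in the same hunk splits one `&&` condition into nested ifs with no change in behaviour; the single condition was easier to read and could be kept.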
@@ -864,15 +843,18 @@ machine_id = get_machine_id_by_seclevel(seclevel); if (machine_id == NULL) { if (debug) { - fprintf(stderr, "Couldn't get the security " - "level from the AVC event.\n"); + fprintf(stderr, "Couldn't get the machine id " + "based on security level in AVC event.\n"); } + free((void *)user); return 0; } avc = event_alloc(); - if (avc == NULL) + if (avc == NULL) { + free((void *)user); return 1; + } avc->type = ET_AVC; /* Guest info */ @@ -911,19 +893,6 @@ return 0; } -/* AVC records are correlated to guest through the selinux context. */ -int process_avc_selinux(auparse_state_t *au) -{ - const char **context; - const char *contexts[] = { "tcontext", "scontext", NULL }; - - for (context = contexts; context && *context; context++) { - if (process_avc_selinux_context(au, *context)) - return 1; - } - return 0; -} - #ifdef WITH_APPARMOR int process_avc_apparmor_source(auparse_state_t *au) { @@ -950,12 +919,7 @@ for (it = events->tail; it; it = it->prev) { struct event *event = it->data; if (event->success) { - if (event->type == ET_DOWN) { - /* It's just possible to find a matching guest - * session in the current host session. - */ - break; - } else if (event->type == ET_RES && + if (event->type == ET_RES && event->end == 0 && event->res != NULL && strcmp(target, event->res) == 0) { @@ -1072,8 +1036,6 @@ } else if (event->type == ET_STOP) { break; } - } else if (event->type == ET_DOWN) { - break; } } } @@ -1138,9 +1100,11 @@ int process_avc(auparse_state_t *au) { + if (filter_event(au)) + return 0; + /* Check if it is a SELinux AVC record */ - if (auparse_find_field(au, "tcontext")) { - auparse_first_record(au); + if (auparse_find_field(au, "scontext")) { return process_avc_selinux(au); } @@ -1165,6 +1129,9 @@ list_node_t *it; struct event *anom, *start = NULL; + if (filter_event(au)) + return 0; + /* An anomaly record is correlated to a guest by the process id */ if (auparse_find_field(au, "pid")) { pid = auparse_get_field_int(au); 
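Review bot: In process_avc() the `auparse_first_record(au)` that preceded the call into process_avc_selinux() was dropped, so that function's own `auparse_find_field(au, "scontext")` and the field lookups after it now start at the cursor position left by this match rather than at the first record. As far as I recall auparse_find_field() checks the current field and then searches forward, so the repeated `scontext` lookup succeeds, but any field located earlier in the event would be missed. Keep the reset, `auparse_first_record(au);`, before `return process_avc_selinux(au);`, or document in process_avc_selinux() that it expects the cursor to sit on scontext. The -864 hunk's added `free((void *)user)` on the no-machine-id path fixes a real leak; process_anom()'s hunk at -1165 continues outside this chunk.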
@@ -1246,7 +1213,7 @@ anom = event_alloc(); if (anom == NULL) { - free(user); + free((void *)user); return 1; } anom->type = ET_ANOM; @@ -1264,48 +1231,6 @@ return 0; } -int process_shutdown(auparse_state_t *au) -{ - const char *user = NULL; - time_t time = 0; - struct event *down; - list_node_t *it; - int success = 0; - - if (extract_virt_fields(au, NULL, &user, &time, NULL, &success)) - return 0; - - for (it = events->tail; it; it = it->prev) { - struct event *event = it->data; - if (event->success) { - if (event->type == ET_START || event->type == ET_RES) { - if (event->end == 0) { - event->end = time; - add_proof(event, au); - } - } else if (event->type == ET_DOWN) { - break; - } - } - } - - down = event_alloc(); - if (down == NULL) { - free(user); - return 1; - } - down->type = ET_DOWN; - down->user = user; - down->start = time; - down->success = success; - add_proof(down, au); - if (list_append(events, down) == NULL) { - event_free(down); - return 1; - } - return 0; -} - /* Convert record type to a string */ const char *get_rec_type(struct event *e) { @@ -1319,13 +1244,13 @@ case ET_STOP: return "stop"; case ET_RES: - return "res"; + return "resrc"; case ET_AVC: return "avc"; case ET_ANOM: return "anom"; - case ET_DOWN: - return "down"; + default: + break; } snprintf(buf, sizeof(buf), "%d", e->type); @@ -1376,13 +1301,13 @@ return; /* The type of event is shown only when all records are shown */ if (all_events_flag) - printf("%-5.5s ", get_rec_type(event)); + printf("%-6.5s ", get_rec_type(event)); /* Print common fields */ - printf("%-25.25s", N(event->name)); + printf("%-22.22s", N(event->name)); if (uuid_flag) printf("\t%-36.36s", N(event->uuid)); - printf("\t%-11.11s\t%-35.35s", N(event->user), + printf("\t%-11.11s\t%-32.32s", N(event->user), get_time_period(event)); /* Print type specific fields */ 
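Review bot: get_rec_type() now prints `resrc` for ET_RES, but the auvirt.8 hunk in this same patch still lists the event-type values as `start, stop, res, avc, and anom`, so the manual documents a token the tool no longer emits, and scripts that matched `res` break silently. Either keep the `"res"` string or change the man page line to read `resrc, avc, and anom` so the two agree. The `%-6.5s` width in the -1376 hunk caps the printed type at five characters, which fits `resrc` exactly, so that part is consistent.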
@@ -1413,10 +1338,11 @@ printf(" Proof:"); for (i = 0; i < len; i++) { if (event->proof[i].time) { - printf("%s %ld.%03u:%lu", + //printf("%s %ld.%03u:%lu", + printf("%s%lu", (first) ? "" : ",", - event->proof[i].time, - event->proof[i].milli, +// event->proof[i].time, +// event->proof[i].milli, event->proof[i].serial); first = 0; } @@ -1441,8 +1367,7 @@ { /* Summary numbers */ time_t stime = 0, etime = 0; - long start = 0, stop = 0, res = 0, avc = 0, anom = 0, - shutdown = 0, failure = 0; + long start = 0, stop = 0, res = 0, avc = 0, anom = 0, failure = 0; char start_buf[32], end_buf[32]; /* Calculate summary */ @@ -1471,8 +1396,7 @@ case ET_ANOM: anom++; break; - case ET_DOWN: - shutdown++; + default: break; } } @@ -1514,7 +1438,6 @@ printf("Number of resource assignments: %ld\n", res); printf("Number of related AVCs: %ld\n", avc); printf("Number of related anomalies: %ld\n", anom); - printf("Number of host shutdowns: %ld\n", shutdown); printf("Number of failed operations: %ld\n", failure); } @@ -1540,10 +1463,8 @@ au = init_auparse(); if (au == NULL) goto error; - if (create_search_criteria(au)) - goto error; - while (ausearch_next_event(au) > 0) { + while (auparse_next_event(au) > 0) { int err = 0; switch(auparse_get_type(au)) { 
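Review bot: The proof printer in the -1413 hunk keeps the old format as commented-out code (`//printf("%s %ld.%03u:%lu",` plus the two `//` argument lines) beside the new `printf("%s%lu", ...)`; commented-out code should be deleted rather than left inline, since the history is in version control. The proof output now drops the timestamp and millisecond fields and prints only the serial, and the summary no longer reports host shutdowns; both are user-visible output changes worth a line in the man page or changelog. The enclosing print function starts outside the hunk.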
@@ -1557,20 +1478,20 @@ err = process_resource_event(au); break; case AUDIT_AVC: - err = process_avc(au); + if (all_events_flag || summary_flag) + err = process_avc(au); break; case AUDIT_FIRST_ANOM_MSG ... AUDIT_LAST_ANOM_MSG: case AUDIT_FIRST_KERN_ANOM_MSG ... AUDIT_LAST_KERN_ANOM_MSG: - err = process_anom(au); + if (all_events_flag || summary_flag) + err = process_anom(au); break; - case AUDIT_SYSTEM_SHUTDOWN: - err = process_shutdown(au); + default: break; } if (err) { goto unexpected_error; } - auparse_next_event(au); } /* Show results */ diff -Nru audit-2.7.7/tools/auvirt/Makefile.in audit-2.8.2/tools/auvirt/Makefile.in --- audit-2.7.7/tools/auvirt/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/tools/auvirt/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, diff -Nru audit-2.7.7/tools/Makefile.in audit-2.8.2/tools/Makefile.in --- audit-2.7.7/tools/Makefile.in 2017-06-16 19:01:47.000000000 +0000 +++ audit-2.8.2/tools/Makefile.in 2017-12-14 16:46:55.000000000 +0000 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
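Review bot: The `if (all_events_flag || summary_flag)` gate is repeated verbatim for the AVC and anomaly cases and replaces the condition the removed create_search_criteria() applied, but nothing in the switch says why these two record classes are opt-in while the virt records above are not. A one-line comment above the AVC case, `/* AVC and anomaly records are only correlated when --all-events or --summary is requested */`, would preserve that rationale. With the loop now driven by auparse_next_event() every event in the log is parsed and the new `default: break;` discards the rest silently, which is fine but worth a note since it changes the tool's cost on large logs; main() starts outside the hunk.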