diff -Nru audit-3.0/ChangeLog audit-3.0.7/ChangeLog
--- audit-3.0/ChangeLog 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/ChangeLog 2022-01-23 19:36:56.000000000 +0000
@@ -1,3 +1,64 @@ +3.0.7 +- Add support for the OPENAT2 record type (Richard Guy Briggs) +- In auditd, close the logging file descriptor when logging is suspended +- Update the capabilities lookup table to match 5.16 kernel +- Improve interpretation of renamat & faccessat family of syscalls +- Update syscall table for the 5.16 kernel +- Reduce dependency from initscripts to initscripts-service + +3.0.6 +- Fixed various issues when dealing with corrupted logs +- Make IPX packet interpretation dependent on the ipx header file existing +- Add b32/b64 support to ausyscall (Egor Ignatov) +- Add support for armv8l (Egor Ignatov) +- Fix auditctl list of syscalls in PPC (Egor Ignatov) +- auditd.service now restarts auditd under some conditions (Timothée Ravier) + +3.0.5 +- In auditd, flush uid/gid caches when user/group added/deleted/modified +- Fixed various issues when dealing with corrupted logs +- In auditd, check if log_file is valid before closing handle + +3.0.4 +- Apply performance speedups to auparse library +- Optimize rule loading in auditctl +- Fix an auparse memory leak caused by glibc-2.33 by replacing realpath +- Update syscall table to the 5.14 kernel +- Fixed various issues when dealing with corrupted logs + +3.0.3 +- Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined +- Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids +- Change auparse_feed_has_data in auparse to include incomplete events +- Auditd, stop linking against -lrt +- Add ProtectHome and RestrictRealtime to auditd.service +- In auditd, read up to 3 netlink packets in a row +- In auditd, do not validate path to plugin unless active +- In auparse, only emit config errors when AUPARSE_DEBUG env variable exists + +3.0.2 +- In audispd-statsd plugin, use struct sockaddr_storage (Ville Heikkinen) +- Optionally interpret auid in auditctl -l +- Update some syscall argument interpretations +- In auditd, do not allow spaces in the hostname name format +- Big documentation cleanup 
(MIZUTA Takeshi) +- Update syscall table to the 5.12 kernel +- Update the auparse normalizer for new event types +- Fix compiler warnings in ids subsystem +- Block a couple signals from flush & reconfigure threads +- In auditd, don't wait on flush thread when exiting +- Output error message if the path of input files are too long ausearch/report + +3.0.1 +- Update syscall table to the 5.11 kernel +- Add new --eoe-timeout option to ausearch and aureport (Burn Alting) +- Only enable periodic timers when listening on the network +- Upgrade libev to 4.33 +- Add auparse_new_buffer function to auparse library +- Use the select libev backend unless aggregating events +- Add sudoers to some base audit rules +- Update the auparse normalizer for some new syscalls and event types + 3.0 - Generate checkpoint file even when no results are returned (Burn Alting) - Fix log file creation when file logging is disabled entirely (Vlad Glagolev) @@ -54,7 +115,7 @@ - Update to libev-4.25 - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) -- In ausearch, do not checkpt if stdin is input source +- In ausearch, do not checkpoint if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) @@ -62,7 +123,7 @@ - Allow exclude and user filter by executable name (Ondrej Mosnacek) - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) -- Add substitue functions for strndupa & rawmemchr +- Add substitute functions for strndupa & rawmemchr - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) 
@@ -90,7 +151,7 @@ - Add error messages for watch permissions - If audit rules file doesn't exist log error message instead of info message - Revise error message for unmatched options in auditctl -- In audisp-remote, fixup remote endpoint disappearin in ascii format +- In audisp-remote, fixup remote endpoint disappearing in ascii format - Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) - In auditctl, add support for sending a signal to auditd diff -Nru audit-3.0/Makefile.am audit-3.0.7/Makefile.am --- audit-3.0/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/Makefile.in audit-3.0.7/Makefile.in --- audit-3.0/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -370,6 +371,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/README audit-3.0.7/README --- audit-3.0/README 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/README 2022-01-23 19:36:56.000000000 +0000 @@ -8,7 +8,7 @@ BUILDING ======== -See the README-install File. +See the Install(.tmp) file. USAGE ===== diff -Nru audit-3.0/TODO audit-3.0.7/TODO --- audit-3.0/TODO 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/TODO 2022-01-23 19:36:56.000000000 +0000 
@@ -1,19 +1,18 @@ Future roadmap (subject to change): =================================== -3.0 -* If searching user/group doesn't map to uid/gid, do translated string search -* audisp-remote, add config to say what home network is so laptops don't try if their not on a network that can reach the server. -* Container support - 3.1 -* Support TLS PSK as remote logging transport * Basic HIDS based on reactive audit component -* Support multiple time streams when searching -* In audispd, look into non-blocking handling of write to plugins * Add keywords for time: month-ago, this-hour, last-hour +* If searching user/group doesn't map to uid/gid, do translated string search +* In auditd, look into non-blocking handling of write to plugins +* Support multiple time streams when searching -3.1.1 +3.2 +* Multi-thread audisp-remote +* Container support +* Support TLS PSK as remote logging transport * Add rule verify to detect mismatch between in-kernel and on-disk rules +* audisp-remote, add config to say what home network is so laptops don't try if their not on a network that can reach the server. * Fix audit.pc.in to use Requires.private * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME * Fix SIGHUP for auditd network settings diff -Nru audit-3.0/aclocal.m4 audit-3.0.7/aclocal.m4 --- audit-3.0/aclocal.m4 2020-12-16 20:44:38.000000000 +0000 +++ audit-3.0.7/aclocal.m4 2022-01-23 19:36:59.000000000 +0000 
@@ -909,12 +909,14 @@ m4_default([$3], [AC_MSG_ERROR([no suitable Python interpreter found])]) else - dnl Query Python for its version number. Getting [:3] seems to be - dnl the best way to do this; it's what "site.py" does in the standard - dnl library. + dnl Query Python for its version number. Although site.py simply uses + dnl sys.version[:3], printing that failed with Python 3.10, since the + dnl trailing zero was eliminated. So now we output just the major + dnl and minor version numbers, as numbers. Apparently the tertiary + dnl version is not of interest. AC_CACHE_CHECK([for $am_display_PYTHON version], [am_cv_python_version], - [am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[[:3]])"`]) + [am_cv_python_version=`$PYTHON -c "import sys; print('%u.%u' % sys.version_info[[:2]])"`]) AC_SUBST([PYTHON_VERSION], [$am_cv_python_version]) dnl Use the values of $prefix and $exec_prefix for the corresponding diff -Nru audit-3.0/audisp/Makefile.am audit-3.0.7/audisp/Makefile.am --- audit-3.0/audisp/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -23,13 +24,13 @@
 SUBDIRS = plugins
 CONFIG_CLEAN_FILES = *.rej *.orig
 AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev
-LIBS = -L${top_builddir}/lib -laudit
+LIBS = ${top_builddir}/lib/libaudit.la
 LDADD = -lpthread
 noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \
 queue.h audispd-builtins.h libdisp.h
-libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \
+libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \
 audispd-llist.c audispd-builtins.c
-libdisp_a_CFLAGS = -fno-strict-aliasing
-noinst_LIBRARIES = libdisp.a
-
+libdisp_la_CFLAGS = -fno-strict-aliasing
+libdisp_la_LDFLAGS = -no-undefined -static
+noinst_LTLIBRARIES = libdisp.la
diff -Nru audit-3.0/audisp/Makefile.in audit-3.0.7/audisp/Makefile.in
--- audit-3.0/audisp/Makefile.in 2020-12-16 20:44:40.000000000 +0000
+++ audit-3.0.7/audisp/Makefile.in 2022-01-23 19:37:00.000000000 +0000
@@ -29,8 +29,9 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
 #
 # Authors:
 # Steve Grubb
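Review bot: The new `LIBS = ${top_builddir}/lib/libaudit.la` line in audisp/Makefile.am still overrides the configure-substituted LIBS for the whole directory; the matching hunk in the generated audisp/Makefile.in shows this literal value where automake would otherwise emit `@LIBS@`, so anything configure appends to LIBS is silently dropped for these objects. The conventional place for a project library is `LDADD`, which this Makefile.am already defines, so `LDADD = ${top_builddir}/lib/libaudit.la -lpthread` (and dropping the LIBS assignment) would keep configure's LIBS intact and still link the libtool archive. The new `libdisp_la_LDFLAGS = -no-undefined -static` line has no comment saying why a noinst convenience library needs either flag; a one-line `# noinst convenience library: see commit message for why -static/-no-undefined are required` (or the actual reason, if known) would save the next reader from guessing. The move from `-L${top_builddir}/lib -laudit` to the .la file itself looks right.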
@@ -126,19 +127,19 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_VPATH_FILES = -LIBRARIES = $(noinst_LIBRARIES) -ARFLAGS = cru -AM_V_AR = $(am__v_AR_@AM_V@) -am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) -am__v_AR_0 = @echo " AR " $@; -am__v_AR_1 = -libdisp_a_AR = $(AR) $(ARFLAGS) -libdisp_a_LIBADD = -am_libdisp_a_OBJECTS = libdisp_a-audispd.$(OBJEXT) \ - libdisp_a-audispd-pconfig.$(OBJEXT) libdisp_a-queue.$(OBJEXT) \ - libdisp_a-audispd-llist.$(OBJEXT) \ - libdisp_a-audispd-builtins.$(OBJEXT) -libdisp_a_OBJECTS = $(am_libdisp_a_OBJECTS) +LTLIBRARIES = $(noinst_LTLIBRARIES) +libdisp_la_LIBADD = +am_libdisp_la_OBJECTS = libdisp_la-audispd.lo \ + libdisp_la-audispd-pconfig.lo libdisp_la-queue.lo \ + libdisp_la-audispd-llist.lo libdisp_la-audispd-builtins.lo +libdisp_la_OBJECTS = $(am_libdisp_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libdisp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libdisp_la_CFLAGS) \ + $(CFLAGS) $(libdisp_la_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
@@ -154,16 +155,12 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/libdisp_a-audispd-builtins.Po \ - ./$(DEPDIR)/libdisp_a-audispd-llist.Po \ - ./$(DEPDIR)/libdisp_a-audispd-pconfig.Po \ - ./$(DEPDIR)/libdisp_a-audispd.Po \ - ./$(DEPDIR)/libdisp_a-queue.Po +am__depfiles_remade = ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo \ + ./$(DEPDIR)/libdisp_la-audispd-llist.Plo \ + ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo \ + ./$(DEPDIR)/libdisp_la-audispd.Plo \ + ./$(DEPDIR)/libdisp_la-queue.Plo am__mv = mv -f -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -182,8 +179,8 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libdisp_a_SOURCES) -DIST_SOURCES = $(libdisp_a_SOURCES) +SOURCES = $(libdisp_la_SOURCES) +DIST_SOURCES = $(libdisp_la_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ @@ -298,7 +295,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/lib -laudit +LIBS = ${top_builddir}/lib/libaudit.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -394,6 +391,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -414,11 +412,12 @@ noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \ queue.h audispd-builtins.h libdisp.h -libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \ +libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \ audispd-llist.c audispd-builtins.c -libdisp_a_CFLAGS = -fno-strict-aliasing -noinst_LIBRARIES = libdisp.a +libdisp_la_CFLAGS = -fno-strict-aliasing +libdisp_la_LDFLAGS = -no-undefined -static +noinst_LTLIBRARIES = libdisp.la all: all-recursive .SUFFIXES: @@ -453,13 +452,19 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } -libdisp.a: $(libdisp_a_OBJECTS) $(libdisp_a_DEPENDENCIES) $(EXTRA_libdisp_a_DEPENDENCIES) - $(AM_V_at)-rm -f libdisp.a - $(AM_V_AR)$(libdisp_a_AR) libdisp.a $(libdisp_a_OBJECTS) $(libdisp_a_LIBADD) - $(AM_V_at)$(RANLIB) libdisp.a +libdisp.la: $(libdisp_la_OBJECTS) $(libdisp_la_DEPENDENCIES) $(EXTRA_libdisp_la_DEPENDENCIES) + $(AM_V_CCLD)$(libdisp_la_LINK) $(libdisp_la_OBJECTS) $(libdisp_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -467,11 +472,11 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-builtins.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-llist.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-pconfig.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-queue.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-builtins.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-llist.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-queue.Plo@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) 
@@ -500,75 +505,40 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< -libdisp_a-audispd.o: audispd.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd.o -MD -MP -MF $(DEPDIR)/libdisp_a-audispd.Tpo -c -o libdisp_a-audispd.o `test -f 'audispd.c' || echo '$(srcdir)/'`audispd.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd.Tpo $(DEPDIR)/libdisp_a-audispd.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd.c' object='libdisp_a-audispd.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd.o `test -f 'audispd.c' || echo '$(srcdir)/'`audispd.c - -libdisp_a-audispd.obj: audispd.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd.obj -MD -MP -MF $(DEPDIR)/libdisp_a-audispd.Tpo -c -o libdisp_a-audispd.obj `if test -f 'audispd.c'; then $(CYGPATH_W) 'audispd.c'; else $(CYGPATH_W) '$(srcdir)/audispd.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd.Tpo $(DEPDIR)/libdisp_a-audispd.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd.c' object='libdisp_a-audispd.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd.obj `if test -f 'audispd.c'; then $(CYGPATH_W) 'audispd.c'; else $(CYGPATH_W) 
'$(srcdir)/audispd.c'; fi` - -libdisp_a-audispd-pconfig.o: audispd-pconfig.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-pconfig.o -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-pconfig.Tpo -c -o libdisp_a-audispd-pconfig.o `test -f 'audispd-pconfig.c' || echo '$(srcdir)/'`audispd-pconfig.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-pconfig.Tpo $(DEPDIR)/libdisp_a-audispd-pconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-pconfig.c' object='libdisp_a-audispd-pconfig.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-pconfig.o `test -f 'audispd-pconfig.c' || echo '$(srcdir)/'`audispd-pconfig.c - -libdisp_a-audispd-pconfig.obj: audispd-pconfig.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-pconfig.obj -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-pconfig.Tpo -c -o libdisp_a-audispd-pconfig.obj `if test -f 'audispd-pconfig.c'; then $(CYGPATH_W) 'audispd-pconfig.c'; else $(CYGPATH_W) '$(srcdir)/audispd-pconfig.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-pconfig.Tpo $(DEPDIR)/libdisp_a-audispd-pconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-pconfig.c' object='libdisp_a-audispd-pconfig.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-pconfig.obj `if test -f 
'audispd-pconfig.c'; then $(CYGPATH_W) 'audispd-pconfig.c'; else $(CYGPATH_W) '$(srcdir)/audispd-pconfig.c'; fi` - -libdisp_a-queue.o: queue.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-queue.o -MD -MP -MF $(DEPDIR)/libdisp_a-queue.Tpo -c -o libdisp_a-queue.o `test -f 'queue.c' || echo '$(srcdir)/'`queue.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-queue.Tpo $(DEPDIR)/libdisp_a-queue.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='queue.c' object='libdisp_a-queue.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-queue.o `test -f 'queue.c' || echo '$(srcdir)/'`queue.c - -libdisp_a-queue.obj: queue.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-queue.obj -MD -MP -MF $(DEPDIR)/libdisp_a-queue.Tpo -c -o libdisp_a-queue.obj `if test -f 'queue.c'; then $(CYGPATH_W) 'queue.c'; else $(CYGPATH_W) '$(srcdir)/queue.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-queue.Tpo $(DEPDIR)/libdisp_a-queue.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='queue.c' object='libdisp_a-queue.obj' libtool=no @AMDEPBACKSLASH@ +libdisp_la-audispd.lo: audispd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-audispd.lo -MD -MP -MF $(DEPDIR)/libdisp_la-audispd.Tpo -c -o libdisp_la-audispd.lo `test -f 'audispd.c' || echo '$(srcdir)/'`audispd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_la-audispd.Tpo 
$(DEPDIR)/libdisp_la-audispd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd.c' object='libdisp_la-audispd.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-queue.obj `if test -f 'queue.c'; then $(CYGPATH_W) 'queue.c'; else $(CYGPATH_W) '$(srcdir)/queue.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd.lo `test -f 'audispd.c' || echo '$(srcdir)/'`audispd.c -libdisp_a-audispd-llist.o: audispd-llist.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-llist.o -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-llist.Tpo -c -o libdisp_a-audispd-llist.o `test -f 'audispd-llist.c' || echo '$(srcdir)/'`audispd-llist.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-llist.Tpo $(DEPDIR)/libdisp_a-audispd-llist.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-llist.c' object='libdisp_a-audispd-llist.o' libtool=no @AMDEPBACKSLASH@ +libdisp_la-audispd-pconfig.lo: audispd-pconfig.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-audispd-pconfig.lo -MD -MP -MF $(DEPDIR)/libdisp_la-audispd-pconfig.Tpo -c -o libdisp_la-audispd-pconfig.lo `test -f 'audispd-pconfig.c' || echo '$(srcdir)/'`audispd-pconfig.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_la-audispd-pconfig.Tpo 
$(DEPDIR)/libdisp_la-audispd-pconfig.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-pconfig.c' object='libdisp_la-audispd-pconfig.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-llist.o `test -f 'audispd-llist.c' || echo '$(srcdir)/'`audispd-llist.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd-pconfig.lo `test -f 'audispd-pconfig.c' || echo '$(srcdir)/'`audispd-pconfig.c -libdisp_a-audispd-llist.obj: audispd-llist.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-llist.obj -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-llist.Tpo -c -o libdisp_a-audispd-llist.obj `if test -f 'audispd-llist.c'; then $(CYGPATH_W) 'audispd-llist.c'; else $(CYGPATH_W) '$(srcdir)/audispd-llist.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-llist.Tpo $(DEPDIR)/libdisp_a-audispd-llist.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-llist.c' object='libdisp_a-audispd-llist.obj' libtool=no @AMDEPBACKSLASH@ +libdisp_la-queue.lo: queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-queue.lo -MD -MP -MF $(DEPDIR)/libdisp_la-queue.Tpo -c -o libdisp_la-queue.lo `test -f 'queue.c' || echo '$(srcdir)/'`queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_la-queue.Tpo 
$(DEPDIR)/libdisp_la-queue.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='queue.c' object='libdisp_la-queue.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-llist.obj `if test -f 'audispd-llist.c'; then $(CYGPATH_W) 'audispd-llist.c'; else $(CYGPATH_W) '$(srcdir)/audispd-llist.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-queue.lo `test -f 'queue.c' || echo '$(srcdir)/'`queue.c -libdisp_a-audispd-builtins.o: audispd-builtins.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-builtins.o -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-builtins.Tpo -c -o libdisp_a-audispd-builtins.o `test -f 'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-builtins.Tpo $(DEPDIR)/libdisp_a-audispd-builtins.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-builtins.c' object='libdisp_a-audispd-builtins.o' libtool=no @AMDEPBACKSLASH@ +libdisp_la-audispd-llist.lo: audispd-llist.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-audispd-llist.lo -MD -MP -MF $(DEPDIR)/libdisp_la-audispd-llist.Tpo -c -o libdisp_la-audispd-llist.lo `test -f 'audispd-llist.c' || echo '$(srcdir)/'`audispd-llist.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
$(DEPDIR)/libdisp_la-audispd-llist.Tpo $(DEPDIR)/libdisp_la-audispd-llist.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-llist.c' object='libdisp_la-audispd-llist.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-builtins.o `test -f 'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd-llist.lo `test -f 'audispd-llist.c' || echo '$(srcdir)/'`audispd-llist.c -libdisp_a-audispd-builtins.obj: audispd-builtins.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -MT libdisp_a-audispd-builtins.obj -MD -MP -MF $(DEPDIR)/libdisp_a-audispd-builtins.Tpo -c -o libdisp_a-audispd-builtins.obj `if test -f 'audispd-builtins.c'; then $(CYGPATH_W) 'audispd-builtins.c'; else $(CYGPATH_W) '$(srcdir)/audispd-builtins.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_a-audispd-builtins.Tpo $(DEPDIR)/libdisp_a-audispd-builtins.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-builtins.c' object='libdisp_a-audispd-builtins.obj' libtool=no @AMDEPBACKSLASH@ +libdisp_la-audispd-builtins.lo: audispd-builtins.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-audispd-builtins.lo -MD -MP -MF $(DEPDIR)/libdisp_la-audispd-builtins.Tpo -c -o libdisp_la-audispd-builtins.lo `test -f 
'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_la-audispd-builtins.Tpo $(DEPDIR)/libdisp_la-audispd-builtins.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-builtins.c' object='libdisp_la-audispd-builtins.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_a_CFLAGS) $(CFLAGS) -c -o libdisp_a-audispd-builtins.obj `if test -f 'audispd-builtins.c'; then $(CYGPATH_W) 'audispd-builtins.c'; else $(CYGPATH_W) '$(srcdir)/audispd-builtins.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd-builtins.lo `test -f 'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c mostlyclean-libtool: -rm -f *.lo @@ -735,7 +705,7 @@ done check-am: all-am check: check-recursive -all-am: Makefile $(LIBRARIES) $(HEADERS) +all-am: Makefile $(LTLIBRARIES) $(HEADERS) installdirs: installdirs-recursive installdirs-am: install: install-recursive 
@@ -770,15 +740,15 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ mostlyclean-am distclean: distclean-recursive - -rm -f ./$(DEPDIR)/libdisp_a-audispd-builtins.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd-llist.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd-pconfig.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd.Po - -rm -f ./$(DEPDIR)/libdisp_a-queue.Po + -rm -f ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd.Plo + -rm -f ./$(DEPDIR)/libdisp_la-queue.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -824,11 +794,11 @@ installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -f ./$(DEPDIR)/libdisp_a-audispd-builtins.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd-llist.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd-pconfig.Po - -rm -f ./$(DEPDIR)/libdisp_a-audispd.Po - -rm -f ./$(DEPDIR)/libdisp_a-queue.Po + -rm -f ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd.Plo + -rm -f ./$(DEPDIR)/libdisp_la-queue.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -851,7 +821,7 @@ .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--depfiles check check-am clean clean-generic clean-libtool \ - clean-noinstLIBRARIES cscopelist-am ctags ctags-am distclean \ + clean-noinstLTLIBRARIES cscopelist-am ctags ctags-am distclean \ distclean-compile distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ diff -Nru audit-3.0/audisp/audispd-pconfig.c audit-3.0.7/audisp/audispd-pconfig.c --- audit-3.0/audisp/audispd-pconfig.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/audispd-pconfig.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ -/* audispd-pconfig.c -- - * Copyright 2007,2010,2015 Red Hat Inc., Durham, North Carolina. +/* audispd-pconfig.c -- + * Copyright 2007,2010,2015,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,7 +18,7 @@ * * Authors: * Steve Grubb - * + * */ #include "config.h" @@ -41,7 +41,7 @@ const char *option; }; -struct kw_pair +struct kw_pair { const char *name; int (*parser)(struct nv_pair *, int, plugin_conf_t *); @@ -49,7 +49,7 @@ }; struct nv_list -{ +{ const char *name; int option; }; @@ -162,25 +162,25 @@ * not symlink. */ if (fstat(fd, &st) < 0) { - audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", + audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", strerror(errno)); close(fd); return 1; } if (st.st_uid != 0) { - audit_msg(LOG_ERR, "Error - %s isn't owned by root", + audit_msg(LOG_ERR, "Error - %s isn't owned by root", file); close(fd); return 1; } if ((st.st_mode & S_IWOTH) == S_IWOTH) { - audit_msg(LOG_ERR, "Error - %s is world writable", + audit_msg(LOG_ERR, "Error - %s is world writable", file); close(fd); return 1; } if (!S_ISREG(st.st_mode)) { - audit_msg(LOG_ERR, "Error - %s is not a regular file", + audit_msg(LOG_ERR, "Error - %s is not a regular file", file); close(fd); return 1; 
@@ -189,7 +189,7 @@ /* it's ok, read line by line */ f = fdopen(fd, "rm"); if (f == NULL) { - audit_msg(LOG_ERR, "Error - fdopen failed (%s)", + audit_msg(LOG_ERR, "Error - fdopen failed (%s)", strerror(errno)); close(fd); return 1; @@ -204,18 +204,18 @@ case 0: // fine break; case 1: // not the right number of tokens. - audit_msg(LOG_ERR, - "Wrong number of arguments for line %d in %s", + audit_msg(LOG_ERR, + "Wrong number of arguments for line %d in %s", lineno, file); break; case 2: // no '=' sign - audit_msg(LOG_ERR, - "Missing equal sign for line %d in %s", + audit_msg(LOG_ERR, + "Missing equal sign for line %d in %s", lineno, file); break; - default: // something else went wrong... - audit_msg(LOG_ERR, - "Unknown error for line %d in %s", + default: // something else went wrong... + audit_msg(LOG_ERR, + "Unknown error for line %d in %s", lineno, file); break; } @@ -231,8 +231,8 @@ /* identify keyword or error */ kw = kw_lookup(nv.name); if (kw->name == NULL) { - audit_msg(LOG_ERR, - "Unknown keyword \"%s\" in line %d of %s", + audit_msg(LOG_ERR, + "Unknown keyword \"%s\" in line %d of %s", nv.name, lineno, file); fclose(f); return 1; @@ -240,9 +240,9 @@ /* Check number of options */ if (kw->max_options == 0 && nv.option != NULL) { - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Keyword \"%s\" has invalid option " - "\"%s\" in line %d of %s", + "\"%s\" in line %d of %s", nv.name, nv.option, lineno, file); fclose(f); return 1; @@ -347,8 +347,8 @@ } return &keywords[i]; } - -static int active_parser(struct nv_pair *nv, int line, + +static int active_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -363,7 +363,7 @@ return 1; } -static int direction_parser(struct nv_pair *nv, int line, +static int direction_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -382,7 +382,6 @@ plugin_conf_t *config) { char *dir = NULL, *tdir; - struct stat buf; if (nv->value == NULL) { config->path = NULL; 
@@ -407,35 +406,14 @@ } free((void *)tdir); - /* If the file exists, see that its regular, owned by root, - * and not world anything */ - if (stat(nv->value, &buf) < 0) { - audit_msg(LOG_ERR, "Unable to stat %s (%s)", nv->value, - strerror(errno)); - return 1; - } - if (!S_ISREG(buf.st_mode)) { - audit_msg(LOG_ERR, "%s is not a regular file", nv->value); - return 1; - } - if (buf.st_uid != 0) { - audit_msg(LOG_ERR, "%s is not owned by root", nv->value); - return 1; - } - if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) != - (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) { - audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value); - return 1; - } free((void *)config->path); config->path = strdup(nv->value); - config->inode = buf.st_ino; if (config->path == NULL) return 1; return 0; } -static int service_type_parser(struct nv_pair *nv, int line, +static int service_type_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -466,7 +444,7 @@ return 0; } -static int format_parser(struct nv_pair *nv, int line, +static int format_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; 
@@ -489,11 +467,45 @@
 static int sanity_check(plugin_conf_t *config, const char *file)
 {
 /* Error checking */
- if (config->active == A_YES && config->path == NULL) {
- audit_msg(LOG_ERR,
+ if (config->active == A_YES) {
+ struct stat buf;
+
+ if (config->path == NULL) {
+ audit_msg(LOG_ERR,
 "Error - plugin (%s) is active but no path given",
 file);
- return 1;
+ return 1;
+ }
+ // Don't check builtins
+ if (strncasecmp(config->path, "builtin_", 8) == 0)
+ goto out;
+
+ /* If the file exists, see that its regular, owned by root,
+ * and not world anything */
+ if (stat(config->path, &buf) < 0) {
+ audit_msg(LOG_ERR, "Unable to stat %s (%s)",
+ config->path, strerror(errno));
+ return 1;
+ }
+ if (!S_ISREG(buf.st_mode)) {
+ audit_msg(LOG_ERR, "%s is not a regular file",
+ config->path);
+ return 1;
+ }
+ if (buf.st_uid != 0) {
+ audit_msg(LOG_ERR, "%s is not owned by root",
+ config->path);
+ return 1;
+ }
+ if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) !=
+ (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) {
+ audit_msg(LOG_ERR, "%s permissions should be 0750",
+ config->path);
+ return 1;
+ }
+ // Passes, record inode
+ config->inode = buf.st_ino;
 }
+out:
 return 0;
 }
diff -Nru audit-3.0/audisp/audispd.c audit-3.0.7/audisp/audispd.c
--- audit-3.0/audisp/audispd.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/audispd.c 2022-01-23 19:36:56.000000000 +0000
@@ -474,7 +474,6 @@
 /* Figure out the format for the af_unix socket */
 while (stop == 0) {
 event_t *e;
- const char *type;
 char *v, *ptr, unknown[32];
 unsigned int len;
 lnode *conf;
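Review bot: The mode test in the new sanity_check only requires the 0750 bits to be present, so a plugin binary with mode 0777 or 0757 passes even though the comment says "not world anything" and the message says "permissions should be 0750". Group-write and every world bit should be rejected as well, e.g. extend the condition with `|| (buf.st_mode & (S_IWGRP|S_IRWXO)) != 0` before the "permissions should be 0750" message. This mask was carried over from the removed path_parser code rather than introduced here, but moving it into sanity_check is the moment to tighten it. The stat result is a point-in-time check; config->inode is recorded presumably so a later caller can detect the binary being swapped, but that use is outside this hunk.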
@@ -487,15 +486,17 @@ continue; } - /* Get the event formatted */ - type = audit_msg_type_to_name(e->hdr.type); - if (type == NULL) { - snprintf(unknown, sizeof(unknown), - "UNKNOWN[%u]", e->hdr.type); - type = unknown; - } // Protocol 1 is not formatted if (e->hdr.ver == AUDISP_PROTOCOL_VER) { + const char *type; + + /* Get the event formatted */ + type = audit_msg_type_to_name(e->hdr.type); + if (type == NULL) { + snprintf(unknown, sizeof(unknown), + "UNKNOWN[%u]", e->hdr.type); + type = unknown; + } len = asprintf(&v, "type=%s msg=%.*s\n", type, e->hdr.size, e->data); // Protocol 2 events are already formatted diff -Nru audit-3.0/audisp/plugins/Makefile.am audit-3.0.7/audisp/plugins/Makefile.am --- audit-3.0/audisp/plugins/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ # Makefile.am -- -# Copyright 2007-08,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2007-08,2018,2021 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or @@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
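Review bot: `len = asprintf(&v, ...)` stores a signed result in the `unsigned int len` declared at the top of the loop, so a -1 failure becomes a huge length and `v` is left unset; whether the lines after this hunk check for that is not visible, since the loop body continues outside the hunk. Safer to keep the return in an `int` and bail before `v` or `len` is used, e.g. `int rc = asprintf(&v, "type=%s msg=%.*s\n", type, e->hdr.size, e->data);` followed by `if (rc < 0) { /* release e as the rest of the loop does */ continue; }` and `len = (unsigned int)rc;`. Narrowing `type` to the protocol-1 branch is fine, but a one-line comment that protocol 2 events carry their own type string would make the asymmetry obvious to the next reader.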
@@ -23,6 +24,9 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig SUBDIRS = builtins remote syslog +if ENABLE_EXPERIMENTAL +SUBDIRS += ids statsd +endif if ENABLE_ZOS_REMOTE SUBDIRS += zos-remote endif diff -Nru audit-3.0/audisp/plugins/Makefile.in audit-3.0.7/audisp/plugins/Makefile.in --- audit-3.0/audisp/plugins/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/audisp/plugins/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am -- -# Copyright 2007-08,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2007-08,2018,2021 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -110,7 +111,8 @@ build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ -@ENABLE_ZOS_REMOTE_TRUE@am__append_1 = zos-remote +@ENABLE_EXPERIMENTAL_TRUE@am__append_1 = ids statsd +@ENABLE_ZOS_REMOTE_TRUE@am__append_2 = zos-remote subdir = audisp/plugins ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ @@ -178,7 +180,7 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = builtins remote syslog zos-remote +DIST_SUBDIRS = builtins remote syslog ids statsd zos-remote am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ 
@@ -347,6 +349,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -361,7 +364,7 @@ top_srcdir = @top_srcdir@ use_python3 = @use_python3@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig -SUBDIRS = builtins remote syslog $(am__append_1) +SUBDIRS = builtins remote syslog $(am__append_1) $(am__append_2) all: all-recursive .SUFFIXES: diff -Nru audit-3.0/audisp/plugins/builtins/Makefile.am audit-3.0.7/audisp/plugins/builtins/Makefile.am --- audit-3.0/audisp/plugins/builtins/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/builtins/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/audisp/plugins/builtins/Makefile.in audit-3.0.7/audisp/plugins/builtins/Makefile.in --- audit-3.0/audisp/plugins/builtins/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/audisp/plugins/builtins/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -286,6 +287,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/audisp/plugins/ids/Makefile.am audit-3.0.7/audisp/plugins/ids/Makefile.am --- audit-3.0/audisp/plugins/ids/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,49 @@ +# Makefile.am -- +# Copyright 2021 Steve Grubb +# All Rights Reserved. +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# + +CONFIG_CLEAN_FILES = *.loT *.rej *.orig +EXTRA_DIST = audisp-ids.conf ids.conf TODO README.md +SUBDIRS = rules +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/auparse +prog_confdir = $(sysconfdir)/audit +prog_conf = ids.conf +plugin_confdir=$(prog_confdir)/plugins.d +plugin_conf = audisp-ids.conf +sbin_PROGRAMS = audisp-ids +noinst_HEADERS = account.h avl.h ids_config.h gcc-attributes.h ids.h \ + model_bad_event.h model_behavior.h nvpair.h origin.h \ + reactions.h session.h timer-services.h + +audisp_ids_DEPENDENCIES = ${top_builddir}/common/libaucommon.la +audisp_ids_SOURCES = account.c avl.c ids.c ids_config.c model_bad_event.c \ + model_behavior.c nvpair.c origin.c reactions.c session.c \ + timer-services.c +audisp_ids_CFLAGS = -D_GNU_SOURCE +audisp_ids_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la + +install-data-hook: + mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 ${srcdir}/$(plugin_conf) ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 
${srcdir}/$(prog_conf) ${DESTDIR}${prog_confdir} + +uninstall-hook: + rm ${DESTDIR}${plugin_confdir}/$(plugin_conf) diff -Nru audit-3.0/audisp/plugins/ids/Makefile.in audit-3.0.7/audisp/plugins/ids/Makefile.in --- audit-3.0/audisp/plugins/ids/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/Makefile.in 2022-01-23 19:37:00.000000000 +0000 
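Review bot: `uninstall-hook` removes only `$(plugin_conf)` with a bare `rm`, so `make uninstall` fails if that file is already gone and leaves `${prog_confdir}/$(prog_conf)` behind even though `install-data-hook` installed it. Suggest `rm -f ${DESTDIR}${plugin_confdir}/$(plugin_conf) ${DESTDIR}${prog_confdir}/$(prog_conf)`, or a comment stating that ids.conf is intentionally kept as site configuration. The 0750 directory and 640 file modes are consistent with the root-owned, not-world-writable checks audispd-pconfig.c applies to plugin config files; a short comment above the hook saying so would stop a future "fix" from relaxing them.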
@@ -0,0 +1,1049 @@ +# Makefile.in generated by automake 1.16.2 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Makefile.am -- +# Copyright 2021 Steve Grubb +# All Rights Reserved. +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +sbin_PROGRAMS = audisp-ids$(EXEEXT) +subdir = audisp/plugins/ids +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ + 
$(top_srcdir)/m4/cap-ng.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/src/libev/libev.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" +PROGRAMS = $(sbin_PROGRAMS) +am_audisp_ids_OBJECTS = audisp_ids-account.$(OBJEXT) \ + audisp_ids-avl.$(OBJEXT) audisp_ids-ids.$(OBJEXT) \ + audisp_ids-ids_config.$(OBJEXT) \ + audisp_ids-model_bad_event.$(OBJEXT) \ + audisp_ids-model_behavior.$(OBJEXT) \ + audisp_ids-nvpair.$(OBJEXT) audisp_ids-origin.$(OBJEXT) \ + audisp_ids-reactions.$(OBJEXT) audisp_ids-session.$(OBJEXT) \ + audisp_ids-timer-services.$(OBJEXT) +audisp_ids_OBJECTS = $(am_audisp_ids_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +audisp_ids_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(audisp_ids_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/audisp_ids-account.Po \ + ./$(DEPDIR)/audisp_ids-avl.Po ./$(DEPDIR)/audisp_ids-ids.Po \ + ./$(DEPDIR)/audisp_ids-ids_config.Po \ + ./$(DEPDIR)/audisp_ids-model_bad_event.Po \ + 
./$(DEPDIR)/audisp_ids-model_behavior.Po \ + ./$(DEPDIR)/audisp_ids-nvpair.Po \ + ./$(DEPDIR)/audisp_ids-origin.Po \ + ./$(DEPDIR)/audisp_ids-reactions.Po \ + ./$(DEPDIR)/audisp_ids-session.Po \ + ./$(DEPDIR)/audisp_ids-timer-services.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(audisp_ids_SOURCES) +DIST_SOURCES = $(audisp_ids_SOURCES) +RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +HEADERS = $(noinst_HEADERS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + distdir distdir-am 
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp TODO +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EXEEXT = @BUILD_EXEEXT@ +BUILD_OBJEXT = @BUILD_OBJEXT@ +CAPNG_LDADD = @CAPNG_LDADD@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ 
+CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ +CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CYGPATH_W = @CYGPATH_W@ +DEBUG = @DEBUG@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GOLANG = @GOLANG@ +GOROOT = @GOROOT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBTOOL_DEPS = @LIBTOOL_DEPS@ +LIBWRAP_LIBS = @LIBWRAP_LIBS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYINCLUDEDIR = @PYINCLUDEDIR@ +PYTHON = @PYTHON@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ 
+abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gss_libs = @gss_libs@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +py3execdir = @py3execdir@ +pybind_dir = @pybind_dir@ +pyexecdir = @pyexecdir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +use_python3 = @use_python3@ +CONFIG_CLEAN_FILES = *.loT *.rej *.orig +EXTRA_DIST = audisp-ids.conf ids.conf TODO README.md +SUBDIRS = rules +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/auparse +prog_confdir = $(sysconfdir)/audit +prog_conf = ids.conf 
+plugin_confdir = $(prog_confdir)/plugins.d +plugin_conf = audisp-ids.conf +noinst_HEADERS = account.h avl.h ids_config.h gcc-attributes.h ids.h \ + model_bad_event.h model_behavior.h nvpair.h origin.h \ + reactions.h session.h timer-services.h + +audisp_ids_DEPENDENCIES = ${top_builddir}/common/libaucommon.la +audisp_ids_SOURCES = account.c avl.c ids.c ids_config.c model_bad_event.c \ + model_behavior.c nvpair.c origin.c reactions.c session.c \ + timer-services.c + +audisp_ids_CFLAGS = -D_GNU_SOURCE +audisp_ids_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la +all: all-recursive + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu audisp/plugins/ids/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu audisp/plugins/ids/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + 
+uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +audisp-ids$(EXEEXT): $(audisp_ids_OBJECTS) $(audisp_ids_DEPENDENCIES) $(EXTRA_audisp_ids_DEPENDENCIES) + @rm -f audisp-ids$(EXEEXT) + $(AM_V_CCLD)$(audisp_ids_LINK) $(audisp_ids_OBJECTS) $(audisp_ids_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-account.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-avl.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-ids.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-ids_config.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-model_bad_event.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-model_behavior.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-nvpair.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-origin.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-reactions.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/audisp_ids-session.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_ids-timer-services.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +audisp_ids-account.o: account.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-account.o -MD -MP -MF $(DEPDIR)/audisp_ids-account.Tpo -c -o audisp_ids-account.o `test -f 'account.c' || echo '$(srcdir)/'`account.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-account.Tpo $(DEPDIR)/audisp_ids-account.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='account.c' object='audisp_ids-account.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-account.o `test -f 'account.c' || echo '$(srcdir)/'`account.c + +audisp_ids-account.obj: account.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-account.obj -MD -MP -MF $(DEPDIR)/audisp_ids-account.Tpo -c -o audisp_ids-account.obj `if test -f 'account.c'; then $(CYGPATH_W) 'account.c'; else $(CYGPATH_W) '$(srcdir)/account.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-account.Tpo $(DEPDIR)/audisp_ids-account.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='account.c' object='audisp_ids-account.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-account.obj `if test -f 'account.c'; then $(CYGPATH_W) 'account.c'; else $(CYGPATH_W) '$(srcdir)/account.c'; fi` + +audisp_ids-avl.o: avl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-avl.o -MD -MP -MF $(DEPDIR)/audisp_ids-avl.Tpo -c -o audisp_ids-avl.o `test -f 'avl.c' || echo '$(srcdir)/'`avl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-avl.Tpo $(DEPDIR)/audisp_ids-avl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='avl.c' 
object='audisp_ids-avl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-avl.o `test -f 'avl.c' || echo '$(srcdir)/'`avl.c + +audisp_ids-avl.obj: avl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-avl.obj -MD -MP -MF $(DEPDIR)/audisp_ids-avl.Tpo -c -o audisp_ids-avl.obj `if test -f 'avl.c'; then $(CYGPATH_W) 'avl.c'; else $(CYGPATH_W) '$(srcdir)/avl.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-avl.Tpo $(DEPDIR)/audisp_ids-avl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='avl.c' object='audisp_ids-avl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-avl.obj `if test -f 'avl.c'; then $(CYGPATH_W) 'avl.c'; else $(CYGPATH_W) '$(srcdir)/avl.c'; fi` + +audisp_ids-ids.o: ids.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-ids.o -MD -MP -MF $(DEPDIR)/audisp_ids-ids.Tpo -c -o audisp_ids-ids.o `test -f 'ids.c' || echo '$(srcdir)/'`ids.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-ids.Tpo $(DEPDIR)/audisp_ids-ids.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ids.c' object='audisp_ids-ids.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-ids.o `test -f 'ids.c' || echo '$(srcdir)/'`ids.c + +audisp_ids-ids.obj: ids.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-ids.obj -MD -MP -MF $(DEPDIR)/audisp_ids-ids.Tpo -c -o audisp_ids-ids.obj `if test -f 'ids.c'; then $(CYGPATH_W) 'ids.c'; else $(CYGPATH_W) '$(srcdir)/ids.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-ids.Tpo $(DEPDIR)/audisp_ids-ids.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ids.c' object='audisp_ids-ids.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-ids.obj `if test -f 'ids.c'; then $(CYGPATH_W) 'ids.c'; else $(CYGPATH_W) '$(srcdir)/ids.c'; fi` + +audisp_ids-ids_config.o: ids_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-ids_config.o -MD -MP -MF $(DEPDIR)/audisp_ids-ids_config.Tpo -c -o audisp_ids-ids_config.o `test -f 'ids_config.c' || echo '$(srcdir)/'`ids_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-ids_config.Tpo $(DEPDIR)/audisp_ids-ids_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ids_config.c' object='audisp_ids-ids_config.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-ids_config.o `test -f 'ids_config.c' || echo '$(srcdir)/'`ids_config.c + +audisp_ids-ids_config.obj: ids_config.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-ids_config.obj -MD -MP -MF $(DEPDIR)/audisp_ids-ids_config.Tpo -c -o audisp_ids-ids_config.obj `if test -f 'ids_config.c'; then $(CYGPATH_W) 'ids_config.c'; else $(CYGPATH_W) '$(srcdir)/ids_config.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-ids_config.Tpo $(DEPDIR)/audisp_ids-ids_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ids_config.c' object='audisp_ids-ids_config.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-ids_config.obj `if test -f 'ids_config.c'; then $(CYGPATH_W) 'ids_config.c'; else $(CYGPATH_W) '$(srcdir)/ids_config.c'; fi` + +audisp_ids-model_bad_event.o: model_bad_event.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-model_bad_event.o -MD -MP -MF $(DEPDIR)/audisp_ids-model_bad_event.Tpo -c -o audisp_ids-model_bad_event.o `test -f 'model_bad_event.c' || echo '$(srcdir)/'`model_bad_event.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-model_bad_event.Tpo $(DEPDIR)/audisp_ids-model_bad_event.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='model_bad_event.c' object='audisp_ids-model_bad_event.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-model_bad_event.o `test -f 'model_bad_event.c' || echo '$(srcdir)/'`model_bad_event.c + +audisp_ids-model_bad_event.obj: model_bad_event.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-model_bad_event.obj -MD -MP -MF $(DEPDIR)/audisp_ids-model_bad_event.Tpo -c -o audisp_ids-model_bad_event.obj `if test -f 'model_bad_event.c'; then $(CYGPATH_W) 'model_bad_event.c'; else $(CYGPATH_W) '$(srcdir)/model_bad_event.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-model_bad_event.Tpo $(DEPDIR)/audisp_ids-model_bad_event.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='model_bad_event.c' object='audisp_ids-model_bad_event.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-model_bad_event.obj `if test -f 'model_bad_event.c'; then $(CYGPATH_W) 'model_bad_event.c'; else $(CYGPATH_W) '$(srcdir)/model_bad_event.c'; fi` + +audisp_ids-model_behavior.o: model_behavior.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-model_behavior.o -MD -MP -MF $(DEPDIR)/audisp_ids-model_behavior.Tpo -c -o audisp_ids-model_behavior.o `test -f 'model_behavior.c' || echo '$(srcdir)/'`model_behavior.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-model_behavior.Tpo $(DEPDIR)/audisp_ids-model_behavior.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='model_behavior.c' object='audisp_ids-model_behavior.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-model_behavior.o `test -f 'model_behavior.c' || echo 
'$(srcdir)/'`model_behavior.c + +audisp_ids-model_behavior.obj: model_behavior.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-model_behavior.obj -MD -MP -MF $(DEPDIR)/audisp_ids-model_behavior.Tpo -c -o audisp_ids-model_behavior.obj `if test -f 'model_behavior.c'; then $(CYGPATH_W) 'model_behavior.c'; else $(CYGPATH_W) '$(srcdir)/model_behavior.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-model_behavior.Tpo $(DEPDIR)/audisp_ids-model_behavior.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='model_behavior.c' object='audisp_ids-model_behavior.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-model_behavior.obj `if test -f 'model_behavior.c'; then $(CYGPATH_W) 'model_behavior.c'; else $(CYGPATH_W) '$(srcdir)/model_behavior.c'; fi` + +audisp_ids-nvpair.o: nvpair.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-nvpair.o -MD -MP -MF $(DEPDIR)/audisp_ids-nvpair.Tpo -c -o audisp_ids-nvpair.o `test -f 'nvpair.c' || echo '$(srcdir)/'`nvpair.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-nvpair.Tpo $(DEPDIR)/audisp_ids-nvpair.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nvpair.c' object='audisp_ids-nvpair.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-nvpair.o `test -f 'nvpair.c' || echo '$(srcdir)/'`nvpair.c + +audisp_ids-nvpair.obj: 
nvpair.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-nvpair.obj -MD -MP -MF $(DEPDIR)/audisp_ids-nvpair.Tpo -c -o audisp_ids-nvpair.obj `if test -f 'nvpair.c'; then $(CYGPATH_W) 'nvpair.c'; else $(CYGPATH_W) '$(srcdir)/nvpair.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-nvpair.Tpo $(DEPDIR)/audisp_ids-nvpair.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nvpair.c' object='audisp_ids-nvpair.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-nvpair.obj `if test -f 'nvpair.c'; then $(CYGPATH_W) 'nvpair.c'; else $(CYGPATH_W) '$(srcdir)/nvpair.c'; fi` + +audisp_ids-origin.o: origin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-origin.o -MD -MP -MF $(DEPDIR)/audisp_ids-origin.Tpo -c -o audisp_ids-origin.o `test -f 'origin.c' || echo '$(srcdir)/'`origin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-origin.Tpo $(DEPDIR)/audisp_ids-origin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='origin.c' object='audisp_ids-origin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-origin.o `test -f 'origin.c' || echo '$(srcdir)/'`origin.c + +audisp_ids-origin.obj: origin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-origin.obj -MD -MP -MF 
$(DEPDIR)/audisp_ids-origin.Tpo -c -o audisp_ids-origin.obj `if test -f 'origin.c'; then $(CYGPATH_W) 'origin.c'; else $(CYGPATH_W) '$(srcdir)/origin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-origin.Tpo $(DEPDIR)/audisp_ids-origin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='origin.c' object='audisp_ids-origin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-origin.obj `if test -f 'origin.c'; then $(CYGPATH_W) 'origin.c'; else $(CYGPATH_W) '$(srcdir)/origin.c'; fi` + +audisp_ids-reactions.o: reactions.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-reactions.o -MD -MP -MF $(DEPDIR)/audisp_ids-reactions.Tpo -c -o audisp_ids-reactions.o `test -f 'reactions.c' || echo '$(srcdir)/'`reactions.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-reactions.Tpo $(DEPDIR)/audisp_ids-reactions.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='reactions.c' object='audisp_ids-reactions.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-reactions.o `test -f 'reactions.c' || echo '$(srcdir)/'`reactions.c + +audisp_ids-reactions.obj: reactions.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-reactions.obj -MD -MP -MF $(DEPDIR)/audisp_ids-reactions.Tpo -c -o audisp_ids-reactions.obj `if test -f 'reactions.c'; then $(CYGPATH_W) 'reactions.c'; else 
$(CYGPATH_W) '$(srcdir)/reactions.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-reactions.Tpo $(DEPDIR)/audisp_ids-reactions.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='reactions.c' object='audisp_ids-reactions.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-reactions.obj `if test -f 'reactions.c'; then $(CYGPATH_W) 'reactions.c'; else $(CYGPATH_W) '$(srcdir)/reactions.c'; fi` + +audisp_ids-session.o: session.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-session.o -MD -MP -MF $(DEPDIR)/audisp_ids-session.Tpo -c -o audisp_ids-session.o `test -f 'session.c' || echo '$(srcdir)/'`session.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-session.Tpo $(DEPDIR)/audisp_ids-session.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='session.c' object='audisp_ids-session.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-session.o `test -f 'session.c' || echo '$(srcdir)/'`session.c + +audisp_ids-session.obj: session.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-session.obj -MD -MP -MF $(DEPDIR)/audisp_ids-session.Tpo -c -o audisp_ids-session.obj `if test -f 'session.c'; then $(CYGPATH_W) 'session.c'; else $(CYGPATH_W) '$(srcdir)/session.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-session.Tpo 
$(DEPDIR)/audisp_ids-session.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='session.c' object='audisp_ids-session.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-session.obj `if test -f 'session.c'; then $(CYGPATH_W) 'session.c'; else $(CYGPATH_W) '$(srcdir)/session.c'; fi` + +audisp_ids-timer-services.o: timer-services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-timer-services.o -MD -MP -MF $(DEPDIR)/audisp_ids-timer-services.Tpo -c -o audisp_ids-timer-services.o `test -f 'timer-services.c' || echo '$(srcdir)/'`timer-services.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_ids-timer-services.Tpo $(DEPDIR)/audisp_ids-timer-services.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='timer-services.c' object='audisp_ids-timer-services.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-timer-services.o `test -f 'timer-services.c' || echo '$(srcdir)/'`timer-services.c + +audisp_ids-timer-services.obj: timer-services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -MT audisp_ids-timer-services.obj -MD -MP -MF $(DEPDIR)/audisp_ids-timer-services.Tpo -c -o audisp_ids-timer-services.obj `if test -f 'timer-services.c'; then $(CYGPATH_W) 'timer-services.c'; else $(CYGPATH_W) '$(srcdir)/timer-services.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
$(DEPDIR)/audisp_ids-timer-services.Tpo $(DEPDIR)/audisp_ids-timer-services.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='timer-services.c' object='audisp_ids-timer-services.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_ids_CFLAGS) $(CFLAGS) -c -o audisp_ids-timer-services.obj `if test -f 'timer-services.c'; then $(CYGPATH_W) 'timer-services.c'; else $(CYGPATH_W) '$(srcdir)/timer-services.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +# This directory's subdirectories are mostly independent; you can cd +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. 
+$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-recursive +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! 
-f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-recursive + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-recursive + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d 
"$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-recursive +all-am: Makefile $(PROGRAMS) $(HEADERS) +installdirs: installdirs-recursive +installdirs-am: + for dir in "$(DESTDIR)$(sbindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + 
install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-recursive + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-recursive + -rm -f ./$(DEPDIR)/audisp_ids-account.Po + -rm -f ./$(DEPDIR)/audisp_ids-avl.Po + -rm -f ./$(DEPDIR)/audisp_ids-ids.Po + -rm -f ./$(DEPDIR)/audisp_ids-ids_config.Po + -rm -f ./$(DEPDIR)/audisp_ids-model_bad_event.Po + -rm -f ./$(DEPDIR)/audisp_ids-model_behavior.Po + -rm -f ./$(DEPDIR)/audisp_ids-nvpair.Po + -rm -f ./$(DEPDIR)/audisp_ids-origin.Po + -rm -f ./$(DEPDIR)/audisp_ids-reactions.Po + -rm -f ./$(DEPDIR)/audisp_ids-session.Po + -rm -f ./$(DEPDIR)/audisp_ids-timer-services.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +html-am: + +info: info-recursive + +info-am: + +install-data-am: + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-recursive + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-recursive + +install-html-am: + +install-info: install-info-recursive + +install-info-am: + +install-man: + +install-pdf: install-pdf-recursive + +install-pdf-am: + +install-ps: install-ps-recursive + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -f ./$(DEPDIR)/audisp_ids-account.Po + -rm -f 
./$(DEPDIR)/audisp_ids-avl.Po + -rm -f ./$(DEPDIR)/audisp_ids-ids.Po + -rm -f ./$(DEPDIR)/audisp_ids-ids_config.Po + -rm -f ./$(DEPDIR)/audisp_ids-model_bad_event.Po + -rm -f ./$(DEPDIR)/audisp_ids-model_behavior.Po + -rm -f ./$(DEPDIR)/audisp_ids-nvpair.Po + -rm -f ./$(DEPDIR)/audisp_ids-origin.Po + -rm -f ./$(DEPDIR)/audisp_ids-reactions.Po + -rm -f ./$(DEPDIR)/audisp_ids-session.Po + -rm -f ./$(DEPDIR)/audisp_ids-timer-services.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: uninstall-sbinPROGRAMS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook +.MAKE: $(am__recursive_targets) install-am install-data-am \ + install-strip uninstall-am + +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ + am--depfiles check check-am clean clean-generic clean-libtool \ + clean-sbinPROGRAMS cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-data-hook install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-sbinPROGRAMS install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-hook uninstall-sbinPROGRAMS + +.PRECIOUS: Makefile + + +install-data-hook: + mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 ${srcdir}/$(plugin_conf) ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 
${srcdir}/$(prog_conf) ${DESTDIR}${prog_confdir}
+
+uninstall-hook:
+ rm ${DESTDIR}${plugin_confdir}/$(plugin_conf)
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru audit-3.0/audisp/plugins/ids/README.md audit-3.0.7/audisp/plugins/ids/README.md
--- audit-3.0/audisp/plugins/ids/README.md 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/README.md 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,9 @@
+This is an experimental Intrusion Detection System (IDS) plugin. It's goal
+is to either identify or react to suspicious activity. This is a work in
+progress and is subject to either be completed or dropped in it's entirity
+at its author's descretion.
+
+So, if you would like to test it and report issues or even contribute code
+feel free to do so. But please discuss the contribution first to ensure
+that its acceptable. This project uses the Linux Kernel Style Guideline.
+Please follow it if you wish to contribute.
diff -Nru audit-3.0/audisp/plugins/ids/TODO audit-3.0.7/audisp/plugins/ids/TODO
--- audit-3.0/audisp/plugins/ids/TODO 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/TODO 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,9 @@
+1) Start getting whitelisting in place
+2) verify timer services working correctly
+Test on live server
+3) Support IPv6
+4) Support nftables
+5) Patch auditctl for new ids rules
+6) Should we save state on shutdown and restore on start up?
+7) Develop ids rules for more coverage of ATT&CK
+8) More sophisticated models
diff -Nru audit-3.0/audisp/plugins/ids/account.c audit-3.0.7/audisp/plugins/ids/account.c
--- audit-3.0/audisp/plugins/ids/account.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/account.c 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,185 @@ +/* account.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include "ids.h" +#include "account.h" +#include "reactions.h" + + +// This holds info about all sessions +struct account_avl{ + avl_tree index; + unsigned int count; +}; + +static struct account_avl accounts; +static account_data_t *cur = NULL; + + +static int cmp_accounts(void *a, void *b) +{ + return strcmp(((account_data_t *)a)->name, ((account_data_t *)b)->name); +} + +void init_accounts(void) +{ + accounts.count = 0; + cur = NULL; + avl_init(&accounts.index, cmp_accounts); +} + +unsigned int get_num_accounts(void) +{ + return accounts.count; +} + +static int dump_account(void *entry, void *data) +{ + FILE *f = data; + account_data_t *a = entry; + + fprintf(f, "\n"); + fprintf(f, " name: %s\n", a->name); + fprintf(f, " karma: %u\n", a->karma); + + return 0; +} + +void traverse_accounts(FILE *f) +{ + fprintf(f, "Accounts\n"); + fprintf(f, "========\n"); + fprintf(f, "count: %u\n", accounts.count); + avl_traverse(&accounts.index, dump_account, f); +} + +static void free_account(account_data_t *a) +{ + if (debug) + my_printf("Account freeing %p", a); + free((void *)a->name); + free(a); +} + +static void destroy_account(void) +{ + avl *cur = accounts.index.root; + + account_data_t *a = (account_data_t *)avl_remove(&accounts.index, cur); + if ((avl *)a != cur) + my_printf("account: removal of invalid node"); + + // Now free any data pointed to by cur + free_account(a); + cur = NULL; +} + +void new_account(const char *name) +{ + account_data_t *tmp = (account_data_t *)malloc(sizeof(account_data_t)); + if (tmp) { + tmp->name = name ? 
strdup(name) : strdup(""); + tmp->karma = 0; + add_account(tmp); + } +} + +void destroy_accounts(void) +{ + while (accounts.index.root) { + accounts.count--; + destroy_account(); + } +} + +int add_account(account_data_t *a) +{ + account_data_t *tmp; + if (debug) + my_printf("Adding account %s", a->name); + + cur = NULL; + tmp = (account_data_t *)avl_insert(&accounts.index, (avl *)(a)); + if (tmp) { + if (tmp != a) { + if (debug) + my_printf("account: duplicate name found"); + free_account(a); + return 1; + } + accounts.count++; + cur = tmp; + } else if (debug) + my_printf("account: failed inserting name %s", a->name); + return 0; +} + +account_data_t *find_account(const char *name) +{ + account_data_t tmp; + + if (name == NULL) + return NULL; + + tmp.name = name; + cur = (account_data_t *)avl_search(&accounts.index, (avl *) &tmp); + return cur; +} + +account_data_t *current_account(void) +{ + return cur; +} + +int del_account(const char *name) +{ + account_data_t tmp1, *tmp2; + tmp1.name = name; + + if (debug) + my_printf("Deleting %s", name); + cur = NULL; + tmp2 = (account_data_t *)avl_remove(&accounts.index, (avl *) &tmp1); + if (tmp2) { + accounts.count--; + if (strcmp(tmp2->name, name) != 0) { + if (debug) + my_printf("account: deleting unknown name"); + return 1; + } + } else { + if (debug) + my_printf("account: didn't find name"); + + return 1; + } + + // Now free any data pointed to by tmp2 + free_account(tmp2); + + return 0; +} + +void add_to_score_account(account_data_t *a, unsigned int adj) +{ + cur = a; + if (a == NULL) { + if (debug) + my_printf("Account NULL adding score"); + return; + } + + a->karma += adj; + + // Now invoke any reaction + if (a->karma >= 5) { + } +} + diff -Nru audit-3.0/audisp/plugins/ids/account.h audit-3.0.7/audisp/plugins/ids/account.h --- audit-3.0/audisp/plugins/ids/account.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/account.h 2022-01-23 19:36:56.000000000 +0000 
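Review bot: `destroy_account` declares a local `avl *cur` that shadows the file-static `cur`, so its trailing `cur = NULL;` only clears the local and the static pointer can keep referencing an `account_data_t` that `free_account` has just released; `current_account()` would then hand back a dangling pointer until the next `find_account`/`add_account`/`del_account` resets it. Rename the local and clear the static one when it matches: `avl *node = accounts.index.root;` for the lookup and `if (cur == a) cur = NULL;` before returning. In `del_account`, the name-mismatch branch returns 1 after `avl_remove` has already detached `tmp2`, so that node is leaked, and a NULL `name` reaches `strcmp` unchecked even though `find_account` guards the same case. The `if (a->karma >= 5) { }` block in `add_to_score_account` is empty; a `/* TODO: reaction for karma >= 5 not wired up yet */` comment would mark it as intentional rather than a lost edit.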
@@ -0,0 +1,35 @@
+/* account.h --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#ifndef ACCOUNT_HEADER
+#define ACCOUNT_HEADER
+
+#include
+#include "avl.h"
+
+typedef struct account_data {
+ avl avl; // This has to be first
+
+ const char *name;
+ unsigned int karma;
+} account_data_t;
+
+
+void init_accounts(void);
+void destroy_accounts(void);
+void new_account(const char *name);
+unsigned int get_num_accounts(void);
+void traverse_accounts(FILE *f);
+
+int add_account(account_data_t *a);
+account_data_t *find_account(const char *name);
+account_data_t *current_account(void);
+int del_account(const char *name);
+void add_to_score_account(account_data_t *a, unsigned int adj);
+
+#endif
+
diff -Nru audit-3.0/audisp/plugins/ids/audisp-ids.conf audit-3.0.7/audisp/plugins/ids/audisp-ids.conf
--- audit-3.0/audisp/plugins/ids/audisp-ids.conf 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/audisp-ids.conf 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,9 @@
+# This file controls the configuration of the
+# audisp-ids plugin.
+
+active = no
+direction = out
+path = /usr/sbin/audisp-ids
+type = always
+args = 1
+format = string
diff -Nru audit-3.0/audisp/plugins/ids/avl.c audit-3.0.7/audisp/plugins/ids/avl.c
--- audit-3.0/audisp/plugins/ids/avl.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/avl.c 2022-01-23 19:36:56.000000000 +0000
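Review bot: The struct and the prototypes carry no ownership notes, yet `account.c` earlier in this diff `strdup`s `name` into the `const char *` field, frees it through a cast in `free_account`, and `add_account` frees `a` itself when the name is already present. Document that on the declarations, e.g. `const char *name; /* heap copy owned by the entry; released by del_account/destroy_accounts */` and, above `add_account`, `/* Takes ownership of a; returns 1 (and frees a) if the name already exists, 0 otherwise */`. `new_account` substituting an empty string for a NULL `name` is also a contract worth a one-line comment on its prototype.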
@@ -0,0 +1,429 @@ +#include "config.h" +#include // for NULL +#include "avl.h" + +// Note: this file is based on this: +// https://github.com/firehol/netdata/blob/master/src/avl.c +// c63bdb5 on Oct 23, 2017 +// +// which has been moved to here (05/23/20): +// https://github.com/netdata/netdata/blob/master/libnetdata/avl/avl.c +// +// However, its been modified to remove pthreads as this application will +// only use it from a single thread. + +/* ------------------------------------------------------------------------- */ +/* + * avl_insert(), avl_remove() and avl_search() + * are adaptations (by Costa Tsaousis) of the AVL algorithm found in libavl + * v2.0.3, so that they do not use any memory allocations and their memory + * footprint is optimized (by eliminating non-necessary data members). + * + * libavl - library for manipulation of binary trees. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004 Free Software + * Foundation, Inc. + * GNU Lesser General Public License +*/ + + +/* Search |tree| for an item matching |item|, and return it if found. + Otherwise return |NULL|. */ +avl *avl_search(avl_tree *tree, avl *item) { + avl *p; + + // assert (tree != NULL && item != NULL); + + for (p = tree->root; p != NULL; ) { + int cmp = tree->compar(item, p); + + if (cmp < 0) + p = p->avl_link[0]; + else if (cmp > 0) + p = p->avl_link[1]; + else /* |cmp == 0| */ + return p; + } + + return NULL; +} + +/* Inserts |item| into |tree| and returns a pointer to |item|'s address. + If a duplicate item is found in the tree, + returns a pointer to the duplicate without inserting |item|. + */ +avl *avl_insert(avl_tree *tree, avl *item) { + avl *y, *z; /* Top node to update balance factor, and parent. */ + avl *p, *q; /* Iterator, and parent. */ + avl *n; /* Newly inserted node. */ + avl *w; /* New root of rebalanced subtree. */ + unsigned char dir; /* Direction to descend. */ + + unsigned char da[AVL_MAX_HEIGHT]; /* Cached comparison results. 
*/ + int k = 0; /* Number of cached results. */ + + // assert(tree != NULL && item != NULL); + + z = (avl *) &tree->root; + y = tree->root; + dir = 0; + for (q = z, p = y; p != NULL; q = p, p = p->avl_link[dir]) { + int cmp = tree->compar(item, p); + if (cmp == 0) + return p; + + if (p->avl_balance != 0) + z = q, y = p, k = 0; + da[k++] = dir = (cmp > 0); + } + + n = q->avl_link[dir] = item; + + // tree->avl_count++; + n->avl_link[0] = n->avl_link[1] = NULL; + n->avl_balance = 0; + if (y == NULL) return n; + + for (p = y, k = 0; p != n; p = p->avl_link[da[k]], k++) + if (da[k] == 0) + p->avl_balance--; + else + p->avl_balance++; + + if (y->avl_balance == -2) { + avl *x = y->avl_link[0]; + if (x->avl_balance == -1) { + w = x; + y->avl_link[0] = x->avl_link[1]; + x->avl_link[1] = y; + x->avl_balance = y->avl_balance = 0; + } + else { + // assert (x->avl_balance == +1); + w = x->avl_link[1]; + x->avl_link[1] = w->avl_link[0]; + w->avl_link[0] = x; + y->avl_link[0] = w->avl_link[1]; + w->avl_link[1] = y; + if (w->avl_balance == -1) + x->avl_balance = 0, y->avl_balance = +1; + else if (w->avl_balance == 0) + x->avl_balance = y->avl_balance = 0; + else /* |w->avl_balance == +1| */ + x->avl_balance = -1, y->avl_balance = 0; + w->avl_balance = 0; + } + } + else if (y->avl_balance == +2) { + avl *x = y->avl_link[1]; + if (x->avl_balance == +1) { + w = x; + y->avl_link[1] = x->avl_link[0]; + x->avl_link[0] = y; + x->avl_balance = y->avl_balance = 0; + } + else { + // assert (x->avl_balance == -1); + w = x->avl_link[0]; + x->avl_link[0] = w->avl_link[1]; + w->avl_link[1] = x; + y->avl_link[1] = w->avl_link[0]; + w->avl_link[0] = y; + if (w->avl_balance == +1) + x->avl_balance = 0, y->avl_balance = -1; + else if (w->avl_balance == 0) + x->avl_balance = y->avl_balance = 0; + else /* |w->avl_balance == -1| */ + x->avl_balance = +1, y->avl_balance = 0; + w->avl_balance = 0; + } + } + else return n; + + z->avl_link[y != z->avl_link[0]] = w; + + // tree->avl_generation++; + return 
n; +} + +/* Deletes from |tree| and returns an item matching |item|. + Returns a null pointer if no matching item found. */ +avl *avl_remove(avl_tree *tree, avl *item) { + /* Stack of nodes. */ + avl *pa[AVL_MAX_HEIGHT]; /* Nodes. */ + unsigned char da[AVL_MAX_HEIGHT]; /* |avl_link[]| indexes. */ + int k; /* Stack pointer. */ + + avl *p; /* Traverses tree to find node to delete. */ + int cmp; /* Result of comparison between |item| and |p|. */ + + // assert (tree != NULL && item != NULL); + + k = 0; + p = (avl *) &tree->root; + for(cmp = -1; cmp != 0; cmp = tree->compar(item, p)) { + unsigned char dir = (unsigned char)(cmp > 0); + + pa[k] = p; + da[k++] = dir; + + p = p->avl_link[dir]; + if(p == NULL) return NULL; + } + + item = p; + + if (p->avl_link[1] == NULL) + pa[k - 1]->avl_link[da[k - 1]] = p->avl_link[0]; + else { + avl *r = p->avl_link[1]; + if (r->avl_link[0] == NULL) { + r->avl_link[0] = p->avl_link[0]; + r->avl_balance = p->avl_balance; + pa[k - 1]->avl_link[da[k - 1]] = r; + da[k] = 1; + pa[k++] = r; + } + else { + avl *s; + int j = k++; + + for (;;) { + da[k] = 0; + pa[k++] = r; + s = r->avl_link[0]; + if (s->avl_link[0] == NULL) break; + + r = s; + } + + s->avl_link[0] = p->avl_link[0]; + r->avl_link[0] = s->avl_link[1]; + s->avl_link[1] = p->avl_link[1]; + s->avl_balance = p->avl_balance; + + pa[j - 1]->avl_link[da[j - 1]] = s; + da[j] = 1; + pa[j] = s; + } + } + + // assert (k > 0); + while (--k > 0) { + avl *y = pa[k]; + + if (da[k] == 0) { + y->avl_balance++; + if (y->avl_balance == +1) break; + else if (y->avl_balance == +2) { + avl *x = y->avl_link[1]; + if (x->avl_balance == -1) { + avl *w; + // assert (x->avl_balance == -1); + w = x->avl_link[0]; + x->avl_link[0] = w->avl_link[1]; + w->avl_link[1] = x; + y->avl_link[1] = w->avl_link[0]; + w->avl_link[0] = y; + if (w->avl_balance == +1) + x->avl_balance = 0, y->avl_balance = -1; + else if (w->avl_balance == 0) + x->avl_balance = y->avl_balance = 0; + else /* |w->avl_balance == -1| */ + 
x->avl_balance = +1, y->avl_balance = 0; + w->avl_balance = 0; + pa[k - 1]->avl_link[da[k - 1]] = w; + } + else { + y->avl_link[1] = x->avl_link[0]; + x->avl_link[0] = y; + pa[k - 1]->avl_link[da[k - 1]] = x; + if (x->avl_balance == 0) { + x->avl_balance = -1; + y->avl_balance = +1; + break; + } + else x->avl_balance = y->avl_balance = 0; + } + } + } + else + { + y->avl_balance--; + if (y->avl_balance == -1) break; + else if (y->avl_balance == -2) { + avl *x = y->avl_link[0]; + if (x->avl_balance == +1) { + avl *w; + // assert (x->avl_balance == +1); + w = x->avl_link[1]; + x->avl_link[1] = w->avl_link[0]; + w->avl_link[0] = x; + y->avl_link[0] = w->avl_link[1]; + w->avl_link[1] = y; + if (w->avl_balance == -1) + x->avl_balance = 0, y->avl_balance = +1; + else if (w->avl_balance == 0) + x->avl_balance = y->avl_balance = 0; + else /* |w->avl_balance == +1| */ + x->avl_balance = -1, y->avl_balance = 0; + w->avl_balance = 0; + pa[k - 1]->avl_link[da[k - 1]] = w; + } + else { + y->avl_link[0] = x->avl_link[1]; + x->avl_link[1] = y; + pa[k - 1]->avl_link[da[k - 1]] = x; + if (x->avl_balance == 0) { + x->avl_balance = +1; + y->avl_balance = -1; + break; + } + else x->avl_balance = y->avl_balance = 0; + } + } + } + } + + // tree->avl_count--; + // tree->avl_generation++; + return item; +} + +/* ------------------------------------------------------------------------- */ +// below are functions by (C) Costa Tsaousis + +// --------------------------- +// traversing + +int avl_walker(avl *node, int (*callback)(void *entry, void *data), void *data) { + int total = 0, ret = 0; + + if(node->avl_link[0]) { + ret = avl_walker(node->avl_link[0], callback, data); + if(ret < 0) return ret; + total += ret; + } + + ret = callback(node, data); + if(ret < 0) return ret; + total += ret; + + if(node->avl_link[1]) { + ret = avl_walker(node->avl_link[1], callback, data); + if (ret < 0) return ret; + total += ret; + } + + return total; +} + +int avl_traverse(avl_tree *t, int (*callback)(void 
*entry, void *data), + void *data) { + if(t->root) + return avl_walker(t->root, callback, data); + else + return 0; +} + +void avl_init(avl_tree *t, int (*compar)(void *a, void *b)) { + t->root = NULL; + t->compar = compar; +} + +/* ------------------------------------------------------------------------- */ +// below are functions by (C) Steve Grubb + +// --------------------------- + +avl *avl_first(avl_iterator *i, avl_tree *t) +{ + if (t->root == NULL || i == NULL) + return NULL; + + i->tree = t; + i->height = 0; + + // follow the leftmost node to its bottom + avl *node = t->root; + while (node->avl_link[0]) { + i->stack[i->height] = node; + i->height++; + node = node->avl_link[0]; + } + + i->current = node; + return node; +} + +avl *avl_next(avl_iterator *i) +{ + if (i == NULL || i->tree == NULL) + return NULL; + + avl *node = i->current; + if (node == NULL) + return avl_first(i, i->tree); + else if (node->avl_link[1]) { + i->stack[i->height] = node; + i->height++; + node = node->avl_link[1]; + + while (node->avl_link[0]) { + i->stack[i->height] = node; + i->height++; + node = node->avl_link[0]; + } + } else { + avl *tmp; + + do { + if (i->height == 0) { + i->current = NULL; + return NULL; + } + + tmp = node; + i->height--; + node = i->stack[i->height]; + } while (tmp == node->avl_link[1]); + } + + i->current = node; + return node; +} + +static int avl_walker2(avl *node, avl_tree *haystack) { + int ret; + + // If the lefthand has a link, take it so that we walk to the + // leftmost bottom + if(node->avl_link[0]) { + ret = avl_walker2(node->avl_link[0], haystack); + if (ret) return ret; + } + + // Next, check the current node + avl *res = avl_search(haystack, node); + if (res) return 1; + + // If the righthand has a link, take it so that we check all the + // rightmost nodes, too. 
+ if(node->avl_link[1]) { + ret = avl_walker2(node->avl_link[1], haystack); + if (ret) return ret; + } + + // nothing found + return 0; +} + +int avl_intersection(avl_tree *needle, avl_tree *haystack) +{ + // traverse the needle and search the haystack + // this implies that needle should be smaller than haystack + if (needle && haystack && needle->root && haystack->root) + return avl_walker2(needle->root, haystack); + + // something is not initialized, so we cannot search + return 0; +} diff -Nru audit-3.0/audisp/plugins/ids/avl.h audit-3.0.7/audisp/plugins/ids/avl.h --- audit-3.0/audisp/plugins/ids/avl.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/avl.h 2022-01-23 19:36:56.000000000 +0000 
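Review bot: `avl_walker` is defined with external linkage but is not declared in `avl.h` (later in this diff), while its sibling `avl_walker2` is `static`; make it `static int avl_walker(...)` so the recursive helper does not leak into the plugin's global namespace. `avl_next` falls back to `avl_first` whenever `i->current` is NULL, which is also the state after the iterator has been exhausted, so a caller that invokes it once more after the final NULL silently starts over — worth a comment on the function, e.g. `/* A NULL current (fresh or exhausted iterator) restarts from the leftmost node */`. `avl_first` dereferences `t->root` before its NULL checks, so a NULL `t` is not guarded there, unlike `avl_intersection` which checks both trees first.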
@@ -0,0 +1,78 @@ +#ifndef AVL_HEADER +#define AVL_HEADER + +#include "gcc-attributes.h" + +/* Maximum AVL tree height. */ +#ifndef AVL_MAX_HEIGHT +#define AVL_MAX_HEIGHT 92 +#endif + +/* Data structures */ + +/* One element of the AVL tree */ +typedef struct avl { + struct avl *avl_link[2]; /* Subtrees - 0 left, 1 right */ + signed char avl_balance; /* Balance factor. */ +} avl; + +/* An AVL tree */ +typedef struct avl_tree { + avl *root; + int (*compar)(void *a, void *b); +} avl_tree; + +/* Iterator state struct */ +typedef struct avl_iterator { + avl_tree *tree; + avl *current; + avl *stack[AVL_MAX_HEIGHT]; + unsigned height; +} avl_iterator; + + +/* Public methods */ + +/* Insert element a into the AVL tree t + * returns the added element a, or a pointer the + * element that is equal to a (as returned by t->compar()) + * a is linked directly to the tree, so it has to + * be properly allocated by the caller. + */ +avl *avl_insert(avl_tree *t, avl *a) NEVERNULL WARNUNUSED; + +/* Remove an element a from the AVL tree t + * returns a pointer to the removed element + * or NULL if an element equal to a is not found + * (equal as returned by t->compar()) + */ +avl *avl_remove(avl_tree *t, avl *a) WARNUNUSED; + +/* Find the element into the tree that equal to a + * (equal as returned by t->compar()) + * returns NULL is no element is equal to a + */ +avl *avl_search(avl_tree *t, avl *a); + +/* Initialize the avl_tree + */ +void avl_init(avl_tree *t, int (*compar)(void *a, void *b)); + +/* Walk the tree and call callback at each node + */ +int avl_traverse(avl_tree *t, int (*callback)(void *entry, void *data), + void *data); + +/* Walk the tree down to the first node and return it + */ +avl *avl_first(avl_iterator *i, avl_tree *t); + +/* Walk the tree to the next logical node and return it + */ +avl *avl_next(avl_iterator *i); + +/* Given two trees, see if any in needle are contained in haystack + */ +int avl_intersection(avl_tree *needle, avl_tree *haystack); + +#endif 
/* avl.h */
diff -Nru audit-3.0/audisp/plugins/ids/gcc-attributes.h audit-3.0.7/audisp/plugins/ids/gcc-attributes.h
--- audit-3.0/audisp/plugins/ids/gcc-attributes.h 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/gcc-attributes.h 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,16 @@
+/* gcc-attributes.h --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#ifndef GCC_ATTRIBUTES_H
+#define GCC_ATTRIBUTES_H
+
+#define NEVERNULL __attribute__ ((returns_nonnull))
+#define WARNUNUSED __attribute__ ((warn_unused_result))
+#define MALLOCLIKE __attribute__ ((malloc))
+#define NORETURN __attribute__ ((noreturn))
+
+#endif
diff -Nru audit-3.0/audisp/plugins/ids/ids.c audit-3.0.7/audisp/plugins/ids/ids.c
--- audit-3.0/audisp/plugins/ids/ids.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/ids.c 2022-01-23 19:36:56.000000000 +0000
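Review bot: The `avl_iterator` contract should state that the iterator caches ancestor nodes in `stack[]` and is therefore invalidated by `avl_insert`/`avl_remove` on the same tree, since those rewire `avl_link[]` without touching any iterator; a comment above `avl_first` such as `/* The iterator holds raw node pointers; do not insert or remove while iterating */` would prevent that misuse. `avl_intersection` (via `avl_walker2` in avl.c) calls `haystack->compar` on nodes taken from `needle`, so both trees must store the same node type — state that next to its prototype.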
@@ -0,0 +1,336 @@ +/* ids.c -- + * Copyright 2021 Steve Grubb. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include // umask +#include +#include +#include "auparse.h" +#include "common.h" +#include "ids.h" +#include "ids_config.h" +#include "origin.h" +#include "account.h" +#include "session.h" +#include "model_bad_event.h" +#include "model_behavior.h" +#include "timer-services.h" + +/* Global Data */ +int debug = 1; +// mode 3 == file, mode 2 == syslog, 1 == stderr, 0 == nothing +int mode = 0; + +/* Local Data */ +static FILE *l = NULL; // Log file +static volatile int stop = 0; +static volatile int hup = 0; +static volatile int dump_state = 0; +static auparse_state_t *au = NULL; +#define NO_ACTIONS (!hup && !stop && !dump_state) +#define STATE_FILE "/var/run/ids-state" +#define TIMER_INTERVAL 30 // Run every 30 seconds +static struct ids_conf config; + +/* Local declarations */ +static void handle_event(auparse_state_t *au, + auparse_cb_event_t cb_event_type, void *user_data); + +void my_printf(const char *fmt, ...) 
+{ + va_list ap; + + va_start(ap, fmt); + if (mode == 2) + vsyslog(LOG_WARNING, fmt, ap); + else if (mode == 1) { + vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + } else if (mode == 3) { + if (l == NULL) { + l = fopen("/var/run/audisp-ids.log", "wt"); + if (l == NULL) { + va_end(ap); + return; + } + setlinebuf(l); + } + vfprintf(l, fmt, ap); + fputc('\n', l); + } + va_end(ap); +} + +static int audit_fd = -1; +static void init_audit(void) +{ + audit_fd = audit_open(); + if (audit_fd < 0) { + syslog(LOG_ERR, "Cannot open audit connection"); + exit(1); + } +} + + +static void destroy_audit(void) +{ + audit_close(audit_fd); +} + + +void log_audit_event(int type, const char *text, int res) +{ + audit_log_user_message(audit_fd, type, text, NULL, NULL, NULL, res); +} + + +/* + * SIGTERM handler + */ +static void term_handler(int sig __attribute__((unused))) +{ + stop = 1; +} + + +static void child_handler(int sig __attribute__((unused))) +{ + int status; + while (waitpid(-1, &status, WNOHANG)>0) + ; /* empty */ +} + + +/* + * SIGHUP handler: re-read config + */ +static void hup_handler(int sig __attribute__((unused))) +{ + hup = 1; +} + + +static void reload_config(void) +{ + hup = 0; + free_config(&config); + load_config(&config); +} + + +static void sigusr1_handler(int sig __attribute__((unused))) +{ + dump_state = 1; +} + + +static void output_state(void) +{ + FILE *f = fopen(STATE_FILE, "wt"); + dump_state = 0; + if (f) { + traverse_origins(f); + fprintf(f, "\n"); + traverse_accounts(f); + fprintf(f, "\n"); + traverse_sessions(f); + dump_config(&config, f); + fclose(f); + } +} + + +int main(void) +{ + char tmp[MAX_AUDIT_MESSAGE_LENGTH+1]; + struct sigaction sa; + struct itimerspec itval; + int tfd; + fd_set read_mask; + + /* Register sighandlers */ + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + /* Set handler for the ones we care about */ + sa.sa_handler = term_handler; + sigaction(SIGTERM, &sa, NULL); + sa.sa_handler = child_handler; + sigaction(SIGCHLD, &sa, 
NULL); + sa.sa_handler = hup_handler; + sigaction(SIGHUP, &sa, NULL); + sa.sa_handler = sigusr1_handler; + sigaction(SIGUSR1, &sa, NULL); + (void) umask(0177); + + if (load_config(&config)) + return 1; + + init_audit(); + + // Initialize the model + init_origins(); + init_accounts(); + init_sessions(); + + /* Initialize the auparse library */ + au = auparse_init(AUSOURCE_FEED, 0); + if (au == NULL) { + my_printf("ids is exiting due to auparse init errors"); + return -1; + } + auparse_set_eoe_timeout(2); + auparse_add_callback(au, handle_event, NULL, NULL); + + init_timer_services(); + tfd = timerfd_create (CLOCK_MONOTONIC, TFD_NONBLOCK|TFD_CLOEXEC); + if (tfd < 0) { + my_printf("ids is exiting due to timerfd_create failing"); + return -1; + } + itval.it_interval.tv_sec = TIMER_INTERVAL; + itval.it_interval.tv_nsec = 0; + itval.it_value.tv_sec = itval.it_interval.tv_sec; + itval.it_value.tv_nsec = 0; + timerfd_settime(tfd, 0, &itval, NULL); + + do { + int retval; + + /* Handle dump_state */ + if (dump_state) + output_state(); + + /* Load configuration */ + if (hup) + reload_config(); + + /* Probably not needed, but maybe reload took some time? 
*/ + if (stop) + break; + + do { + FD_ZERO(&read_mask); + FD_SET(0, &read_mask); + FD_SET(tfd, &read_mask); + + if (auparse_feed_has_data(au)) { + // We'll do a 1 second timeout to try to + // age events as quick as possible + struct timeval tv; + tv.tv_sec = 1; + tv.tv_usec = 0; + //my_printf("auparse_feed_has_data"); + retval= select(tfd+1, &read_mask, + NULL, NULL, &tv); + } else + retval= select(tfd+1, &read_mask, + NULL, NULL, NULL); + + /* If we timed out & have events, shake them loose */ + if (retval == 0 && auparse_feed_has_data(au)) { + //my_printf("auparse_feed_age_events"); + auparse_feed_age_events(au); + } + } while (retval == -1 && errno == EINTR && NO_ACTIONS); + + /* Now the event loop */ + if (NO_ACTIONS && retval > 0) { + if (FD_ISSET(0, &read_mask)) { + do { + int len; + if ((len = audit_fgets(tmp, + MAX_AUDIT_MESSAGE_LENGTH, + 0)) > 0) { + /* char *buf = strndup(tmp, 40); + my_printf("auparse_feed %s", buf); + free(buf); */ + auparse_feed(au, tmp, len); + } + } while (audit_fgets_more( + MAX_AUDIT_MESSAGE_LENGTH)); + } + if (FD_ISSET(tfd, &read_mask)) { + unsigned long long missed; + //my_printf("do_timer_services"); + do_timer_services(TIMER_INTERVAL); + missed=read(tfd, &missed, sizeof (missed)); + } + + } + if (audit_fgets_eof()) + break; + } while (stop == 0); + + shutdown_timer_services(); + close(tfd); + + /* Flush any accumulated events from queue */ + auparse_flush_feed(au); + auparse_destroy(au); + destroy_sessions(); + destroy_accounts(); + destroy_origins(); + destroy_audit(); + free_config(&config); + + if (stop) + my_printf("ids is exiting on stop request"); + else + my_printf("ids is exiting on stdin EOF"); + + if (l) + fclose(l); + + return 0; +} + + +/* This function receives a single complete event from the auparse library. 
*/ +static void handle_event(auparse_state_t *au, + auparse_cb_event_t cb_event_type, + void *user_data __attribute__((unused))) +{ + if (cb_event_type != AUPARSE_CB_EVENT_READY) + return; + + //my_printf("handle_event %s", auparse_get_type_name(au)); + + /* Do this once for all models */ + if (auparse_normalize(au, NORM_OPT_NO_ATTRS)) + my_printf("Error normalizing %s", auparse_get_type_name(au)); + + /* Check for events that are known bad */ + process_bad_event_model(au, &config); + + /* Check if user doing something strange */ + process_behavior_model(au, &config); +} + diff -Nru audit-3.0/audisp/plugins/ids/ids.conf audit-3.0.7/audisp/plugins/ids/ids.conf --- audit-3.0/audisp/plugins/ids/ids.conf 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/ids.conf 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,9 @@ +option_origin_failed_logins_threshold = 6 +option_origin_failed_logins_reaction = block_address +option_session_badness1_threshold = 8 +option_session_badness1_reaction = block_address +option_service_login_allowed = 0 +option_service_login_weight = 7 +option_root_login_allowed = 0 +option_root_login_weight = 7 +option_bad_login_weight = 1 diff -Nru audit-3.0/audisp/plugins/ids/ids.h audit-3.0.7/audisp/plugins/ids/ids.h --- audit-3.0/audisp/plugins/ids/ids.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/ids.h 2022-01-23 19:36:56.000000000 +0000 
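Review bot: The flags written from signal handlers (`stop`, `hup`, `dump_state`) are declared `volatile int`; the type C guarantees to be safely written from a handler is `volatile sig_atomic_t`, so change the three declarations, e.g. `static volatile sig_atomic_t stop = 0;`. In `main`, the return value of `timerfd_settime` is not checked, so a failed arming leaves the loop with a timer that never fires and `do_timer_services` never runs; and `missed=read(tfd, &missed, sizeof (missed));` overwrites the expiration count with the byte count, which reads like a mistake even if the value is unused — `(void)read(tfd, &missed, sizeof missed);` says what is meant. The exit codes are also mixed: the config failure returns 1 while the auparse and timerfd failures return -1 (seen as 255 by the parent), and the latter two leave the audit fd and the account/origin/session tables un-destroyed.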
@@ -0,0 +1,20 @@
+/* ids.h --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#ifndef IDS_HEADER
+#define IDS_HEADER
+
+#include "libaudit.h"
+#define DAEMON_SESSION "4294967295"
+#define UNSET 4294967295
+
+extern int debug;
+extern void my_printf(const char *fmt, ...)
+ __attribute__ (( format(printf, 1, 2) ));
+extern void log_audit_event(int type, const char *text, int res);
+
+#endif
diff -Nru audit-3.0/audisp/plugins/ids/ids_config.c audit-3.0.7/audisp/plugins/ids/ids_config.c
--- audit-3.0/audisp/plugins/ids/ids_config.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/ids_config.c 2022-01-23 19:36:56.000000000 +0000
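Review bot: `#define UNSET 4294967295` has no suffix, so the constant is of type `long` (or `long long` where `long` is 32 bits), not `unsigned int`; it compares correctly against `unsigned int` values but silently narrows when assigned to or passed as one, and `-Wconversion` will flag every such use. Define it as `#define UNSET 4294967295U` (or `UINT_MAX` from `<limits.h>`) so it has the width the name implies, and add a comment next to `DAEMON_SESSION` noting that it is the string form of the same value.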
@@ -0,0 +1,466 @@ +/* model_bad_event.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include +#include +#include +#include /* O_NOFOLLOW needs gnu defined */ +#include /* INT_MAX */ +#include +#include +#include "ids_config.h" + +#define CONFIG_FILE "/etc/audit/ids.conf" +extern char *audit_strsplit(char *s); + + +/* Local prototypes */ +struct nv_pair +{ + const char *name; + const char *value; +}; + +struct kw_pair +{ + const char *name; + int (*parser)(struct nv_pair *, int, struct ids_conf *); +}; + +struct kw_value +{ + const char *name; + int value; +}; + +struct nv_list +{ + const char *name; + int option; +}; + + +static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, + const char *file); +static int nv_split(char *buf, struct nv_pair *nv); +static const struct kw_pair *kw_lookup(const char *val); +static int option_origin_failed_logins_threshold_parser(struct nv_pair *nv, + int line, struct ids_conf *config); +static int option_origin_failed_logins_reaction_parser(struct nv_pair *nv, + int line, struct ids_conf *config); +static int option_session_badness1_threshold_parser(struct nv_pair *nv, + int line, struct ids_conf *config); +static int option_session_badness1_reaction_parser(struct nv_pair *nv, + int line, struct ids_conf *config); +static int option_service_login_allowed_parser(struct nv_pair *nv, int line, + struct ids_conf *config); +static int option_service_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config); +static int option_root_login_allowed_parser(struct nv_pair *nv, int line, + struct ids_conf *config); +static int option_root_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config); +static int option_bad_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config); + +static const struct kw_value reactions[] = +{ + { "ignore", REACTION_IGNORE }, + { "log", REACTION_LOG }, + { "email", REACTION_EMAIL }, + { 
"term_process", REACTION_TERMINATE_PROCESS }, + { "term_session", REACTION_TERMINATE_SESSION }, + { "restrict_role", REACTION_RESTRICT_ROLE }, + { "password_reset", REACTION_PASSWORD_RESET }, + { "lock_account_timed", REACTION_LOCK_ACCOUNT_TIMED }, + { "lock_account", REACTION_LOCK_ACCOUNT }, + { "block_address_timed", REACTION_BLOCK_ADDRESS_TIMED }, + { "block_address", REACTION_BLOCK_ADDRESS }, + { "system_reboot", REACTION_SYSTEM_REBOOT }, + { "system_single_user", REACTION_SYSTEM_SINGLE_USER }, + { "system_halt", REACTION_SYSTEM_HALT }, +}; +#define REACTION_NAMES (sizeof(reactions)/sizeof(reactions[0])) + +static const struct kw_pair keywords[] = +{ + {"option_origin_failed_logins_threshold", + option_origin_failed_logins_threshold_parser }, + {"option_origin_failed_logins_reaction", + option_origin_failed_logins_reaction_parser }, + {"option_session_badness1_threshold", + option_session_badness1_threshold_parser }, + {"option_session_badness1_reaction", + option_session_badness1_reaction_parser }, + {"option_service_login_allowed", option_service_login_allowed_parser }, + {"option_service_login_weight", option_service_login_weight_parser }, + {"option_root_login_allowed", option_root_login_allowed_parser }, + {"option_root_login_weight", option_root_login_weight_parser }, + {"option_bad_login_weight", option_bad_login_weight_parser }, +}; + +void reset_config(struct ids_conf *config) +{ + config->option_origin_failed_logins_threshold = 8; + config->option_origin_failed_logins_reaction = REACTION_BLOCK_ADDRESS; + config->option_session_badness1_threshold = 8; + config->option_session_badness1_reaction = REACTION_TERMINATE_SESSION; + config->option_service_login_allowed = 0; + config->option_service_login_weight = 5; + config->option_root_login_allowed = 0; + config->option_root_login_weight = 5; + config->option_bad_login_weight = 1; +} + +void free_config(struct ids_conf *config __attribute__((unused))) +{ +} + +void dump_config(struct ids_conf *config, FILE 
*f) +{ + fprintf(f, "\nInternal Configuration\n"); + fprintf(f, "======================\n"); + fprintf(f, "option_origin_failed_logins_threshold: %u\n", + config->option_origin_failed_logins_threshold); + fprintf(f, "option_session_badness1_threshold: %u\n", + config->option_session_badness1_threshold); + fprintf(f, "option_service_login_allowed: %u\n", + config->option_service_login_allowed); + fprintf(f, "option_service_login_weight: %u\n", + config->option_service_login_weight); + fprintf(f, "option_root_login_allowed: %u\n", + config->option_root_login_allowed); + fprintf(f, "option_root_login_weight: %u\n", + config->option_root_login_weight); + fprintf(f, "option_bad_login_weight: %u\n", + config->option_bad_login_weight); +} + +int load_config(struct ids_conf *config) +{ + int fd, rc, mode, lineno = 1; + struct stat st; + FILE *f; + char buf[160]; + + reset_config(config); + + /* open the file */ + mode = O_RDONLY; + rc = open(CONFIG_FILE, mode); + if (rc < 0) { + if (errno != ENOENT) { + syslog(LOG_ERR, "Error opening config file (%s)", + strerror(errno)); + return 1; + } + syslog(LOG_WARNING, + "Config file %s doesn't exist, skipping", CONFIG_FILE); + return 0; + } + fd = rc; + + if (fstat(fd, &st) < 0) { + syslog(LOG_ERR, "Error fstat'ing config file (%s)", + strerror(errno)); + close(fd); + return 1; + } + if (st.st_uid != 0) { + syslog(LOG_ERR, "Error - %s isn't owned by root", + CONFIG_FILE); + close(fd); + return 1; + } + if ((st.st_mode & S_IWOTH) == S_IWOTH) { + syslog(LOG_ERR, "Error - %s is world writable", + CONFIG_FILE); + close(fd); + return 1; + } + if (!S_ISREG(st.st_mode)) { + syslog(LOG_ERR, "Error - %s is not a regular file", + CONFIG_FILE); + close(fd); + return 1; + } + + /* it's ok, read line by line */ + f = fdopen(fd, "rm"); + if (f == NULL) { + syslog(LOG_ERR, "Error - fdopen failed (%s)", + strerror(errno)); + close(fd); + return 1; + } + + while (get_line(f, buf, sizeof(buf), &lineno, CONFIG_FILE)) { + // convert line into 
name-value pair + const struct kw_pair *kw; + struct nv_pair nv; + rc = nv_split(buf, &nv); + switch (rc) { + case 0: // fine + break; + case 1: // not the right number of tokens. + syslog(LOG_ERR, + "Wrong number of arguments for line %d in %s", + lineno, CONFIG_FILE); + break; + case 2: // no '=' sign + syslog(LOG_ERR, + "Missing equal sign for line %d in %s", + lineno, CONFIG_FILE); + break; + default: // something else went wrong... + syslog(LOG_ERR, + "Unknown error for line %d in %s", + lineno, CONFIG_FILE); + break; + } + if (nv.name == NULL) { + lineno++; + continue; + } + if (nv.value == NULL) { + fclose(f); + syslog(LOG_ERR, + "Not processing any more lines in %s", + CONFIG_FILE); + return 1; + } + + /* identify keyword or error */ + kw = kw_lookup(nv.name); + if (kw->name == NULL) { + syslog(LOG_ERR, + "Unknown keyword \"%s\" in line %d of %s", + nv.name, lineno, CONFIG_FILE); + fclose(f); + return 1; + } + + /* dispatch to keyword's local parser */ + rc = kw->parser(&nv, lineno, config); + if (rc != 0) { + fclose(f); + return 1; // local parser puts message out + } + lineno++; + } + + fclose(f); +// if (lineno > 1) +// return sanity_check(config); + return 0; +} + +static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, + const char *file) +{ + int too_long = 0; + + while (fgets_unlocked(buf, size, f)) { + /* remove newline */ + char *ptr = strchr(buf, 0x0a); + if (ptr) { + if (!too_long) { + *ptr = 0; + return buf; + } + // Reset and start with the next line + too_long = 0; + *lineno = *lineno + 1; + } else { + // If a line is too long skip it. 
+ // Only output 1 warning + if (!too_long) + syslog(LOG_ERR, + "Skipping line %d in %s: too long", + *lineno, file); + too_long = 1; + } + } + return NULL; +} + +static int nv_split(char *buf, struct nv_pair *nv) +{ + /* Get the name part */ + char *ptr; + + nv->name = NULL; + nv->value = NULL; + ptr = audit_strsplit(buf); + if (ptr == NULL) + return 0; /* If there's nothing, go to next line */ + if (ptr[0] == '#') + return 0; /* If there's a comment, go to next line */ + nv->name = ptr; + + /* Check for a '=' */ + ptr = audit_strsplit(NULL); + if (ptr == NULL) + return 1; + if (strcmp(ptr, "=") != 0) + return 2; + + /* get the value */ + ptr = audit_strsplit(NULL); + if (ptr == NULL) + return 1; + nv->value = ptr; + + /* See if there's more */ + ptr = audit_strsplit(NULL); + if (ptr) + return 1; + + /* Everything is OK */ + return 0; +} + +static const struct kw_pair *kw_lookup(const char *val) +{ + int i = 0; + while (keywords[i].name != NULL) { + if (strcasecmp(keywords[i].name, val) == 0) + break; + i++; + } + return &keywords[i]; +} + +static int unsigned_int_parser(struct nv_pair *nv, int line, unsigned int *val) +{ + const char *ptr = nv->value; + unsigned long i; + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { + syslog(LOG_ERR, + "Value %s should only be numbers - line %d", + nv->value, line); + return 1; + } + } + + /* convert to unsigned int */ + errno = 0; + i = strtoul(nv->value, NULL, 10); + if (errno) { + syslog(LOG_ERR, + "Error converting string to a number (%s) - line %d", + strerror(errno), line); + return 1; + } + + /* Check its range */ + if (i > INT_MAX) { + syslog(LOG_ERR, + "Error - converted number (%s) is too large - line %d", + nv->value, line); + return 1; + } + + *val = (unsigned int)i; + return 0; +} + +static int reaction_parser(struct nv_pair *nv, int line, unsigned int *val) +{ + unsigned int i, found = 0; + char *ptr, *tmp = strdup(nv->value), *saved; + if (tmp == NULL) + return 1; + 
+ *val = 0; + ptr = strtok_r(tmp, ",", &saved); + while (ptr) { + for (i = 0; i < REACTION_NAMES; i++) { + if (strcasecmp(reactions[i].name, ptr) == 0) { + *val |= (unsigned int)reactions[i].value; + found = 1; + } + } + ptr = strtok_r(NULL, ",", &saved); + } + free(tmp); + if (found) + return 0; + + syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + +static int option_origin_failed_logins_threshold_parser(struct nv_pair *nv, + int line, struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_origin_failed_logins_threshold); +} + +static int option_origin_failed_logins_reaction_parser(struct nv_pair *nv, + int line, struct ids_conf *config) +{ + return reaction_parser(nv, line, + &config->option_origin_failed_logins_reaction); +} + +static int option_session_badness1_threshold_parser(struct nv_pair *nv, + int line, struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_session_badness1_threshold); +} + +static int option_session_badness1_reaction_parser(struct nv_pair *nv, + int line, struct ids_conf *config) +{ + return reaction_parser(nv, line, + &config->option_session_badness1_reaction); +} + +static int option_service_login_allowed_parser(struct nv_pair *nv, int line, + struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_service_login_allowed); +} + +static int option_service_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_service_login_weight); +} + +static int option_root_login_allowed_parser(struct nv_pair *nv, int line, + struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_root_login_allowed); +} + +static int option_root_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_root_login_weight); +} + +static int 
option_bad_login_weight_parser(struct nv_pair *nv, int line, + struct ids_conf *config) +{ + return unsigned_int_parser(nv, line, + &config->option_bad_login_weight); +} + diff -Nru audit-3.0/audisp/plugins/ids/ids_config.h audit-3.0.7/audisp/plugins/ids/ids_config.h --- audit-3.0/audisp/plugins/ids/ids_config.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/ids_config.h 2022-01-23 19:36:56.000000000 +0000 
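Review bot: kw_lookup walks keywords[] until it finds an entry whose name is NULL, but the keywords[] table as shown ends with the option_bad_login_weight entry and has no terminating `{ NULL, NULL }` element, so an unrecognised keyword in ids.conf reads past the end of the array (undefined behaviour) and load_config's `if (kw->name == NULL)` check can no longer be relied on; add `{ NULL, NULL }` as the last initializer of keywords[]. Two smaller points in the same hunk: load_config opens CONFIG_FILE with plain `O_RDONLY` although the fcntl include is commented as being there for O_NOFOLLOW, so `mode = O_RDONLY | O_NOFOLLOW;` looks like the intent, and unsigned_int_parser hands a plain char to isdigit(), which should be `isdigit((unsigned char)ptr[i])`. The file's header comment also names model_bad_event.c rather than ids_config.c.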
@@ -0,0 +1,66 @@ +/* ids_config.h -- + * + * Authors: + * Steve Grubb + * + */ + +#ifndef IDS_CONFIG_HEADER +#define IDS_CONFIG_HEADER + +#include + +// Notifications +#define REACTION_IGNORE 0x0000001 +#define REACTION_LOG 0x0000002 +#define REACTION_EMAIL 0x0000004 + +// Bad process defenses +#define REACTION_TERMINATE_PROCESS 0x0000010 +// freeze process? + +// Bad session defenses +#define REACTION_TERMINATE_SESSION 0x0000100 + +// Account defenses +#define REACTION_RESTRICT_ROLE 0x0001000 +#define REACTION_PASSWORD_RESET 0x0002000 +#define REACTION_LOCK_ACCOUNT_TIMED 0x0004000 +#define REACTION_LOCK_ACCOUNT 0x0008000 +// drop supplemental groups? + +// Remote system defenses +#define REACTION_BLOCK_ADDRESS_TIMED 0x0010000 +#define REACTION_BLOCK_ADDRESS 0x0020000 + +// System defenses +// sysctls, selinux booleans +// update specific rpm, all rpms +// restart service +// drop service timed <- need to whitelist these + +// System terminations +// Drop network timed +#define REACTION_SYSTEM_REBOOT 0x2000000 +#define REACTION_SYSTEM_SINGLE_USER 0x4000000 +#define REACTION_SYSTEM_HALT 0x8000000 + +struct ids_conf +{ + unsigned int option_origin_failed_logins_threshold; + unsigned int option_origin_failed_logins_reaction; + unsigned int option_session_badness1_threshold; + unsigned int option_session_badness1_reaction; + unsigned int option_service_login_allowed; + unsigned int option_service_login_weight; + unsigned int option_root_login_allowed; + unsigned int option_root_login_weight; + unsigned int option_bad_login_weight; +}; + +int load_config(struct ids_conf *config); +void reset_config(struct ids_conf *config); +void free_config(struct ids_conf *config); +void dump_config(struct ids_conf *config, FILE *f); + +#endif diff -Nru audit-3.0/audisp/plugins/ids/model_bad_event.c audit-3.0.7/audisp/plugins/ids/model_bad_event.c --- audit-3.0/audisp/plugins/ids/model_bad_event.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/model_bad_event.c 
2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,168 @@ +/* model_bad_event.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include // inet_pton +#include +#include +#include +#include "ids.h" +#include "session.h" +#include "origin.h" +#include "model_bad_event.h" +#include "reactions.h" + +/* Local Data */ + + +static void terminate_sessions(void) +{ + if (get_num_sessions() == 0) + return; + + if (debug) + my_printf("terminating all sessions"); + // Might want to do more than this like update persistent scores + destroy_sessions(); +} + +// Look at the acct, is it a daemon acct and forbidden +// Is the acct root and forbidden +// is it a bad login +// is it a new session +static void start_session(auparse_state_t *au, struct ids_conf *config) +{ + unsigned int a; + const char *addr = auparse_find_field(au, "addr"); + if (addr && *addr != '?') + inet_pton(AF_INET, addr, &a); + else + a = -1; + + int service_acct = 0; + const char *acct = NULL; + const char *atype = auparse_normalize_subject_kind(au); + if (atype && strncmp(atype, "service", 7) == 0) + service_acct = 1; + if (auparse_normalize_subject_primary(au) == 1) + acct = strdup(auparse_interpret_field(au)); + + // Have we seen this endpoint before? + origin_data_t *o = find_origin(a); + if (o == NULL) { + new_origin(a); + o = find_origin(a); + } + + // Is this login a service account? 
+ if (service_acct && !config->option_service_login_allowed) { + my_printf("bad_service_login_origin: %s", acct); + bad_service_login_origin(o, config, acct); + } + + // Is this a root login + else if (!config->option_root_login_allowed && acct && + strcmp(acct, "root") == 0) { + my_printf("watched_login_origin: %s", acct); + watched_login_origin(o, config, acct); + } + + // Check if it's a failed login + if (auparse_normalize_get_results(au) == 1) { + // Handle a bad login + const char *res = auparse_interpret_field(au); + if (res && strcmp(res, "failed") == 0) { + // Since the login failed, we don't need to + // start a new session + bad_login_origin(o, config); + free((void *)acct); + return; + } + } + + // Look for new login sessions + if (auparse_normalize_session(au) == 1) { + unsigned int s = auparse_get_field_int(au); + if (s != UNSET) { + // new_session takes custody of acct + new_session(s, a, acct); + acct = NULL; + // otherwise we have a strange daemon login + } else if (debug) + my_printf("start_session: can't find session in serial %s", + auparse_get_type_name(au)); + } + free((void *)acct); +} + +static void end_session(auparse_state_t *au) +{ + if (auparse_normalize_session(au) == 1) { + const char *ses = auparse_get_field_str(au); + if (ses && strcmp(ses, DAEMON_SESSION)) { + unsigned int s = auparse_get_field_int(au); + del_session(s); + } + } +} + +/* This function receives a single complete event from the auparse library. */ +void process_bad_event_model(auparse_state_t *au, + struct ids_conf *config) +{ + unsigned int answer = 0; + auparse_first_record(au); + int type = auparse_get_type(au); + + /* Now we can branch based on what the first record type we find. 
*/ + switch (type) { + case AUDIT_SYSTEM_BOOT: + case AUDIT_SYSTEM_SHUTDOWN: + // Reset everything + terminate_sessions(); + break; + // FIXME: update this list as events are added + case AUDIT_ANOM_LOGIN_SERVICE: + case AUDIT_ANOM_LOGIN_ACCT: + // Do not process our own events + break; + case AUDIT_ANOM_LOGIN_FAILURES: + { + // Do not process our own events + const char *exe = auparse_normalize_how(au); + if (exe && strcmp(exe, "/usr/sbin/audisp-ids") == 0) + break; + } + // fallthrough if pam related + case AUDIT_ANOM_LOGIN_TIME: + case AUDIT_ANOM_LOGIN_SESSIONS: + case AUDIT_ANOM_LOGIN_LOCATION: + // watch for pam discovered problems + break; + case AUDIT_USER_LOGIN: + start_session(au, config); + break; +// case AUDIT_USER_END: user_end can be for su + case AUDIT_USER_LOGOUT: + end_session(au); + break; + default: + break; + } + + // We only mess with origins because it could be a bad login + origin_data_t *o = current_origin(); + if (o) { + if (o->karma >= config->option_origin_failed_logins_threshold && + !o->blocked) { + //AUDIT_ANOM_ORIGIN_FAILURES + answer |= config->option_origin_failed_logins_reaction; + do_reaction(answer, "login_failures"); + } + } +} + diff -Nru audit-3.0/audisp/plugins/ids/model_bad_event.h audit-3.0.7/audisp/plugins/ids/model_bad_event.h --- audit-3.0/audisp/plugins/ids/model_bad_event.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/model_bad_event.h 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,10 @@ +#ifndef MODEL_BAD_EVENT_HEADER +#define MODEL_BAD_EVENT_HEADER + +#include "auparse.h" +#include "ids_config.h" + +void process_bad_event_model(auparse_state_t *au, + struct ids_conf *config); + +#endif diff -Nru audit-3.0/audisp/plugins/ids/model_behavior.c audit-3.0.7/audisp/plugins/ids/model_behavior.c --- audit-3.0/audisp/plugins/ids/model_behavior.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/model_behavior.c 2022-01-23 19:36:56.000000000 +0000 
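Review bot: In start_session the return value of inet_pton() is ignored, so when the addr field is present but is not a dotted IPv4 string (an IPv6 or hostname form, for example) `a` is left uninitialised and the login is attributed to an arbitrary origin; write the check as `if (!addr || *addr == '?' || inet_pton(AF_INET, addr, &a) != 1) a = -1;`. Further down, `o` can still be NULL after the new_origin()/find_origin() pair (add_origin can fail), and bad_service_login_origin()/watched_login_origin() dereference `o->address` without a check, so add `if (o == NULL) { free((void *)acct); return; }` before the service/root tests. The `my_printf("bad_service_login_origin: %s", acct)` call can also receive a NULL acct when strdup() fails or no subject was found, which is worth a `acct ? acct : "?"` as used in origin.c.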
@@ -0,0 +1,134 @@ +/* model_behavior.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include "ids.h" +#include "session.h" +#include "origin.h" +#include "model_behavior.h" +#include "reactions.h" + +/* Local Data */ + + +static void process_plain_syscalls(auparse_state_t *au) +{ + if (auparse_normalize_key(au) == 1) { + uint32_t s = -2; + const char *key = auparse_interpret_field(au); + // If its a key we don't care about, skip it. + if (strncmp(key, "ids-", 4)) + return; + if (auparse_normalize_session(au) == 1) { + const char *ses = auparse_get_field_str(au); + if (ses && strcmp(ses, DAEMON_SESSION)) + s = auparse_get_field_int(au); + } + + // For now, do not process daemon events + if ((int32_t)s < 0) + return; + + session_data_t *sess = find_session(s); + if (sess) { + if (strcmp(key, "ids-recon") == 0) { + add_to_score_session(sess, 2); + } else if (strcmp(key, "ids-archive") == 0) { + add_to_score_session(sess, 5); + } else if (strcmp(key, "ids-mkexec") == 0) { + add_to_score_session(sess, 4); + } else if (strcmp(key, "ids-connections") == 0) { + add_to_score_session(sess, 6); + } + } + } +} + +static void process_anomalies(auparse_state_t *au) +{ + if (auparse_normalize_session(au) == 1) { + const char *ses = auparse_get_field_str(au); + if (ses && strcmp(ses, DAEMON_SESSION)) { + unsigned int s = auparse_get_field_int(au); + + session_data_t *sess = find_session(s); + if (sess) { + auparse_first_record(au); + int type = auparse_get_type(au); + if (type == AUDIT_FANOTIFY) + add_to_score_session(sess, 12); + else + add_to_score_session(sess, 2); + } + } + } +} + +/* This function receives a single complete event from the auparse library. */ +void process_behavior_model(auparse_state_t *au, struct ids_conf *config) +{ + unsigned int answer = 0; + auparse_first_record(au); + int type = auparse_get_type(au); + + /* Now we can branch based on what the first record type we find. 
*/ + switch (type) { + case AUDIT_SYSCALL: + process_plain_syscalls(au); + break; + //case SECCOMP: + case AUDIT_FANOTIFY: + case AUDIT_AVC: + case AUDIT_ANOM_PROMISCUOUS: + case AUDIT_ANOM_ABEND: + case AUDIT_ANOM_LINK: + // Handle these by looking for session. If + // not in a session handle by process + process_anomalies(au); + break; + case AUDIT_USER_MGMT: + case AUDIT_ADD_USER: + case AUDIT_DEL_USER: + case AUDIT_ADD_GROUP: + case AUDIT_DEL_GROUP: + case AUDIT_GRP_MGMT: + break; + case AUDIT_USER_AUTH: + case AUDIT_USER_ACCT: + case AUDIT_GRP_AUTH: + // watch for failures in auth + break; + default: + break; + } + + origin_data_t *o = current_origin(); + session_data_t *s = current_session(); + + if (o && s) { + if (s->score >= config->option_session_badness1_threshold && + s->killed == 0) { + //AUDIT_ANOM_SESSION + answer |= config->option_session_badness1_reaction; + do_reaction(answer, "session_bad"); + if (s->killed >= 1) + add_to_score_origin(o, 5); + else + add_to_score_origin(o, 2); + } + } + + if (o && o->karma >= config->option_origin_failed_logins_threshold && + !o->blocked) { + //AUDIT_ANOM_ORIGIN_FAILURES + answer |= config->option_origin_failed_logins_reaction; + do_reaction(answer, "failed_login"); + } +} + diff -Nru audit-3.0/audisp/plugins/ids/model_behavior.h audit-3.0.7/audisp/plugins/ids/model_behavior.h --- audit-3.0/audisp/plugins/ids/model_behavior.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/model_behavior.h 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,10 @@ +#ifndef MODEL_BEHAVIOR_HEADER +#define MODEL_BEHAVIOR_HEADER + +#include "auparse.h" +#include "ids_config.h" + +void process_behavior_model(auparse_state_t *au, + struct ids_conf *config); + +#endif diff -Nru audit-3.0/audisp/plugins/ids/nvpair.c audit-3.0.7/audisp/plugins/ids/nvpair.c --- audit-3.0/audisp/plugins/ids/nvpair.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/nvpair.c 2022-01-23 19:36:56.000000000 +0000 
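Review bot: process_plain_syscalls passes the result of auparse_interpret_field() straight to strncmp(), but that call can return NULL, which would crash the plugin on a SYSCALL record whose key field cannot be interpreted; guard it with `if (key == NULL || strncmp(key, "ids-", 4)) return;`. Separately, the origin check at the end of process_behavior_model repeats the one at the end of process_bad_event_model (handle_event runs both for every event) under a different reaction label ("failed_login" versus "login_failures"), so unless do_reaction() sets o->blocked the same origin reaction appears to fire twice per event; if that is not intended, keep one of the two and use a single label. The `uint32_t s = -2` sentinel also deserves a one-line comment saying why -2 rather than UNSET marks "no usable session".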
@@ -0,0 +1,126 @@ +/* +* nvpair.c - Minimal linked list library for arg-jobue pairs +* Copyright (c) 2019 Steve Grubb. +* All Rights Reserved. +* +* This software may be freely redistributed and/or modified under the +* terms of the GNU General Public License as published by the Free +* Software Foundation; either version 2, or (at your option) any +* later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; see the file COPYING. If not, write to the +* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +* Boston, MA 02110-1335, USA. +* +* Authors: +* Steve Grubb +*/ + +#include "config.h" +#include +#include "nvpair.h" + + +void nvpair_list_create(nvlist *l) +{ + l->head = NULL; + l->cur = NULL; + l->prev = NULL; + l->cnt = 0; +} + +/*nvnode *nvlist_next(nvlist *l) +{ + if (l->cur == NULL) { + l->prev = NULL; + return NULL; + } + l->prev = l->cur; + l->cur = l->cur->next; + return l->cur; +}*/ + +void nvpair_list_append(nvlist *l, nvnode *node) +{ + nvnode* newnode = malloc(sizeof(nvnode)); + + newnode->arg = node->arg; + newnode->job = node->job; + newnode->expiration = node->expiration; + newnode->next = NULL; + + // if we are at top, fix this up + if (l->head == NULL) { + l->head = newnode; + l->prev = NULL; + } else { // Add pointer to newnode and make sure we are at the end + while (l->cur->next) { + l->prev = l->cur; + l->cur = l->cur->next; + } + l->cur->next = newnode; + } + + // make newnode current + l->cur = newnode; + l->cnt++; +} + +int nvpair_list_find_job(nvlist *l, time_t t) +{ + nvnode* node = l->head; + l->prev = NULL; + + while (node) { + if (node->expiration < t) { + l->cur = node; + return 1; + } + else { + l->prev = node; + node = 
node->next; + } + } + return 0; +} + +void nvpair_list_delete_cur(nvlist *l) +{ + if (l->cur == NULL) + return; + + if (l->cur == l->head) { + l->head = l->cur->next; + l->prev = NULL; + } else if (l->prev) + l->prev->next = l->cur->next; + + free(l->cur->arg); + free(l->cur); + l->cnt--; +} + +void nvpair_list_clear(nvlist* l) +{ + nvnode* nextnode; + nvnode* current; + + current = l->head; + while (current) { + nextnode=current->next; + free(current->arg); + free(current); + current=nextnode; + } + l->head = NULL; + l->prev = NULL; + l->cur = NULL; + l->cnt = 0; +} + diff -Nru audit-3.0/audisp/plugins/ids/nvpair.h audit-3.0.7/audisp/plugins/ids/nvpair.h --- audit-3.0/audisp/plugins/ids/nvpair.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/nvpair.h 2022-01-23 19:36:56.000000000 +0000 
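Review bot: nvpair_list_delete_cur frees l->cur but leaves it pointing at the freed node, so a following nvpair_list_append (which walks from `l->cur->next`) or nvpair_list_get_cur() call is a use-after-free; nvpair_list_append also writes through the malloc() result without checking it. Clear `l->cur` after the free, have append start its walk from l->head whenever cur is NULL, and return early when the allocation fails. Whether callers append after a delete is not visible in this hunk, but the list API should not hand out a dangling current pointer in any case.
```c
void nvpair_list_append(nvlist *l, nvnode *node)
{
	nvnode* newnode = malloc(sizeof(nvnode));
	if (newnode == NULL)
		return;	/* no error channel in this API; skip the job rather than crash */

	/* … unchanged: copy arg/job/expiration into newnode … */

	if (l->head == NULL) {
		l->head = newnode;
		l->prev = NULL;
	} else {
		/* l->cur may be NULL after a delete; walk from a node we know is live */
		nvnode *walk = l->cur ? l->cur : l->head;
		while (walk->next) {
			l->prev = walk;
			walk = walk->next;
		}
		walk->next = newnode;
	}

	/* … unchanged: make newnode current, bump cnt … */
}

void nvpair_list_delete_cur(nvlist *l)
{
	/* … unchanged: NULL check and unlink … */
	free(l->cur->arg);
	free(l->cur);
	l->cur = NULL;	/* never leave a dangling current pointer */
	l->cnt--;
}
```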
@@ -0,0 +1,62 @@ +/* +* nvpair.h - Header file for ausearch-nvpair.c +* Copyright (c) 2019 Steve Grubb. +* All Rights Reserved. +* +* This software may be freely redistributed and/or modified under the +* terms of the GNU General Public License as published by the Free +* Software Foundation; either version 2, or (at your option) any +* later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; see the file COPYING. If not, write to the +* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +* Boston, MA 02110-1335, USA. +* +* Authors: +* Steve Grubb +*/ + +#ifndef AUNVPAIR_HEADER +#define AUNVPAIR_HEADER + +#include +#include +#include "timer-services.h" + +/* This is the node of the linked list. message & item are the only elements + * at this time. Any data elements that are per item goes here. */ +typedef struct _nvnode{ + jobs_t job; // The job to run + char *arg; // The argument string + time_t expiration; // The time when the job can be run + struct _nvnode *next; // Next nvpair node pointer +} nvnode; + +/* This is the linked list head. Only data elements that are 1 per + * event goes here. 
*/ +typedef struct { + nvnode *head; // List head + nvnode *cur; // Pointer to current node + nvnode *prev; // Pointer to previous node + unsigned int cnt; // How many items in this list +} nvlist; + +void nvpair_list_create(nvlist *l); +static inline void nvlist_first(nvlist *l) { l->cur = l->head; } +//nvnode *nvlist_next(nvlist *l); +static inline nvnode *nvpair_list_get_cur(nvlist *l) { return l->cur; } +void nvpair_list_append(nvlist *l, nvnode *node); +void nvpair_list_delete_cur(nvlist *l); +void nvpair_list_clear(nvlist* l); + +/* Given a time, find a job to run. */ +int nvpair_list_find_job(nvlist *l, time_t t); + +#endif + diff -Nru audit-3.0/audisp/plugins/ids/origin.c audit-3.0.7/audisp/plugins/ids/origin.c --- audit-3.0/audisp/plugins/ids/origin.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/origin.c 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,242 @@ +/* origin.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include "ids.h" +#include "origin.h" +#include "reactions.h" + +// This holds info about all sessions +struct origin_avl{ + avl_tree index; + unsigned int count; +}; + +static struct origin_avl origins; +static origin_data_t *cur = NULL; + +static int cmp_origins(void *a, void *b) +{ + return (((origin_data_t *)a)->address - + ((origin_data_t *)b)->address); +} + +void init_origins(void) +{ + origins.count = 0; + cur = NULL; + avl_init(&origins.index, cmp_origins); +} + +unsigned int get_num_origins(void) +{ + return origins.count; +} + +static int dump_origin(void *entry, void *data) +{ + FILE *f = data; + origin_data_t *o = entry; + + fprintf(f, "\n"); + fprintf(f, " address: %s\n", sockint_to_ipv4(o->address)); + fprintf(f, " karma: %u\n", o->karma); + fprintf(f, " blocked: %u\n", o->blocked); + + return 0; +} + +void traverse_origins(FILE *f) +{ + fprintf(f, "Origins\n"); + fprintf(f, "=======\n"); + fprintf(f, "count: %u\n", origins.count); + avl_traverse(&origins.index, dump_origin, f); +} + +static void free_origin(origin_data_t *o) +{ + if (debug) + my_printf("Origin freeing %p", o); + free(o); +} + +void new_origin(unsigned int a) +{ + origin_data_t *tmp = (origin_data_t *)malloc(sizeof(origin_data_t)); + if (tmp) { + tmp->address = a; + tmp->karma = 0; + tmp->blocked = 0; + add_origin(tmp); + } +} + +static void destroy_origin(void) +{ + avl *cur = origins.index.root; + + origin_data_t *o = (origin_data_t *)avl_remove(&origins.index, cur); + if ((avl *)o != cur) + my_printf("origin: removal of invalid node"); + + // Now free any data pointed to by cur + free_origin(o); + cur = NULL; +} + +void destroy_origins(void) +{ + while (origins.index.root) { + origins.count--; + destroy_origin(); + } +} + +int add_origin(origin_data_t *o) +{ + origin_data_t *tmp; + if (debug) + my_printf("Adding origin %u", o->address); + + cur = NULL; + tmp = 
(origin_data_t *)avl_insert(&origins.index, (avl *)(o)); + if (tmp) { + if (tmp != o) { + if (debug) + my_printf("origin: duplicate address found"); + free(o); + return 1; + } + origins.count++; + cur = tmp; + } else if (debug) + my_printf("origin: failed inserting address %u", o->address); + return 0; +} + +origin_data_t *find_origin(unsigned int addr) +{ + origin_data_t tmp; + + tmp.address = addr; + cur = (origin_data_t *)avl_search(&origins.index, (avl *) &tmp); + return cur; +} + +origin_data_t *current_origin(void) +{ + return cur; +} + +int del_origin(unsigned int addr) +{ + origin_data_t tmp1, *tmp2; + tmp1.address = addr; + + if (debug) + my_printf("Deleting %u", addr); + cur = NULL; + tmp2 = (origin_data_t *)avl_remove(&origins.index, (avl *) &tmp1); + if (tmp2) { + origins.count--; + if (tmp2->address != addr) { + if (debug) + my_printf("origin: deleting unknown address"); + return 1; + } + } else { + if (debug) + my_printf("origin: didn't find address"); + return 1; + } + + // Now free any data pointed to by tmp2 + free_origin(tmp2); + + return 0; +} + +char *sockint_to_ipv4(unsigned int addr) +{ + unsigned char *uaddr = (unsigned char *)&(addr); + static char buf[16]; + + snprintf(buf, sizeof(buf), "%u.%u.%u.%u", + uaddr[0], uaddr[1], uaddr[2], uaddr[3]); + return buf; +} + +unsigned int ipv4_to_sockint(const char *buf) +{ + unsigned int addr; + unsigned int ip[4] = {0, 0, 0, 0}; + + if (sscanf(buf, "%u.%u.%u.%u", &ip[3], &ip[2], &ip[1], &ip[0]) != 4) + return 0; + + addr = ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]; + return addr; +} + +void bad_login_origin(origin_data_t *o, struct ids_conf *config) +{ // We will just add a 1 for a bad login. + add_to_score_origin(o, config->option_bad_login_weight); +} + +void bad_service_login_origin(origin_data_t *o, struct ids_conf *config, + const char *acct) +{ // We will just add a 5 for a bad service login. 
+ char buf[62]; + const char *addr = sockint_to_ipv4(o->address); + // account names can be up to 32 characters. IPv4 can be 16 + snprintf(buf, sizeof(buf), "acct=%.32s daddr=%.16s", + acct ? acct : "?", addr); + log_audit_event(AUDIT_ANOM_LOGIN_SERVICE, buf, 1); + + add_to_score_origin(o, config->option_service_login_weight); +} + +void watched_login_origin(origin_data_t *o, struct ids_conf *config, + const char *acct) +{ // We will just add a 5 for a watched login. + char buf[62]; + const char *addr = sockint_to_ipv4(o->address); + snprintf(buf, sizeof(buf), "acct=%.32s daddr=%.16s", + acct ? acct : "?", addr); + log_audit_event(AUDIT_ANOM_LOGIN_ACCT, buf, 1); + + add_to_score_origin(o, config->option_root_login_weight); +} + +void add_to_score_origin(origin_data_t *o, unsigned int adj) +{ + cur = o; + if (o == NULL) { + if (debug) + my_printf("origin NULL adding score"); + return; + } + + o->karma += adj; + if (debug) + my_printf("origin karma: %u", o->karma); +} + +// Returns 1 on success and 0 on failure +int unblock_origin(const char *addr) +{ + unsigned int uaddr = ipv4_to_sockint(addr); + origin_data_t *o = find_origin(uaddr); + if (o) { + o->blocked = 0; + return 1; + } + + return 0; +} diff -Nru audit-3.0/audisp/plugins/ids/origin.h audit-3.0.7/audisp/plugins/ids/origin.h --- audit-3.0/audisp/plugins/ids/origin.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/origin.h 2022-01-23 19:36:56.000000000 +0000 
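Review bot: cmp_origins returns `a->address - b->address` converted to int, which is not a consistent ordering for unsigned 32-bit addresses (1 - 0xFFFFFFFF wraps to 2, reporting the smaller address as the larger one), so avl_insert and avl_search can disagree and a repeat offender may be filed under a fresh origin with karma 0, quietly resetting the failed-login threshold; compare with `unsigned int x = ((origin_data_t *)a)->address, y = ((origin_data_t *)b)->address;` followed by `return (x > y) - (x < y);`. In destroy_origin the local `avl *cur` shadows the file-scope `cur`, so the trailing `cur = NULL;` clears the local and the global current-origin pointer is left pointing at freed memory after destroy_origins(); rename the local (e.g. `root`) and reset the file-scope `cur` there instead. ipv4_to_sockint also assembles the address on the assumption that the in-memory byte order matches what inet_pton wrote (first octet in the lowest byte), which is worth a comment next to sockint_to_ipv4 since that reads the raw bytes.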
@@ -0,0 +1,45 @@
+/* origin.h --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#ifndef ORIGIN_HEADER
+#define ORIGIN_HEADER
+
+#include
+#include "avl.h"
+#include "ids_config.h"
+
+typedef struct origin_data {
+ avl avl; // This has to be first
+
+ unsigned int address; // This hack works for IPv4
+ unsigned int karma;
+ unsigned int blocked;
+} origin_data_t;
+
+
+void init_origins(void);
+void new_origin(unsigned int a);
+void destroy_origins(void);
+unsigned int get_num_origins(void);
+void traverse_origins(FILE *f);
+
+int add_origin(origin_data_t *o);
+origin_data_t *find_origin(unsigned int addr);
+origin_data_t *current_origin(void);
+int del_origin(unsigned int addr);
+void bad_login_origin(origin_data_t *o, struct ids_conf *config);
+void bad_service_login_origin(origin_data_t *o, struct ids_conf *config,
+ const char *acct);
+void watched_login_origin(origin_data_t *o, struct ids_conf *config,
+ const char *acct);
+void add_to_score_origin(origin_data_t *o, unsigned int adj);
+int unblock_origin(const char *addr);
+char *sockint_to_ipv4(unsigned int addr);
+unsigned int ipv4_to_sockint(const char *buf);
+
+#endif
+
diff -Nru audit-3.0/audisp/plugins/ids/reactions.c audit-3.0.7/audisp/plugins/ids/reactions.c
--- audit-3.0/audisp/plugins/ids/reactions.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/reactions.c 2022-01-23 19:36:56.000000000 +0000
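Review bot: The prototypes in origin.h carry no contract comments, and `sockint_to_ipv4` in particular hands back a pointer into a single static buffer (see its definition in origin.c), so a second call overwrites the result of the first and any caller that keeps the pointer across another conversion reads the wrong address; the declaration should say so, e.g. `char *sockint_to_ipv4(unsigned int addr); // returns a static buffer, not reentrant; copy before calling again`. The `address` field is commented only as "This hack works for IPv4", yet `sockint_to_ipv4` prints the in-memory bytes of the integer while `ipv4_to_sockint` assembles the value with shifts, so the pair only round-trips on little-endian hosts; state the expected representation on the field (it appears to be the raw `s_addr` value) or switch the pair to `inet_ntop`/`inet_pton` on a `struct in_addr`, which is endian-safe.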
@@ -0,0 +1,344 @@
+/* reactions.c --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#include "config.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include // nanosleep
+#include
+#include
+#include
+#include "ids.h"
+#include "ids_config.h"
+#include "reactions.h"
+#include "session.h"
+#include "timer-services.h"
+
+// Returns 0 on success and 1 on failure
+static int safe_exec(const char *exe, ...)
+{
+ char **argv;
+ va_list ap;
+ unsigned int i;
+ int pid;
+ struct sigaction sa;
+
+ if (exe == NULL) {
+ syslog(LOG_ALERT,
+ "Safe_exec passed NULL for program to execute");
+ return 1;
+ }
+
+ pid = fork();
+ if (pid < 0) {
+ syslog(LOG_ALERT,
+ "Audit IDS failed to fork doing safe_exec");
+ return 1;
+ }
+ if (pid) /* Parent */
+ return 0; // FIXME: should we waitpid to know if it succeeded?
+
+ /* Child */
+ sigfillset (&sa.sa_mask);
+ sigprocmask (SIG_UNBLOCK, &sa.sa_mask, 0);
+
+ va_start(ap, exe);
+ for (i = 1; va_arg(ap, char *) != NULL; i++);
+ va_end(ap);
+ argv = alloca(i * sizeof(char *));
+
+ va_start(ap, exe);
+ argv[0] = (char *) exe;
+ for (i = 1; (argv[i] = (char *) va_arg(ap, char *)) != NULL; i++);
+ va_end(ap);
+ argv[i] = NULL;
+
+ execve(exe, argv, NULL);
+ syslog(LOG_ALERT, "Audit IDS failed to exec %s", exe);
+ exit(1);
+}
+
+static void minipause(void)
+{
+ struct timespec ts;
+ ts.tv_sec = 0;
+ ts.tv_nsec = 120 * 1000 * 1000; // 120 milliseconds
+ nanosleep(&ts, NULL);
+}
+
+int kill_process(pid_t pid)
+{
+ if (pid <= 0)
+ return 1;
+
+ if (debug)
+ my_printf("reaction kill -KILL %d", pid);
+
+ return kill(pid, SIGKILL);
+}
+
+int kill_session(int session)
+{
+ char ses[16];
+
+ // Do not kill session -1 or the system will die
+ if (session < 0)
+ return 1;
+
+ snprintf(ses, sizeof(ses), "%d", session);
+ if (debug)
+ my_printf("reaction killall -d %s", ses);
+ return safe_exec("/usr/bin/killall", "-d", ses, NULL);
+}
+
+static int uid_min = -1;
+static void read_uid_min(void)
+{
+ FILE *f;
+ char buf[100];
+ int
uid = -1;
+
+ if (uid_min > 0)
+ return;
+
+ f = fopen("/etc/login.defs", "r");
+ if (f == NULL)
+ return;
+ __fsetlocking(f, FSETLOCKING_BYCALLER);
+ while (fgets(buf, sizeof(buf), f)) {
+ if (memcmp(buf, "UID_MIN", 7) == 0) {
+ if (sscanf(buf, "UID_MIN %d", &uid) == 1) {
+ if (uid != -1) {
+ uid_min = uid;
+ if (debug)
+ my_printf("uid_min set to %d",
+ uid_min);
+ }
+ }
+ break;
+ }
+ }
+ fclose(f);
+}
+
+/* returns 0 if user account and 1 on anything else */
+static int verify_acct(const char *acct)
+{
+ struct passwd *pw;
+
+ if (acct == NULL)
+ return 1;
+
+ // Make sure valid acct
+ errno = 0;
+ pw = getpwnam(acct);
+ if (pw == NULL || errno)
+ return 1;
+
+ // Make sure not a daemon
+ if (strstr(pw->pw_shell, "nologin"))
+ return 1;
+ if (uid_min < 0) {
+ read_uid_min();
+ if (uid_min < 0)
+ return 1;
+ }
+ if ((int)pw->pw_uid < uid_min)
+ return 1;
+
+ return 0;
+}
+
+int restricted_role(const char *acct)
+{
+ int rc;
+
+ if (verify_acct(acct))
+ return 1;
+
+ // Restrict to guest user
+ rc = safe_exec("/usr/sbin/semanage", "login", "-m", "-s",
+ "guest_u", acct);
+ if (rc)
+ return rc;
+
+ // Need to force a logout of all sessions for the user
+ return safe_exec("/usr/bin/killall", "--user", acct);
+}
+
+int force_password_reset(const char *acct)
+{
+ if (verify_acct(acct))
+ return 1;
+
+ return safe_exec("/usr/bin/chage", "-d", "0", acct);
+}
+
+int lock_account(const char *acct)
+{
+ if (verify_acct(acct))
+ return 1;
+
+ return safe_exec("/usr/bin/passwd", "-l", acct);
+}
+
+int unlock_account(const char *acct)
+{
+ if (verify_acct(acct))
+ return 1;
+
+ return safe_exec("/usr/bin/passwd", "-u", acct);
+}
+
+int lock_account_timed(const char *acct, unsigned long length)
+{
+ int rc = lock_account(acct);
+
+ if (rc)
+ return rc;
+
+ add_timer_job(UNLOCK_ACCOUNT, acct, length);
+
+ return 0;
+}
+
+int block_ip_address(const char *addr)
+{
+ if (debug)
+ my_printf("reaction /sbin/iptables -I INPUT -s %s -j DROP",
+ addr);
+ minipause();
+ return
safe_exec("/usr/sbin/iptables", "-I", "INPUT", "-s", addr,
+ "-j","DROP", NULL);
+}
+
+int block_ip_address_timed(const char *addr, unsigned long length)
+{
+ int rc = block_ip_address(addr);
+ if (rc)
+ return rc;
+
+ add_timer_job(UNBLOCK_ADDRESS, addr, length);
+
+ return 0;
+}
+
+#define MINUTES 60
+#define HOURS 60*MINUTES
+#define DAYS 24*HOURS
+#define WEEKS 7*DAYS
+#define MONTHS 30*DAYS
+
+static void block_address(unsigned int reaction, const char *reason)
+{
+ // FIXME: This should be configurable
+ unsigned time_out = 2*MINUTES;
+ int res;
+ char buf[80];
+ origin_data_t *o = current_origin();
+ const char *addr = sockint_to_ipv4(o->address);
+
+ if (debug)
+ my_printf("Blocking address %s b/c %s", addr, reason);
+
+ if (reaction == REACTION_BLOCK_ADDRESS)
+ res = block_ip_address(addr);
+ else
+ res = block_ip_address_timed(addr, time_out);
+
+ if (res == 0) {
+ o->blocked = 1;
+ if (reaction == REACTION_BLOCK_ADDRESS) {
+ snprintf(buf, sizeof(buf), "daddr=%.16s reason=%s",
+ addr, reason);
+ log_audit_event(AUDIT_RESP_ORIGIN_BLOCK, buf, 1);
+ } else {
+ snprintf(buf, sizeof(buf),
+ "daddr=%.16s reason=%s time_out=%u",
+ addr, reason, time_out/MINUTES);
+ log_audit_event(AUDIT_RESP_ORIGIN_BLOCK_TIMED, buf, 1);
+ }
+ }
+}
+
+int unblock_ip_address(const char *addr)
+{
+ if (debug)
+ my_printf("reaction /sbin/iptables -D INPUT -s %s -j DROP",
+ addr);
+ minipause();
+ return safe_exec("/usr/sbin/iptables", "-D", "INPUT", "-s", addr,
+ "-j","DROP", NULL);
+}
+
+int system_reboot(void)
+{
+ return safe_exec("/sbin/init", "6");
+}
+
+int system_single_user(void)
+{
+ return safe_exec("/sbin/init", "1");
+}
+
+int system_halt(void)
+{
+ return safe_exec("/sbin/init", "0");
+}
+
+void do_reaction(unsigned int answer, const char *reason)
+{
+//my_printf("Answer: %u", answer);
+ unsigned int num = 0;
+
+ do {
+ unsigned int tmp = 1 << num;
+ if (answer & tmp) {
+ switch (tmp) {
+ // FIXME: do the reactions
+ case REACTION_IGNORE:
+ break;
+ case REACTION_LOG:
+
case REACTION_EMAIL:
+ case REACTION_TERMINATE_PROCESS:
+ break;
+ case REACTION_TERMINATE_SESSION:
+ {
+ // FIXME: need to add audit events
+ session_data_t *s = current_session();
+ kill_session(s->session);
+ break;
+ }
+ case REACTION_RESTRICT_ROLE:
+ case REACTION_PASSWORD_RESET:
+ case REACTION_LOCK_ACCOUNT_TIMED:
+ case REACTION_LOCK_ACCOUNT:
+ break;
+ case REACTION_BLOCK_ADDRESS_TIMED:
+ case REACTION_BLOCK_ADDRESS:
+ block_address(tmp, reason);
+ break;
+ case REACTION_SYSTEM_REBOOT:
+ case REACTION_SYSTEM_SINGLE_USER:
+ case REACTION_SYSTEM_HALT:
+ break;
+ default:
+ if (debug)
+ my_printf("Unknown reaction: %X",
+ tmp);
+ break;
+ }
+ }
+ num++;
+ } while (num < 32);
+}
+
diff -Nru audit-3.0/audisp/plugins/ids/reactions.h audit-3.0.7/audisp/plugins/ids/reactions.h
--- audit-3.0/audisp/plugins/ids/reactions.h 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/reactions.h 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,26 @@
+/* reactions.h --
+ *
+ * Authors:
+ * Steve Grubb
+ *
+ */
+
+#ifndef REACTIONS_HEADER
+#define REACTIONS_HEADER
+
+int kill_process(pid_t pid);
+int kill_session(int session);
+int restricted_role(const char *acct);
+int force_password_reset(const char *acct);
+int lock_account(const char *acct);
+int unlock_account(const char *acct);
+int lock_account_timed(const char *acct, unsigned long length);
+int block_ip_address(const char *addr);
+int block_ip_address_timed(const char *addr, unsigned long length);
+int unblock_ip_address(const char *addr);
+int system_reboot(void);
+int system_single_user(void);
+int system_halt(void);
+void do_reaction(unsigned int answer, const char *reason);
+
+#endif
diff -Nru audit-3.0/audisp/plugins/ids/rules/25-connections.rules audit-3.0.7/audisp/plugins/ids/rules/25-connections.rules
--- audit-3.0/audisp/plugins/ids/rules/25-connections.rules 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/25-connections.rules 2022-01-23 19:36:56.000000000 +0000
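Review bot: Several callers of `safe_exec` omit the terminating `NULL` that its argument-counting loop `for (i = 1; va_arg(ap, char *) != NULL; i++);` depends on — both calls in `restricted_role`, plus `force_password_reset`, `lock_account`, `unlock_account`, `system_reboot`, `system_single_user` and `system_halt` — so the child reads past the supplied arguments, which is undefined behaviour and can hand garbage argv entries to `semanage`, `killall`, `chage`, `passwd` and `init`; each site needs the sentinel, e.g. `return safe_exec("/usr/bin/passwd", "-l", acct, NULL);` and `return safe_exec("/sbin/init", "6", NULL);`. Separately, `safe_exec` returns 0 as soon as `fork()` succeeds, so `block_address` sets `o->blocked = 1` and emits AUDIT_RESP_ORIGIN_BLOCK even when iptables later fails to exec or exits non-zero; the FIXME on the parent path should be resolved with `waitpid`, or the comment on `safe_exec` changed to say it reports "spawned", not "succeeded". `block_address` also dereferences `current_origin()` without a NULL check although `add_origin`/`del_origin` reset that pointer to NULL, and `do_reaction` does the same with `current_session()` in the REACTION_TERMINATE_SESSION case.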
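Review bot: reactions.h uses `pid_t` in `int kill_process(pid_t pid);` but includes nothing, so it compiles only when the including file has already pulled in `<sys/types.h>`; add `#include <sys/types.h>` after the include guard so the header is self-contained. The header also does not state the return convention, and reactions.c is not uniform about it: most functions return 0 on success and 1 on failure, but `kill_process` returns 1 for a bad pid and otherwise the raw `kill()` result, which is -1 on error, so a one-line comment per prototype (or a normalised `kill_process`) would spare callers from guessing.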
@@ -0,0 +1,22 @@
+# This rule gets the connections of known data moving programs
+
+#-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/awk -F key=ids-connections
+#-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/curl -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/elinks -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ftp -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/git -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/links -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/lynx -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/rsync -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/scp -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/sftp -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ssh -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/w3m -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/wget -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/telnet -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/nc -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ncat -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/nmap -F key=ids-connections
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/nping -F key=ids-connections
+-a always,exit -F auid>=1000
-F auid!=-1 -F perm=x -F path=/usr/bin/ping -F key=ids-connections
diff -Nru audit-3.0/audisp/plugins/ids/rules/25-make-exec.rules audit-3.0.7/audisp/plugins/ids/rules/25-make-exec.rules
--- audit-3.0/audisp/plugins/ids/rules/25-make-exec.rules 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/25-make-exec.rules 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,10 @@
+# This rule triggers when someone makes an executable in specific directories
+
+-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S fchmodat -F dir=/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/var/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S fchmodat -F dir=/var/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/dev/shm -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
+-a exit,always -F arch=b64 -S fchmodat -F dir=/dev/shm -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
diff -Nru audit-3.0/audisp/plugins/ids/rules/25-recon.rules audit-3.0.7/audisp/plugins/ids/rules/25-recon.rules
--- audit-3.0/audisp/plugins/ids/rules/25-recon.rules 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/25-recon.rules 2022-01-23 19:36:56.000000000 +0000
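Review bot: Every rule in 25-make-exec.rules is qualified with `-F arch=b64`, so on a host that also serves the 32-bit ABI a `chmod`/`fchmodat` issued through it never hits the `ids-mkexec` key; syscall rules are normally written in b64/b32 pairs, so each line should get a matching `-F arch=b32` variant (the path watches in 25-connections.rules are not affected, as they carry no arch filter). The `a1&0111` and `a2&0111` positions do line up with `chmod`/`fchmod` (mode is the second argument) and `fchmodat` (third), but a one-line comment such as `# mode is a1 for chmod/fchmod and a2 for fchmodat` would spare the next reader from re-deriving that from the syscall signatures.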
@@ -0,0 +1,26 @@
+# This set of rules can trigger on events that might be considered recon
+
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/uname -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/rpm -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/yum -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/dnf -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/w -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/who -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/whoami -F key=ids-recon
+#-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/id -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/netstat -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ss -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/route -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ifconfig -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/ip -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/mount -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/lsof -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/df -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/dig -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/host -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/last -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/lastlog -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/getent -F
key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/history -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/bin/watch -F key=ids-recon
+-a always,exit -F auid>=1000 -F auid!=-1 -F perm=x -F path=/usr/sbin/sestatus -F key=ids-recon
diff -Nru audit-3.0/audisp/plugins/ids/rules/25-unpacking.rules audit-3.0.7/audisp/plugins/ids/rules/25-unpacking.rules
--- audit-3.0/audisp/plugins/ids/rules/25-unpacking.rules 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/25-unpacking.rules 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,12 @@
+# This rule triggers whenever someone runs a utility that unpacks or in some
+# instances, packs an archive
+
+-a always,exit -F perm=x -F path=/usr/bin/unzip -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/tar -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/bunzip -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/zipgrep -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/gzip -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/gunzip -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/zcat -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/zgrep -F auid>=1000 -F auid!=-1 -F key=ids-archive
+-a always,exit -F perm=x -F path=/usr/bin/zless -F auid>=1000 -F auid!=-1 -F key=ids-archive
diff -Nru audit-3.0/audisp/plugins/ids/rules/Makefile.am audit-3.0.7/audisp/plugins/ids/rules/Makefile.am
--- audit-3.0/audisp/plugins/ids/rules/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/Makefile.am 2022-01-23 19:36:56.000000000 +0000
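Review bot: Some of the watched paths in 25-recon.rules look wrong, and a `-F path=` watch on a file that is not installed silently matches nothing: `/usr/bin/history` is a shell builtin rather than an executable, and in 25-unpacking.rules `/usr/bin/bunzip` is probably meant to be `/usr/bin/bunzip2`. `/usr/bin/route` and `/usr/bin/ifconfig` are also often installed under `/usr/sbin`, so each path should be checked against the target distribution before the set ships, or the file should note that operators must adjust the paths. A header comment such as `# paths are exact; verify each binary exists on this host (auditctl does not warn about absent paths)` would make that expectation explicit, with the parenthetical kept only if it is confirmed for the auditctl version in use.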
@@ -0,0 +1,27 @@
+# Makefile.am --
+# Copyright 2021 Steve Grubb
+# All Rights Reserved.
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
+#
+# Authors:
+# Steve Grubb
+#
+
+CONFIG_CLEAN_FILES = *.rej *.orig
+EXTRA_DIST = 25-connections.rules 25-make-exec.rules 25-recon.rules 25-unpacking.rules
+rulesdir = $(datadir)/audit/ids-rules
+dist_rules_DATA = $(EXTRA_DIST)
+
diff -Nru audit-3.0/audisp/plugins/ids/rules/Makefile.in audit-3.0.7/audisp/plugins/ids/rules/Makefile.in
--- audit-3.0/audisp/plugins/ids/rules/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/rules/Makefile.in 2022-01-23 19:37:00.000000000 +0000
@@ -0,0 +1,560 @@ +# Makefile.in generated by automake 1.16.2 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Makefile.am -- +# Copyright 2021 Steve Grubb +# All Rights Reserved. +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +subdir = audisp/plugins/ids/rules +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ + $(top_srcdir)/m4/cap-ng.m4 
$(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/src/libev/libev.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_rules_DATA) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { 
test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(rulesdir)" +DATA = $(dist_rules_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EXEEXT = @BUILD_EXEEXT@ +BUILD_OBJEXT = @BUILD_OBJEXT@ +CAPNG_LDADD = @CAPNG_LDADD@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ +CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CYGPATH_W = @CYGPATH_W@ +DEBUG = @DEBUG@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GOLANG = @GOLANG@ +GOROOT = @GOROOT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBTOOL_DEPS = @LIBTOOL_DEPS@ +LIBWRAP_LIBS = @LIBWRAP_LIBS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = 
@PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYINCLUDEDIR = @PYINCLUDEDIR@ +PYTHON = @PYTHON@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gss_libs = @gss_libs@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +py3execdir = @py3execdir@ +pybind_dir = @pybind_dir@ +pyexecdir = 
@pyexecdir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +use_python3 = @use_python3@ +CONFIG_CLEAN_FILES = *.rej *.orig +EXTRA_DIST = 25-connections.rules 25-make-exec.rules 25-recon.rules 25-unpacking.rules +rulesdir = $(datadir)/audit/ids-rules +dist_rules_DATA = $(EXTRA_DIST) +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu audisp/plugins/ids/rules/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu audisp/plugins/ids/rules/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_rulesDATA: $(dist_rules_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_rules_DATA)'; test -n "$(rulesdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(rulesdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(rulesdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(rulesdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(rulesdir)" || exit $$?; \ + done + +uninstall-dist_rulesDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_rules_DATA)'; test -n "$(rulesdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(rulesdir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e 
"s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(DATA) +installdirs: + for dir in "$(DESTDIR)$(rulesdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dist_rulesDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dist_rulesDATA + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-dist_rulesDATA install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-dist_rulesDATA + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru audit-3.0/audisp/plugins/ids/session.c audit-3.0.7/audisp/plugins/ids/session.c
--- audit-3.0/audisp/plugins/ids/session.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/ids/session.c 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,197 @@ +/* session.c -- + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include "ids.h" +#include "ids_config.h" +#include "origin.h" +#include "account.h" +#include "session.h" +#include "reactions.h" + +// This holds info about all sessions +struct session_avl{ + avl_tree index; + unsigned int count; +}; + +static struct session_avl sessions; +static session_data_t *cur = NULL; + + +static int cmp_sessions(void *a, void *b) +{ + return (((session_data_t *)a)->session - + ((session_data_t *)b)->session); +} + +void init_sessions(void) +{ + sessions.count = 0; + cur = NULL; + avl_init(&sessions.index, cmp_sessions); +} + +unsigned int get_num_sessions(void) +{ + return sessions.count; +} + +static int dump_session(void *entry, void *data) +{ + FILE *f = data; + session_data_t *s = entry; + + fprintf(f, "\n"); + fprintf(f, " session: %u\n", s->session); + fprintf(f, " score: %u\n", s->score); + fprintf(f, " killed: %u\n", s->killed); + fprintf(f, " origin: %s\n", sockint_to_ipv4(s->origin)); + fprintf(f, " acct: %s\n", s->acct); + + return 0; +} + +void traverse_sessions(FILE *f) +{ + fprintf(f, "Sessions\n"); + fprintf(f, "========\n"); + fprintf(f, "count: %u\n", sessions.count); + avl_traverse(&sessions.index, dump_session, f); +} + +static void free_session(session_data_t *s) +{ + if (debug) + my_printf("Freeing session %u, %p", s->session, s); + free((void *)s->acct); + free((void *)s); +} + +static void destroy_session(void) +{ + avl *cur = sessions.index.root; + + session_data_t *tmp =(session_data_t *)avl_remove(&sessions.index, cur); + if ((avl *)tmp != cur) + my_printf("session: removal of invalid node"); + free_session(tmp); + cur = NULL; +} + +void new_session(unsigned int s, unsigned int o, const char *acct) +{ + session_data_t *tmp = malloc(sizeof(session_data_t)); + if (tmp) { + tmp->session = s; + tmp->score = 0; + tmp->killed = 0; + tmp->origin = o; + tmp->acct = acct ? 
acct : strdup(""); + add_session(tmp); + } +} + +void destroy_sessions(void) +{ + while (sessions.index.root) { + sessions.count--; + destroy_session(); + } +} + +int add_session(session_data_t *s) +{ + session_data_t *tmp; + if (debug) + my_printf("Adding session %u, %p", s->session, s); + + cur = NULL; + tmp = (session_data_t *)avl_insert(&sessions.index, (avl *)(s)); + if (tmp) { + if (tmp != s) { + if (debug) + my_printf("session: duplicate session found"); + free_session(s); + return 1; + } + sessions.count++; + cur = tmp; + + // Add origin info + origin_data_t *o = find_origin(s->origin); + if (o == NULL) + new_origin(s->origin); + + // Add account info + account_data_t *a = find_account(s->acct); + if (a == NULL) + new_account(s->acct); + return 1; + } else if (debug) + my_printf("session: failed inserting session %u", s->session); + return 0; +} + +session_data_t *find_session(unsigned int s) +{ + session_data_t tmp; + + tmp.session = s; + cur = (session_data_t *)avl_search(&sessions.index, (avl *) &tmp); + return cur; +} + +session_data_t *current_session(void) +{ + return cur; +} + +int del_session(unsigned int s) +{ + session_data_t tmp1, *tmp2; + tmp1.session = s; + + if (debug) + my_printf("Deleting %u", s); + cur = NULL; + tmp2 = (session_data_t *)avl_remove(&sessions.index, (avl *) &tmp1); + if (tmp2) { + sessions.count--; + if (tmp2->session != s) { + if (debug) + my_printf("session: deleting unknown session"); + return 1; + } + } else { + if (debug) + my_printf("session: didn't find session"); + return 1; + } + + // Now free any data pointed to by tmp2 + free_session(tmp2); + + return 0; +} + +void add_to_score_session(session_data_t *s, unsigned int adj) +{ + cur = s; + if (s == NULL) { + if (debug) + my_printf("session is NULL adding score"); + return; + } + + s->score += adj; + if (debug) + my_printf("session score: %u", s->score); +} + diff -Nru audit-3.0/audisp/plugins/ids/session.h audit-3.0.7/audisp/plugins/ids/session.h --- 
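Review bot: In `destroy_session` the local `avl *cur` shadows the file-static `session_data_t *cur`, so the trailing `cur = NULL;` clears the local while the static pointer keeps referencing the session that `free_session` has just released, and a later `current_session()` can hand back a dangling pointer. Renaming the local (`avl *root = sessions.index.root;`, passing `root` to `avl_remove` and the comparison) and keeping `cur = NULL;` for the static fixes that. Separately, `cmp_sessions` orders unsigned session ids by subtraction, which wraps and reports the wrong sign once the two ids differ by 2^31 or more (0 compared with UINT_MAX comes out as "greater"), so the tree ordering is not a total order; `return (a->session > b->session) - (a->session < b->session);` on the two casts is overflow-free. `del_session` also returns on the `tmp2->session != s` path without freeing `tmp2`, leaking the node it has already removed from the tree.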
audit-3.0/audisp/plugins/ids/session.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/session.h 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,40 @@ +/* session.h -- + * + * Authors: + * Steve Grubb + * + */ + +#ifndef SESSION_HEADER +#define SESSION_HEADER + +#include +#include "avl.h" +#include "origin.h" +#include "ids_config.h" + +typedef struct session_data { + avl avl; // This has to be first + + unsigned int session; + unsigned int score; + unsigned int killed; + unsigned int origin; // This hack works for IPv4 + const char *acct; // Not used at the moment +} session_data_t; + + +void init_sessions(void); +void new_session(unsigned int s, unsigned int o, const char *acct); +void destroy_sessions(void); +unsigned int get_num_sessions(void); +void traverse_sessions(FILE *f); + +int add_session(session_data_t *s); +session_data_t *find_session(unsigned int s); +session_data_t *current_session(void); +int del_session(unsigned int s); +void add_to_score_session(session_data_t *s, unsigned int adj); + +#endif + diff -Nru audit-3.0/audisp/plugins/ids/timer-services.c audit-3.0.7/audisp/plugins/ids/timer-services.c --- audit-3.0/audisp/plugins/ids/timer-services.c 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/timer-services.c 2022-01-23 19:36:56.000000000 +0000 
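Review bot: The comment `// Not used at the moment` on `acct` is already out of date: session.c frees it in `free_session`, prints it in `dump_session` and passes it to `find_account`/`new_account`, so the field carries an ownership contract the header should state. `new_session` stores a non-NULL `acct` pointer as-is (only NULL is replaced by `strdup("")`) and `free_session` calls `free()` on it, so callers must hand over a heap allocation they no longer own. Suggested replacement: `const char *acct; // heap-allocated; owned and freed by the session`. A matching line on the `new_session` prototype, `// takes ownership of acct (must be malloc'd or NULL)`, would make the contract visible at the call site.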
@@ -0,0 +1,106 @@ +/* timer-services.c -- + * Copyright 2021 Steve Grubb. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb + * + */ + +#include "config.h" +#include +#include +#include // for snprintf +#include "timer-services.h" +#include "nvpair.h" +#include "reactions.h" +#include "ids.h" +#include "origin.h" + +static nvlist jobs; +static time_t now; +// Something to think about, jobs should probably be peristent so that +// we can resume them after starting back up. + +void init_timer_services(void) +{ + nvpair_list_create(&jobs); + now = time(NULL); +} + +void do_timer_services(unsigned int interval) +{ + now += interval; +rerun_jobs: + while (nvpair_list_find_job(&jobs, now)) { + nvnode *j = nvpair_list_get_cur(&jobs); + switch (j->job) { + case UNLOCK_ACCOUNT: + unlock_account(j->arg); + // Should we reset the stats? 
+ break; + case UNBLOCK_ADDRESS: + { + // Send iptables rule + int res = unblock_ip_address(j->arg); + + // Log that its back in business + char buf[24]; + snprintf(buf, sizeof(buf), + "daddr=%.16s", j->arg); + log_audit_event( + AUDIT_RESP_ORIGIN_UNBLOCK_TIMED, + buf, !res); + + // Reset origin state + unblock_origin(j->arg); + } + break; + default: + break; + } + nvpair_list_delete_cur(&jobs); + } + + // Every 10 minutes resync to the clock + if (now%600 > interval) { + time_t cur = now; + now = time(NULL); + if (now > cur) { + if (debug) + my_printf("Time jumped - rerunning jobs"); + goto rerun_jobs; + } + } +} + +void add_timer_job(jobs_t job, const char *arg, unsigned long length) +{ + nvnode node; + + node.job = job; + node.arg = strdup(arg); + node.expiration = time(NULL) + length; + + nvpair_list_append(&jobs, &node); +} + +void shutdown_timer_services(void) +{ + nvpair_list_clear(&jobs); +} + diff -Nru audit-3.0/audisp/plugins/ids/timer-services.h audit-3.0.7/audisp/plugins/ids/timer-services.h --- audit-3.0/audisp/plugins/ids/timer-services.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/ids/timer-services.h 2022-01-23 19:36:56.000000000 +0000 
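Review bot: The resync condition `if (now%600 > interval)` in `do_timer_services` looks inverted relative to its comment "Every 10 minutes resync to the clock": after `now += interval`, `now % 600` is smaller than `interval` only in the call that crosses a 600-second boundary, so with `>` the block runs on nearly every call and with `<` it runs once per ten minutes as the comment describes — worth confirming which was meant. In `add_timer_job` the `strdup(arg)` result is not checked, so on allocation failure a job with a NULL `arg` is queued and later reaches `unlock_account` or `unblock_ip_address`; `if (node.arg == NULL) return;` before the append avoids that. The `UNBLOCK_ADDRESS` case logs `!res` as the success flag of `log_audit_event`, so the meaning of `unblock_ip_address`'s return value (0 on success, presumably) deserves a one-line comment next to it.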
@@ -0,0 +1,34 @@ +/* timer-services.h -- + * Copyright 2021 Steve Grubb. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb + * + */ + +#ifndef TIMER_SERVICES_HEADER +#define TIMER_SERVICES_HEADER + +typedef enum {UNLOCK_ACCOUNT, UNBLOCK_ADDRESS} jobs_t; + +void init_timer_services(void); +void do_timer_services(unsigned int interval); +void add_timer_job(jobs_t job, const char *arg, unsigned long length); +void shutdown_timer_services(void); + +#endif diff -Nru audit-3.0/audisp/plugins/remote/Makefile.am audit-3.0.7/audisp/plugins/remote/Makefile.am --- audit-3.0/audisp/plugins/remote/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/remote/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
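Review bot: The prototypes carry no documentation of argument semantics that the implementation fixes: `add_timer_job` copies `arg` with `strdup()` (the caller keeps ownership of its string) and `length` is a number of seconds added to the current time to form the job's expiration. A comment such as `// arg is copied; length is seconds from now until the job runs` above `add_timer_job`, and `// interval: seconds to advance the internal clock by` above `do_timer_services`, would let callers use the API without reading timer-services.c.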
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -33,11 +34,11 @@ check_PROGRAMS = test-queue TESTS = $(check_PROGRAMS) -audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a +audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) -L${top_builddir}/common -laucommon +audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) ${top_builddir}/common/libaucommon.la test_queue_SOURCES = queue.c test-queue.c diff -Nru audit-3.0/audisp/plugins/remote/Makefile.in audit-3.0.7/audisp/plugins/remote/Makefile.in --- audit-3.0/audisp/plugins/remote/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/audisp/plugins/remote/Makefile.in 2022-01-23 19:37:00.000000000 +0000 
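Review bot: The replaced notice paragraph now reads "You should have received a copy of the GNU General Public License" while the lines kept just above it still say the file is under the GNU Lesser General Public License, so the header names two different licenses; either the whole notice should move to GPL wording or the new paragraph should keep the LGPL reference. The same mismatched paragraph appears in audisp/plugins/remote/Makefile.in and in the new audisp/plugins/statsd/Makefile.am and Makefile.in. The switch from `-L${top_builddir}/common -laucommon` to `${top_builddir}/common/libaucommon.la` is applied consistently to `_DEPENDENCIES` and `_LDADD`.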
@@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -563,6 +564,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -586,11 +588,11 @@ noinst_HEADERS = remote-config.h queue.h man_MANS = audisp-remote.8 audisp-remote.conf.5 TESTS = $(check_PROGRAMS) -audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a +audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) -L${top_builddir}/common -laucommon +audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) ${top_builddir}/common/libaucommon.la test_queue_SOURCES = queue.c test-queue.c all: all-am diff -Nru audit-3.0/audisp/plugins/remote/audisp-remote.8 audit-3.0.7/audisp/plugins/remote/audisp-remote.8 --- audit-3.0/audisp/plugins/remote/audisp-remote.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/remote/audisp-remote.8 2022-01-23 19:36:56.000000000 +0000 
@@ -1,4 +1,4 @@ -.TH AUDISP-REMOTE: "8" "August 2018" "Red Hat" "System Administration Utilities" +.TH AUDISP-REMOTE "8" "August 2018" "Red Hat" "System Administration Utilities" .SH NAME audisp-remote \- plugin for remote logging .SH SYNOPSIS @@ -16,7 +16,7 @@ .IR suspend flag tells whether or not logging has been suspended. The .IR remote_ended -flage tells if the connection was broken by the server saying it can't log events. The +flag tells if the connection was broken by the server saying it can't log events. The .IR transport_ok flag tells whether or not the connection to the remote server is healthy. The .IR queue_size @@ -30,8 +30,8 @@ /etc/audit/plugins.d/au-remote.conf /etc/audit/auditd.conf .SH "SEE ALSO" -.BR auditd.conf(8), -.BR auditd-plugins(5), -.BR audisp-remote.conf(5). +.BR auditd.conf (8), +.BR auditd-plugins (5), +.BR audisp-remote.conf (5). .SH AUTHOR Steve Grubb diff -Nru audit-3.0/audisp/plugins/remote/audisp-remote.c audit-3.0.7/audisp/plugins/remote/audisp-remote.c --- audit-3.0/audisp/plugins/remote/audisp-remote.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/remote/audisp-remote.c 2022-01-23 19:36:56.000000000 +0000 @@ -566,7 +566,7 @@ // See if input fd is also set if (FD_ISSET(ifd, &rfd)) { do { - if (audit_fgets(event, sizeof(event), ifd)) { + if (audit_fgets(event,sizeof(event),ifd) > 0) { if (!transport_ok && remote_ended && (config.remote_ending_action == FA_RECONNECT || 
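Review bot: The rewritten call `audit_fgets(event,sizeof(event),ifd) > 0` drops the spaces after the commas that the original line and the surrounding code use, a style regression in what is otherwise a one-token change; `audit_fgets(event, sizeof(event), ifd) > 0` keeps the file's formatting. The new `> 0` test also means a negative return no longer enters the branch, whereas the old truthiness test accepted it; the do-loop and its else path continue outside the hunk, so it should be confirmed that an error return is handled there rather than leaving the loop spinning on the descriptor.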
@@ -836,7 +836,7 @@ if (gethostname(host_name, sizeof(host_name)) != 0) { if (!quiet) syslog (LOG_ERR, - "gethostname: host name longer than %ld characters?", + "gethostname: host name longer than %lu characters?", sizeof (host_name)); return -1; } diff -Nru audit-3.0/audisp/plugins/remote/audisp-remote.conf.5 audit-3.0.7/audisp/plugins/remote/audisp-remote.conf.5 --- audit-3.0/audisp/plugins/remote/audisp-remote.conf.5 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/remote/audisp-remote.conf.5 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUDISP-REMOTE.CONF: "5" "Aug 2018" "Red Hat" "System Administration Utilities" +.TH AUDISP-REMOTE.CONF "5" "Aug 2018" "Red Hat" "System Administration Utilities" .SH NAME audisp-remote.conf \- the audisp-remote configuration file .SH DESCRIPTION @@ -16,7 +16,7 @@ connect from on the local machine. If unspecified (the default) or set to the word .I any -then any available unpriviledged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set the tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from. +then any available unprivileged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set the tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from. .TP .I transport This parameter tells the remote logging app how to send events to the remote system. The valid options are 
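Review bot: `%lu` is still not the matching specifier for `sizeof (host_name)`, whose type is `size_t`; C99's `%zu` is the portable choice, whereas `%lu` only happens to work where `unsigned long` and `size_t` coincide and is wrong on ILP32 and 64-bit Windows targets. Change the format to `"gethostname: host name longer than %zu characters?"`. The enclosing function continues outside the hunk.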
@@ -48,7 +48,7 @@ .I forward mode of the .I mode -option and internal queueing for temporary network outtages. The default depth is 2048. +option and internal queueing for temporary network outages. The default depth is 2048. .TP .I format This parameter tells the remote logging app what data format will be @@ -62,7 +62,7 @@ overhead at all. The .I ascii format is a very simplistic protocol. If there are any network problems, it -willcause audisp-remote to exit. Auditd may or may not restart it on next +will cause audisp-remote to exit. Auditd may or may not restart it on next event. If something more robust is needed, use the .I managed format. If @@ -108,9 +108,9 @@ .I exec /path-to-script will execute the script. You cannot pass parameters to the script. If an event was sent, its dequeued. .I warn_once_continue -is like syslog execept that only one message is put in syslog until an event is successfully transferred. +is like syslog except that only one message is put in syslog until an event is successfully transferred. .I warn_once -is like warn_once_continue execept that the event is not dequeued. +is like warn_once_continue except that the event is not dequeued. .I Suspend will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. If an event was sent, it is not dequeued. The .I single @@ -179,7 +179,7 @@ .I exec /path-to-script will execute the script. You cannot pass parameters to the script. .I warn_once -is like syslog execept that only one message is put in syslog until an event is successfully transferred. +is like syslog except that only one message is put in syslog until an event is successfully transferred. .I warn_once_continue is like warn_once except it ignores the problem. This is the default. .TP 
@@ -237,8 +237,8 @@ .SH "SEE ALSO" .BR audispd (8), -.BR audisp-remote(8), -.BR auditd.conf(5). +.BR audisp-remote (8), +.BR auditd.conf (5). .SH AUTHOR Steve Grubb diff -Nru audit-3.0/audisp/plugins/statsd/Makefile.am audit-3.0.7/audisp/plugins/statsd/Makefile.am --- audit-3.0/audisp/plugins/statsd/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/audisp/plugins/statsd/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,44 @@ +# Makefile.am -- +# Copyright 2021 Steve Grubb. +# All Rights Reserved. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# +CONFIG_CLEAN_FILES = *.loT *.rej *.orig +EXTRA_DIST = au-statsd.conf audisp-statsd.conf $(man_MANS) +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse +prog_confdir = $(sysconfdir)/audit +prog_conf = audisp-statsd.conf +plugin_confdir=$(prog_confdir)/plugins.d +plugin_conf = au-statsd.conf +sbin_PROGRAMS = audisp-statsd +man_MANS = audisp-statsd.8 +audisp_statsd_SOURCES = audisp-statsd.c +audisp_statsd_CFLAGS = -g -D_GNU_SOURCE +audisp_statsd_LDADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la + +install-data-hook: + mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 ${srcdir}/$(plugin_conf) ${DESTDIR}${plugin_confdir} + $(INSTALL_DATA) -D -m 640 ${srcdir}/$(prog_conf) ${DESTDIR}${prog_confdir} + +uninstall-hook: + rm ${DESTDIR}${plugin_confdir}/$(plugin_conf) + rm ${DESTDIR}${prog_confdir}/$(prog_conf) + diff -Nru audit-3.0/audisp/plugins/statsd/Makefile.in audit-3.0.7/audisp/plugins/statsd/Makefile.in --- audit-3.0/audisp/plugins/statsd/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ 
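Review bot: `audisp_statsd_CFLAGS = -g -D_GNU_SOURCE` builds the new plugin without the PIE and RELRO/BIND_NOW hardening that the sibling remote plugin gets in this same diff (`-fPIE -DPIE` and `-pie -Wl,-z,relro -Wl,-z,now`); audisp-statsd links libauparse to consume audit event data, so it warrants the same protections. Suggested: `audisp_statsd_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE` plus a new `audisp_statsd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now`. The `uninstall-hook` uses plain `rm`, so a file already removed by an earlier partial uninstall makes `make uninstall` fail; `rm -f` matches the usual automake hook convention.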
audit-3.0.7/audisp/plugins/statsd/Makefile.in 2022-01-23 19:37:00.000000000 +0000 
@@ -0,0 +1,815 @@ +# Makefile.in generated by automake 1.16.2 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +sbin_PROGRAMS = audisp-statsd$(EXEEXT) +subdir = audisp/plugins/statsd +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ + $(top_srcdir)/m4/cap-ng.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/src/libev/libev.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) +am_audisp_statsd_OBJECTS = audisp_statsd-audisp-statsd.$(OBJEXT) +audisp_statsd_OBJECTS = $(am_audisp_statsd_OBJECTS) +audisp_statsd_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/lib/libaudit.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +audisp_statsd_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(audisp_statsd_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) 
$(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/audisp_statsd-audisp-statsd.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(audisp_statsd_SOURCES) +DIST_SOURCES = $(audisp_statsd_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in 
$$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EXEEXT = @BUILD_EXEEXT@ +BUILD_OBJEXT = @BUILD_OBJEXT@ +CAPNG_LDADD = @CAPNG_LDADD@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ +CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CYGPATH_W = @CYGPATH_W@ +DEBUG = @DEBUG@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GOLANG = @GOLANG@ +GOROOT = @GOROOT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBTOOL_DEPS = @LIBTOOL_DEPS@ +LIBWRAP_LIBS = @LIBWRAP_LIBS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ 
+PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYINCLUDEDIR = @PYINCLUDEDIR@ +PYTHON = @PYTHON@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gss_libs = @gss_libs@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +py3execdir = @py3execdir@ +pybind_dir = @pybind_dir@ +pyexecdir = @pyexecdir@ +python3dir = @python3dir@ +pythondir = @pythondir@ 
+runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +use_python3 = @use_python3@ + +# Makefile.am -- +# Copyright 2021 Steve Grubb. +# All Rights Reserved. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. 
+# +# Authors: +# Steve Grubb +# +CONFIG_CLEAN_FILES = *.loT *.rej *.orig +EXTRA_DIST = au-statsd.conf audisp-statsd.conf $(man_MANS) +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse +prog_confdir = $(sysconfdir)/audit +prog_conf = audisp-statsd.conf +plugin_confdir = $(prog_confdir)/plugins.d +plugin_conf = au-statsd.conf +man_MANS = audisp-statsd.8 +audisp_statsd_SOURCES = audisp-statsd.c +audisp_statsd_CFLAGS = -g -D_GNU_SOURCE +audisp_statsd_LDADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu audisp/plugins/statsd/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu audisp/plugins/statsd/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + 
+uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +audisp-statsd$(EXEEXT): $(audisp_statsd_OBJECTS) $(audisp_statsd_DEPENDENCIES) $(EXTRA_audisp_statsd_DEPENDENCIES) + @rm -f audisp-statsd$(EXEEXT) + $(AM_V_CCLD)$(audisp_statsd_LINK) $(audisp_statsd_OBJECTS) $(audisp_statsd_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_statsd-audisp-statsd.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +audisp_statsd-audisp-statsd.o: audisp-statsd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_statsd_CFLAGS) $(CFLAGS) -MT audisp_statsd-audisp-statsd.o -MD -MP -MF $(DEPDIR)/audisp_statsd-audisp-statsd.Tpo -c -o audisp_statsd-audisp-statsd.o `test -f 'audisp-statsd.c' || echo '$(srcdir)/'`audisp-statsd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_statsd-audisp-statsd.Tpo $(DEPDIR)/audisp_statsd-audisp-statsd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audisp-statsd.c' object='audisp_statsd-audisp-statsd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_statsd_CFLAGS) $(CFLAGS) -c -o audisp_statsd-audisp-statsd.o `test -f 'audisp-statsd.c' || echo '$(srcdir)/'`audisp-statsd.c + +audisp_statsd-audisp-statsd.obj: audisp-statsd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_statsd_CFLAGS) $(CFLAGS) -MT audisp_statsd-audisp-statsd.obj -MD -MP -MF $(DEPDIR)/audisp_statsd-audisp-statsd.Tpo -c -o audisp_statsd-audisp-statsd.obj `if test -f 'audisp-statsd.c'; then $(CYGPATH_W) 'audisp-statsd.c'; else $(CYGPATH_W) '$(srcdir)/audisp-statsd.c'; 
fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_statsd-audisp-statsd.Tpo $(DEPDIR)/audisp_statsd-audisp-statsd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audisp-statsd.c' object='audisp_statsd-audisp-statsd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_statsd_CFLAGS) $(CFLAGS) -c -o audisp_statsd-audisp-statsd.obj `if test -f 'audisp-statsd.c'; then $(CYGPATH_W) 'audisp-statsd.c'; else $(CYGPATH_W) '$(srcdir)/audisp-statsd.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; 
test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e 
"s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/audisp_statsd-audisp-statsd.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/audisp_statsd-audisp-statsd.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook +uninstall-man: uninstall-man8 + +.MAKE: install-am install-data-am install-strip uninstall-am + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libtool clean-sbinPROGRAMS cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-hook install-dvi install-dvi-am \ + install-exec 
install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-man8 \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-sbinPROGRAMS install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am uninstall-hook \
+ uninstall-man uninstall-man8 uninstall-sbinPROGRAMS
+
+.PRECIOUS: Makefile
+
+
+install-data-hook:
+ mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
+ $(INSTALL_DATA) -D -m 640 ${srcdir}/$(plugin_conf) ${DESTDIR}${plugin_confdir}
+ $(INSTALL_DATA) -D -m 640 ${srcdir}/$(prog_conf) ${DESTDIR}${prog_confdir}
+
+uninstall-hook:
+ rm ${DESTDIR}${plugin_confdir}/$(plugin_conf)
+ rm ${DESTDIR}${prog_confdir}/$(prog_conf)
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru audit-3.0/audisp/plugins/statsd/au-statsd.conf audit-3.0.7/audisp/plugins/statsd/au-statsd.conf
--- audit-3.0/audisp/plugins/statsd/au-statsd.conf 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/statsd/au-statsd.conf 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,9 @@
+# This file controls the configuration of the statsd plugin.
+# It picks out metrics and writes them to statsd.
+
+active = no
+direction = out
+path = /sbin/audisp-statsd
+type = always
+# args =
+format = string
diff -Nru audit-3.0/audisp/plugins/statsd/audisp-statsd.8 audit-3.0.7/audisp/plugins/statsd/audisp-statsd.8
--- audit-3.0/audisp/plugins/statsd/audisp-statsd.8 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/statsd/audisp-statsd.8 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,61 @@
+.TH AUDISP-STATSD "8" "February 2021" "Red Hat" "System Administration Utilities"
+.SH NAME
+audisp-statsd \- plugin to push audit metrics to a statsd service
+.SH SYNOPSIS
+.B audisp-statsd
+[ \fIOPTIONS\fP ]
+.SH DESCRIPTION
+\fBaudisp-statsd\fP is a plugin for the audit event dispatcher that pushes various audit metrics to a statsd service using UDP. Currently it collects the following metrics as gauges:
+.RS
+.TP
+.B backlog
+number of kernel events pending transfer to user space
+.TP
+.B lost
+number of kernel events dropped
+.TP
+.B free_space
+how much disk free space auditd sees in MB
+.TP
+.B plugin_current_depth
+number of events in auditd pending transfer to plugins
+.TP
+.B plugin_max_depth
+historical maximum number of events backlogged while pending transfer to plugins
+.RE
+as counters:
+.RS
+.TP
+.B events_total_count
+total number of events seen during interval
+.TP
+.B events_total_failed
+total number of events seen during interval with failed outcome
+.TP
+.B events_avc_count
+total number of AVC events seen during interval
+.TP
+.B events_fanotify_count
+total number of FANOTIFY events seen during interval
+.TP
+.B events_logins_success
+total number of successful login events seen during interval
+.TP
+.B events_logins_failed
+total number of failed login events seen during interval
+.TP
+.B events_anamoly_count
+total number of anamoly events seen during interval
+.TP
+.B events_response_count
+total number of anamoly response events seen during interval
+.RE
+
+.SH FILES
+/etc/audit/audisp-statsd.conf
+/etc/audit/plugins/au-statsd.conf
+.SH "SEE ALSO"
+.BR auditd.conf (8),
+.BR auditd-plugins (5).
+.SH AUTHOR
+Steve Grubb
diff -Nru audit-3.0/audisp/plugins/statsd/audisp-statsd.c audit-3.0.7/audisp/plugins/statsd/audisp-statsd.c
--- audit-3.0/audisp/plugins/statsd/audisp-statsd.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/statsd/audisp-statsd.c 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,466 @@
+/* audisp-statsd.c --
+ * Copyright 2021 Steve Grubb
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+ * Boston, MA 02110-1335, USA.
+ *
+ * Authors:
+ * Steve Grubb
+ */
+#include "config.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "libaudit.h"
+#include "auparse.h"
+
+
+/* Global Definitions */
+#define STATE_REPORT "/var/run/auditd.state"
+#define CONFIG "/etc/audit/audisp-statsd.conf"
+
+struct daemon_config
+{
+ char address[65];
+ unsigned int port;
+ unsigned int interval;
+ int sock;
+ struct sockaddr_storage addr;
+ socklen_t addrlen;
+};
+
+struct audit_report
+{
+ unsigned int backlog;
+ unsigned int lost;
+ unsigned int free_space;
+ unsigned int plugin_current_depth;
+ unsigned int plugin_max_depth;
+ unsigned int events_total_count;
+ unsigned int events_total_failed;
+ unsigned int events_avc_count;
+ unsigned int events_fanotify_count;
+ unsigned int events_logins_success;
+ unsigned int events_logins_failed;
+ unsigned int events_anomaly_count;
+ unsigned int events_response_count;
+};
+
+/* Global Data */
+static volatile int stop = 0;
+static volatile int hup = 0;
+static int audit_fd = -1;
+static pid_t auditd_pid = 0;
+static auparse_state_t *au = NULL;
+static int
timer_fd = -1;
+static char msg[MAX_AUDIT_MESSAGE_LENGTH + 1];
+static struct daemon_config d;
+static struct audit_report r;
+
+/* Local function protoypes */
+static void handle_event(auparse_state_t *au, auparse_cb_event_t cb_event_type,
+ void *user_data);
+
+
+/*
+ * SIGTERM handler: exit time
+ */
+static void term_handler(int sig)
+{
+ stop = sig;
+}
+
+/*
+ * SIGHUP handler: re-read config
+ */
+static void hup_handler(int sig)
+{
+ hup = sig;
+}
+
+/*
+ * Get the next config file line and clean it up a little
+ */
+static char *get_line(FILE *f, char *buf, size_t len)
+{
+ if (fgets(buf, len, f)) {
+ /* remove newline */
+ char *ptr = strchr(buf, 0x0a);
+ if (ptr)
+ *ptr = 0;
+ return buf;
+ }
+ return NULL;
+}
+
+/*
+ * Load the plugin's configuration. Returns 1 on failure and 0 on sucess.
+ */
+static int load_config(void)
+{
+ unsigned int status = 0;
+ char buf[128];
+ FILE *f = fopen(CONFIG, "rt");
+ if (f == NULL) {
+ fprintf(stderr, "Cannot open config file\n");
+ return 1;
+ }
+
+ while (get_line(f, buf, sizeof(buf))) {
+ switch (buf[0])
+ {
+ case 'a':
+ sscanf(buf, "address = %64s", d.address);
+ status |= 0x01;
+ break;
+ case 'p':
+ sscanf(buf, "port = %u", &d.port);
+ status |= 0x02;
+ break;
+ case 'i':
+ sscanf(buf, "interval = %u", &d.interval);
+ status |= 0x04;
+ break;
+ case 0:
+ case '#':
+ // Comments
+ break;
+ default:
+ fprintf(stderr, "unknown option\n");
+ fclose(f);
+ return 1;
+ }
+ }
+ fclose(f);
+ if (status != 0x07) {
+ fprintf(stderr, "Not all config options specified\n");
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * Given the configuration data, turn it into a usable address for use
+ * with sendto later.
+ */
+int make_socket(void)
+{
+ int rc;
+ struct addrinfo hints, *ai;
+ char port[16];
+
+ // Resolve the remote host
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG|AI_NUMERICSERV;
+ hints.ai_socktype = SOCK_DGRAM;
+
+ snprintf(port, sizeof(port), "%u", d.port);
+ rc = getaddrinfo(d.address, port, &hints, &ai);
+ if (rc) {
+ syslog(LOG_ERR, "error looking up statsd service\n");
+ return -1;
+ }
+
+ d.sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ memcpy(&d.addr, ai->ai_addr, ai->ai_addrlen);
+ d.addrlen = ai->ai_addrlen;
+ freeaddrinfo(ai);
+
+ return d.sock;
+}
+
+/*
+ * Reset all the report parameters
+ */
+static void clear_report(void)
+{
+ r.lost = 0;
+ r.backlog = 0;
+ r.free_space = 0;
+ r.plugin_current_depth = 0;
+ r.plugin_max_depth = 0;
+ r.events_total_count = 0;
+ r.events_total_failed = 0;
+ r.events_avc_count = 0;
+ r.events_fanotify_count = 0;
+ r.events_logins_success = 0;
+ r.events_logins_failed = 0;
+ r.events_anomaly_count = 0;
+ r.events_response_count = 0;
+}
+
+/*
+ * Pull the current status from the kernel
+ */
+static void get_kernel_status(void)
+{
+ struct audit_reply rep;
+
+ audit_request_status(audit_fd);
+ audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0);
+
+ if (rep.type == AUDIT_GET) {
+ // add info to global audit event struct
+ r.lost = rep.status->lost;
+ r.backlog = rep.status->backlog;
+ }
+}
+
+/*
+ * Collect free_space, plugin_current_depth, and plugin_max_depth
+ * out of the auditd state report.
+ */
+static void get_auditd_status(void)
+{
+ // SIGCONT was sent previously, hopefully the report is ready now
+ FILE *f = fopen(STATE_REPORT, "rt");
+ if (f) {
+ char buf[80];
+
+ __fsetlocking(f, FSETLOCKING_BYCALLER);
+
+ while (fgets(buf, sizeof(buf), f)) {
+ if (memcmp(buf, "Logging", 7) == 0) {
+ sscanf(buf,
+ "Logging partition free space %u",
+ &r.free_space);
+ } else if (memcmp(buf, "current plugin", 14) == 0) {
+ sscanf(buf,
+ "current plugin queue depth = %u",
+ &r.plugin_current_depth);
+ } else if (memcmp(buf, "max plugin", 10) == 0) {
+ sscanf(buf,
+ "max plugin queue depth used = %u",
+ &r.plugin_max_depth);
+ break; // This is last item, break free
+ }
+ }
+ fclose(f);
+ }
+}
+
+/*
+ * Format and send the report metrics to the statsd service.
+ */
+static void send_statsd(void)
+{
+ // The message size has to stay under the MTU for the network
+ // 512 should be low enough to survive the commodity internet
+ char message[512];
+ int len;
+
+ // grab the global audit event struct and format it
+ // format - :|
+ // Things pulled from kernel or auditd are gauges. Anything
+ // incremented (events) are counters.
+ len = snprintf(message, sizeof(message),
+ "kernel.lost:%u|g\nkernel.backlog:%u|g\n"
+ "auditd.free_space:%u|g\nauditd.plugin_current_depth:%u|g\nauditd.plugin_max_depth:%u|g\n"
+ "events.total_count:%u|c\nevents.total_failed:%u|c\n"
+ "events.avc_count:%u|c\nevents.fanotify_count:%u|c\n"
+ "events.logins_success:%u|c\nevents.logins_failed:%u|c\n"
+ "events.anomaly_count:%u|c\nevents.response_count:%u|c\n",
+ r.lost, r.backlog,
+ r.free_space, r.plugin_current_depth, r.plugin_max_depth,
+ r.events_total_count, r.events_total_failed,
+ r.events_avc_count, r.events_fanotify_count,
+ r.events_logins_success, r.events_logins_failed,
+ r.events_anomaly_count, r.events_response_count);
+
+ if (len > 0 && len < (int)sizeof(message))
+ sendto(d.sock, message, len, 0, (struct sockaddr *)&d.addr,
+ d.addrlen);
+}
+
+
+int main(void)
+{
+ struct sigaction sa;
+ struct pollfd pfd[2];
+ struct itimerspec itval;
+ int rc;
+
+ if (geteuid() != 0) {
+ fprintf(stderr, "You need to be root to run this\n");
+ return 1;
+ }
+
+ if (load_config()) {
+ syslog(LOG_ERR, "Failed loading config - exiting");
+ return 1;
+ }
+
+ // Setup signal handlers
+ sa.sa_flags = 0;
+ sigemptyset(&sa.sa_mask);
+
+ /* Set handler for the ones we care about */
+ sa.sa_handler = term_handler;
+ sigaction(SIGTERM, &sa, NULL);
+ sa.sa_handler = hup_handler;
+ sigaction(SIGHUP, &sa, NULL);
+
+ // Create the socket
+ d.sock = make_socket();
+ if (d.sock < 0) {
+ syslog(LOG_ERR, "Failed creating socket - exiting");
+ return 1;
+ }
+
+ // Initialize audit
+ clear_report();
+ au = auparse_init(AUSOURCE_FEED, 0);
+ if (au == NULL) {
+ close(d.sock);
+ syslog(LOG_ERR, "exiting due to auparse init errors");
+ return 1;
+ }
+ auparse_set_eoe_timeout(5);
+ auparse_add_callback(au, handle_event, NULL, NULL);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ close(d.sock);
+ syslog(LOG_ERR, "unable to open audit socket");
+ return 1;
+ }
+ auditd_pid = getppid();
+ fcntl(0, F_SETFL, O_NONBLOCK); /* Set STDIN
non-blocking */
+ pfd[0].fd = 0; // add stdin to the poll group
+ pfd[0].events = POLLIN;
+
+ // Initialize interval timer
+ timer_fd = timerfd_create (CLOCK_MONOTONIC, 0);
+ pfd[1].fd = timer_fd;
+ pfd[1].events = POLLIN;
+ itval.it_interval.tv_sec = d.interval;
+ itval.it_interval.tv_nsec = 0;
+ itval.it_value.tv_sec = itval.it_interval.tv_sec;
+ itval.it_value.tv_nsec = 0;
+ timerfd_settime(timer_fd, 0, &itval, NULL);
+
+ // Start event loop
+ while (!stop) {
+ rc = poll(pfd, 2, -1);
+ if (rc < 0) {
+ if (errno == EINTR)
+ continue;
+ } else if (rc > 0) {
+ // timer
+ if (pfd[1].revents & POLLIN) {
+ unsigned long long missed;
+ missed=read(timer_fd, &missed, sizeof (missed));
+ kill(auditd_pid, SIGCONT); // Run auditd report
+ // Clear any old events if possible
+ if (auparse_feed_has_data(au))
+ auparse_feed_age_events(au);
+ get_kernel_status();
+ get_auditd_status();
+ send_statsd();
+ clear_report();
+ }
+ // audit event
+ if (pfd[0].revents & POLLIN) {
+ int len;
+ while ((len = read(0, msg,
+ MAX_AUDIT_MESSAGE_LENGTH)) > 0) {
+ msg[len] = 0;
+ auparse_feed(au, msg, len);
+ }
+ }
+ }
+ }
+
+ // tear down everything
+ close(timer_fd);
+ auparse_destroy(au);
+ close(audit_fd);
+ close(d.sock);
+
+ if (stop)
+ syslog(LOG_INFO, "audisp-statsd is exiting on stop request");
+ else
+ syslog(LOG_INFO, "audisp-statsd is exiting");
+
+ return 0;
+}
+
+/*
+ * Given a completed event, parse it up and increment various counters
+ * based on what we see.
+ */
+static void handle_event(auparse_state_t *au, auparse_cb_event_t cb_event_type,
+ void *user_data __attribute__((unused)))
+{
+ int type;
+ const char *success;
+
+ if (cb_event_type != AUPARSE_CB_EVENT_READY)
+ return;
+
+ // Need to put everything in the global struct
+ // r.events_total_count;
+ // r.events_total_failed;
+ // r.events_avc_count;
+ // r.events_fanotify_count;
+ // r.events_logins_success;
+ // r.events_logins_failed;
+ // r.events_anomaly_count;
+ // r.events_response_count
+ r.events_total_count++;
+ auparse_normalize(au, NORM_OPT_NO_ATTRS);
+ auparse_normalize_get_results(au);
+ success = auparse_interpret_field(au);
+ if (success && strcmp(success, "no") == 0)
+ r.events_total_failed++;
+
+ auparse_first_record(au);
+ type = auparse_get_type(au);
+ switch (type)
+ {
+ // These take advantage of knowing that this is the first
+ // record in the whole event. If this ever changes then all
+ // bets are off.
+ case AUDIT_USER_LOGIN:
+ if (success) {
+ if (strcmp(success, "no") == 0)
+ r.events_logins_failed++;
+ else
+ r.events_logins_success++;
+ }
+ break;
+ case AUDIT_FANOTIFY:
+ r.events_fanotify_count++;
+ break;
+ case AUDIT_AVC:
+ r.events_avc_count++;
+ break;
+ case AUDIT_FIRST_ANOM_MSG...AUDIT_LAST_ANOM_MSG:
+ r.events_anomaly_count++;
+ break;
+ case AUDIT_FIRST_ANOM_RESP...AUDIT_LAST_ANOM_RESP:
+ r.events_response_count++;
+ break;
+ }
+}
+
diff -Nru audit-3.0/audisp/plugins/statsd/audisp-statsd.conf audit-3.0.7/audisp/plugins/statsd/audisp-statsd.conf
--- audit-3.0/audisp/plugins/statsd/audisp-statsd.conf 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/audisp/plugins/statsd/audisp-statsd.conf 2022-01-23 19:36:56.000000000 +0000
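Review bot: get_kernel_status reads `rep.type` and dereferences `rep.status` from a `struct audit_reply rep;` that is never initialised, and the calls meant to fill it, audit_request_status and audit_get_reply, have their return values discarded, so a failed or interrupted netlink exchange (the read is GET_REPLY_BLOCKING and the handlers are installed with sa_flags = 0) leaves both fields as stack garbage before they are used. Zero the reply and gate the use on a reply actually having arrived: `struct audit_reply rep = { .type = 0 };` and `if (audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0) > 0 && rep.type == AUDIT_GET) {`, returning early when audit_request_status reports failure. The SIGHUP handler sets `hup` but nothing in main's event loop ever reads it, so the "re-read config" comment above hup_handler does not describe what the code does; either test `hup` in the loop and re-run load_config and make_socket, or drop the handler. The man page added in this commit names the counter `events_anamoly_count` while send_statsd emits `events.anomaly_count`, so audisp-statsd.8 should be corrected to the spelling the code uses. make_socket is also the only helper here without `static`; `static int make_socket(void)` would match the rest of the file.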
@@ -0,0 +1,5 @@
+# This file points audisp-statsd to the statsd server. The interval is
+# the time in seconds between updates.
+address = localhost
+port = 8125
+interval = 15
diff -Nru audit-3.0/audisp/plugins/syslog/Makefile.am audit-3.0.7/audisp/plugins/syslog/Makefile.am
--- audit-3.0/audisp/plugins/syslog/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/plugins/syslog/Makefile.am 2022-01-23 19:36:56.000000000 +0000
@@ -12,9 +12,10 @@
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
 #
 # Authors:
 # Steve Grubb
@@ -29,11 +30,11 @@
 sbin_PROGRAMS = audisp-syslog
 man_MANS = audisp-syslog.8
-audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
+audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la
 audisp_syslog_SOURCES = audisp-syslog.c
 audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef
 audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
-audisp_syslog_LDADD = $(CAPNG_LDADD) -L${top_builddir}/common -laucommon -L${top_builddir}/auparse -lauparse
+audisp_syslog_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la ${top_builddir}/auparse/libauparse.la
 
 install-data-hook:
 mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
diff -Nru audit-3.0/audisp/plugins/syslog/Makefile.in audit-3.0.7/audisp/plugins/syslog/Makefile.in
--- audit-3.0/audisp/plugins/syslog/Makefile.in 2020-12-16 20:44:40.000000000 +0000
+++ audit-3.0.7/audisp/plugins/syslog/Makefile.in 2022-01-23 19:37:00.000000000 +0000
@@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -371,6 +372,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -391,11 +393,11 @@ plugin_confdir = $(prog_confdir)/plugins.d plugin_conf = syslog.conf man_MANS = audisp-syslog.8 -audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a +audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_syslog_SOURCES = audisp-syslog.c audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_syslog_LDADD = $(CAPNG_LDADD) -L${top_builddir}/common -laucommon -L${top_builddir}/auparse -lauparse +audisp_syslog_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la ${top_builddir}/auparse/libauparse.la all: all-am .SUFFIXES: diff -Nru audit-3.0/audisp/plugins/syslog/audisp-syslog.8 audit-3.0.7/audisp/plugins/syslog/audisp-syslog.8 --- audit-3.0/audisp/plugins/syslog/audisp-syslog.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/syslog/audisp-syslog.8 2022-01-23 19:36:56.000000000 +0000 
@@ -1,4 +1,4 @@
-.TH AUDISP-SYSLOG: "8" "August 2018" "Red Hat" "System Administration Utilities"
+.TH AUDISP-SYSLOG "8" "August 2018" "Red Hat" "System Administration Utilities"
 .SH NAME
 audisp-syslog \- plugin to push audit events into syslog
 .SH SYNOPSIS
@@ -17,8 +17,8 @@
 /etc/audit/syslog.conf
 /etc/audit/auditd.conf
 .SH "SEE ALSO"
-.BR auditd.conf(8),
-.BR auditd-plugins(5),
-.BR syslog(3).
+.BR auditd.conf (8),
+.BR auditd-plugins (5),
+.BR syslog (3).
 .SH AUTHOR
 Steve Grubb
diff -Nru audit-3.0/audisp/plugins/syslog/audisp-syslog.c audit-3.0.7/audisp/plugins/syslog/audisp-syslog.c
--- audit-3.0/audisp/plugins/syslog/audisp-syslog.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/plugins/syslog/audisp-syslog.c 2022-01-23 19:36:56.000000000 +0000
@@ -249,7 +249,7 @@
 if (FD_ISSET(0, &read_mask)) {
 do {
 if (audit_fgets(tmp,
- MAX_AUDIT_MESSAGE_LENGTH, 0))
+ MAX_AUDIT_MESSAGE_LENGTH, 0) > 0)
 write_syslog(tmp);
 } while (audit_fgets_more(
 MAX_AUDIT_MESSAGE_LENGTH));
diff -Nru audit-3.0/audisp/plugins/zos-remote/Makefile.am audit-3.0.7/audisp/plugins/zos-remote/Makefile.am
--- audit-3.0/audisp/plugins/zos-remote/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/plugins/zos-remote/Makefile.am 2022-01-23 19:36:56.000000000 +0000
@@ -14,8 +14,9 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
 #
 # Authors:
 # Klaus Heinrich Kiwi
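Review bot: The new `> 0` test in audisp-syslog.c folds a negative return from `audit_fgets()` into the same path as an empty read, so if that function reports read errors as a negative value (not visible in this hunk) the error is dropped and the `do { } while (audit_fgets_more(...))` loop simply keeps polling. The enclosing function begins and ends outside the hunk, so I can't see whether the caller checks for errors elsewhere. If a negative value does mean error, capture it once and stop the inner loop, e.g. `int n = audit_fgets(tmp, MAX_AUDIT_MESSAGE_LENGTH, 0); if (n > 0) write_syslog(tmp); else if (n < 0) break;`.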
@@ -24,7 +25,7 @@ AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse CONFIG_CLEAN_FILES = *.rej *.orig EXTRA_DIST = zos-remote.conf audispd-zos-remote.conf -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LDADD = -lpthread -lldap -llber $(CAPNG_LDADD) plugin_confdir=$(sysconfdir)/audit plugin_conf = zos-remote.conf diff -Nru audit-3.0/audisp/plugins/zos-remote/Makefile.in audit-3.0.7/audisp/plugins/zos-remote/Makefile.in --- audit-3.0/audisp/plugins/zos-remote/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/audisp/plugins/zos-remote/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -30,8 +30,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Klaus Heinrich Kiwi @@ -262,7 +263,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -358,6 +359,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/audisp/plugins/zos-remote/audispd-zos-remote.conf audit-3.0.7/audisp/plugins/zos-remote/audispd-zos-remote.conf --- audit-3.0/audisp/plugins/zos-remote/audispd-zos-remote.conf 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/audisp/plugins/zos-remote/audispd-zos-remote.conf 2022-01-23 19:36:56.000000000 +0000 
@@ -10,5 +10,5 @@
 direction = out
 path = /sbin/audispd-zos-remote
 type = always
-args = /etc/audisp/zos-remote.conf
+args = /etc/audit/zos-remote.conf
 format = string
diff -Nru audit-3.0/audisp/plugins/zos-remote/zos-remote-ldap.c audit-3.0.7/audisp/plugins/zos-remote/zos-remote-ldap.c
--- audit-3.0/audisp/plugins/zos-remote/zos-remote-ldap.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/plugins/zos-remote/zos-remote-ldap.c 2022-01-23 19:36:56.000000000 +0000
@@ -69,7 +69,7 @@
 {ZOS_REMOTE_MAJOR_RACROUTE, "RACROUTE - The R_auditx service returned an unexpected error"},
 {ZOS_REMOTE_MAJOR_VAL_ERR, "VAL_ERR - Value error in request"},
 {ZOS_REMOTE_MAJOR_ENC_ERR, "ENC_ERR - DER decoding error in request"},
-{ZOS_REMOTE_MAJOR_UNSUF_AUTH, "UNSUF_AUTH - The user has unsuficient authority for the requested function"},
+{ZOS_REMOTE_MAJOR_UNSUF_AUTH, "UNSUF_AUTH - The user has unsufficient authority for the requested function"},
 {ZOS_REMOTE_MAJOR_EMPTY, "EMPTY - Empty request received - No items found within the ItemList"},
 {ZOS_REMOTE_MAJOR_INVALID_VER, "INVALID_VER - Invalid RequestVersion"},
 {ZOS_REMOTE_MAJOR_INTERNAL_ERR, "INTERNAL_ERR - An internal error was encountered within the ICTX component"},
diff -Nru audit-3.0/audisp/plugins/zos-remote/zos-remote-plugin.c audit-3.0.7/audisp/plugins/zos-remote/zos-remote-plugin.c
--- audit-3.0/audisp/plugins/zos-remote/zos-remote-plugin.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audisp/plugins/zos-remote/zos-remote-plugin.c 2022-01-23 19:36:56.000000000 +0000
@@ -34,7 +34,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff -Nru audit-3.0/audit.spec audit-3.0.7/audit.spec
--- audit-3.0/audit.spec 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/audit.spec 2022-01-23 19:36:56.000000000 +0000
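Review bot: The corrected string in zos-remote-ldap.c is still misspelled: "unsufficient" is not an English word, and this text is emitted as the operator-facing description of the UNSUF_AUTH response code. Since the line is being touched anyway, make it `{ZOS_REMOTE_MAJOR_UNSUF_AUTH, "UNSUF_AUTH - The user has insufficient authority for the requested function"},`. The enum name itself can stay, as it mirrors the remote service's code name.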
@@ -1,24 +1,22 @@
-%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.0
-Release: 1
+Version: 3.0.7
+Release: 1%{dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: gcc
+BuildRequires: gcc swig
 BuildRequires: golang
-BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
+BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
 Requires: %{name}-libs = %{version}-%{release}
 Requires(post): systemd coreutils
-Requires(preun): systemd initscripts
-Requires(postun): systemd coreutils initscript
+Requires(preun): systemd initscripts-service
+Requires(postun): systemd coreutils initscripts-service
 %description
 The audit package contains the user space utilities for
@@ -92,11 +90,11 @@
 %setup -q
 %build
-%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \
- --with-python3=yes --enable-tcp=yes \
- --with-golang --with-libwrap \
- --enable-gssapi-krb5=yes --enable-zos-remote \
- --with-libcap-ng=yes --enable-systemd
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
+ --with-python3=yes \
+ --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
+ --with-libcap-ng=yes --enable-zos-remote \
+ --enable-systemd
 make CFLAGS="%{optflags}" %{?_smp_mflags}
@@ -110,9 +108,6 @@
 make DESTDIR=$RPM_BUILD_ROOT install
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}
-# This winds up in the wrong place when libtool is involved
-mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
-mv $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
 curdir=`pwd`
 cd $RPM_BUILD_ROOT/%{_libdir}
 LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\``
@@ -136,8 +131,8 @@
 %check
 make check
-
-%post libs -p /sbin/ldconfig
+# Get rid of make files so that they don't get packaged.
+rm -f rules/Makefile*
 %post
 # Copy default rules into place on new installation
@@ -173,8 +168,6 @@
 %doc contrib/plugin
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
-%dir %{_prefix}/lib/golang/src/pkg/redhat.com/audit
-%{_prefix}/lib/golang/src/pkg/redhat.com/audit/audit.go
 %{_includedir}/libaudit.h
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
@@ -200,6 +193,7 @@
 %files
 %license COPYING
 %doc README ChangeLog rules init.d/auditd.cron
+%attr(750,root,root) %{_datadir}/%{name}
 %attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
@@ -234,6 +228,7 @@
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
@@ -246,8 +241,6 @@
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 %files -n audispd-plugins
-%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
-%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
 %attr(750,root,root) /sbin/audispd-zos-remote
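Review bot: The new `%attr(750,root,root) %{_datadir}/%{name}` entry in the `%files` hunk lacks `%dir`, and rpm packages a bare directory path recursively, so everything under `%{_datadir}/%{name}` is now listed twice (once here with 750 and once via the `sample-rules/*` line with 644) and rpmbuild will warn about duplicate files. The intent reads as "lock down the directory itself", which is `%attr(750,root,root) %dir %{_datadir}/%{name}`, matching how `%dir /etc/audit` is declared a few hunks below. Separately, the earlier hunk drops `%post libs -p /sbin/ldconfig` without a replacement; that is only safe where the target distribution runs ldconfig from a file trigger, which I can't confirm from the spec alone.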
@@ -257,12 +250,14 @@
 %attr(750,root,root) /sbin/audisp-remote
 %attr(750,root,root) /sbin/audisp-syslog
 %attr(700,root,root) %dir %{_var}/spool/audit
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
 %changelog
-* Sat Mar 10 2018 Steve Grubb 3.0-1
+* Fri Jan 23 2022 Steve Grubb 3.0.7-1
 - New upstream release
diff -Nru audit-3.0/auparse/Makefile.am audit-3.0.7/auparse/Makefile.am
--- audit-3.0/auparse/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/auparse/Makefile.am 2022-01-23 19:36:56.000000000 +0000
@@ -13,11 +13,13 @@
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# License along with this program; see the file COPYING.lib. If not, write to
+# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
 #
 # Authors:
 # Steve Grubb
+# Richard Guy Briggs
 #
 SUBDIRS = test
@@ -45,8 +47,8 @@
 normalize_record_map.h normalize_syscall_map.h
 nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
-libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
-libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a
+libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
+libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la
 libauparse_la_LDFLAGS = -Wl,-z,relro
 message.c:
@@ -65,7 +67,8 @@
 tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \
 netactiontabs.h \
 normalize_obj_kind_maps.h normalize_record_maps.h \
- normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h
+ normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h \
+ openat2-resolvetabs.h
 noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
 gen_clone-flagtabs_h \
 gen_epoll_ctls_h gen_famtabs_h \
@@ -82,7 +85,8 @@
 gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
 gen_umounttabs_h gen_inethooktabs_h gen_netactiontabs_h \
 gen_normalize_record_map gen_normalize_syscall_map \
- gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h
+ gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h \
+ gen_openat2-resolvetabs_h
 gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
 gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"'
@@ -660,3 +664,17 @@ bpftabs.h: gen_bpftabs_h Makefile ./gen_bpftabs_h --i2s bpf > $@ +gen_openat2_resolvetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ + openat2-resolvetab.h +gen_openat2_resolvetabs_h_CFLAGS = '-DTABLE_H="openat2-resolvetab.h"' +$(gen_openat2_resolvetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +openat2-resolvetabs.h: gen_openat2-resolvetabs_h Makefile + ./gen_openat2-resolvetabs_h --i2s-transtab openat2_resolve > $@ + diff -Nru audit-3.0/auparse/Makefile.in audit-3.0.7/auparse/Makefile.in --- audit-3.0/auparse/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/auparse/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,11 +29,13 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb +# Richard Guy Briggs # 
@@ -136,7 +138,8 @@ gen_netactiontabs_h$(EXEEXT) gen_normalize_record_map$(EXEEXT) \ gen_normalize_syscall_map$(EXEEXT) \ gen_normalize_obj_kind_map$(EXEEXT) \ - gen_normalize_evtypetabs_h$(EXEEXT) gen_bpftabs_h$(EXEEXT) + gen_normalize_evtypetabs_h$(EXEEXT) gen_bpftabs_h$(EXEEXT) \ + gen_openat2-resolvetabs_h$(EXEEXT) subdir = auparse ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ @@ -383,6 +386,15 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(gen_open_flagtabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ +am_gen_openat2_resolvetabs_h_OBJECTS = \ + gen_openat2_resolvetabs_h-gen_tables.$(OBJEXT) +gen_openat2_resolvetabs_h_OBJECTS = \ + $(am_gen_openat2_resolvetabs_h_OBJECTS) +gen_openat2_resolvetabs_h_LDADD = $(LDADD) +gen_openat2_resolvetabs_h_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ am_gen_persontabs_h_OBJECTS = gen_persontabs_h-gen_tables.$(OBJEXT) gen_persontabs_h_OBJECTS = $(am_gen_persontabs_h_OBJECTS) gen_persontabs_h_LDADD = $(LDADD) @@ -564,6 +576,7 @@ ./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po \ ./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po \ ./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po \ + ./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_persontabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po \ 
@@ -620,13 +633,15 @@ $(gen_normalize_obj_kind_map_SOURCES) \ $(gen_normalize_record_map_SOURCES) \ $(gen_normalize_syscall_map_SOURCES) \ - $(gen_open_flagtabs_h_SOURCES) $(gen_persontabs_h_SOURCES) \ - $(gen_pktoptnametabs_h_SOURCES) $(gen_prctl_opttabs_h_SOURCES) \ - $(gen_prottabs_h_SOURCES) $(gen_ptracetabs_h_SOURCES) \ - $(gen_recvtabs_h_SOURCES) $(gen_rlimit_h_SOURCES) \ - $(gen_schedtabs_h_SOURCES) $(gen_seccomptabs_h_SOURCES) \ - $(gen_seektabs_h_SOURCES) $(gen_shm_modetabs_h_SOURCES) \ - $(gen_signals_h_SOURCES) $(gen_sockleveltabs_h_SOURCES) \ + $(gen_open_flagtabs_h_SOURCES) \ + $(gen_openat2_resolvetabs_h_SOURCES) \ + $(gen_persontabs_h_SOURCES) $(gen_pktoptnametabs_h_SOURCES) \ + $(gen_prctl_opttabs_h_SOURCES) $(gen_prottabs_h_SOURCES) \ + $(gen_ptracetabs_h_SOURCES) $(gen_recvtabs_h_SOURCES) \ + $(gen_rlimit_h_SOURCES) $(gen_schedtabs_h_SOURCES) \ + $(gen_seccomptabs_h_SOURCES) $(gen_seektabs_h_SOURCES) \ + $(gen_shm_modetabs_h_SOURCES) $(gen_signals_h_SOURCES) \ + $(gen_sockleveltabs_h_SOURCES) \ $(gen_sockoptnametabs_h_SOURCES) $(gen_socktabs_h_SOURCES) \ $(gen_socktypetabs_h_SOURCES) $(gen_tcpoptnametabs_h_SOURCES) \ $(gen_typetabs_h_SOURCES) $(gen_umounttabs_h_SOURCES) 
@@ -645,13 +660,15 @@ $(gen_normalize_obj_kind_map_SOURCES) \ $(gen_normalize_record_map_SOURCES) \ $(gen_normalize_syscall_map_SOURCES) \ - $(gen_open_flagtabs_h_SOURCES) $(gen_persontabs_h_SOURCES) \ - $(gen_pktoptnametabs_h_SOURCES) $(gen_prctl_opttabs_h_SOURCES) \ - $(gen_prottabs_h_SOURCES) $(gen_ptracetabs_h_SOURCES) \ - $(gen_recvtabs_h_SOURCES) $(gen_rlimit_h_SOURCES) \ - $(gen_schedtabs_h_SOURCES) $(gen_seccomptabs_h_SOURCES) \ - $(gen_seektabs_h_SOURCES) $(gen_shm_modetabs_h_SOURCES) \ - $(gen_signals_h_SOURCES) $(gen_sockleveltabs_h_SOURCES) \ + $(gen_open_flagtabs_h_SOURCES) \ + $(gen_openat2_resolvetabs_h_SOURCES) \ + $(gen_persontabs_h_SOURCES) $(gen_pktoptnametabs_h_SOURCES) \ + $(gen_prctl_opttabs_h_SOURCES) $(gen_prottabs_h_SOURCES) \ + $(gen_ptracetabs_h_SOURCES) $(gen_recvtabs_h_SOURCES) \ + $(gen_rlimit_h_SOURCES) $(gen_schedtabs_h_SOURCES) \ + $(gen_seccomptabs_h_SOURCES) $(gen_seektabs_h_SOURCES) \ + $(gen_shm_modetabs_h_SOURCES) $(gen_signals_h_SOURCES) \ + $(gen_sockleveltabs_h_SOURCES) \ $(gen_sockoptnametabs_h_SOURCES) $(gen_socktabs_h_SOURCES) \ $(gen_socktypetabs_h_SOURCES) $(gen_tcpoptnametabs_h_SOURCES) \ $(gen_typetabs_h_SOURCES) $(gen_umounttabs_h_SOURCES) @@ -867,6 +884,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -902,8 +920,8 @@ normalize_record_map.h normalize_syscall_map.h nodist_libauparse_la_SOURCES = $(BUILT_SOURCES) -libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a -libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a +libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la +libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la libauparse_la_LDFLAGS = -Wl,-z,relro BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \ epoll_ctls.h famtabs.h fcntl-cmdtabs.h \ @@ -918,7 +936,8 @@ tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \ netactiontabs.h \ normalize_obj_kind_maps.h normalize_record_maps.h \ - normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h + normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h \ + openat2-resolvetabs.h gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"' @@ -1015,6 +1034,10 @@ gen_normalize_evtypetabs_h_CFLAGS = '-DTABLE_H="normalize_evtypetab.h"' gen_bpftabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h bpftab.h gen_bpftabs_h_CFLAGS = '-DTABLE_H="bpftab.h"' +gen_openat2_resolvetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ + openat2-resolvetab.h + +gen_openat2_resolvetabs_h_CFLAGS = '-DTABLE_H="openat2-resolvetab.h"' all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -1199,6 +1222,10 @@ @rm -f gen_open-flagtabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_open_flagtabs_h_LINK) $(gen_open_flagtabs_h_OBJECTS) $(gen_open_flagtabs_h_LDADD) $(LIBS) +gen_openat2-resolvetabs_h$(EXEEXT): $(gen_openat2_resolvetabs_h_OBJECTS) $(gen_openat2_resolvetabs_h_DEPENDENCIES) $(EXTRA_gen_openat2_resolvetabs_h_DEPENDENCIES) + @rm -f gen_openat2-resolvetabs_h$(EXEEXT) + $(AM_V_CCLD)$(gen_openat2_resolvetabs_h_LINK) $(gen_openat2_resolvetabs_h_OBJECTS) $(gen_openat2_resolvetabs_h_LDADD) $(LIBS) + gen_persontabs_h$(EXEEXT): $(gen_persontabs_h_OBJECTS) $(gen_persontabs_h_DEPENDENCIES) $(EXTRA_gen_persontabs_h_DEPENDENCIES) @rm -f gen_persontabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_persontabs_h_LINK) $(gen_persontabs_h_OBJECTS) $(gen_persontabs_h_LDADD) $(LIBS) @@ -1311,6 +1338,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_persontabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po@am__quote@ # am--include-marker 
@@ -1714,6 +1742,20 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_open_flagtabs_h_CFLAGS) $(CFLAGS) -c -o gen_open_flagtabs_h-gen_tables.obj `if test -f '../lib/gen_tables.c'; then $(CYGPATH_W) '../lib/gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/../lib/gen_tables.c'; fi` +gen_openat2_resolvetabs_h-gen_tables.o: ../lib/gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) -MT gen_openat2_resolvetabs_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Tpo -c -o gen_openat2_resolvetabs_h-gen_tables.o `test -f '../lib/gen_tables.c' || echo '$(srcdir)/'`../lib/gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Tpo $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../lib/gen_tables.c' object='gen_openat2_resolvetabs_h-gen_tables.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) -c -o gen_openat2_resolvetabs_h-gen_tables.o `test -f '../lib/gen_tables.c' || echo '$(srcdir)/'`../lib/gen_tables.c + +gen_openat2_resolvetabs_h-gen_tables.obj: ../lib/gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) -MT gen_openat2_resolvetabs_h-gen_tables.obj -MD -MP -MF $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Tpo -c -o gen_openat2_resolvetabs_h-gen_tables.obj `if test -f '../lib/gen_tables.c'; then $(CYGPATH_W) '../lib/gen_tables.c'; else 
$(CYGPATH_W) '$(srcdir)/../lib/gen_tables.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Tpo $(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../lib/gen_tables.c' object='gen_openat2_resolvetabs_h-gen_tables.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) -c -o gen_openat2_resolvetabs_h-gen_tables.obj `if test -f '../lib/gen_tables.c'; then $(CYGPATH_W) '../lib/gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/../lib/gen_tables.c'; fi` + gen_persontabs_h-gen_tables.o: ../lib/gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_persontabs_h_CFLAGS) $(CFLAGS) -MT gen_persontabs_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_persontabs_h-gen_tables.Tpo -c -o gen_persontabs_h-gen_tables.o `test -f '../lib/gen_tables.c' || echo '$(srcdir)/'`../lib/gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_persontabs_h-gen_tables.Tpo $(DEPDIR)/gen_persontabs_h-gen_tables.Po @@ -2264,6 +2306,7 @@ -rm -f ./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po -rm -f ./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po -rm -f ./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po + -rm -f ./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_persontabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po 
@@ -2364,6 +2407,7 @@ -rm -f ./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po -rm -f ./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po -rm -f ./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po + -rm -f ./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_persontabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po @@ -2874,6 +2918,16 @@ gen_bpftabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) bpftabs.h: gen_bpftabs_h Makefile ./gen_bpftabs_h --i2s bpf > $@ +$(gen_openat2_resolvetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +openat2-resolvetabs.h: gen_openat2-resolvetabs_h Makefile + ./gen_openat2-resolvetabs_h --i2s-transtab openat2_resolve > $@ # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru audit-3.0/auparse/auditd-config.c audit-3.0.7/auparse/auditd-config.c --- audit-3.0/auparse/auditd-config.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/auditd-config.c 2022-01-23 19:36:56.000000000 +0000 
@@ -61,17 +61,20 @@
 static const struct kw_pair *kw_lookup(const char *val);
 static int log_file_parser(auparse_state_t *au, const char *val, int line,
 struct daemon_conf *config);
+static int eoe_timeout_parser(auparse_state_t *au, const char *val, int line,
+ struct daemon_conf *config);
 static const struct kw_pair keywords[] = {
 {"log_file", log_file_parser },
+ {"end_of_event_timeout", eoe_timeout_parser },
 { NULL, NULL }
 };
 /*
 * Set everything to its default value
 */
-void clear_config(struct daemon_conf *config)
+void aup_clear_config(struct daemon_conf *config)
 {
 config->local_events = 1;
 config->sender_uid = 0;
@@ -100,6 +103,7 @@
 config->disk_full_exe = NULL;
 config->disk_error_action = FA_SYSLOG;
 config->disk_error_exe = NULL;
+ config->end_of_event_timeout = EOE_TIMEOUT;
 }
 int aup_load_config(auparse_state_t *au, struct daemon_conf *config,
@@ -109,14 +113,19 @@
 FILE *f;
 char buf[160];
- clear_config(config);
+ aup_clear_config(config);
 lt = lt;
 /* open the file */
 fd = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW);
 if (fd < 0) {
 if (errno != ENOENT) {
- audit_msg(au, LOG_ERR, "Error opening config file (%s)",
+ if (errno == EACCES) {
+ audit_msg(au, LOG_INFO,
+ "libauparse: Permission denied opening config file, using defaults");
+ return 0;
+ }
+ audit_msg(au, LOG_ERR, "Error opening config file (%s)",
 strerror(errno));
 return 1;
 }
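Review bot: The new `EACCES` branch in aup_load_config() turns an unreadable auditd.conf into a successful return with the compiled-in defaults, and the LOG_INFO message is only visible when the caller has switched the message mode to stderr (the auparse.c hunks further down do that only under `AUPARSE_DEBUG`), so an unprivileged consumer silently parses with `EOE_TIMEOUT` instead of the administrator's configured `end_of_event_timeout`. That is a reasonable trade-off for a library, but it is a behavioural contract callers should be able to read; a comment above the branch would do, e.g. `/* Unprivileged callers cannot read auditd.conf: keep the defaults set by aup_clear_config() (end_of_event_timeout = EOE_TIMEOUT) and report success rather than failing. */`. The rest of aup_load_config() continues outside the hunk.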
@@ -323,8 +332,39 @@
 return 0;
 }
-void free_config(struct daemon_conf *config)
+
+static int eoe_timeout_parser(auparse_state_t *au, const char *val, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = val;
+ unsigned long i;
+
+ /* check that all chars are numbers */
+ for (i=0; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ audit_msg(au, LOG_ERR,
+ "Value %s should only be numbers - line %d",
+ val, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned long */
+ errno = 0;
+ i = strtoul(val, NULL, 10);
+ if (errno) {
+ audit_msg(au, LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ config->end_of_event_timeout = i;
+ return 0;
+}
+
+void aup_free_config(struct daemon_conf *config)
 {
 free((void*)config->log_file);
+ config->log_file = NULL;
 }
diff -Nru audit-3.0/auparse/auparse-defs.h audit-3.0.7/auparse/auparse-defs.h
--- audit-3.0/auparse/auparse-defs.h 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/auparse/auparse-defs.h 2022-01-23 19:36:56.000000000 +0000
@@ -87,7 +87,9 @@
 AUPARSE_TYPE_PROCTITLE, AUPARSE_TYPE_HOOK, AUPARSE_TYPE_NETACTION,
 AUPARSE_TYPE_MACPROTO, AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY,
- AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY } auparse_type_t;
+ AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY,
+ AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE
+} auparse_type_t;
 /* This type determines what escaping if any gets applied to interpreted fields */
 typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
diff -Nru audit-3.0/auparse/auparse-idata.h audit-3.0.7/auparse/auparse-idata.h
--- audit-3.0/auparse/auparse-idata.h 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/auparse/auparse-idata.h 2022-01-23 19:36:56.000000000 +0000
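Review bot: eoe_timeout_parser() accepts an empty value: with `val` equal to `""` the digit loop never executes, `strtoul("", NULL, 10)` returns 0 without setting errno, and `config->end_of_event_timeout` silently becomes 0, which in the auparse.c hunk below makes `cur->l->e.sec + eoe_timeout <= sec` true as soon as an event is seen; whether the keyword parser ever hands over an empty string is not visible here. Reject it up front with `if (*val == '\0') { audit_msg(au, LOG_ERR, "Value missing - line %d", line); return 1; }`, and decide explicitly whether 0 is a legal timeout. The `isdigit(ptr[i])` call should also take an `unsigned char`, since a `char` above 127 is undefined input for the ctype functions: `if (!isdigit((unsigned char)ptr[i])) {`.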
@@ -1,6 +1,6 @@
 /*
 * idata.h - Header file for ausearch-lookup.c
-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -34,8 +34,8 @@
 unsigned long long a0; // arg 0 to the syscall
 unsigned long long a1; // arg 1 to the syscall
 const char *cwd; // The current working directory
- const char *name; // name of field being interpretted
- const char *val; // value of field being interpretted
+ const char *name; // name of field being interpreted
+ const char *val; // value of field being interpreted
 } idata;
@@ -45,6 +45,7 @@
 void _auparse_load_interpretations(const char *buf);
 void _auparse_free_interpretations(void);
 const char *_auparse_lookup_interpretation(const char *name);
+void _auparse_flush_caches(void);
 #endif
diff -Nru audit-3.0/auparse/auparse.c audit-3.0.7/auparse/auparse.c
--- audit-3.0/auparse/auparse.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/auparse/auparse.c 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
 /* auparse.c --
- * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2006-08,2012-19,21 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -32,6 +32,7 @@
 #include
 #include
 #include
+#include
 #include "common.h"
 //#define LOL_EVENTS_DEBUG01 1 // add debug for list of list event
@@ -41,6 +42,8 @@
 static int debug = 0;
 #endif
+static time_t eoe_timeout = EOE_TIMEOUT;
+
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
 {
@@ -64,8 +67,9 @@
 char *filename, **tmp;
 int len, num = 0, i = 0;
- /* Load config so we know where logs are */
- set_aumessage_mode(au, MSG_STDERR, DBG_NO);
+ /* Load config so we know where logs are */
+ if (secure_getenv("AUPARSE_DEBUG"))
+ set_aumessage_mode(au, MSG_STDERR, DBG_NO);
 aup_load_config(au, &config, TEST_SEARCH);
 /* for each file */
@@ -73,7 +77,7 @@ filename = malloc(len); if (!filename) { fprintf(stderr, "No memory\n"); - free_config(&config); + aup_free_config(&config); return 1; } /* Find oldest log file */ @@ -87,7 +91,7 @@ if (num == 0) { fprintf(stderr, "No log file\n"); - free_config(&config); + aup_free_config(&config); free(filename); return 1; } @@ -111,11 +115,11 @@ else break; } while (1); - free_config(&config); + aup_free_config(&config); free(filename); // Terminate the list - tmp[i] = NULL; + tmp[i] = NULL; au->source_list = tmp; return 0; } @@ -134,11 +138,10 @@ int sz = ARRAY_LIMIT * sizeof(au_lolnode); lol->maxi = -1; - lol->limit = ARRAY_LIMIT; - if ((lol->array = (au_lolnode *)malloc(sz)) == NULL) { - lol->maxi = -1; + if ((lol->array = (au_lolnode *)malloc(sz)) == NULL) return NULL; - } + + lol->limit = ARRAY_LIMIT; memset(lol->array, 0x00, sz); return lol->array; @@ -236,7 +239,7 @@ int i; au_lol *lol = au->au_lo; au_lolnode *lowest = NULL; - + if (au->au_ready == 0) { //if (debug) printf("No events ready\n"); return NULL; @@ -287,13 +290,13 @@ if (cur->status == EBS_BUILDING) { if ((r = aup_list_get_cur(cur->l)) == NULL) continue; - // If 2 seconds have elapsed, we are done - if (cur->l->e.sec + 2 <= sec) { + // If eoe_timeout seconds have elapsed, we are done + if (cur->l->e.sec + eoe_timeout <= sec) { cur->status = EBS_COMPLETE; au->au_ready++; } else if ( // FIXME: Check this v remains true r->type == AUDIT_PROCTITLE || - r->type == AUDIT_EOE || + r->type == AUDIT_EOE || r->type < AUDIT_FIRST_EVENT || r->type >= AUDIT_FIRST_ANOM_MSG || r->type == AUDIT_KERNEL || 
@@ -398,6 +401,30 @@ /* General functions that affect operation of the library */ + +/* + * au_setup_userspace_configitems - load userspace configuration items from auditd.conf + * + * Args: + * au - pointer to auparseing state structure + * + * Rtns: + * void + */ +static void au_setup_userspace_configitems(auparse_state_t *au) +{ + struct daemon_conf config; + + /* Load config so we know where logs are */ + if (secure_getenv("AUPARSE_DEBUG")) + set_aumessage_mode(au, MSG_STDERR, DBG_NO); + aup_load_config(au, &config, TEST_SEARCH); + + eoe_timeout = (time_t)config.end_of_event_timeout; + + aup_free_config(&config); +} + auparse_state_t *auparse_init(ausource_t source, const void *b) { char **tmp, **bb = (char **)b, *buf = (char *)b; @@ -430,6 +457,9 @@ return NULL; } au->au_ready = 0; + au->escape_mode = AUPARSE_ESC_TTY; + au->message_mode = MSG_QUIET; + au->debug_message = DBG_NO; au->in = NULL; au->source_list = NULL; @@ -437,6 +467,7 @@ au->callback = NULL; au->callback_user_data = NULL; au->callback_user_data_destroy = NULL; + au_setup_userspace_configitems(au); switch (source) { case AUSOURCE_LOGS: @@ -525,9 +556,6 @@ au->expr = NULL; au->find_field = NULL; au->search_where = AUSEARCH_STOP_EVENT; - au->escape_mode = AUPARSE_ESC_TTY; - au->message_mode = MSG_QUIET; - au->debug_message = DBG_NO; au->tmp_translation = NULL; init_normalizer(&au->norm_data); @@ -600,6 +628,19 @@ } } +int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len) +{ + if (au->source != AUSOURCE_BUFFER) + return 1; + + auparse_reset(au); + + if (databuf_replace(&au->databuf, data, data_len) < 0) + return 1; + + return 0; +} + int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) { if (databuf_append(&au->databuf, data, data_len) < 0) 
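Review bot: `au_setup_userspace_configitems` ignores the result of `aup_load_config` and copies `config.end_of_event_timeout` into the library-wide static `eoe_timeout` unconditionally, from a `struct daemon_conf config` that is never initialised here; if the load fails and the loader does not reset that field (its body is not in view) the timeout becomes stack garbage. Because the static is rewritten on every `auparse_init`, it also silently overrides a value the application set earlier through `auparse_set_eoe_timeout`. I would assign only on a successful load with a non-zero value, e.g. `if (aup_load_config(au, &config, TEST_SEARCH) == 0 && config.end_of_event_timeout) eoe_timeout = (time_t)config.end_of_event_timeout;` (adjusted to the loader's actual success convention), and state in the function comment that the setting is process-global, not per `auparse_state_t`.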
@@ -614,10 +655,31 @@ return 0; } -// If there is data in the state machine, return 1 +// If there is any data in the state machine, return 1. // Otherwise return 0 to indicate its empty int auparse_feed_has_data(auparse_state_t *au) { + if (!au) + return 0; + + int i; + au_lol *lol = au->au_lo; + + // An improvement would be to track how many events we have stored + // to avoid a costly loop + for (i=0; i <= lol->maxi; i++) { + au_lolnode *cur = &(lol->array[i]); + if (cur->status > EBS_EMPTY) + return 1; + } + + return 0; +} + +// If there is a ready event in the state machine, return 1. +// Otherwise return 0 to indicate its empty +int auparse_feed_has_ready_event(auparse_state_t *au) +{ if (au_get_ready_event(au, 1) != NULL) return 1; @@ -690,7 +752,7 @@ /* Fall through */ case AUSOURCE_DESCRIPTOR: case AUSOURCE_FILE_POINTER: - if (au->in) + if (au->in) rewind(au->in); /* Fall through */ case AUSOURCE_BUFFER: @@ -917,7 +979,7 @@ if (au->source_list) { int n = 0; - while (au->source_list[n]) + while (au->source_list[n]) free(au->source_list[n++]); free(au->source_list); au->source_list = NULL; @@ -950,7 +1012,7 @@ void auparse_destroy(auparse_state_t *au) { - aulookup_destroy_uid_list(); + lookup_destroy_uid_list(); aulookup_destroy_gid_list(); auparse_destroy_common(au); @@ -969,7 +1031,7 @@ * without a newline (note, this implies the line may be empty (strlen == 0)) if * successfully read a blank line (e.g. containing only a single newline). * cur_buf will have been newly allocated with malloc. - * + * * Note: cur_buf will be freed the next time this routine is called if * cur_buf is not NULL, callers who retain a reference to the cur_buf * pointer will need to set cur_buf to NULL to cause the previous cur_buf 
@@ -1027,7 +1089,7 @@ * newline (note, this implies the line may be empty (strlen == 0)) if * successfully read a blank line (e.g. containing only a single * newline). - * + * * Note: cur_buf will be freed the next time this routine is called if * cur_buf is not NULL, callers who retain a reference to the cur_buf * pointer will need to set cur_buf to NULL to cause the previous cur_buf @@ -1060,7 +1122,7 @@ if ((p_newline = strnchr(databuf_beg(&au->databuf), '\n', au->databuf.len)) != NULL) { line_len = p_newline - databuf_beg(&au->databuf); - + /* dup the line */ au->cur_buf = malloc(line_len+1); // +1 for null terminator if (au->cur_buf == NULL) @@ -1073,7 +1135,6 @@ // return success errno = 0; return 1; - } else { // return no data available errno = 0; @@ -1087,18 +1148,18 @@ errno = 0; e->sec = strtoul(s, NULL, 10); - if (errno) + if (errno || e->sec > (LONG_MAX - eoe_timeout -1)) return -1; ptr = strchr(s, '.'); if (ptr) { ptr++; e->milli = strtoul(ptr, NULL, 10); - if (errno) + if (errno || e->milli > 999) return -1; s = ptr; } else e->milli = 0; - + ptr = strchr(s, ':'); if (ptr) { ptr++; @@ -1134,13 +1195,14 @@ ptr = audit_strsplit(tmp); if (ptr) { // Optionally grab the node - may or may not be included - if (*ptr == 'n') { + if (*ptr == 'n' && strnlen(ptr, 8) > 5) { e->host = strdup(ptr+5); (void)audit_strsplit(NULL);// Bump along to next one } // at this point we have type= ptr = audit_strsplit(NULL); - if (ptr) { + // strlen is for fuzzers that make invalid lines + if (ptr && strnlen(ptr, 20) > 18) { if (*(ptr+9) == '(') ptr+=9; else @@ -1188,7 +1250,7 @@ /* This function will figure out how to get the next line of input. * storing it cur_buf. cur_buf will be NULL terminated but will not - * contain a trailing newline. This implies a successful read + * contain a trailing newline. This implies a successful read * (result == 1) may result in a zero length cur_buf if a blank line * was read. * 
@@ -1520,8 +1582,11 @@ if (debug) printf("Adding event to building event\n"); #endif /* LOL_EVENTS_DEBUG01 */ - aup_list_append(cur->l, au->cur_buf, - au->list_idx, au->line_number); + if (aup_list_append(cur->l, au->cur_buf, + au->list_idx, au->line_number) < 0) { + au->cur_buf = NULL; + continue; + } au->cur_buf = NULL; free((char *)e.host); au_check_events(au, e.sec); @@ -1549,7 +1614,13 @@ } aup_list_create(l); aup_list_set_event(l, &e); - aup_list_append(l, au->cur_buf, au->list_idx, au->line_number); + if (aup_list_append(l, au->cur_buf, au->list_idx, + au->line_number) < 0) { + au->cur_buf = NULL; + aup_list_clear(l); + free(l); + continue; + } // Eat standalone EOE - main event was already marked complete if (l->head->type == AUDIT_EOE) { au->cur_buf = NULL; @@ -1706,6 +1777,14 @@ if (rc <= 0) return rc; } + r = aup_list_get_cur(au->le); + if (r && r->item == 0 && interpretation_list_cnt()) { + // If we are on the first record and the list has previously + // been loaded, just pull cursor back and avoid loading the + // interpretation list. + aup_list_first_field(au->le); + return 1; + } aup_list_first(au->le); r = aup_list_get_cur(au->le); free_interpretation_list(); @@ -1744,6 +1823,15 @@ { rnode *r; + r = aup_list_get_cur(au->le); + if (r && r->item == num && interpretation_list_cnt()) { + // If we are on the first record and the list has previously + // been loaded, just pull cursor back and avoid loading the + // interpretation list. + aup_list_first_field(au->le); + return 1; + } + /* Check if a request is out of range */ free_interpretation_list(); // Its OK if au->le == NULL because get_cnt handles it @@ -1928,7 +2016,8 @@ rnode *r = aup_list_get_cur(au->le); while (r) { // For each record in the event... if (!moved) { - nvlist_next(&r->nv); + if (nvlist_next(&r->nv) == NULL) + return NULL; moved=1; } if (nvlist_find_name(&r->nv, au->find_field)) 
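Review bot: the new failure path in the `EBS_BUILDING` branch leaks `e.host`: the success path frees it on the line right after the append, but the added `continue` skips that free, and `e.host` was `strdup`'d by the node/timestamp parser earlier on this page. Setting `au->cur_buf = NULL` on failure also assumes `aup_list_append` consumed or freed the line on its error return; if it did not (its body is not in view) the line leaks as well. I would write `if (aup_list_append(cur->l, au->cur_buf, au->list_idx, au->line_number) < 0) { free((char *)e.host); au->cur_buf = NULL; continue; }` and add a one-line comment stating the ownership rule of `aup_list_append` on failure. The same question applies to the second hunk, where `aup_list_clear(l); free(l);` may or may not release the host string handed over by `aup_list_set_event`.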
@@ -1936,6 +2025,7 @@ r = aup_list_next(au->le); if (r) { aup_list_first_field(au->le); + free_interpretation_list(); load_interpretation_list(r->interp); } } @@ -2123,3 +2213,18 @@ return auparse_interpret_sock_parts(au, "laddr="); } +/* + * auparse_set_eoe_timeout - set the end of event timeout value + * + * Args + * new_tmo - new timeout value + * Rtns + * 0 - correctly set + * 1 - failed to set + */ +int auparse_set_eoe_timeout (time_t new_tmo) { + if (new_tmo == 0) + return 1; + eoe_timeout = new_tmo; + return 0; +} diff -Nru audit-3.0/auparse/auparse.h audit-3.0.7/auparse/auparse.h --- audit-3.0/auparse/auparse.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/auparse.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auparse.h -- - * Copyright 2006-08,2012,2014-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2006-08,2012,2014-17 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -41,10 +41,12 @@ /* General functions that affect operation of the library */ auparse_state_t *auparse_init(ausource_t source, const void *b); +int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len); int auparse_feed(auparse_state_t *au, const char *data, size_t data_len); void auparse_feed_age_events(auparse_state_t *au); int auparse_flush_feed(auparse_state_t *au); int auparse_feed_has_data(auparse_state_t *au); +int auparse_feed_has_ready_event(auparse_state_t *au); void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback, void *user_data, user_destroy user_destroy_func); void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode); 
@@ -63,10 +65,13 @@ unsigned milli, ausearch_rule_t how); int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op, time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how); -int ausearch_add_regex(auparse_state_t *au, const char *expr); +int ausearch_add_regex(auparse_state_t *au, const char *regexp); int ausearch_set_stop(auparse_state_t *au, austop_t where); void ausearch_clear(auparse_state_t *au); +/* Function dealing with setting user space configuration items */ +int auparse_set_eoe_timeout (time_t new_tmo); + /* Functions that are part of the auparse_normalize interface */ // This causes the current event to become normalized. diff -Nru audit-3.0/auparse/captab.h audit-3.0.7/auparse/captab.h --- audit-3.0/auparse/captab.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/captab.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* captab.h -- - * Copyright 2007,2008,2012-14 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2008,2012-14,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -60,3 +60,7 @@ _S(35, "wake_alarm" ) _S(36, "block_suspend" ) _S(37, "audit_read" ) +_S(38, "perfmon" ) +_S(39, "bpf" ) +_S(40, "checkpoint_restore" ) + diff -Nru audit-3.0/auparse/data_buf.c audit-3.0.7/auparse/data_buf.c --- audit-3.0/auparse/data_buf.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/data_buf.c 2022-01-23 19:36:56.000000000 +0000 @@ -35,7 +35,7 @@ #include #include -#include +#include // for memmove() #include #include #include @@ -85,7 +85,6 @@ /*****************************************************************************/ static int databuf_shift_data_to_beginning(DataBuf *db); -static int databuf_strcat(DataBuf *db, const char *str); /*****************************************************************************/ /************************* External Global Variables ***********************/ 
@@ -143,7 +142,6 @@ fmt?" ":"", db->alloc_size, db->alloc_ptr, db->offset, databuf_beg(db), db->len, db->max_len); if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) printf("PRESERVE_HEAD "); - if (db->flags & DATABUF_FLAG_STRING) printf("STRING "); printf("]"); if (print_data) { @@ -173,9 +171,6 @@ } } - // For strings intialize with initial NULL terminator - if (flags & DATABUF_FLAG_STRING) databuf_strcat(db, ""); - return 1; } @@ -210,10 +205,11 @@ if (debug) databuf_print(db, 1, "databuf_append() size=%zd", src_size); #endif if ((new_size > db->alloc_size) || - ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && !databuf_tail_available(db, src_size))) { + ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && + !databuf_tail_available(db, src_size))) { /* not enough room, we must realloc */ void *new_alloc; - + databuf_shift_data_to_beginning(db); if ((new_alloc = realloc(db->alloc_ptr, new_size))) { db->alloc_ptr = new_alloc; @@ -243,31 +239,14 @@ return 1; } -static int databuf_strcat(DataBuf *db, const char *str) +int databuf_replace(DataBuf *db, const char *src, size_t src_size) { - size_t str_len; - DATABUF_VALIDATE(db); - if (str == NULL) return 0; - - // +1 so the data append also copies the NULL terminator - str_len = strlen(str) + 1; - - // If there is a NULL terminator exclude it so the subsequent - // data append produces a proper string concatenation - if (db->len > 0) { - char *last_char = databuf_end(db) - 1; - if (last_char && *last_char == 0) { - db->len--; // backup over NULL terminator - } - } - - // Copy string and NULL terminator - databuf_append(db, str, str_len); + if (src == NULL || src_size == 0) return 0; - DATABUF_VALIDATE(db); - return 1; + db->len = 0; + return databuf_append(db, src, src_size); } int databuf_advance(DataBuf *db, size_t advance) 
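Review bot: `databuf_replace` returns 0 when `src` is NULL or `src_size` is 0 without touching `db->len`, and its only visible caller, `auparse_new_buffer`, treats any non-negative return as success, so an application that starts over with an empty buffer keeps the previous buffer's bytes and parses them again. Either clear before the early return, `db->len = 0;`, or make it a failure the caller sees, `return -1;`; the former matches the function's name. A short comment on what is deliberately not reset (the head offset, if that is intended) would help the next reader, since `databuf_strcat`, which this replaces, documented its terminator handling inline.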
@@ -336,25 +315,10 @@ char *data; int rc; - rc = databuf_init(&buf, size, DATABUF_FLAG_STRING); + rc = databuf_init(&buf, size, 0); assert(rc); databuf_print(&buf, 1, "after init size=%d", size); -#if 1 - data = "a"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - - data = "bb"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - - data = "ccc"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - -#endif - databuf_free(&buf); #if 0 diff -Nru audit-3.0/auparse/data_buf.h audit-3.0.7/auparse/data_buf.h --- audit-3.0/auparse/data_buf.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/data_buf.h 2022-01-23 19:36:56.000000000 +0000 @@ -34,7 +34,6 @@ /*****************************************************************************/ #define DATABUF_FLAG_PRESERVE_HEAD (1 << 0) -#define DATABUF_FLAG_STRING (2 << 0) /*****************************************************************************/ @@ -76,6 +75,7 @@ int databuf_init(DataBuf *db, size_t size, unsigned flags); void databuf_free(DataBuf *db); int databuf_append(DataBuf *db, const char *src, size_t src_size); +int databuf_replace(DataBuf *db, const char *src, size_t src_size); int databuf_advance(DataBuf *db, size_t advance); int databuf_reset(DataBuf *db); diff -Nru audit-3.0/auparse/ellist.c audit-3.0.7/auparse/ellist.c --- audit-3.0/auparse/ellist.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/ellist.c 2022-01-23 19:36:56.000000000 +0000 @@ -103,7 +103,7 @@ static int parse_up_record(rnode* r) { char *ptr, *buf, *saved=NULL; - unsigned int offset = 0; + unsigned int offset = 0, len; // Potentially cut the record in two ptr = strchr(r->record, AUDIT_INTERP_SEPARATOR); 
@@ -112,10 +112,19 @@ ptr++; } r->interp = ptr; - buf = strdup(r->record); + // Rather than call strndup, we will do it ourselves to reduce + // the number of interations across the record. + // len includes the string terminator. + len = strlen(r->record) + 1; + r->nv.record = buf = malloc(len); + if (r->nv.record == NULL) + return -1; + memcpy(r->nv.record, r->record, len); + r->nv.end = r->nv.record + len; ptr = audit_strsplit_r(buf, &saved); if (ptr == NULL) { free(buf); + r->nv.record = NULL; return -1; } @@ -147,10 +156,13 @@ // Remove beginning cruft of name if (*ptr == '(') ptr++; - n.name = strdup(ptr); - n.val = strdup(val); + n.name = ptr; + n.val = val; // Remove trailing punctuation len = strlen(n.val); + // Check for invalid val + if (!len) + continue; if (len && n.val[len-1] == ':') { n.val[len-1] = 0; len--; 
@@ -172,32 +184,59 @@ } // Make virtual keys or just store it if (strcmp(n.name, "key") == 0 && *n.val != '(') { - if (*n.val == '"') - nvlist_append(&r->nv, &n); - else { + if (*n.val == '"') { + // This is a normal single key. + n.name = strdup("key"); + char *t = strdup(n.val); + n.val = t; + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + continue; + } + } else { + // Virtual keys char *key, *ptr2, *saved2; key = (char *)au_unescape(n.val); if (key == NULL) { + n.name = strdup("key"); + n.val = NULL; // Malformed key - save as is - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } continue; } ptr2 = strtok_r(key, key_sep, &saved2); - free(n.name); - free(n.val); while (ptr2) { n.name = strdup("key"); n.val = escape(ptr2); - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } ptr2 = strtok_r(NULL, key_sep, &saved2); } free(key); } continue; - } else - nvlist_append(&r->nv, &n); + } else { + if (strcmp(n.name, "key") == 0) { + // This is a null key + n.name = strdup("key"); + char *t = strdup(n.val); + n.val = t; + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + continue; + } + } else // everything not a key + nvlist_append(&r->nv, &n); + } // Do some info gathering for use later if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0) @@ -208,7 +247,7 @@ r->type = audit_name_to_msg_type(n.val); // This has to account for seccomp records } else if ((r->nv.cnt == (2 + offset) || - r->nv.cnt == (11 + offset)) && + r->nv.cnt == (11 + offset)) && strcmp(n.name, "arch")== 0){ unsigned int ival; errno = 0; @@ -260,7 +299,9 @@ while (ptr && *ptr != '}') { len = strlen(ptr); if ((len+1) >= (256-total)) { - free(buf); + if (nvlist_get_cnt(&r->nv) + == 0) + free(buf); return -1; } if (tmpctx[0]) { 
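Review bot: the seperms overflow path in the third hunk here (`if ((len+1) >= (256-total))`) frees `buf` when the list is empty but leaves `r->nv.record` pointing at it, whereas the strsplit failure path in the previous hunk sets `r->nv.record = NULL` after the same free; if `nvlist_clear(&current->nv, 1)` in the list teardown releases `nv.record`, as the new ownership model suggests, that is a double free. Mirror the earlier path: `free(buf); r->nv.record = NULL; r->nv.end = NULL;`. Separately, the `key == NULL` branch keeps the comment `// Malformed key - save as is` but now stores `n.val = NULL`, so the value is dropped rather than saved; either update the comment or store `strdup(n.val)` as the single-key branch above it does.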
@@ -274,18 +315,28 @@ } n.name = strdup("seperms"); n.val = strdup(tmpctx); - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } continue; } } else continue; - n.val = strdup(ptr); + n.val = ptr; nvlist_append(&r->nv, &n); } } while((ptr = audit_strsplit_r(NULL, &saved))); - free(buf); - r->nv.cur = r->nv.head; // reset to beginning + // If for some reason it was useless, delete buf + if (r->nv.cnt == 0) { + free(buf); + r->nv.record = NULL; + r->nv.end = NULL; + free((void *)r->cwd); + } + + r->nv.cur = 0; // reset to beginning return 0; } @@ -350,7 +401,7 @@ current = l->head; while (current) { nextnode=current->next; - nvlist_clear(¤t->nv); + nvlist_clear(¤t->nv, 1); free(current->record); free(current); current=nextnode; @@ -431,7 +482,7 @@ if (high <= low) return NULL; - node = l->head; /* Start at the beginning */ + node = l->head; /* Start at the beginning */ while (node) { if (node->type >= low && node->type <= high) { l->cur = node; diff -Nru audit-3.0/auparse/ellist.h audit-3.0.7/auparse/ellist.h --- audit-3.0/auparse/ellist.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/ellist.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * ellist.h - Header file for ellist.c -* Copyright (c) 2006-07,2017 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-07,2017,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
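Review bot: the `r->nv.cnt == 0` cleanup at the end of `parse_up_record` frees `r->cwd` but does not null it, so if the node is later released by `aup_list_clear` (which already frees `current->record` in this hunk and, I assume, the cwd string allocated when the record was parsed) the same pointer is freed twice. Add `r->cwd = NULL;` after the free. In the same hunk the final `n.val = ptr; nvlist_append(&r->nv, &n);` ignores the append's return value while every other append in this function now checks it; since both pointers aim into `buf` nothing leaks, but a one-line comment saying so would stop the next reader from "fixing" it.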
@@ -44,7 +44,7 @@ static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l ? l->cnt : 0; } static inline void aup_list_first(event_list_t *l) { l->cur = l->head; } -static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; } +static inline rnode *aup_list_get_cur(event_list_t *l) { return l ? l->cur : NULL; } AUDIT_HIDDEN_START diff -Nru audit-3.0/auparse/internal.h audit-3.0.7/auparse/internal.h --- audit-3.0/auparse/internal.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/internal.h 2022-01-23 19:36:56.000000000 +0000 @@ -59,12 +59,15 @@ * record type = AUDIT_EOE (audit end of event type record), or * record type = AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE is always * the last record), or + * record type = AUDIT_KERNEL (kernel events are one record events), or * record type < AUDIT_FIRST_EVENT (only single record events appear * before this type), or * record type >= AUDIT_FIRST_ANOM_MSG (only single record events appear * after this type), or - * for the stream being processed, the time of the event is over 2 seconds - * old + * record type >= AUDIT_MAC_UNLBL_ALLOW && record type <= AUDIT_MAC_CALIPSO_DEL (these are also one record events), or + * for the stream being processed, the time of the event is over eoe_timeout seconds + * old. eoe_timeout is the configuration item, 'end_of_event_timeout', in the auditd.conf + * configuration file. It's default is EOE_TIMEOUT * * So, under LOL_EVENT processing, a event node (au_lolnode) can be either * @@ -95,7 +98,7 @@ typedef struct { au_lolnode *array; /* array of events */ int maxi; /* largest index in array used */ - int limit; /* number of events in array */ + size_t limit; /* number of events in array */ } au_lol; /* 
@@ -189,9 +192,9 @@ AUDIT_HIDDEN_START // auditd-config.c -void clear_config(struct daemon_conf *config); +void aup_clear_config(struct daemon_conf *config); int aup_load_config(auparse_state_t *au, struct daemon_conf *config, log_test_t lt); -void free_config(struct daemon_conf *config); +void aup_free_config(struct daemon_conf *config); // normalize.c void init_normalizer(normalize_data *d); diff -Nru audit-3.0/auparse/interpret.c audit-3.0.7/auparse/interpret.c --- audit-3.0/auparse/interpret.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/interpret.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,7 +1,7 @@ /* * interpret.c - Lookup values to something more readable -* Copyright (c) 2007-09,2011-16,2018-19 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2007-09,2011-16,2018-21 Red Hat Inc. +* All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -44,12 +44,15 @@ #include #include #include -#include // FIXME: remove when ipx.h is fixed -#include +#ifdef HAVE_IPX_HEADERS + #include // FIXME: remove when ipx.h is fixed + #include +#endif #include #include #include #include +#include /* PATH_MAX */ #ifdef USE_FANOTIFY #include #else @@ -120,6 +123,7 @@ #include "inethooktabs.h" #include "netactiontabs.h" #include "bpftabs.h" +#include "openat2-resolvetabs.h" typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t; typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t; @@ -394,9 +398,11 @@ } /////////// Interpretation list functions /////////////// +#define NEVER_LOADED 0xFFFF void init_interpretation_list(void) { nvlist_create(&il); + il.cnt = NEVER_LOADED; } /* 
@@ -411,7 +417,10 @@ if (buffer == NULL) return 0; - buf = strdup(buffer); + if (il.cnt == NEVER_LOADED) + il.cnt = 0; + + il.record = buf = strdup(buffer); if (strncmp(buf, "SADDR=", 6) == 0) { // We have SOCKADDR record. It has no other values. // Handle it by itself. @@ -420,23 +429,25 @@ val = ptr; ptr = strchr(val, '}'); if (ptr) { - n.name = strdup("saddr"); - n.val = strdup(val); - nvlist_append(&il, &n); + // Just change the case + n.name = strcpy(buf, "saddr"); + n.val = val; + if (nvlist_append(&il, &n)) + goto err_out; nvlist_interp_fixup(&il); - free(buf); return 1; } } +err_out: free(buf); + il.record = NULL; + il.cnt = NEVER_LOADED; return 0; } else { // We handle everything else in this branch ptr = audit_strsplit_r(buf, &saved); - if (ptr == NULL) { - free(buf); - return 0; - } + if (ptr == NULL) + goto err_out; do { char tmp; @@ -447,7 +458,7 @@ val++; } else // Malformed - skip continue; - n.name = strdup(ptr); + n.name = ptr; char *c = n.name; while (*c) { *c = tolower(*c); @@ -460,14 +471,19 @@ } else tmp = 0; - n.val = strdup(val); - nvlist_append(&il, &n); + n.val = val; + if (nvlist_append(&il, &n)) + continue; // assuming we loaded something nvlist_interp_fixup(&il); if (ptr) *ptr = tmp; - } while((ptr = audit_strsplit_r(NULL, &saved))); + } while ((ptr = audit_strsplit_r(NULL, &saved))); } - free(buf); + + // If for some reason it was useless, delete buf + if (il.cnt == 0) + goto err_out; + return 1; } @@ -478,6 +494,9 @@ { nvnode *n; + if (il.cnt == NEVER_LOADED) + return NULL; + nvlist_first(&il); if (nvlist_find_name(&il, name)) { n = nvlist_get_cur(&il); 
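Review bot: `il.record = buf = strdup(buffer)` is not checked, and because `il.cnt` is set to 0 just before it, an allocation failure leaves the list marked loaded-but-empty while `strncmp(buf, "SADDR=", 6)` dereferences NULL on the next line. Add `if (buf == NULL) { il.cnt = NEVER_LOADED; return 0; }` right after the strdup. In the SADDR branch, `n.name = strcpy(buf, "saddr")` only works because "SADDR=" is six bytes and the five-character name plus its terminator fit in front of `val`; a comment such as `// "SADDR=" is 6 bytes, so "saddr\0" fits in place` would make that dependency visible.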
@@ -494,7 +513,20 @@ void free_interpretation_list(void) { - nvlist_clear(&il); + if (il.cnt != NEVER_LOADED) { + nvlist_clear(&il, 0); + il.cnt = NEVER_LOADED; + } +} + +// This uses a sentinel to determine if the list has ever been loaded. +// If never loaded, returns 0. Otherwise it returns 1 higher than how +// many interpretations are loaded. +unsigned int interpretation_list_cnt(void) +{ + if (il.cnt == NEVER_LOADED) + return 0; + return il.cnt+1; } //////////// Start Field Value Interpretations ///////////// @@ -560,7 +592,7 @@ return buf; } -void aulookup_destroy_uid_list(void) +void lookup_destroy_uid_list(void) { if (uid_cache_created == 0) return; @@ -624,6 +656,18 @@ gid_cache_created = 0; } +void _auparse_flush_caches(void) +{ + if (uid_cache_created) { + destroy_lru(uid_cache); + uid_cache_created = 0; + } + if (gid_cache_created) { + destroy_lru(gid_cache); + gid_cache_created = 0; + } +} + static const char *print_uid(const char *val, unsigned int base) { int uid; @@ -799,6 +843,9 @@ { char *out; + if (val == NULL) + return strdup(" "); + if (*val == '"') { char *term; val++; 
@@ -828,6 +875,65 @@ return strdup(val); // Something is wrong with string, just send as is } +// This code is loosely based on glibc-2.27 realpath. +static char working[PATH_MAX]; +static char *path_norm(const char *name) +{ + char *rpath, *dest; + const char *start, *end, *rpath_limit; + int old_errno = errno; + + errno = EINVAL; + if (name == NULL) + return NULL; + if (name[0] == 0) + return NULL; + errno = old_errno; + + // If not absolute, give it back as is + if (name[0] == '.') + return strdup(name); + + rpath = working; + dest = rpath + 1; + rpath_limit = rpath + PATH_MAX; + + for (start = name; *start; start = end) { + // Remove duplicate '/' + while (*start == '/') + ++start; + + // Find end of path component + for (end = start; *end && *end != '/'; ++end) + ; //empty + + // if it ends with a slash, we're done + if (end - start == 0) + break; + else if (end - start == 1 && start[0] == '.') + ; //empty + else if (end - start == 2 && start[0] == '.' && + start[1] == '.') { + // Back up to previous component, ignore if root + if (dest > rpath + 1) + while ((--dest)[-1] != '/'); + } else { + if (dest[-1] != '/') + *dest++ = '/'; + + // If it will overflow, chop it at last component + if (dest + (end - start) >= rpath_limit) { + *dest = 0; + break; + } + // Otherwise copy next component + dest = mempcpy (dest, start, end - start); + *dest = 0; + } + } + return strdup(working); +} + static const char *print_escaped_ext(const idata *id) { if (id->cwd) { @@ -850,9 +956,8 @@ str2 = NULL; str1 = NULL; } - errno = 0; - out = realpath(str3, NULL); - if (errno) { // If there's an error, just return the original + out = path_norm(str3); + if (!out) { // If there's an error, just return the original free(str1); free(str2); return str3; 
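Review bot: `path_norm` never writes `working[0]`: `dest` starts at `rpath + 1` and the first component is emitted after a '/' stored at `dest`, so on the first call the static buffer still begins with a NUL and `strdup(working)` returns an empty string, and the `..` handling relies on `rpath[0] == '/'` as a sentinel (`while ((--dest)[-1] != '/');`) and would otherwise walk off the front of the buffer. Unless a line was lost in this rendering, add `rpath[0] = '/';` after `rpath = working;`, as the glibc realpath it is modelled on does. The `// If not absolute, give it back as is` check only tests for a leading '.', so a name like `foo/../bar` is rebuilt with a leading '/'; `if (name[0] != '/')` is the test the comment describes. The static `working` buffer also makes this non-reentrant in a library that otherwise keeps state in `auparse_state_t`, which deserves a comment at minimum.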
@@ -1123,13 +1228,19 @@ // Now print address for some families switch (saddr->sa_family) { case AF_LOCAL: - { + if (slen < 4) { + rc = asprintf(&out, + "{ saddr_fam=%s sockaddr len too short }", + str); + break; + } else { const struct sockaddr_un *un = (const struct sockaddr_un *)saddr; + if (un->sun_path[0]) rc = asprintf(&out, - "{ saddr_fam=%s path=%s }", str, - un->sun_path); + "{ saddr_fam=%s path=%.108s }", + str, un->sun_path); else // abstract name rc = asprintf(&out, "{ saddr_fam=%s path=%.108s }", @@ -1171,6 +1282,7 @@ x->sax25_call.ax25_call[6]); } break; +#ifdef HAVE_IPX_HEADERS case AF_IPX: { const struct sockaddr_ipx *ip = @@ -1180,6 +1292,7 @@ str, ip->sipx_port, ip->sipx_network); } break; +#endif case AF_ATMPVC: { const struct sockaddr_atmpvc* at = @@ -1218,11 +1331,16 @@ str); break; case AF_NETLINK: - { + if (slen < sizeof(struct sockaddr_nl)) { + rc = asprintf(&out, + "{ saddr_fam=%s len too short }", + str); + break; + } else { const struct sockaddr_nl *n = (const struct sockaddr_nl *)saddr; rc = asprintf(&out, - "{ saddr_fam=%s nlnk-fam=%u nlnk-pid=%u }", + "{ saddr_fam=%s nlnk-fam=%u nlnk-pid=%u }", str, n->nl_family, n->nl_pid); } break; @@ -1242,7 +1360,7 @@ { int flags, cnt = 0; size_t i; - char *out, buf[80]; + char *out, buf[sizeof(flag_strings)+FLAG_NUM_ENTRIES+1]; errno = 0; flags = strtoul(val, NULL, 16); @@ -1377,7 +1495,7 @@ size_t i; unsigned int flags; int cnt = 0; - char *out, buf[sizeof(open_flag_strings)+8]; + char *out, buf[sizeof(open_flag_strings)+OPEN_FLAG_NUM_ENTRIES+1]; errno = 0; flags = strtoul(val, NULL, 16); @@ -1414,8 +1532,8 @@ static const char *print_clone_flags(const char *val) { unsigned int flags, i, clone_sig; - int cnt = 0; - char *out, buf[sizeof(clone_flag_strings)+16];// + 10 for signal name + int cnt = 0; // + 10 for signal name + char *out, buf[sizeof(clone_flag_strings)+CLONE_FLAG_NUM_ENTRIES+10]; errno = 0; flags = strtoul(val, NULL, 16); 
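Review bot: in the `AF_LOCAL` case the new `%.108s` precision is the size of `sun_path`, not the amount of data actually decoded, so a path that is not NUL-terminated within `slen` bytes is still read up to 108 bytes past the decoded address (assuming the buffer behind `saddr` is only `slen` bytes long, which is not visible here). The `AF_NETLINK` branch in the same hunk bounds on `slen`, so the two are inconsistent. I would compute the precision, `"{ saddr_fam=%s path=%.*s }", str, (int)(slen - offsetof(struct sockaddr_un, sun_path)), un->sun_path` (`offsetof` from `<stddef.h>`, one less for the abstract branch that skips the leading NUL), and spell the length check as `slen <= offsetof(struct sockaddr_un, sun_path)` so it says what it means.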
@@ -1524,7 +1642,7 @@ { unsigned int prot, i, limit; int cnt = 0; - char buf[144]; + char buf[sizeof(prot_strings)+PROT_NUM_ENTRIES+1]; char *out; errno = 0; @@ -1566,7 +1684,7 @@ { unsigned int maps, i; int cnt = 0; - char buf[sizeof(mmap_strings)+8]; + char buf[sizeof(mmap_strings)+MMAP_NUM_ENTRIES+1]; char *out; errno = 0; @@ -1677,7 +1795,7 @@ { unsigned int mounts, i; int cnt = 0; - char buf[sizeof(mount_strings)+8]; + char buf[sizeof(mount_strings)+MOUNT_NUM_ENTRIES+1]; char *out; errno = 0; @@ -1732,7 +1850,7 @@ { unsigned int rec, i; int cnt = 0; - char buf[sizeof(recv_strings)+8]; + char buf[sizeof(recv_strings)+RECV_NUM_ENTRIES+1]; char *out; errno = 0; @@ -1764,7 +1882,7 @@ static const char *print_access(const char *val) { unsigned long mode; - char buf[16]; + char buf[sizeof(access_strings)+ACCESS_NUM_ENTRIES+1]; unsigned int i, cnt = 0; errno = 0; @@ -1801,7 +1919,16 @@ { char *out; - if (strcmp(val, "-100") == 0) { + errno = 0; + uint32_t i = strtoul(val, NULL, 16); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + if (i == 0xffffff9c) { if (asprintf(&out, "AT_FDCWD") < 0) out = NULL; } else { @@ -2011,7 +2138,7 @@ { unsigned int flags, partial, i; int cnt = 0; - char *out, buf[sizeof(shm_mode_strings)+sizeof(ipccmd_strings)+8]; + char *out, buf[sizeof(shm_mode_strings)+sizeof(ipccmd_strings)+SHM_MODE_NUM_ENTRIES+IPCCMD_NUM_ENTRIES+1]; errno = 0; flags = strtoul(val, NULL, 16); @@ -2092,7 +2219,7 @@ { unsigned int flags, i; int cnt = 0; - char buf[sizeof(umount_strings)+8]; + char buf[sizeof(umount_strings)+UMOUNT_NUM_ENTRIES+1]; char *out; errno = 0; 
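Review bot: in `print_dirfd` the error branch declares a second `char *out` that shadows the one at function scope; drop the inner declaration and use the outer variable (`-Wshadow` flags this). The conversion uses `strtoul` without an end pointer, so a value with a sign or trailing junk such as `-64x` still parses and is silently truncated to `uint32_t`; if only hex digits are expected, `char *end; ... if (errno || end == val || *end)` would reject the rest. A one-line comment that `0xffffff9c` is `AT_FDCWD` (-100) as a 32-bit unsigned value would save the next reader a lookup.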
@@ -2211,6 +2338,40 @@ return strdup(str); } +static const char *print_openat2_resolve(const char *val) +{ + size_t i; + unsigned long long resolve; + int cnt = 0; + char *out, buf[sizeof(openat2_resolve_strings)+8]; + + errno = 0; + resolve = strtoull(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + buf[0] = 0; + for (i=0; ia1 & O_CREAT)) return print_mode_short(val, 16); + if (strcmp(sys, "open_by_handle_at") == 0) + return print_open_flags(val); } else if (*sys == 'f') { if (strcmp(sys, "fchmodat") == 0) return print_mode_short(val, 16); - else if (strcmp(sys, "faccessat") == 0) + else if (strncmp(sys, "faccessat", 9) == 0) return print_access(val); } else if (*sys == 's') { if (strcmp(sys, "setresuid") == 0) @@ -2456,11 +2619,18 @@ return print_recv(val); else if (strcmp(sys, "readlinkat") == 0) return print_dirfd(val); + else if (strncmp(sys, "renameat", 8) == 0) + return print_dirfd(val); } else if (*sys == 'l') { if (strcmp(sys, "linkat") == 0) return print_dirfd(val); else if (strcmp(sys, "lseek") == 0) return print_seek(val); + } else if (*sys == 'c') { + if (strcmp(sys, "clone") == 0) + return print_clone_flags(val); + else if (strcmp(sys, "clone2") == 0) + return print_clone_flags(val); } else if (strstr(sys, "chown")) return print_gid(val, 16); @@ -2843,6 +3013,31 @@ return out; } +static const char *nlmcgrp[2]= { "audit-none", "audit-netlink-multicast" }; +static const char *print_nlmcgrp(const char *val) +{ + unsigned long nl; + + errno = 0; + nl = strtoul(val, NULL, 16); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + switch (nl) + { + default: + return strdup(nlmcgrp[0]); +#ifdef AUDIT_NLGRP_MAX + case AUDIT_NLGRP_READLOG: + return strdup(nlmcgrp[1]); +#endif + } +} + int lookup_type(const char *name) { int i; 
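Review bot: `print_openat2_resolve` sizes its scratch buffer as `sizeof(openat2_resolve_strings)+8`, the fixed slack that the hunks just above replace with `+<TABLE>_NUM_ENTRIES+1` in `print_flags`, `print_open_flags`, `print_prot` and the others, because one separator per set bit can exceed 8 bytes when every flag is set. Use the entry-count macro that `openat2-resolvetabs.h` generates for this table, by analogy with `OPEN_FLAG_NUM_ENTRIES`, in the same `sizeof(table)+COUNT+1` form. The loop body in the middle of this function is lost in this rendering, so I cannot check the separator handling itself.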
@@ -2854,11 +3049,11 @@ /* * This is the main entry point for the auparse library. Call chain is: - * auparse_interpret_field -> nvlist_interp_cur_val -> interpret + * auparse_interpret_field -> nvlist_interp_cur_val -> do_interpret */ -const char *interpret(const rnode *r, auparse_esc_t escape_mode) +const char *do_interpret(rnode *r, auparse_esc_t escape_mode) { - const nvlist *nv = &r->nv; + nvlist *nv = &r->nv; int type; idata id; nvnode *n; @@ -2946,10 +3141,11 @@ const char *out; // Check the interpretations list first - if (il.head) { + if (interpretation_list_cnt()) { nvlist_first(&il); if (nvlist_find_name(&il, id->name)) { - const char *val = il.cur->interp_val; + nvnode* node = &il.array[il.cur]; + const char *val = node->interp_val; if (val) { // If we don't know what it is when auditd @@ -3083,6 +3279,12 @@ case AUPARSE_TYPE_FANOTIFY: out = print_fanotify(id->val); break; + case AUPARSE_TYPE_NLMCGRP: + out = print_nlmcgrp(id->val); + break; + case AUPARSE_TYPE_RESOLVE: + out = print_openat2_resolve(id->val); + break; case AUPARSE_TYPE_MAC_LABEL: case AUPARSE_TYPE_UNCLASSIFIED: default: diff -Nru audit-3.0/auparse/interpret.h audit-3.0.7/auparse/interpret.h --- audit-3.0/auparse/interpret.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/interpret.h 2022-01-23 19:36:56.000000000 +0000 
@@ -34,9 +34,10 @@ void init_interpretation_list(void); int load_interpretation_list(const char *buf); void free_interpretation_list(void); +unsigned int interpretation_list_cnt(void); int lookup_type(const char *name); -const char *interpret(const rnode *r, auparse_esc_t escape_mode); -void aulookup_destroy_uid_list(void); +const char *do_interpret(rnode *r, auparse_esc_t escape_mode); +void lookup_destroy_uid_list(void); void aulookup_destroy_gid_list(void); char *au_unescape(char *buf); diff -Nru audit-3.0/auparse/normalize-internal.h audit-3.0.7/auparse/normalize-internal.h --- audit-3.0/auparse/normalize-internal.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize-internal.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * normalize-internal.h - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -71,6 +71,8 @@ #define NORM_SYSTEM_MEMORY 35 #define NORM_SCHEDULER 36 #define NORM_AV 37 +#define NORM_BPF 38 +#define NORM_EV_LISTEN 39 // This enum is used to map what the system objects are #define NORM_WHAT_UNKNOWN 0 @@ -118,5 +120,6 @@ #define NORM_EVTYPE_DAC_DECISION 16 #define NORM_EVTYPE_GROUP_CHANGE 17 #define NORM_EVTYPE_AV_DECISION 18 +#define NORM_EVTYPE_BPF 19 #endif diff -Nru audit-3.0/auparse/normalize.c audit-3.0.7/auparse/normalize.c --- audit-3.0/auparse/normalize.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* normalize.c -- - * Copyright 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2016-18,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -53,6 +53,7 @@ #define D au->norm_data static int syscall_success; +static value_t find_simple_object(auparse_state_t *au, int type); void init_normalizer(normalize_data *d) { 
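Review bot: The interpret.h hunk renames `aulookup_destroy_uid_list` to `lookup_destroy_uid_list` while the line right after it keeps `aulookup_destroy_gid_list`, so the two cleanup twins now follow different naming schemes. If the rename is intentional the gid declaration should follow, `void lookup_destroy_gid_list(void);` together with its definition and callers; if not, restore the `au` prefix. A one-line comment over the pair saying that they release the uid/gid caches would also help, since the header otherwise gives no hint why there are two.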
@@ -99,6 +100,16 @@ syscall_success = -1; } +static void set_system_subject_what(auparse_state_t *au) +{ + D.actor.what = strdup("system"); +} + +static void set_unknown_subject_what(auparse_state_t *au) +{ + D.actor.what = strdup("unknown-acct"); +} + static unsigned int set_subject_what(auparse_state_t *au) { int uid = NORM_ACCT_UNSET - 1; @@ -118,6 +129,7 @@ } } } + set_unknown_subject_what(au); return 1; } @@ -131,7 +143,7 @@ else if (uid < NORM_ACCT_MAX_USER) D.actor.what = strdup("user-acct"); else - D.actor.what = strdup("unknown-acct"); + set_unknown_subject_what(au); return 0; } @@ -334,9 +346,11 @@ if ((strcmp(str, "unset") == 0) && errno == 0) { // Only move it if its safe to if (cnt < limit) { - auparse_next_field(au); + if (auparse_next_field(au) == 0) + return; cnt++; - } + } else + return; } else break; } @@ -494,7 +508,23 @@ static int set_program_obj(auparse_state_t *au) { auparse_first_record(au); - if (auparse_find_field(au, "exe")) { + int type = auparse_get_type(au); + + if (type == AUDIT_BPF) { + if (auparse_find_field(au, "prog-id")) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + } else if (type == AUDIT_EVENT_LISTENER) { + if (auparse_find_field(au, "nl-mcgrp")) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + } else if (auparse_find_field(au, "exe")) { const char *exe = auparse_interpret_field(au); if ((strncmp(exe, "/usr/bin/python", 15) == 0) || (strncmp(exe, "/usr/bin/sh", 11) == 0) || @@ -515,6 +545,7 @@ auparse_get_field_num(au)); return 0; } + return 1; } 
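Review bot: `set_system_subject_what` and `set_unknown_subject_what` assign `D.actor.what = strdup(...)` without releasing a value that may already be there, and the daemon path later in this patch has to do `free((void *)D.actor.what)` by hand before its own strdup, which indicates the field can be populated before these helpers run; set_subject_what now calls the unknown helper on a path that previously left the field untouched. Free inside the helpers, `free((void *)D.actor.what); D.actor.what = strdup("system");`, so every caller gets the same lifetime handling, and then check whether the AVC and NETFILTER_CFG callers added elsewhere in this patch leak the previous value today. Whether the field is guaranteed NULL at those call sites cannot be confirmed from this hunk.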
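Review bot: set_program_obj now ends in `return 1;`, but the new AUDIT_BPF and AUDIT_EVENT_LISTENER branches fall out of the if/else chain after recording the object, so they report failure on success while the `exe` branch still returns 0 for the same outcome. Either `return 0;` inside the two new branches once the field has been found, or document that the return value only reflects the exe lookup. The callers added in this patch discard the result, so this is currently harmless but misleading; the exe branch's own `return 0` sits in the following hunk.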
@@ -559,8 +590,19 @@ objtype = NORM_MAC_CONFIG; break; } else if (ttype == AUDIT_FANOTIFY) { + // We want to go ahead with syscall to get objects tmp_objkind = NORM_AV; break; + } else if (ttype == AUDIT_TIME_INJOFFSET || + ttype == AUDIT_TIME_ADJNTPVAL) { + objtype = NORM_SYSTEM_TIME; + break; + } else if (ttype == AUDIT_BPF) { + objtype = NORM_BPF; + break; + } else if (ttype == AUDIT_EVENT_LISTENER) { + objtype = NORM_EV_LISTEN; + break; } rc = auparse_next_record(au); } @@ -606,7 +648,7 @@ break; case NORM_FILE_LDMOD: act = "loaded-kernel-module"; - D.thing.what = NORM_WHAT_FILE; + D.thing.what = NORM_WHAT_FILE; auparse_goto_record_num(au, 1); set_prime_object(au, "name", 1);// FIXME:is this needed? break; @@ -847,6 +889,34 @@ D.how = strdup(syscall); } break; + case NORM_BPF: + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "LOAD") == 0) + act = "loaded-bpf-program"; + else + act = "unloaded-bpf-program"; + } else + act = "bpf-program"; + D.thing.what = NORM_WHAT_PROCESS; + set_program_obj(au); + break; + case NORM_EV_LISTEN: + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "connect") == 0) + act = "connected-to"; + else + act = "disconnected-from"; + } else + act = "connected"; + D.thing.what = NORM_WHAT_SOCKET; + set_program_obj(au); + break; default: { const char *k; @@ -871,7 +941,7 @@ act = "accessed-mac-policy-controlled-object"; else if (tmp_objkind == NORM_AV) act = "accessed-policy-controlled-file"; - + if (act) D.action = strdup(act); @@ -908,7 +978,9 @@ case AUDIT_USYS_CONFIG: case AUDIT_CONFIG_CHANGE: case AUDIT_NETFILTER_CFG: - case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE: + case AUDIT_FEATURE_CHANGE: + case AUDIT_TIME_INJOFFSET: + case AUDIT_TIME_ADJNTPVAL: case AUDIT_USER_DEVICE: case AUDIT_SOFTWARE_UPDATE: kind = NORM_EVTYPE_CONFIG; 
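Review bot: Replacing `case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE:` with three explicit cases drops AUDIT_REPLACE from the NORM_EVTYPE_CONFIG group, so such records now reach the `default` arm of this switch and are classified NORM_EVTYPE_UNKNOWN; neither the changelog nor the commented-out `//_S(AUDIT_REPLACE,"")` entry in normalize_record_map.h says this was intended. If the classification should stay, add `case AUDIT_REPLACE:` next to `case AUDIT_FEATURE_CHANGE:`; if the drop is deliberate, a comment on the case list saying so will stop the next reader from restoring it. The enclosing switch starts and ends outside the hunk.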
@@ -925,6 +997,7 @@ case AUDIT_TTY: kind = NORM_EVTYPE_TTY; break; + case AUDIT_EVENT_LISTENER: case AUDIT_FIRST_DAEMON ... AUDIT_LAST_DAEMON: kind = NORM_EVTYPE_AUDIT_DAEMON; break; @@ -969,6 +1042,9 @@ case AUDIT_FANOTIFY: kind = NORM_EVTYPE_AV_DECISION; break; + case AUDIT_BPF: + kind = NORM_EVTYPE_BPF; + break; default: kind = NORM_EVTYPE_UNKNOWN; } @@ -976,6 +1052,44 @@ return evtype_i2s(kind); } +const char *find_config_change_object(auparse_state_t *au) +{ + const char *f; + + // Check if its an audit rule + auparse_first_record(au); + f = auparse_find_field(au, "key"); + if (f) { + const char *str = auparse_get_field_str(au); + if (str && strcmp(str, "(null)")) + return f; + } + + // Next lets find the individual objects being set + auparse_first_record(au); + f = auparse_find_field(au, "audit_enabled"); + if (f) + return f; + auparse_first_record(au); + f = auparse_find_field(au, "audit_pid"); + if (f) + return f; + auparse_first_record(au); + f = auparse_find_field(au, "audit_backlog_limit"); + if (f) + return f; + auparse_first_record(au); + f = auparse_find_field(au, "audit_failure"); + if (f) + return f; + auparse_first_record(au); + f = auparse_find_field(au, "actions"); // seccomp-logging + if (f) + return f; + + return NULL; +} + static int normalize_compound(auparse_state_t *au) { const char *f, *syscall = NULL; 
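Review bot: `find_config_change_object` is defined without `static` and the hunk adds no prototype for it, so it becomes a new external symbol of libauparse unless a version script hides it, and it trips `-Wmissing-prototypes`, while the sibling helper this patch adds, `find_simple_object`, is forward-declared `static`. Make it `static const char *find_config_change_object(auparse_state_t *au)`; its only visible caller is in this file. The `strcmp(str, "(null)")` test also deserves a comment such as `// a rule without a key is rendered as "(null)"; fall through to the audit_* settings`, since the literal is otherwise unexplained.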
@@ -983,20 +1097,20 @@ otype = type = auparse_get_type(au); - // All compound events have a syscall record - // Some start with a record type and follow with a syscall - if (type == AUDIT_NETFILTER_CFG || type == AUDIT_ANOM_PROMISCUOUS || - type == AUDIT_AVC || type == AUDIT_SELINUX_ERR || - type == AUDIT_MAC_POLICY_LOAD || type == AUDIT_MAC_STATUS || - type == AUDIT_MAC_CONFIG_CHANGE || type == AUDIT_FANOTIFY) { - auparse_next_record(au); - type = auparse_get_type(au); - } else if (type == AUDIT_ANOM_LINK) { - auparse_next_record(au); - auparse_next_record(au); - type = auparse_get_type(au); + // All compound events have a syscall record, find it + if (type != AUDIT_SYSCALL) { + do { + // If we go off the end without finding a syscall + // record, don't parse corrupt events + if (auparse_next_record(au) < 0) + return 1; + type = auparse_get_type(au); + } while (type && type != AUDIT_SYSCALL); } + if (!type) + return 1; + // Determine the kind of event using original event type D.evkind = normalize_determine_evkind(otype); @@ -1104,6 +1218,21 @@ if (act) D.action = strdup(act); // FIXME: AUDIT_ANOM_LINK needs an object + } else if (otype == AUDIT_CONFIG_CHANGE) { + const char *f; + + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + value_t o; + + // Fix the action + D.action = strdup(auparse_interpret_field(au)); + + // Next fix the object + o = find_simple_object(au, AUDIT_CONFIG_CHANGE); + D.thing.primary = o; + } } else normalize_syscall(au, syscall); } 
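Review bot: In the new record-scanning loop only a negative return from `auparse_next_record` aborts, so reaching the end of the event is caught only indirectly, through `auparse_get_type` yielding 0 once the cursor has run off the last record. `if (auparse_next_record(au) <= 0) return 1;` makes the bail-out explicit for both the error and the end-of-event case and stops the loop from depending on that side effect, with the trailing `if (!type) return 1;` left as a belt-and-braces check. Whether `auparse_next_record` really returns 0 at the end rather than staying on the last record cannot be confirmed from this hunk, so check auparse.c before relying on `type` going to 0 for corrupt events.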
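Review bot: The new AUDIT_CONFIG_CHANGE branch does `D.action = strdup(auparse_interpret_field(au))` without checking the interpretation result, and `strdup` on a NULL from `auparse_interpret_field` (which can fail) is undefined behaviour; the comment `// Fix the action` also implies D.action may already hold a value that is then overwritten without being freed. Guard it: `const char *a = auparse_interpret_field(au); free((void *)D.action); D.action = a ? strdup(a) : NULL;`. If D.action is known to be NULL on this path the free can go, but say so in the comment.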
@@ -1210,25 +1339,7 @@ D.thing.what = NORM_WHAT_PRINTER; break; case AUDIT_CONFIG_CHANGE: - f = auparse_find_field(au, "key"); - if (f == NULL) { - auparse_first_record(au); - f = auparse_find_field(au, "audit_enabled"); - if (f == NULL) { - auparse_first_record(au); - f = auparse_find_field(au, "audit_pid"); - if (f == NULL) { - auparse_first_record(au); - f = auparse_find_field(au, - "audit_backlog_limit"); - if (f == NULL) { - auparse_first_record(au); - f = auparse_find_field(au, - "audit_failure"); - } - } - } - } + f = find_config_change_object(au); D.thing.what = NORM_WHAT_AUDIT_CONFIG; break; case AUDIT_MAC_CONFIG_CHANGE: @@ -1363,10 +1474,6 @@ const char *f, *act = NULL; int type = auparse_get_type(au); - // netfilter_cfg sometimes emits 1 record events - if (type == AUDIT_NETFILTER_CFG) - return 1; - // Some older OS do not have PROCTITLE records if (type == AUDIT_SYSCALL) return normalize_compound(au); @@ -1377,7 +1484,8 @@ // This is for events that follow: // auid, (op), (uid), stuff if (type == AUDIT_CONFIG_CHANGE || type == AUDIT_FEATURE_CHANGE || - type == AUDIT_SECCOMP || type == AUDIT_ANOM_ABEND) { + type == AUDIT_SECCOMP || type == AUDIT_ANOM_ABEND || + type == AUDIT_ANOM_PROMISCUOUS) { // Subject - primary set_prime_subject(au, "auid", 0); @@ -1483,6 +1591,13 @@ D.how = strdup(sig); } } + if (type == AUDIT_ANOM_PROMISCUOUS) { + auparse_first_field(au); + set_prime_object(au, "dev", 0); + set_secondary_subject(au, "uid", 0); + + D.thing.what = NORM_WHAT_SOCKET; + } // Results set_results(au, 0); 
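Review bot: For AUDIT_ANOM_PROMISCUOUS the hunk records only `dev` as the object, so the normalized "changed-socket-promiscuous-mode" cannot say whether promiscuous mode was switched on or off, which is the detail an analyst needs from this record. Capture the new mode as the how, e.g. after `set_secondary_subject`: `auparse_first_field(au); if (auparse_find_field(au, "prom")) D.how = strdup(auparse_interpret_field(au));`, assuming the record carries `prom=`/`old_prom=` fields as the kernel's promiscuous-mode record does and D.how is unset on this path. `NORM_WHAT_SOCKET` for a network interface is also a loose fit and deserves a comment. The enclosing `if` for auid/op/uid events starts outside the hunk.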
@@ -1524,6 +1639,29 @@ return 0; } + // NETFILTER_CFG is atypical + if (type == AUDIT_NETFILTER_CFG) { + // Subject attrs + collect_simple_subj_attr(au); + // how + f = auparse_find_field(au, "comm"); + if (f) { + const char *sig = auparse_interpret_field(au); + D.how = strdup(sig); + } + D.action = strdup("loaded-firewall-rule-to"); + auparse_first_record(au); + f = auparse_find_field(au, "table"); + if (f) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + set_system_subject_what(au); + D.thing.what = NORM_WHAT_FIREWALL; + return 0; + } /* This one is also atypical and comes from the kernel */ if (type == AUDIT_AVC) { // how @@ -1535,28 +1673,41 @@ auparse_first_record(au); // Subject - if (set_prime_subject(au, "scontext", 0)) - auparse_first_record(au); + set_prime_subject(au, "scontext", 0); + set_unknown_subject_what(au); + auparse_first_record(au); // Object if (D.opt == NORM_OPT_ALL) { // We will only collect this when everything is asked // for because it messes up text format otherwise - if (set_prime_object(au, "tcontext", 0)) - auparse_first_record(au); + set_prime_object(au, "tcontext", 0); + auparse_first_record(au); } + // Ideally we would choose tclass + D.thing.what = NORM_WHAT_UNKNOWN; + // action act = normalize_record_map_i2s(type); if (act) D.action = strdup(act); + // find the denial + auparse_first_record(au); + f = auparse_find_field(au, "seresult"); + if (f) { + D.results = set_record(0, 0); + D.results = set_field(D.results, + auparse_get_field_num(au)); + } + // This is slim pickings without a syscall record return 0; } /* Daemon events are atypical because they never transit the kernel */ - if (type >= AUDIT_FIRST_DAEMON && + if (type >= AUDIT_FIRST_DAEMON && type < AUDIT_LAST_DAEMON) { // Subject - primary set_prime_subject(au, "auid", 0); 
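Review bot: The NETFILTER_CFG branch hard-codes `D.action = strdup("loaded-firewall-rule-to")`, which misreports records where the kernel logs a table being unregistered or replaced; if the record carries an `op=` field, as newer kernels emit, map it (`f = auparse_find_field(au, "op")` and derive the action from its value, defaulting to the current string when absent). The variable holding `comm` is named `sig`, a leftover from the ANOM_ABEND block above, and `auparse_find_field(au, "comm")` runs without `auparse_first_record(au)` while the `table` lookup two lines later does reset. `collect_simple_subj_attr(au)` runs before `set_system_subject_what(au)` overwrites `D.actor.what`; confirm the earlier value is not leaked, given the explicit free the daemon path needs.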
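Review bot: In the AVC branch the seresult denial is attached with `D.results = set_record(0, 0)`, hard-coding record 0, whereas the NETFILTER_CFG branch above uses `set_record(0, auparse_get_record_num(au))`; both work for a single-record event, but the same literal is copied into the USER_AVC path later in this patch, so using `auparse_get_record_num(au)` everywhere keeps the index right if these paths ever see a compound event. The return values of `set_prime_subject` and `set_prime_object` are now discarded and the `auparse_first_record(au)` after each is unconditional; a comment saying the reset is deliberate would explain the change. `D.thing.what = NORM_WHAT_UNKNOWN` under `// Ideally we would choose tclass` reads as a TODO and should be marked as one.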
@@ -1571,6 +1722,8 @@ // Subject attrs collect_simple_subj_attr(au); + free((void *)D.actor.what); + D.actor.what = strdup("auditd"); // action act = normalize_record_map_i2s(type); @@ -1580,8 +1733,80 @@ // Object type D.thing.what = NORM_WHAT_SERVICE; + // How start:init, everything else:signal + if (type == AUDIT_DAEMON_START) + D.how = strdup("init"); + else if (type < AUDIT_DAEMON_ACCEPT && type != AUDIT_DAEMON_ABORT) + D.how = strdup("signal"); + + // Results + set_results(au, 0); + return 0; + } + + // BPF events are atypical + if (type == AUDIT_BPF) { + set_system_subject_what(au); + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "LOAD") == 0) + act = "loaded-bpf-program"; + else + act = "unloaded-bpf-program"; + } else + act = "bpf-program"; + + D.action = strdup(act); + D.thing.what = NORM_WHAT_PROCESS; + set_program_obj(au); + return 0; + } + + // LISTENER events are atypical + if (type == AUDIT_EVENT_LISTENER) { + // Subject - primary + set_prime_subject(au, "auid", 0); + + // Secondary - optional + auparse_first_record(au); + set_secondary_subject(au, "uid", 0); + + // Session + auparse_first_record(au); + add_session(au, 0); + + // Subject attrs + collect_simple_subj_attr(au); + + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "connect") == 0) + act = "connected-to"; + else + act = "disconnected-from"; + } else + act = "connected"; + D.action = strdup(act); + + set_program_obj(au); + D.thing.what = NORM_WHAT_SOCKET; + + // How + auparse_first_record(au); + f = auparse_find_field(au, "exe"); + if (f) { + const char *exe = auparse_interpret_field(au); + D.how = strdup(exe); + } + // Results + auparse_first_record(au); set_results(au, 0); + return 0; } 
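Review bot: The `op` to action mapping for AUDIT_BPF ("LOAD" to loaded-bpf-program, anything else to unloaded-bpf-program) and for AUDIT_EVENT_LISTENER ("connect" to connected-to, anything else to disconnected-from, "connected" when op is absent) is written out twice in this patch, here in normalize_simple and again in the NORM_BPF/NORM_EV_LISTEN cases of normalize_syscall, so the two copies can drift. Pull it into one static helper; the result of `auparse_get_field_str` should also be NULL-checked before strcmp. Note that an unexpected op value is reported as an unload or disconnect rather than as unknown, and that the listener branch discards set_program_obj's return value.
```c
/* Map the op= field of a BPF or EVENT_LISTENER record to a normalized action. */
static const char *op_to_action(auparse_state_t *au, int type)
{
	const char *str;

	auparse_first_record(au);
	if (auparse_find_field(au, "op") == NULL)
		return type == AUDIT_BPF ? "bpf-program" : "connected";
	str = auparse_get_field_str(au);
	if (str == NULL)
		return type == AUDIT_BPF ? "bpf-program" : "connected";
	if (type == AUDIT_BPF)
		return strcmp(str, "LOAD") == 0 ? "loaded-bpf-program"
						 : "unloaded-bpf-program";
	return strcmp(str, "connect") == 0 ? "connected-to"
					    : "disconnected-from";
}

	/* … unchanged: BPF subject handling … */
	D.action = strdup(op_to_action(au, AUDIT_BPF));
	/* … unchanged: listener subject and session handling … */
	D.action = strdup(op_to_action(au, AUDIT_EVENT_LISTENER));
```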
@@ -1660,7 +1885,30 @@ collect_userspace_subj_attr(au, type); // Results - set_results(au, 0); + if (type != AUDIT_USER_AVC) + set_results(au, 0); + else { + // find the denial + auparse_first_record(au); + f = auparse_find_field(au, "seresult"); + if (f) { + D.results = set_record(0, 0); + D.results = set_field(D.results, + auparse_get_field_num(au)); + } + + // Subject + auparse_first_record(au); + set_prime_subject(au, "scontext", 0); + + // Object + if (D.opt == NORM_OPT_ALL) { + // We will only collect this when everything is asked + // for because it messes up text format otherwise + auparse_first_record(au); + set_prime_object(au, "tcontext", 0); + } + } // action if (type == AUDIT_USER_DEVICE) { @@ -1675,18 +1923,21 @@ D.action = strdup(act); // object - D.thing.primary = find_simple_object(au, type); - D.thing.secondary = find_simple_obj_secondary(au, type); - D.thing.two = find_simple_obj_primary2(au, type); - - // object attrs - rare on simple events - if (D.opt == NORM_OPT_ALL) { - if (type == AUDIT_USER_DEVICE) { - add_obj_attr(au, "uuid", 0); - } else if (type == AUDIT_SOFTWARE_UPDATE) { - auparse_first_record(au); - add_obj_attr(au, "key_enforce", 0); - add_obj_attr(au, "gpg_res", 0); + if (type != AUDIT_USER_AVC) { + auparse_first_record(au); + D.thing.primary = find_simple_object(au, type); + D.thing.secondary = find_simple_obj_secondary(au, type); + D.thing.two = find_simple_obj_primary2(au, type); + + // object attrs - rare on simple events + if (D.opt == NORM_OPT_ALL) { + if (type == AUDIT_USER_DEVICE) { + add_obj_attr(au, "uuid", 0); + } else if (type == AUDIT_SOFTWARE_UPDATE) { + auparse_first_record(au); + add_obj_attr(au, "key_enforce", 0); + add_obj_attr(au, "gpg_res", 0); + } } } 
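Review bot: In the USER_AVC branch `set_prime_subject(au, "scontext", 0)` runs after the common simple-event prologue, which, judging by the pattern used for the other record types in this file, has presumably already filled the primary subject from `auid`; unless set_prime_subject releases or declines to replace an existing value, the auid-derived subject is either lost or leaked. State which is intended with a comment such as `// replace the auid subject with the SELinux source context` and make sure the helper handles the overwrite. The hard-coded `set_record(0, 0)` for seresult is copied from the AVC branch; `auparse_get_record_num(au)` is the form used elsewhere in this patch. The enclosing function starts outside this hunk.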
@@ -1764,7 +2015,7 @@ if (num > 1) rc = normalize_compound(au); else - rc = normalize_simple(au); + rc = normalize_simple(au); // Reset the cursor auparse_first_record(au); diff -Nru audit-3.0/auparse/normalize_evtypetab.h audit-3.0.7/auparse/normalize_evtypetab.h --- audit-3.0/auparse/normalize_evtypetab.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize_evtypetab.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* normalize_evtypetab.h -- - * Copyright 2017 Red Hat Inc., Durham, North Carolina. + * Copyright 2017,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -41,4 +41,4 @@ _S(NORM_EVTYPE_DAC_DECISION, "dac-decision" ) _S(NORM_EVTYPE_GROUP_CHANGE, "group-change" ) _S(NORM_EVTYPE_AV_DECISION, "av-decision" ) - +_S(NORM_EVTYPE_BPF, "bpf-program" ) diff -Nru audit-3.0/auparse/normalize_obj_kind_map.h audit-3.0.7/auparse/normalize_obj_kind_map.h --- audit-3.0/auparse/normalize_obj_kind_map.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize_obj_kind_map.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * normalize_obj_kind_map.h - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or diff -Nru audit-3.0/auparse/normalize_record_map.h audit-3.0.7/auparse/normalize_record_map.h --- audit-3.0/auparse/normalize_record_map.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize_record_map.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * normalize_record_map.h - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-18,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
@@ -32,7 +32,7 @@ _S(AUDIT_CRED_DISP, "disposed-credentials") _S(AUDIT_USER_START, "started-session") _S(AUDIT_USER_END, "ended-session") -_S(AUDIT_USER_AVC, "access-permission") +_S(AUDIT_USER_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_USER_CHAUTHTOK, "changed-password") _S(AUDIT_USER_ERR, "caused-account-error") _S(AUDIT_CRED_REFR, "refreshed-credentials") @@ -84,6 +84,9 @@ //_S(AUDIT_REPLACE,"") _S(AUDIT_KERN_MODULE, "loaded-kernel-module") _S(AUDIT_FANOTIFY, "accessed-policy-controlled-file") +//_S(AUDIT_BPF, "") +//_S(AUDIT_EVENT_LISTENER, "") +//_S(AUDIT_OPENAT2, "") _S(AUDIT_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_MAC_POLICY_LOAD, "loaded-selinux-policy") _S(AUDIT_MAC_STATUS, "changed-selinux-enforcement-to") @@ -91,8 +94,10 @@ //_S(AUDIT_MAC_UNLBL_ALLOW, "") _S(AUDIT_MAC_MAP_ADD, "added-mac-network-domain-mapping-to") _S(AUDIT_MAC_MAP_DEL, "deleted-mac-network-domain-mapping-from") +_S(AUDIT_ANOM_PROMISCUOUS, "changed-socket-promiscuous-mode") _S(AUDIT_ANOM_ABEND, "crashed-program") _S(AUDIT_ANOM_LINK, "used-suspcious-link") +_S(AUDIT_ANOM_CREAT, "created-suspicious-file") //_S(AUDIT_INTEGRITY_DATA,"") //_S(AUDIT_INTEGRITY_METADATA,"") //_S(AUDIT_INTEGRITY_STATUS,"") diff -Nru audit-3.0/auparse/normalize_syscall_map.h audit-3.0.7/auparse/normalize_syscall_map.h --- audit-3.0/auparse/normalize_syscall_map.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/normalize_syscall_map.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * normalize_syscall_map.h - * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-17,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -24,6 +24,7 @@ _S(NORM_FILE_STAT, "access") _S(NORM_FILE_STAT, "faccessat") +_S(NORM_FILE_STAT, "faccessat2") _S(NORM_FILE_CHPERM, "chmod") _S(NORM_FILE_CHPERM, "fchmod") _S(NORM_FILE_CHPERM, "fchmodat") 
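Review bot: Changing `_S(AUDIT_USER_AVC, "access-permission")` to "accessed-mac-policy-controlled-object" alters a normalized action string that auparse emits to consumers, so any downstream rule or SIEM mapping keyed on "access-permission" silently stops matching; aligning it with the AUDIT_AVC entry is presumably the motivation. That is a compatibility change and deserves a changelog line (the visible 3.0.x entries do not mention it) and a comment above the entry, e.g. `// kept in sync with AUDIT_AVC; was "access-permission" before 3.0.7`.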
@@ -40,19 +41,25 @@ _S(NORM_FILE_DIR, "mkdir") _S(NORM_FILE_DIR, "mkdirat") _S(NORM_FILE_MOUNT, "mount") +_S(NORM_FILE_MOUNT, "move_mount") +_S(NORM_FILE_MOUNT, "fsmount") +_S(NORM_FILE_MOUNT, "fspick") _S(NORM_FILE_STAT, "newfstatat") _S(NORM_FILE_STAT, "stat") _S(NORM_FILE_STAT, "fstat") _S(NORM_FILE_STAT, "lstat") _S(NORM_FILE_STAT, "stat64") +_S(NORM_FILE_STAT, "statx") _S(NORM_FILE_SYS_STAT, "statfs") _S(NORM_FILE_SYS_STAT, "fstatfs") _S(NORM_FILE, "creat") _S(NORM_FILE, "fallocate") _S(NORM_FILE, "truncate") _S(NORM_FILE, "ftruncate") +_S(NORM_FILE, "memfd_create") _S(NORM_FILE, "open") _S(NORM_FILE, "openat") +_S(NORM_FILE, "openat2") _S(NORM_FILE, "readlink") _S(NORM_FILE, "readlinkat") _S(NORM_FILE_CHATTR, "removexattr") diff -Nru audit-3.0/auparse/nvlist.c audit-3.0.7/auparse/nvlist.c --- audit-3.0/auparse/nvlist.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/nvlist.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,7 +1,7 @@ /* * nvlist.c - Minimal linked list library for name-value pairs -* Copyright (c) 2006-07,2016 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2006-07,2016,2021 Red Hat Inc. +* All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
@@ -31,57 +31,42 @@ void nvlist_create(nvlist *l) { - l->head = NULL; - l->cur = NULL; - l->cnt = 0; -} - -static void nvlist_last(nvlist *l) -{ - register nvnode* node; - - if (l->head == NULL) - return; - - node = l->head; - while (node->next) - node = node->next; - l->cur = node; + if (l) { + memset(&l->array[0], 0, sizeof(nvnode) * NFIELDS); + l->cur = 0; + l->cnt = 0; + l->record = NULL; + l->end = NULL; + } } nvnode *nvlist_next(nvlist *l) { - if (l->cur) - l->cur = l->cur->next; - return l->cur; + // Since cur will be incremented, check for 1 less that total + if (l->cnt && l->cur < (l->cnt - 1)) { + l->cur++; + return &l->array[l->cur]; + } + return NULL; } -void nvlist_append(nvlist *l, nvnode *node) +// 0 on success and 1 on error +int nvlist_append(nvlist *l, nvnode *node) { - nvnode* newnode = malloc(sizeof(nvnode)); + // FIXME: on overflow switch to linked list + if (l->cnt >= NFIELDS || node->name == NULL) + return 1; + nvnode *newnode = &l->array[l->cnt]; newnode->name = node->name; newnode->val = node->val; newnode->interp_val = NULL; - newnode->item = l->cnt; - newnode->next = NULL; - - // if we are at top, fix this up - if (l->head == NULL) - l->head = newnode; - else { // Otherwise add pointer to newnode - if (l->cnt == (l->cur->item+1)) { - l->cur->next = newnode; - } - else { - nvlist_last(l); - l->cur->next = newnode; - } - } + newnode->item = l->cnt; // make newnode current - l->cur = newnode; + l->cur = l->cnt; l->cnt++; + return 0; } /* 
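Review bot: `nvlist_append` now silently refuses any field beyond NFIELDS (`if (l->cnt >= NFIELDS || node->name == NULL) return 1;`) and the FIXME says overflow is unhandled, so a record with more fields than the array holds loses its tail with no diagnostic; if EXECVE records pass through this list, a command line with enough arguments would have its later `aN=` fields dropped from what auparse and anything searching on it sees, which is a parser-evasion concern rather than just a size limit. At minimum make the drop observable, by having the parsing caller check the return and report once, or by marking the list as truncated so the library can surface it. `nvlist_create` also gained a `memset` of the whole array on every record; it is cheap, but a comment saying that `cnt` already bounds the valid entries would explain why it is still wanted.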
@@ -89,23 +74,16 @@ */ void nvlist_interp_fixup(nvlist *l) { - if (l->cur) { - l->cur->interp_val = l->cur->val; - l->cur->val = NULL; - } + nvnode* node = &l->array[l->cur]; + node->interp_val = node->val; + node->val = NULL; } nvnode *nvlist_goto_rec(nvlist *l, unsigned int i) { - register nvnode* node; - - node = l->head; /* start at the beginning */ - while (node) { - if (node->item == i) { - l->cur = node; - return node; - } else - node = node->next; + if (i <= l->cnt) { + l->cur = i; + return &l->array[l->cur]; } return NULL; } 
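Review bot: `nvlist_goto_rec` accepts `i == l->cnt` because of `if (i <= l->cnt)`, which returns a pointer to the slot just past the populated entries, and past the array itself once cnt reaches NFIELDS, where the linked-list version returned NULL for an index with no node. The condition should be `if (i < l->cnt)`. `nvlist_interp_fixup` likewise lost its emptiness check and now writes into `array[0]` of an empty list; harmless for a zeroed list, but wrapping it in `if (l->cnt)` keeps the old contract.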
@@ -115,52 +93,79 @@ */ int nvlist_find_name(nvlist *l, const char *name) { - register nvnode* node = l->cur; + unsigned int i = l->cur; + register nvnode *node; + + if (l->cnt == 0) + return 0; - while (node) { - if (strcmp(node->name, name) == 0) { - l->cur = node; + do { + node = &l->array[i]; + if (node->name && strcmp(node->name, name) == 0) { + l->cur = i; return 1; } - else - node = node->next; - } + i++; + } while (i < l->cnt); return 0; } extern int interp_adjust_type(int rtype, const char *name, const char *val); -int nvlist_get_cur_type(const rnode *r) +int nvlist_get_cur_type(rnode *r) { - const nvlist *l = &r->nv; - return auparse_interp_adjust_type(r->type, l->cur->name, l->cur->val); + nvlist *l = &r->nv; + nvnode *node = &l->array[l->cur]; + return auparse_interp_adjust_type(r->type, node->name, node->val); } -const char *nvlist_interp_cur_val(const rnode *r, auparse_esc_t escape_mode) +const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode) { - const nvlist *l = &r->nv; - if (l->cur->interp_val) - return l->cur->interp_val; - return interpret(r, escape_mode); + nvlist *l = &r->nv; + if (l->cnt == 0) + return NULL; + nvnode *node = &l->array[l->cur]; + if (node->interp_val) + return node->interp_val; + return do_interpret(r, escape_mode); } -void nvlist_clear(nvlist* l) +// This function determines if a chunk of memory is part of the parsed up +// record. If it is, do not free it since it gets free'd at the very end. 
+// NOTE: This function causes invalid-pointer-pair errors with ASAN +static inline int not_in_rec_buf(nvlist *l, const char *ptr) { - nvnode* nextnode; - register nvnode* current; + if (ptr >= l->record && ptr < l->end) + return 0; + return 1; +} - if (l->head == NULL) +// free_interp does not apply to thing coming from interpretation_list +void nvlist_clear(nvlist *l, int free_interp) +{ + unsigned int i = 0; + register nvnode *current; + + if (l->cnt == 0) return; - current = l->head; - while (current) { - nextnode=current->next; - free(current->name); - free(current->val); - free(current->interp_val); - free(current); - current=nextnode; + while (i < l->cnt) { + current = &l->array[i]; + if (free_interp) { + free(current->interp_val); + // A couple items are not in parsed up list. + // These all come from the aup_list_append path. + if (not_in_rec_buf(l, current->name)) { + // seperms & key values are strdup'ed + if (not_in_rec_buf(l, current->val)) + free(current->val); + free(current->name); + } + } + i++; } - l->head = NULL; - l->cur = NULL; + free((void *)l->record); + l->record = NULL; + l->end = NULL; + l->cur = 0; l->cnt = 0; } diff -Nru audit-3.0/auparse/nvlist.h audit-3.0.7/auparse/nvlist.h --- audit-3.0/auparse/nvlist.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/nvlist.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * nvlist.h - Header file for nvlist.c -* Copyright (c) 2006-07,2016 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-07,2016,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
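Review bot: `not_in_rec_buf` compares `ptr` relationally against `l->record` and `l->end`, which is undefined behaviour when `ptr` belongs to a different allocation, exactly the case the function exists to detect, and that is what ASAN is objecting to per the comment. Cast to integers first so the comparison is well-defined: `uintptr_t p = (uintptr_t)ptr, s = (uintptr_t)l->record, e = (uintptr_t)l->end;` then `return !(p >= s && p < e);`, with `<stdint.h>` included. In `nvlist_clear` a node whose name lies inside the record buffer but whose val was strdup'ed would have its val skipped by the nested check; if such nodes cannot exist a comment saying so would settle it. `record` is a plain `char *`, so `free(l->record)` needs no cast.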
@@ -32,20 +32,24 @@ static inline unsigned int nvlist_get_cnt(nvlist *l) { return l->cnt; } -static inline void nvlist_first(nvlist *l) { l->cur = l->head; } -static inline nvnode *nvlist_get_cur(const nvlist *l) { return l->cur; } -static inline const char *nvlist_get_cur_name(const nvlist *l) {if (l->cur) return l->cur->name; else return NULL;} -static inline const char *nvlist_get_cur_val(const nvlist *l) {if (l->cur) return l->cur->val; else return NULL;} -static inline const char *nvlist_get_cur_val_interp(const nvlist *l) {if (l->cur) return l->cur->interp_val; else return NULL;} +static inline void nvlist_first(nvlist *l) { l->cur = 0; } +static inline nvnode *nvlist_get_cur(nvlist *l) + { return &l->array[l->cur]; } +static inline const char *nvlist_get_cur_name(nvlist *l) + {if (l->cnt) { nvnode *node = &l->array[l->cur]; return node->name; } else return NULL;} +static inline const char *nvlist_get_cur_val(nvlist *l) + {if (l->cnt) { nvnode *node = &l->array[l->cur]; return node->val; } else return NULL;} +static inline const char *nvlist_get_cur_val_interp(nvlist *l) + {if (l->cnt) { nvnode *node = &l->array[l->cur]; return node->interp_val; } else return NULL;} AUDIT_HIDDEN_START void nvlist_create(nvlist *l); -void nvlist_clear(nvlist* l); +void nvlist_clear(nvlist *l, int free_interp); nvnode *nvlist_next(nvlist *l); -int nvlist_get_cur_type(const rnode *r); -const char *nvlist_interp_cur_val(const rnode *r, auparse_esc_t escape_mode); -void nvlist_append(nvlist *l, nvnode *node); +int nvlist_get_cur_type(rnode *r); +const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode); +int nvlist_append(nvlist *l, nvnode *node); void nvlist_interp_fixup(nvlist *l); /* Given a numeric index, find that record. 
*/ diff -Nru audit-3.0/auparse/openat2-resolvetab.h audit-3.0.7/auparse/openat2-resolvetab.h --- audit-3.0/auparse/openat2-resolvetab.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/auparse/openat2-resolvetab.h 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,29 @@ +/* openat2-resolvetab.h -- + * Copyright 2021 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Richard Guy Briggs + * Location: include/uapi/linux/openat2.h + */ + +_S(0x01, "RESOLVE_NO_XDEV" ) +_S(0x02, "RESOLVE_NO_MAGICLINKS" ) +_S(0x04, "RESOLVE_NO_SYMLINKS" ) +_S(0x08, "RESOLVE_BENEATH" ) +_S(0x10, "RESOLVE_IN_ROOT" ) +_S(0x20, "RESOLVE_CACHED" ) diff -Nru audit-3.0/auparse/rnode.h audit-3.0.7/auparse/rnode.h --- audit-3.0/auparse/rnode.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/rnode.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,6 +1,5 @@ - /* rnode.h -- - * Copyright 2007,2016-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2016-17,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
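Review bot: `nvlist_get_cur` is the only accessor in the nvlist.h hunk that does not check `l->cnt`; for an empty list it returns `&l->array[0]`, a non-NULL pointer to a zeroed node, where the old implementation returned NULL, so a caller that tests the result before touching `->name` now dereferences a NULL name instead. Make it `return l->cnt ? &l->array[l->cur] : NULL;` to keep the previous contract. `nvlist_first` now only resets an index and can no longer fail on an empty list; a short comment on it would save the next reader from checking.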
@@ -24,21 +23,24 @@ #ifndef RNODE_HEADER #define RNODE_HEADER -/* This is the node of the linked list. Any data elements that are +#define NFIELDS 36 + +/* This is the data node of the fields list. Any data elements that are * per field goes here. */ typedef struct _nvnode{ char *name; // The name string char *val; // The value field - char *interp_val; // The value field interpretted + char *interp_val; // The value field interpreted unsigned int item; // Which item of the same event - struct _nvnode* next; // Next nvpair node pointer } nvnode; -/* This is the field linked list head. */ +/* This is the field list head. */ typedef struct { - nvnode *head; // List head - nvnode *cur; // Pointer to current node + nvnode array[NFIELDS];// array of fields + unsigned int cur; // Index to current node unsigned int cnt; // How many items in this list + char *record; // Holds the parsed up record + char *end; // End of the parsed up record } nvlist; diff -Nru audit-3.0/auparse/test/Makefile.am audit-3.0.7/auparse/test/Makefile.am --- audit-3.0/auparse/test/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/test/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
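Review bot: The new `record`/`end` members of `nvlist` are documented only as "Holds the parsed up record", yet they carry an ownership rule the rest of this patch depends on: nvlist_clear frees `record`, and field `name`/`val` pointers that fall inside [record, end) are deliberately not freed individually. Put that on the struct, e.g. `char *record; // owned by the list; nvlist_clear frees it, name/val may point into it` and `char *end; // one past the last byte of record; distinguishes owned strings from in-buffer ones`. `NFIELDS 36` also deserves a comment saying it is a hard cap on fields per record, since nvlist_append rejects anything beyond it.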
@@ -29,17 +29,17 @@ lookup_test_SOURCES = lookup_test.c lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la auparse_test_SOURCES = auparse_test.c auparse_test_LDFLAGS = -static auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la auparselol_test_SOURCES = auparselol_test.c auparselol_test_LDFLAGS = -static auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la drop_srcdir = sed 's,$(srcdir)/test,test,' diff -Nru audit-3.0/auparse/test/Makefile.in audit-3.0.7/auparse/test/Makefile.in --- audit-3.0/auparse/test/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/auparse/test/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -130,7 +130,7 @@ auparse_test_OBJECTS = $(am_auparse_test_OBJECTS) auparse_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ ${top_builddir}/lib/libaudit.la \ - ${top_builddir}/common/libaucommon.a + ${top_builddir}/common/libaucommon.la AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -142,7 +142,7 @@ auparselol_test_OBJECTS = $(am_auparselol_test_OBJECTS) auparselol_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ ${top_builddir}/lib/libaudit.la \ - ${top_builddir}/common/libaucommon.a + ${top_builddir}/common/libaucommon.la auparselol_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(auparselol_test_LDFLAGS) $(LDFLAGS) \ 
@@ -151,7 +151,7 @@ lookup_test_OBJECTS = $(am_lookup_test_OBJECTS) lookup_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ ${top_builddir}/lib/libaudit.la \ - ${top_builddir}/common/libaucommon.a + ${top_builddir}/common/libaucommon.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -359,6 +359,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -378,17 +379,17 @@ AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib lookup_test_SOURCES = lookup_test.c lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la auparse_test_SOURCES = auparse_test.c auparse_test_LDFLAGS = -static auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la auparselol_test_SOURCES = auparselol_test.c auparselol_test_LDFLAGS = -static auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a + ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la drop_srcdir = sed 's,$(srcdir)/test,test,' all: all-am diff -Nru audit-3.0/auparse/typetab.h audit-3.0.7/auparse/typetab.h --- audit-3.0/auparse/typetab.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/auparse/typetab.h 2022-01-23 19:36:56.000000000 +0000 
@@ -142,3 +142,5 @@ _S(AUPARSE_TYPE_FANOTIFY, "resp" ) _S(AUPARSE_TYPE_ESCAPED, "sw" ) _S(AUPARSE_TYPE_ESCAPED, "root_dir" ) +_S(AUPARSE_TYPE_NLMCGRP, "nl-mcgrp" ) +_S(AUPARSE_TYPE_RESOLVE, "resolve" ) diff -Nru audit-3.0/bindings/Makefile.am audit-3.0.7/bindings/Makefile.am --- audit-3.0/bindings/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/Makefile.in audit-3.0.7/bindings/Makefile.in --- audit-3.0/bindings/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -346,6 +347,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/bindings/golang/Makefile.am audit-3.0.7/bindings/golang/Makefile.am --- audit-3.0/bindings/golang/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/golang/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/golang/Makefile.in audit-3.0.7/bindings/golang/Makefile.in --- audit-3.0/bindings/golang/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/golang/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -287,6 +288,7 @@
 pyexecdir = @pyexecdir@
 python3dir = @python3dir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
diff -Nru audit-3.0/bindings/python/Makefile.in audit-3.0.7/bindings/python/Makefile.in
--- audit-3.0/bindings/python/Makefile.in 2020-12-16 20:44:40.000000000 +0000
+++ audit-3.0.7/bindings/python/Makefile.in 2022-01-23 19:37:00.000000000 +0000
@@ -326,6 +326,7 @@
 pyexecdir = @pyexecdir@
 python3dir = @python3dir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
diff -Nru audit-3.0/bindings/python/auparse_python.c audit-3.0.7/bindings/python/auparse_python.c
--- audit-3.0/bindings/python/auparse_python.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/bindings/python/auparse_python.c 2022-01-23 19:36:56.000000000 +0000
@@ -665,6 +665,26 @@
 }
 /********************************
+ * auparse_set_eoe_timeout
+ ********************************/
+PyDoc_STRVAR(set_eoe_timeout_doc,
+"set_eoe_timeout(tmo) Set audit parser end of event timeout\n\
+\n\
+This function sets the timeout used to determine if an event is complete.\n\
+Returns None.\n\
+");
+static PyObject *
+AuParser_set_eoe_timeout(AuParser *self, PyObject *args)
+{
+ int tmo;
+
+ if (!PyArg_ParseTuple(args, "i", &tmo)) return NULL;
+ auparse_set_eoe_timeout(tmo);
+
+ Py_RETURN_NONE;
+}
+
+/********************************
 * auparse_reset
 ********************************/
 PyDoc_STRVAR(reset_doc,
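Review bot: `AuParser_set_eoe_timeout` parses `tmo` with the signed `"i"` format and passes it straight to `auparse_set_eoe_timeout()` with no range check, so a negative value from Python goes through unchanged and, if the library's parameter is unsigned, becomes a huge timeout rather than an error. Either parse into an `unsigned int` with `"I"`, or keep `"i"` and reject negatives with `if (tmo < 0) { PyErr_SetString(PyExc_ValueError, "timeout must be non-negative"); return NULL; }` before the call. The docstring should also say that this changes a library-wide setting rather than state of this parser instance, since `self` is not used in the body.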
@@ -2140,6 +2160,7 @@
 {"feed_age_events", (PyCFunction)AuParser_feed_age_events, METH_NOARGS, feed_age_events_doc},
 {"add_callback", (PyCFunction)AuParser_add_callback, METH_VARARGS, add_callback_doc},
 {"set_escape_mode", (PyCFunction)AuParser_set_escape_mode, METH_VARARGS, set_escape_mode_doc},
+ {"set_eoe_timeout", (PyCFunction)AuParser_set_eoe_timeout, METH_VARARGS, set_eoe_timeout_doc},
 {"reset", (PyCFunction)AuParser_reset, METH_NOARGS, reset_doc},
 {"search_add_expression", (PyCFunction)AuParser_search_add_expression, METH_VARARGS, search_add_expression_doc},
 {"search_add_item", (PyCFunction)AuParser_search_add_item, METH_VARARGS, search_add_item_doc},
@@ -2366,10 +2387,13 @@
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_PROCTITLE", AUPARSE_TYPE_PROCTITLE);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_HOOK", AUPARSE_TYPE_HOOK);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_NETACTION", AUPARSE_TYPE_NETACTION);
+ PyModule_AddIntConstant(m, "AUPARSE_TYPE_MACPROTO,", AUPARSE_TYPE_MACPROTO);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_IOCTL_REQ", AUPARSE_TYPE_IOCTL_REQ);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_ESCAPED_KEY", AUPARSE_TYPE_ESCAPED_KEY);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_ESCAPED_FILE", AUPARSE_TYPE_ESCAPED_FILE);
 PyModule_AddIntConstant(m, "AUPARSE_TYPE_FANOTIFY", AUPARSE_TYPE_FANOTIFY);
+ PyModule_AddIntConstant(m, "AUPARSE_TYPE_NLMCGRP", AUPARSE_TYPE_NLMCGRP);
+ PyModule_AddIntConstant(m, "AUPARSE_TYPE_RESOLVE", AUPARSE_TYPE_RESOLVE);
 /* Escape types */
 PyModule_AddIntConstant(m, "AUPARSE_ESC_RAW", AUPARSE_ESC_RAW);
diff -Nru audit-3.0/bindings/python/python2/Makefile.am audit-3.0.7/bindings/python/python2/Makefile.am
--- audit-3.0/bindings/python/python2/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/bindings/python/python2/Makefile.am 2022-01-23 19:36:56.000000000 +0000
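Review bot: The added `PyModule_AddIntConstant(m, "AUPARSE_TYPE_MACPROTO,", AUPARSE_TYPE_MACPROTO);` in the second hunk has a stray comma inside the string literal, so the constant is registered under the name `AUPARSE_TYPE_MACPROTO,` and `auparse.AUPARSE_TYPE_MACPROTO` raises AttributeError in Python. It should read `PyModule_AddIntConstant(m, "AUPARSE_TYPE_MACPROTO", AUPARSE_TYPE_MACPROTO);`. The neighbouring `AUPARSE_TYPE_NLMCGRP` and `AUPARSE_TYPE_RESOLVE` additions are spelled correctly; a small test that imports the module and asserts every `AUPARSE_TYPE_*` name in the table is a valid attribute would catch this class of typo.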
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/python/python2/Makefile.in audit-3.0.7/bindings/python/python2/Makefile.in --- audit-3.0/bindings/python/python2/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/python/python2/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -369,6 +370,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/bindings/python/python3/Makefile.am audit-3.0.7/bindings/python/python3/Makefile.am --- audit-3.0/bindings/python/python3/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/python/python3/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/python/python3/Makefile.in audit-3.0.7/bindings/python/python3/Makefile.in --- audit-3.0/bindings/python/python3/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/python/python3/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -368,6 +369,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/bindings/swig/Makefile.am audit-3.0.7/bindings/swig/Makefile.am --- audit-3.0/bindings/swig/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/swig/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/Makefile.in audit-3.0.7/bindings/swig/Makefile.in --- audit-3.0/bindings/swig/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/swig/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -348,6 +349,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/bindings/swig/python/Makefile.am audit-3.0.7/bindings/swig/python/Makefile.am --- audit-3.0/bindings/swig/python/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/swig/python/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/python/Makefile.in audit-3.0.7/bindings/swig/python/Makefile.in --- audit-3.0/bindings/swig/python/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/swig/python/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -350,6 +350,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -379,8 +380,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/python/audit.py audit-3.0.7/bindings/swig/python/audit.py --- audit-3.0/bindings/swig/python/audit.py 2020-12-16 20:44:49.000000000 +0000 +++ audit-3.0.7/bindings/swig/python/audit.py 2022-01-23 19:37:04.000000000 +0000 
@@ -445,6 +445,7 @@ AUDIT_APPARMOR_HINT = _audit.AUDIT_APPARMOR_HINT AUDIT_APPARMOR_STATUS = _audit.AUDIT_APPARMOR_STATUS AUDIT_APPARMOR_ERROR = _audit.AUDIT_APPARMOR_ERROR +AUDIT_APPARMOR_KILL = _audit.AUDIT_APPARMOR_KILL AUDIT_FIRST_KERN_CRYPTO_MSG = _audit.AUDIT_FIRST_KERN_CRYPTO_MSG AUDIT_LAST_KERN_CRYPTO_MSG = _audit.AUDIT_LAST_KERN_CRYPTO_MSG AUDIT_INTEGRITY_FIRST_MSG = _audit.AUDIT_INTEGRITY_FIRST_MSG @@ -470,6 +471,9 @@ AUDIT_ANOM_MOD_ACCT = _audit.AUDIT_ANOM_MOD_ACCT AUDIT_ANOM_ROOT_TRANS = _audit.AUDIT_ANOM_ROOT_TRANS AUDIT_ANOM_LOGIN_SERVICE = _audit.AUDIT_ANOM_LOGIN_SERVICE +AUDIT_ANOM_LOGIN_ROOT = _audit.AUDIT_ANOM_LOGIN_ROOT +AUDIT_ANOM_ORIGIN_FAILURES = _audit.AUDIT_ANOM_ORIGIN_FAILURES +AUDIT_ANOM_SESSION = _audit.AUDIT_ANOM_SESSION AUDIT_FIRST_ANOM_RESP = _audit.AUDIT_FIRST_ANOM_RESP AUDIT_LAST_ANOM_RESP = _audit.AUDIT_LAST_ANOM_RESP AUDIT_RESP_ANOMALY = _audit.AUDIT_RESP_ANOMALY @@ -487,6 +491,7 @@ AUDIT_RESP_HALT = _audit.AUDIT_RESP_HALT AUDIT_RESP_ORIGIN_BLOCK = _audit.AUDIT_RESP_ORIGIN_BLOCK AUDIT_RESP_ORIGIN_BLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_BLOCK_TIMED +AUDIT_RESP_ORIGIN_UNBLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_UNBLOCK_TIMED AUDIT_FIRST_USER_LSPP_MSG = _audit.AUDIT_FIRST_USER_LSPP_MSG AUDIT_LAST_USER_LSPP_MSG = _audit.AUDIT_LAST_USER_LSPP_MSG AUDIT_USER_ROLE_CHANGE = _audit.AUDIT_USER_ROLE_CHANGE @@ -525,6 +530,8 @@ AUDIT_VIRT_MIGRATE_IN = _audit.AUDIT_VIRT_MIGRATE_IN AUDIT_VIRT_MIGRATE_OUT = _audit.AUDIT_VIRT_MIGRATE_OUT AUDIT_LAST_VIRT_MSG = _audit.AUDIT_LAST_VIRT_MSG +AUDIT_URINGOP = _audit.AUDIT_URINGOP +AUDIT_OPENAT2 = _audit.AUDIT_OPENAT2 AUDIT_KEY_SEPARATOR = _audit.AUDIT_KEY_SEPARATOR AUDIT_FILTER_MASK = _audit.AUDIT_FILTER_MASK AUDIT_FILTER_UNSET = _audit.AUDIT_FILTER_UNSET 
@@ -776,9 +783,6 @@ def audit_add_watch(rulep, path): return _audit.audit_add_watch(rulep, path) -def audit_add_dir(rulep, path): - return _audit.audit_add_dir(rulep, path) - def audit_add_watch_dir(type, rulep, path): return _audit.audit_add_watch_dir(type, rulep, path) @@ -794,8 +798,8 @@ def audit_delete_rule_data(fd, rule, flags, action): return _audit.audit_delete_rule_data(fd, rule, flags, action) -def audit_value_needs_encoding(str, len): - return _audit.audit_value_needs_encoding(str, len) +def audit_value_needs_encoding(str, size): + return _audit.audit_value_needs_encoding(str, size) def audit_encode_value(final, buf, size): return _audit.audit_encode_value(final, buf, size) @@ -827,9 +831,6 @@ def audit_rule_init_data(rule): return _audit.audit_rule_init_data(rule) -def audit_rule_syscall_data(rule, scall): - return _audit.audit_rule_syscall_data(rule, scall) - def audit_rule_syscallbyname_data(rule, scall): return _audit.audit_rule_syscallbyname_data(rule, scall) diff -Nru audit-3.0/bindings/swig/python3/Makefile.am audit-3.0.7/bindings/swig/python3/Makefile.am --- audit-3.0/bindings/swig/python3/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/swig/python3/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/python3/Makefile.in audit-3.0.7/bindings/swig/python3/Makefile.in --- audit-3.0/bindings/swig/python3/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/swig/python3/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -350,6 +350,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -379,8 +380,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/python3/audit.py audit-3.0.7/bindings/swig/python3/audit.py --- audit-3.0/bindings/swig/python3/audit.py 2020-12-16 20:44:50.000000000 +0000 +++ audit-3.0.7/bindings/swig/python3/audit.py 2022-01-23 19:37:04.000000000 +0000 
@@ -445,6 +445,7 @@ AUDIT_APPARMOR_HINT = _audit.AUDIT_APPARMOR_HINT AUDIT_APPARMOR_STATUS = _audit.AUDIT_APPARMOR_STATUS AUDIT_APPARMOR_ERROR = _audit.AUDIT_APPARMOR_ERROR +AUDIT_APPARMOR_KILL = _audit.AUDIT_APPARMOR_KILL AUDIT_FIRST_KERN_CRYPTO_MSG = _audit.AUDIT_FIRST_KERN_CRYPTO_MSG AUDIT_LAST_KERN_CRYPTO_MSG = _audit.AUDIT_LAST_KERN_CRYPTO_MSG AUDIT_INTEGRITY_FIRST_MSG = _audit.AUDIT_INTEGRITY_FIRST_MSG @@ -470,6 +471,9 @@ AUDIT_ANOM_MOD_ACCT = _audit.AUDIT_ANOM_MOD_ACCT AUDIT_ANOM_ROOT_TRANS = _audit.AUDIT_ANOM_ROOT_TRANS AUDIT_ANOM_LOGIN_SERVICE = _audit.AUDIT_ANOM_LOGIN_SERVICE +AUDIT_ANOM_LOGIN_ROOT = _audit.AUDIT_ANOM_LOGIN_ROOT +AUDIT_ANOM_ORIGIN_FAILURES = _audit.AUDIT_ANOM_ORIGIN_FAILURES +AUDIT_ANOM_SESSION = _audit.AUDIT_ANOM_SESSION AUDIT_FIRST_ANOM_RESP = _audit.AUDIT_FIRST_ANOM_RESP AUDIT_LAST_ANOM_RESP = _audit.AUDIT_LAST_ANOM_RESP AUDIT_RESP_ANOMALY = _audit.AUDIT_RESP_ANOMALY @@ -487,6 +491,7 @@ AUDIT_RESP_HALT = _audit.AUDIT_RESP_HALT AUDIT_RESP_ORIGIN_BLOCK = _audit.AUDIT_RESP_ORIGIN_BLOCK AUDIT_RESP_ORIGIN_BLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_BLOCK_TIMED +AUDIT_RESP_ORIGIN_UNBLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_UNBLOCK_TIMED AUDIT_FIRST_USER_LSPP_MSG = _audit.AUDIT_FIRST_USER_LSPP_MSG AUDIT_LAST_USER_LSPP_MSG = _audit.AUDIT_LAST_USER_LSPP_MSG AUDIT_USER_ROLE_CHANGE = _audit.AUDIT_USER_ROLE_CHANGE @@ -525,6 +530,8 @@ AUDIT_VIRT_MIGRATE_IN = _audit.AUDIT_VIRT_MIGRATE_IN AUDIT_VIRT_MIGRATE_OUT = _audit.AUDIT_VIRT_MIGRATE_OUT AUDIT_LAST_VIRT_MSG = _audit.AUDIT_LAST_VIRT_MSG +AUDIT_URINGOP = _audit.AUDIT_URINGOP +AUDIT_OPENAT2 = _audit.AUDIT_OPENAT2 AUDIT_KEY_SEPARATOR = _audit.AUDIT_KEY_SEPARATOR AUDIT_FILTER_MASK = _audit.AUDIT_FILTER_MASK AUDIT_FILTER_UNSET = _audit.AUDIT_FILTER_UNSET 
@@ -776,9 +783,6 @@ def audit_add_watch(rulep: "struct audit_rule_data **", path: "char const *") -> "int": return _audit.audit_add_watch(rulep, path) -def audit_add_dir(rulep: "struct audit_rule_data **", path: "char const *") -> "int": - return _audit.audit_add_dir(rulep, path) - def audit_add_watch_dir(type: "int", rulep: "struct audit_rule_data **", path: "char const *") -> "int": return _audit.audit_add_watch_dir(type, rulep, path) @@ -794,8 +798,8 @@ def audit_delete_rule_data(fd: "int", rule: "audit_rule_data", flags: "int", action: "int") -> "int": return _audit.audit_delete_rule_data(fd, rule, flags, action) -def audit_value_needs_encoding(str: "char const *", len: "unsigned int") -> "int": - return _audit.audit_value_needs_encoding(str, len) +def audit_value_needs_encoding(str: "char const *", size: "unsigned int") -> "int": + return _audit.audit_value_needs_encoding(str, size) def audit_encode_value(final: "char *", buf: "char const *", size: "unsigned int") -> "char *": return _audit.audit_encode_value(final, buf, size) @@ -827,9 +831,6 @@ def audit_rule_init_data(rule: "audit_rule_data") -> "void": return _audit.audit_rule_init_data(rule) -def audit_rule_syscall_data(rule: "audit_rule_data", scall: "int") -> "int": - return _audit.audit_rule_syscall_data(rule, scall) - def audit_rule_syscallbyname_data(rule: "audit_rule_data", scall: "char const *") -> "int": return _audit.audit_rule_syscallbyname_data(rule, scall) diff -Nru audit-3.0/bindings/swig/src/Makefile.am audit-3.0.7/bindings/swig/src/Makefile.am --- audit-3.0/bindings/swig/src/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/bindings/swig/src/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/bindings/swig/src/Makefile.in audit-3.0.7/bindings/swig/src/Makefile.in --- audit-3.0/bindings/swig/src/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/bindings/swig/src/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -286,6 +287,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/common/Makefile.am audit-3.0.7/common/Makefile.am --- audit-3.0/common/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/common/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -24,7 +25,7 @@ AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib noinst_HEADERS = common.h -libaucommon_a_DEPENDENCIES = ../config.h -libaucommon_a_SOURCES = audit-fgets.c strsplit.c -noinst_LIBRARIES = libaucommon.a +libaucommon_la_DEPENDENCIES = ../config.h +libaucommon_la_SOURCES = audit-fgets.c strsplit.c +noinst_LTLIBRARIES = libaucommon.la diff -Nru audit-3.0/common/Makefile.in audit-3.0.7/common/Makefile.in --- audit-3.0/common/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/common/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -126,16 +127,14 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_VPATH_FILES = -LIBRARIES = $(noinst_LIBRARIES) -ARFLAGS = cru -AM_V_AR = $(am__v_AR_@AM_V@) -am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) -am__v_AR_0 = @echo " AR " $@; -am__v_AR_1 = -libaucommon_a_AR = $(AR) $(ARFLAGS) -libaucommon_a_LIBADD = -am_libaucommon_a_OBJECTS = audit-fgets.$(OBJEXT) strsplit.$(OBJEXT) -libaucommon_a_OBJECTS = $(am_libaucommon_a_OBJECTS) +LTLIBRARIES = $(noinst_LTLIBRARIES) +libaucommon_la_LIBADD = +am_libaucommon_la_OBJECTS = audit-fgets.lo strsplit.lo +libaucommon_la_OBJECTS = $(am_libaucommon_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -151,15 +150,11 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/audit-fgets.Po \ - ./$(DEPDIR)/strsplit.Po +am__depfiles_remade = ./$(DEPDIR)/audit-fgets.Plo \ + ./$(DEPDIR)/strsplit.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ @@ -176,8 +171,8 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libaucommon_a_SOURCES) -DIST_SOURCES = $(libaucommon_a_SOURCES) +SOURCES = $(libaucommon_la_SOURCES) +DIST_SOURCES = $(libaucommon_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ 
@@ -346,6 +341,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -362,9 +358,9 @@ CONFIG_CLEAN_FILES = *.rej *.orig AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib noinst_HEADERS = common.h -libaucommon_a_DEPENDENCIES = ../config.h -libaucommon_a_SOURCES = audit-fgets.c strsplit.c -noinst_LIBRARIES = libaucommon.a +libaucommon_la_DEPENDENCIES = ../config.h +libaucommon_la_SOURCES = audit-fgets.c strsplit.c +noinst_LTLIBRARIES = libaucommon.la all: all-am .SUFFIXES: @@ -399,13 +395,19 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } -libaucommon.a: $(libaucommon_a_OBJECTS) $(libaucommon_a_DEPENDENCIES) $(EXTRA_libaucommon_a_DEPENDENCIES) - $(AM_V_at)-rm -f libaucommon.a - $(AM_V_AR)$(libaucommon_a_AR) libaucommon.a $(libaucommon_a_OBJECTS) $(libaucommon_a_LIBADD) - $(AM_V_at)$(RANLIB) libaucommon.a +libaucommon.la: $(libaucommon_la_OBJECTS) $(libaucommon_la_DEPENDENCIES) $(EXTRA_libaucommon_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) $(libaucommon_la_OBJECTS) $(libaucommon_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -413,8 +415,8 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audit-fgets.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strsplit.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audit-fgets.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strsplit.Plo@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -536,7 +538,7 @@ done check-am: all-am check: check-am -all-am: Makefile $(LIBRARIES) $(HEADERS) +all-am: Makefile $(LTLIBRARIES) $(HEADERS) installdirs: install: install-am install-exec: install-exec-am @@ -570,12 +572,12 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/audit-fgets.Po - -rm -f ./$(DEPDIR)/strsplit.Po + -rm -f ./$(DEPDIR)/audit-fgets.Plo + -rm -f ./$(DEPDIR)/strsplit.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -621,8 +623,8 @@ installcheck-am: maintainer-clean: maintainer-clean-am - -rm -f ./$(DEPDIR)/audit-fgets.Po - -rm -f ./$(DEPDIR)/strsplit.Po + -rm -f ./$(DEPDIR)/audit-fgets.Plo + -rm -f ./$(DEPDIR)/strsplit.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -644,7 +646,7 @@
 .MAKE: install-am install-strip
 .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
- clean-generic clean-libtool clean-noinstLIBRARIES \
+ clean-generic clean-libtool clean-noinstLTLIBRARIES \
 cscopelist-am ctags ctags-am distclean distclean-compile \
 distclean-generic distclean-libtool distclean-tags distdir dvi \
 dvi-am html html-am info info-am install install-am \
diff -Nru audit-3.0/common/audit-fgets.c audit-3.0.7/common/audit-fgets.c
--- audit-3.0/common/audit-fgets.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/common/audit-fgets.c 2022-01-23 19:36:56.000000000 +0000
@@ -51,6 +51,9 @@
 return 0;
 }
+/* Function to read the next chunk of data from the given fd. If we have
+ * data to return, we pass the line length for success. 0 for no data. And
+ * -1 if there was an error reading the fd. */
 int audit_fgets(char *buf, size_t blen, int fd)
 {
 int complete = 0;
@@ -119,5 +122,5 @@
 }
 *current = 0;
 }
- return complete;
+ return complete ? line_len : 0;
 }
diff -Nru audit-3.0/config.h.in audit-3.0.7/config.h.in
--- audit-3.0/config.h.in 2020-12-16 20:44:39.000000000 +0000
+++ audit-3.0.7/config.h.in 2022-01-23 19:36:59.000000000 +0000
@@ -44,6 +44,12 @@
 /* Define to 1 if you have the header file. */
 #undef HAVE_INTTYPES_H
+/* IPX packet interpretation */
+#undef HAVE_IPX_HEADERS
+
+/* Define to 1 if linux/fs.h defined kernel_rwf_t */
+#undef HAVE_KERNEL_RWF_T
+
 /* Define to 1 if you have the `kqueue' function. */
 #undef HAVE_KQUEUE
@@ -56,6 +62,12 @@
 /* Define if tcp_wrappers support is enabled */
 #undef HAVE_LIBWRAP
+/* Define to 1 if you have the header file. */
+#undef HAVE_LINUX_AIO_ABI_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_LINUX_FS_H
+
 /* Define to 1 if you have the header file. */
 #undef HAVE_MEMORY_H
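Review bot: `return complete ? line_len : 0;` changes audit_fgets's result from a 0/1 flag to a line length, so any existing caller that tests the result with `== 1` instead of `> 0` now only succeeds for one-character lines; the callers are outside this hunk and should be re-checked against the new contract. The new header comment also promises `-1` on a read error, but neither that error path nor the declaration of `line_len` is visible here; if `line_len` is a `size_t` bounded by `blen`, narrowing it through the `int` return truncates for lines longer than INT_MAX, which is worth a comment at the declaration or a clamp before the return. The function body starts and mostly lies outside the two hunks.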
@@ -128,6 +140,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TIMERFD_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H diff -Nru audit-3.0/configure audit-3.0.7/configure --- audit-3.0/configure 2020-12-16 20:44:38.000000000 +0000 +++ audit-3.0.7/configure 2022-01-23 19:36:59.000000000 +0000 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision: 1.3 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for audit 3.0. +# Generated by GNU Autoconf 2.69 for audit 3.0.7. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -588,8 +588,8 @@ # Identity of this package. PACKAGE_NAME='audit' PACKAGE_TARNAME='audit' -PACKAGE_VERSION='3.0' -PACKAGE_STRING='audit 3.0' +PACKAGE_VERSION='3.0.7' +PACKAGE_STRING='audit 3.0.7' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -642,6 +642,8 @@ USE_ARM_TRUE DEBUG_FALSE DEBUG_TRUE +ENABLE_EXPERIMENTAL_FALSE +ENABLE_EXPERIMENTAL_TRUE ENABLE_SYSTEMD_FALSE ENABLE_SYSTEMD_TRUE ENABLE_GSSAPI_FALSE @@ -785,6 +787,7 @@ docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -825,6 +828,7 @@ enable_zos_remote enable_gssapi_krb5 enable_systemd +enable_experimental with_debug with_warn with_arm @@ -882,6 +886,7 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
@@ -1134,6 +1139,15 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1271,7 +1285,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1384,7 +1398,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures audit 3.0 to adapt to many kinds of systems. +\`configure' configures audit 3.0.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1424,6 +1438,7 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1455,7 +1470,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of audit 3.0:";; + short | recursive ) echo "Configuration of audit 3.0.7:";; esac cat <<\_ACEOF 
@@ -1478,6 +1493,7 @@ --disable-zos-remote Disable audisp ZOS remote plugin --enable-gssapi-krb5 Enable GSSAPI Kerberos 5 support [default=no] --enable-systemd Enable systemd init scripts [default=no] + --enable-experimental Enable experimental audit components [default=no] Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1580,7 +1596,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -audit configure 3.0 +audit configure 3.0.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1942,6 +1958,60 @@ } # ac_fn_c_check_header_mongrel +# ac_fn_c_check_type LINENO TYPE VAR INCLUDES +# ------------------------------------------- +# Tests whether TYPE exists after having included INCLUDES, setting cache +# variable VAR accordingly. +ac_fn_c_check_type () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=no" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof ($2)) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof (($2))) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + eval "$3=yes" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_type + # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes @@ -2231,7 +2301,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by audit $as_me 3.0, which was +It was created by audit $as_me 3.0.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3210,7 +3280,7 @@ # Define the identity of the package. PACKAGE='audit' - VERSION='3.0' + VERSION='3.0.7' cat >>confdefs.h <<_ACEOF 
@@ -12346,7 +12416,20 @@ OLDLIBS="$LIBS" -for ac_header in sys/inotify.h sys/epoll.h sys/event.h port.h poll.h sys/select.h sys/eventfd.h sys/signalfd.h +for ac_header in sys/inotify.h sys/epoll.h sys/event.h port.h poll.h sys/timerfd.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +for ac_header in sys/select.h sys/eventfd.h sys/signalfd.h linux/aio_abi.h linux/fs.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -12551,6 +12634,17 @@ done +ac_fn_c_check_type "$LINENO" "__kernel_rwf_t" "ac_cv_type___kernel_rwf_t" "#include +" +if test "x$ac_cv_type___kernel_rwf_t" = xyes; then : + + +$as_echo "#define HAVE_KERNEL_RWF_T 1" >>confdefs.h + + +fi + + if test -z "$LIBEV_M4_AVOID_LIBM"; then LIBM=m fi @@ -14724,6 +14818,7 @@ fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext +OLDLIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_yield" >&5 $as_echo_n "checking for library containing pthread_yield... " >&6; } if ${ac_cv_search_pthread_yield+:} false; then : @@ -14782,6 +14877,7 @@ fi +LIBS="$OLDLIBS" ALLWARNS="" ALLDEBUG="-g" @@ -14939,7 +15035,7 @@ if ${am_cv_python_version+:} false; then : $as_echo_n "(cached) " >&6 else - am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` + am_cv_python_version=`$PYTHON -c "import sys; print('%u.%u' % sys.version_info[:2])"` fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 $as_echo "$am_cv_python_version" >&6; } 
@@ -15362,8 +15458,6 @@ $as_echo "$enable_listener" >&6; } #audisp zos-remote plugin -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to include audisp ZOS remote plugin" >&5 -$as_echo_n "checking whether to include audisp ZOS remote plugin... " >&6; } # Check whether --enable-zos-remote was given. if test "${enable_zos_remote+set}" = set; then : enableval=$enable_zos_remote; enable_zos_remote=$enableval @@ -15427,6 +15521,9 @@ as_fn_error $? "openldap libraries found but headers are missing" "$LINENO" 5 fi fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to include audisp ZOS remote plugin" >&5 +$as_echo_n "checking whether to include audisp ZOS remote plugin... " >&6; } if test "x$enable_zos_remote" != "xno"; then ENABLE_ZOS_REMOTE_TRUE= ENABLE_ZOS_REMOTE_FALSE='#' @@ -15516,6 +15613,8 @@ #systemd +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable systemd" >&5 +$as_echo_n "checking whether to enable systemd... " >&6; } # Check whether --enable-systemd was given. if test "${enable_systemd+set}" = set; then : enableval=$enable_systemd; case "${enableval}" in 
@@ -15536,6 +15635,34 @@ ENABLE_SYSTEMD_FALSE= fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $want_systemd" >&5 +$as_echo "$want_systemd" >&6; } + +# ids +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable experimental options" >&5 +$as_echo_n "checking whether to enable experimental options... " >&6; } +# Check whether --enable-experimental was given. +if test "${enable_experimental+set}" = set; then : + enableval=$enable_experimental; case "${enableval}" in + yes) want_exper="yes" ;; + no) want_exper="no" ;; + *) as_fn_error $? "bad value ${enableval} for --enable-experimental" "$LINENO" 5 ;; + esac +else + want_exper="no" + +fi + + if test x$want_exper = xyes; then + ENABLE_EXPERIMENTAL_TRUE= + ENABLE_EXPERIMENTAL_FALSE='#' +else + ENABLE_EXPERIMENTAL_TRUE='#' + ENABLE_EXPERIMENTAL_FALSE= +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $want_exper" >&5 +$as_echo "$want_exper" >&6; } # linux/fanotify.h ac_fn_c_check_header_mongrel "$LINENO" "linux/fanotify.h" "ac_cv_header_linux_fanotify_h" "$ac_includes_default" @@ -15920,6 +16047,21 @@ fi +# linux/ipx.h - deprecated in 2018 +ac_fn_c_check_header_mongrel "$LINENO" "linux/ipx.h" "ac_cv_header_linux_ipx_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_ipx_h" = xyes; then : + ipx_headers=yes +else + ipx_headers=no +fi + + +if test $ipx_headers = yes ; then + +$as_echo "#define HAVE_IPX_HEADERS 1" >>confdefs.h + +fi + # See if we want to support lower capabilities for plugins 
@@ -16017,7 +16159,7 @@ #AC_SUBST(libev_LIBS) -ac_config_files="$ac_config_files Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile" +ac_config_files="$ac_config_files Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -16187,6 +16329,10 @@ as_fn_error $? "conditional \"ENABLE_SYSTEMD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_EXPERIMENTAL_TRUE}" && test -z "${ENABLE_EXPERIMENTAL_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_EXPERIMENTAL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${DEBUG_TRUE}" && test -z "${DEBUG_FALSE}"; then as_fn_error $? "conditional \"DEBUG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -16604,7 +16750,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by audit $as_me 3.0, which was +This file was extended by audit $as_me 3.0.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16670,7 +16816,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -audit config.status 3.0 +audit config.status 3.0.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -17105,6 +17251,9 @@ "audisp/plugins/remote/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/remote/Makefile" ;; "audisp/plugins/zos-remote/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/zos-remote/Makefile" ;; "audisp/plugins/syslog/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/syslog/Makefile" ;; + "audisp/plugins/ids/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/ids/Makefile" ;; + "audisp/plugins/ids/rules/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/ids/rules/Makefile" ;; + "audisp/plugins/statsd/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/statsd/Makefile" ;; "bindings/Makefile") CONFIG_FILES="$CONFIG_FILES bindings/Makefile" ;; "bindings/python/Makefile") CONFIG_FILES="$CONFIG_FILES bindings/python/Makefile" ;; "bindings/python/python2/Makefile") CONFIG_FILES="$CONFIG_FILES bindings/python/python2/Makefile" ;;
diff -Nru audit-3.0/configure.ac audit-3.0.7/configure.ac
--- audit-3.0/configure.ac 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/configure.ac 2022-01-23 19:36:56.000000000 +0000
@@ -1,7 +1,7 @@
 dnl define([AC_INIT_NOTICE],
 [### Generated automatically using autoconf version] AC_ACVERSION [
-### Copyright 2005-19 Steve Grubb
+### Copyright 2005-21 Steve Grubb
 ###
 ### Permission is hereby granted, free of charge, to any person obtaining a
 ### copy of this software and associated documentation files (the "Software"),
@@ -29,7 +29,7 @@
 ])
 AC_REVISION($Revision: 1.3 $)dnl
-AC_INIT(audit,3.0)
+AC_INIT(audit,3.0.7)
 AC_PREREQ(2.12)dnl
 AM_CONFIG_HEADER(config.h)
@@ -86,8 +86,10 @@
 []
 )
 dnl; pthread_yield is used in zos-remote
+OLDLIBS="$LIBS"
 AC_SEARCH_LIBS(pthread_yield, pthread, [AC_DEFINE(HAVE_PTHREAD_YIELD, 1, [Define to 1 if we have pthread_yield])], [])
+LIBS="$OLDLIBS"
 ALLWARNS=""
 ALLDEBUG="-g"
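Review bot: The save/restore around AC_SEARCH_LIBS reuses the name `OLDLIBS`, which this configure (and so configure.ac or an m4 it includes) already uses for an earlier LIBS snapshot — the generated script shows `OLDLIBS="$LIBS"` ahead of the sys/inotify.h header checks; if that earlier value is still read after this point it now yields the pthread-augmented list instead. A dedicated name removes the question: `saved_LIBS="$LIBS"` before the call and `LIBS="$saved_LIBS"` after it. The reason for the restore, presumably that only the zos-remote plugin should link -lpthread rather than every target, belongs in a comment next to the existing `dnl; pthread_yield is used in zos-remote`, e.g. `dnl keep -lpthread out of the global LIBS; zos-remote links it itself`.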
@@ -238,7 +240,6 @@
 AC_MSG_RESULT($enable_listener)
 #audisp zos-remote plugin
-AC_MSG_CHECKING(whether to include audisp ZOS remote plugin)
 AC_ARG_ENABLE(zos-remote,
 [AS_HELP_STRING([--disable-zos-remote], [Disable audisp ZOS remote plugin])],
@@ -254,6 +255,8 @@
 AC_MSG_ERROR(openldap libraries found but headers are missing)
 fi
 fi
+
+AC_MSG_CHECKING(whether to include audisp ZOS remote plugin)
 AM_CONDITIONAL(ENABLE_ZOS_REMOTE, test "x$enable_zos_remote" != "xno")
 AC_MSG_RESULT($enable_zos_remote)
@@ -280,6 +283,7 @@
 AM_CONDITIONAL(ENABLE_GSSAPI, test x$want_gssapi_krb5 = xyes)
 #systemd
+AC_MSG_CHECKING(whether to enable systemd)
 AC_ARG_ENABLE(systemd,
 [AS_HELP_STRING([--enable-systemd],[Enable systemd init scripts @<:@default=no@:>@])],
 [case "${enableval}" in
@@ -290,6 +294,21 @@
 [want_systemd="no"]
 )
 AM_CONDITIONAL(ENABLE_SYSTEMD, test x$want_systemd = xyes)
+AC_MSG_RESULT($want_systemd)
+
+# ids
+AC_MSG_CHECKING(whether to enable experimental options)
+AC_ARG_ENABLE(experimental,
+ [AS_HELP_STRING([--enable-experimental],[Enable experimental audit components @<:@default=no@:>@])],
+ [case "${enableval}" in
+ yes) want_exper="yes" ;;
+ no) want_exper="no" ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable-experimental) ;;
+ esac],
+ [want_exper="no"]
+)
+AM_CONDITIONAL(ENABLE_EXPERIMENTAL, test x$want_exper = xyes)
+AC_MSG_RESULT($want_exper)
 # linux/fanotify.h
 AC_CHECK_HEADER(linux/fanotify.h, [ AC_DEFINE(USE_FANOTIFY, [],
@@ -399,6 +418,12 @@
 AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is enabled )
 fi
+# linux/ipx.h - deprecated in 2018
+AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no)
+if test $ipx_headers = yes ; then
+ AC_DEFINE(HAVE_IPX_HEADERS,1,[IPX packet interpretation])
+fi
+
 # See if we want to support lower capabilities for plugins
 LIBCAP_NG_PATH
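Review bot: In the new `--enable-experimental` block the `*) AC_MSG_ERROR(bad value ...)` case fires between `AC_MSG_CHECKING(whether to enable experimental options)` and its `AC_MSG_RESULT`, so a bad value aborts with the "checking ..." line left unterminated, and the systemd block now has the same shape once `AC_MSG_CHECKING(whether to enable systemd)` precedes its AC_ARG_ENABLE. Placing each AC_MSG_CHECKING directly before its AM_CONDITIONAL/AC_MSG_RESULT pair, as this commit already does for the zos-remote check two hunks up, keeps the output well-formed on the error path. The `# ids` comment above the block names a plugin rather than the option; what the conditional gates is not visible here, so `# experimental components (ENABLE_EXPERIMENTAL)` is the safer wording. In the linux/ipx.h hunk the yes/no round-trip can collapse into the action argument: `AC_CHECK_HEADER([linux/ipx.h], [AC_DEFINE(HAVE_IPX_HEADERS, 1, [IPX packet interpretation])])`.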
@@ -406,7 +431,7 @@
 AC_SUBST(LIBWRAP_LIBS)
 #AC_SUBST(libev_LIBS)
-AC_OUTPUT(Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile)
+AC_OUTPUT(Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile)
 echo .
 echo "
diff -Nru audit-3.0/contrib/plugin/audisp-example.c audit-3.0.7/contrib/plugin/audisp-example.c
--- audit-3.0/contrib/plugin/audisp-example.c 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/contrib/plugin/audisp-example.c 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
 /* audisp-example.c --
- * Copyright 2012 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2012 Red Hat Inc.
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
@@ -58,7 +58,7 @@
 /*
 * SIGTERM handler
 */
-static void term_handler( int sig )
+static void term_handler(int sig)
 {
 stop = 1;
 }
@@ -66,7 +66,7 @@
 /*
 * SIGHUP handler: re-read config
 */
-static void hup_handler( int sig )
+static void hup_handler(int sig)
 {
 hup = 1;
 }
@@ -74,6 +74,11 @@
 static void reload_config(void)
 {
 hup = 0;
+
+ /*
+ * Add your code here that re-reads the config file and changes
+ * how your plugin works.
+ */
 }
 int main(int argc, char *argv[])
@@ -98,39 +103,43 @@
 printf("audisp-example is exiting due to auparse init errors");
 return -1;
 }
+ auparse_set_eoe_timeout(2);
 auparse_add_callback(au, handle_event, NULL, NULL);
 do {
 fd_set read_mask;
- struct timeval tv;
- int retval = 0;
- int read_size = 0;
+ int retval;
+ int read_size = 1; /* Set to 1 so it's not EOF */
 /* Load configuration */
 if (hup) {
 reload_config();
 }
 do {
- /* If we timed out & have events, shake them loose */
- if (retval == 0 && auparse_feed_has_data(au))
- auparse_feed_age_events(au);
-
- tv.tv_sec = 3;
- tv.tv_usec = 0;
 FD_ZERO(&read_mask);
 FD_SET(0, &read_mask);
- if (auparse_feed_has_data(au))
+
+ if (auparse_feed_has_data(au)) {
+ struct timeval tv;
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
 retval= select(1, &read_mask, NULL, NULL, &tv);
- else
+ } else
 retval= select(1, &read_mask, NULL, NULL, NULL);
+
+ /* If we timed out & have events, shake them loose */
+ if (retval == 0 && auparse_feed_has_data(au))
+ auparse_feed_age_events(au);
+
 } while (retval == -1 && errno == EINTR && !hup && !stop);
 /* Now the event loop */
 if (!stop && !hup && retval > 0) {
- while ((read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH)) > 0) {
+ while ((read_size = read(0, tmp,
+ MAX_AUDIT_MESSAGE_LENGTH)) > 0) {
 auparse_feed(au, tmp, read_size);
 }
 }
- if (read_size == 0) /* check eof */
+ if (read_size == 0) /* EOF */
 break;
 } while (stop == 0);
@@ -164,7 +173,7 @@
 }
 /* This function shows how to iterate through the fields of a record
- * and print its name and raw value and interpretted value. */
+ * and print its name and raw value and interpreted value. */
 static void dump_fields_of_record(auparse_state_t *au)
 {
 printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
diff -Nru audit-3.0/debian/changelog audit-3.0.7/debian/changelog
--- audit-3.0/debian/changelog 2021-06-21 21:44:10.000000000 +0000
+++ audit-3.0.7/debian/changelog 2022-03-17 17:50:40.000000000 +0000
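Review bot: A failed read() is still indistinguishable from a skipped one at the new `if (read_size == 0) /* EOF */` check: when read() returns -1 the `while` loop exits with `read_size` at -1, the break is not taken, and the outer `do ... while (stop == 0)` goes straight back to select(), so if the descriptor stays readable but keeps failing with anything other than EINTR/EAGAIN the plugin spins without ever reporting it. Since `read_size` is now pre-set to 1 precisely so that a loop iteration without a read is not mistaken for EOF, the error case deserves the same care: `if (read_size == 0 || (read_size < 0 && errno != EINTR && errno != EAGAIN)) break;` with a `strerror(errno)` message on the error branch. The select() timeout also drops from 3 s to 1 s while `auparse_set_eoe_timeout(2)` is new; presumably the two are meant to stay ordered so that the timed-out `auparse_feed_age_events()` call can actually age events, and a comment on the `tv.tv_sec = 1;` line saying so would stop the next editor from changing one without the other. main() starts before this hunk and continues after it.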
@@ -1,18 +1,37 @@ -audit (1:3.0-2ubuntu2) impish; urgency=medium +audit (1:3.0.7-1build1) jammy; urgency=medium - * No-change rebuild due to OpenLDAP soname bump. + * No-change rebuild with Python 3.10 only. - -- Sergio Durigan Junior Mon, 21 Jun 2021 17:44:10 -0400 + -- Matthias Klose Thu, 17 Mar 2022 18:50:40 +0100 -audit (1:3.0-2ubuntu1) hirsute; urgency=medium +audit (1:3.0.7-1) unstable; urgency=medium - * Merge with Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - * d/p/fix-header-definitions-for-gcc-10-ftbfs.patch: Dropped (incorporated - in audit 3.0). + * New upstream version 3.0.7 + - debian/libaudit1.symbols: audit_add_dir has been dropped upstream + * debian/control: Tighten the dependencies against the libraries + * debian/control: Drop the Built-Using field from golang-redhat-audit-dev - -- Logan Rosen Sat, 23 Jan 2021 21:41:27 -0500 + -- Laurent Bigonville Fri, 11 Feb 2022 11:34:48 +0100 + +audit (1:3.0.6-1) unstable; urgency=medium + + * New upstream version 3.0.6 + * debian/control: Bump Standards-Version to 4.6.0 (no further changes) + + -- Laurent Bigonville Sat, 09 Oct 2021 11:45:31 +0200 + +audit (1:3.0.5-1) unstable; urgency=medium + + [ Helmut Grohne ] + * Drop unused intltool build dependency. (Closes: #981262) + + [ Laurent Bigonville ] + * New upstream version 3.0.5 + - debian/libauparse0.symbols: Add new exported symbols + * Drop d/p/0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch, + merged upstream + + -- Laurent Bigonville Mon, 16 Aug 2021 11:22:57 +0200 audit (1:3.0-2) unstable; urgency=medium 
@@ -71,28 +90,6 @@ -- Laurent Bigonville Sun, 05 Apr 2020 15:19:09 +0200 -audit (1:2.8.5-3ubuntu3) hirsute; urgency=medium - - * No-change rebuild to drop python3.8 extensions. - - -- Matthias Klose Mon, 07 Dec 2020 18:46:48 +0100 - -audit (1:2.8.5-3ubuntu2) hirsute; urgency=medium - - * No-change rebuild to build with python3.9 as supported. - - -- Matthias Klose Sat, 24 Oct 2020 12:43:39 +0200 - -audit (1:2.8.5-3ubuntu1) groovy; urgency=medium - - * Merge with Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - * d/p/fix-header-definitions-for-gcc-10-ftbfs.patch: Cherry-pick - upstream patch to fix FTBFS with gcc-10 - - -- Alex Murray Thu, 06 Aug 2020 13:02:31 +0930 - audit (1:2.8.5-3) unstable; urgency=medium * d/p/06-do_not_hardcode_stdint_path.patch: Update the patch to fix the 
@@ -106,46 +103,6 @@ -- Laurent Bigonville Sat, 28 Mar 2020 10:13:52 +0100 -audit (1:2.8.5-2ubuntu6) focal; urgency=medium - - * No-change rebuild to drop python3.7. - - -- Matthias Klose Tue, 18 Feb 2020 10:42:38 +0100 - -audit (1:2.8.5-2ubuntu5) focal; urgency=medium - - * Revert previous upload; it ftbfs, and anyway libprelude should be kept - on i386 because it's a build-dependency so something is wrong with - germinate and should be fixed. - - -- Steve Langasek Tue, 10 Dec 2019 22:24:00 -0800 - -audit (1:2.8.5-2ubuntu4) focal; urgency=medium - - * Don't build audispd-plugins on i386, as it'll be uninstallable. - - -- Steve Langasek Tue, 10 Dec 2019 20:56:25 -0800 - -audit (1:2.8.5-2ubuntu3) focal; urgency=medium - - * Rebuild against new libprelude28. - - -- Gianfranco Costamagna Tue, 19 Nov 2019 09:06:40 +0100 - -audit (1:2.8.5-2ubuntu2) focal; urgency=medium - - * No-change rebuild to build with python3.8. - - -- Matthias Klose Fri, 18 Oct 2019 18:26:20 +0000 - -audit (1:2.8.5-2ubuntu1) eoan; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Thu, 15 Aug 2019 23:37:35 -0700 - audit (1:2.8.5-2) unstable; urgency=medium * Drop python-audit package, python 2 is EOL and it has not rdeps @@ -153,14 +110,6 @@ -- Laurent Bigonville Mon, 22 Jul 2019 09:16:54 +0200 -audit (1:2.8.5-1ubuntu1) eoan; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Mon, 15 Jul 2019 21:59:01 -0700 - audit (1:2.8.5-1) unstable; urgency=medium * New upstream version 
@@ -174,14 +123,6 @@ -- Laurent Bigonville Mon, 08 Jul 2019 16:10:07 +0200 -audit (1:2.8.4-3ubuntu1) eoan; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Mon, 29 Apr 2019 10:38:16 -0700 - audit (1:2.8.4-3) unstable; urgency=medium [ OndÅ™ej Nový ] @@ -214,26 +155,6 @@ -- Laurent Bigonville Tue, 28 Aug 2018 11:31:54 +0200 -audit (1:2.8.3-1ubuntu3) disco; urgency=medium - - * No-change rebuild to build without python3.6 support. - - -- Matthias Klose Sat, 03 Nov 2018 11:51:00 +0000 - -audit (1:2.8.3-1ubuntu2) cosmic; urgency=medium - - * No-change rebuild to build for python3.7. - - -- Matthias Klose Thu, 28 Jun 2018 09:24:15 +0000 - -audit (1:2.8.3-1ubuntu1) cosmic; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Tue, 15 May 2018 07:57:01 -0700 - audit (1:2.8.3-1) unstable; urgency=medium [ Karsten Merker ] @@ -251,14 +172,6 @@ -- Laurent Bigonville Thu, 26 Apr 2018 11:53:22 +0200 -audit (1:2.8.2-1ubuntu1) bionic; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Wed, 07 Feb 2018 15:59:52 -0800 - audit (1:2.8.2-1) unstable; urgency=medium * New bugfix upstream release 
@@ -300,20 +213,6 @@ -- Laurent Bigonville Tue, 03 Oct 2017 16:10:39 +0200 -audit (1:2.7.7-1ubuntu2) artful; urgency=medium - - * No-change rebuild to build to drop python3.5. - - -- Matthias Klose Sat, 05 Aug 2017 16:22:00 +0000 - -audit (1:2.7.7-1ubuntu1) artful; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Steve Langasek Sun, 02 Jul 2017 22:20:22 -0700 - audit (1:2.7.7-1) unstable; urgency=medium * New upstream release @@ -350,38 +249,12 @@ -- Laurent Bigonville Tue, 27 Sep 2016 22:44:56 +0200 -audit (1:2.6.6-1ubuntu3) artful; urgency=medium - - * No-change rebuild against libprelude23 - - -- Steve Langasek Fri, 30 Jun 2017 01:04:04 +0000 - -audit (1:2.6.6-1ubuntu2) artful; urgency=medium - - * No change rebuild to add Python 3.6 support. - - -- Michael Hudson-Doyle Fri, 12 May 2017 10:59:06 +1200 - -audit (1:2.6.6-1ubuntu1) yakkety; urgency=medium - - * Merge with Debian; remaining changes: - - -- Matthias Klose Tue, 06 Sep 2016 14:37:46 +0200 - audit (1:2.6.6-1) unstable; urgency=medium * New upstream release -- Laurent Bigonville Mon, 15 Aug 2016 13:43:06 +0200 -audit (1:2.6.5-1ubuntu1) yakkety; urgency=medium - - * Merge with Debian; remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - -- Matthias Klose Tue, 02 Aug 2016 13:54:52 +0200 - audit (1:2.6.5-1) unstable; urgency=medium [ Laurent Bigonville ] 
@@ -446,24 +319,6 @@ -- Laurent Bigonville Thu, 05 May 2016 15:49:29 +0200 -audit (1:2.4.5-1ubuntu2) xenial; urgency=medium - - * No-change rebuild to drop python3.4 support. - - -- Matthias Klose Mon, 18 Jan 2016 20:42:29 +0000 - -audit (1:2.4.5-1ubuntu1) xenial; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - debian/auditd.init: The start command now requires $remote_fs to be - started because it may call /bin/augenrules, which depends on - /usr/bin/awk. $PATH must also be updated so that augenrules can find - awk. - - -- Steve Langasek Tue, 12 Jan 2016 17:07:39 -0800 - audit (1:2.4.5-1) unstable; urgency=medium * New upstream release @@ -472,18 +327,6 @@ -- Laurent Bigonville Sat, 26 Dec 2015 02:52:39 +0100 -audit (1:2.4.4-4ubuntu1) xenial; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - debian/auditd.init: The start command now requires $remote_fs to be - started because it may call /bin/augenrules, which depends on - /usr/bin/awk. $PATH must also be updated so that augenrules can find - awk. - - -- Steve Langasek Fri, 30 Oct 2015 11:22:43 -0700 - audit (1:2.4.4-4) unstable; urgency=medium * Build python3 bindings for all python3 versions (Closes: #800117) 
@@ -519,23 +362,6 @@ -- Laurent Bigonville Mon, 24 Aug 2015 23:29:11 +0200 -audit (1:2.4.2-1ubuntu1) wily; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - debian/auditd.init: The start command now requires $remote_fs to be - started because it may call /bin/augenrules, which depends on - /usr/bin/awk. $PATH must also be updated so that augenrules can find - awk. - * Dropped changes, included upstream: - - Backport ppc64el support changeset - * Re-add build-dependency on libwrap; it's only used by the listener so - it's a spurious build-dependency in Ubuntu, but nothing we need to carry - a delta for since libwrap is in main. - - -- Steve Langasek Wed, 12 Aug 2015 12:43:25 -0700 - audit (1:2.4.2-1) unstable; urgency=medium * New upstream release 
@@ -553,40 +379,6 @@ -- Laurent Bigonville Sun, 07 Sep 2014 16:57:08 +0200 -audit (1:2.3.7-1ubuntu3) wily; urgency=medium - - * No-change rebuild against libprelude2v5 - - -- Steve Langasek Mon, 10 Aug 2015 23:26:20 +0000 - -audit (1:2.3.7-1ubuntu2) vivid; urgency=medium - - * Backport ppc64el support changeset from upstream (LP: #1410522) - - -- Adam Conrad Tue, 21 Apr 2015 11:15:01 +0100 - -audit (1:2.3.7-1ubuntu1) utopic; urgency=medium - - * Merge from Debian testing (LP: #1357387). Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - debian/control, debian/rules: Remove libwrap0-dev Build-Dependency and - --with-libwrap configure argument since libwrap is only used by the - auditd network listener - - debian/auditd.init: The start command now requires $remote_fs to be - started because it may call /bin/augenrules, which depends on - /usr/bin/awk. $PATH must also be updated so that augenrules can find - awk. - * Dropped changes: - - debian/auditd.preinst, debian/auditd.postinst, debian/auditd.postrm: - Migrate from the Ubuntu-specific way of providing a rules directory - (/etc/audit/rules.d/) to the new, upstream rules directory feature based - on /sbin/augenrules. This migration logic was present in the 14.04 LTS - and can now be dropped because all supported upgrade paths will include - the 14.04 LTS package. - - -- Tyler Hicks Fri, 03 Oct 2014 13:06:42 +0100 - audit (1:2.3.7-1) unstable; urgency=medium * New upstream release 
@@ -656,48 +448,6 @@ -- Laurent Bigonville Mon, 30 Dec 2013 14:12:17 +0100 -audit (1:2.3.2-2ubuntu1) trusty; urgency=low - - * Migrate from the Ubuntu-specific way of providing a rules directory - (/etc/audit/rules.d/) to the new, upstream rules directory feature based - on /sbin/augenrules. If USE_AUGENRULES is set to "yes" in - /etc/default/auditd, then the auditd init script will use - /etc/audit/rules.d/*.rules files to generate /etc/audit/audit.rules. - Instead of generating the /etc/audit/audit.rules file, the old - Ubuntu-specific way of handling a rules directory parsed - /etc/audit/audit.rules, in addition to the /etc/audit/rules.d/*.rules - files. - - debian/auditd.preinst, debian/auditd.postinst, debian/auditd.postrm: - When upgrading from a version without augenrules, check for a - pre-existing rules directory (/etc/audit/rules.d/). If it exists and is - populated with rules files, move /etc/audit/audit.rules to - /etc/audit/rules.d/audit.rules and set USE_AUGENRULES to "yes". This - migration logic should be dropped after the 14.04 release. - * Merge from Debian testing (LP: #1251795). Remaining changes: - - debian/rules: Disable auditd network listener, with --disable-listener, - to reduce the risk of a remote attack on auditd, which runs as root - - debian/control, debian/rules: Remove libwrap0-dev Build-Dependency and - --with-libwrap configure argument since libwrap is only used by the - auditd network listener - * Dropped changes: - - debian/auditd.init: apply the intent of Peter Moody's patch to add - support for rules.d directory for splitting out audit.d rules - + The new augenrules tool, called from the init script, replaces this - - debian/control: The upstream audit sources embed and build against their - own version of libev. This is not desirable, but there's no reason to - list libev-dev as a build dependency at this time. 
- + Debian commented out the libev Build-Dependency - - debian/patches/FTBFS-python-multiarch.diff: No longer needed - - debian/patches/fix-asprintf-warnings.patch, - debian/patches/fix-unused-result-warnings.patch - debian/patches/fix-discards-const-qualifier-warnings.patch: Present in - upstream release - * debian/auditd.init: The start command now requires $remote_fs to be - started because it may call /bin/augenrules, which depends on - /usr/bin/awk. $PATH must also be updated so that augenrules can find awk. - - -- Tyler Hicks Fri, 15 Nov 2013 17:24:58 -0800 - audit (1:2.3.2-2) unstable; urgency=low * QA upload. 
@@ -760,67 +510,6 @@ -- Laurent Bigonville Thu, 21 Mar 2013 21:39:45 +0100 -audit (1:2.2.2-1ubuntu4) raring; urgency=low - - * debian/patches/fix-unused-result-warnings.patch: Adjust patch to reflect a - change made by upstream. Don't treat nice() failures as fatal during an - auditd reconfigure. (LP: #1123510) - * debian/patches/fix-asprintf-warnings.patch, - debian/patches/fix-unused-result-warnings.patch, - debian/patches/fix-discards-const-qualifier-warnings.patch: Update patch - tags with potential release version and SVN commit id to indicate that - these patches were merged upstream. - - -- Tyler Hicks Mon, 11 Feb 2013 13:25:46 -0800 - -audit (1:2.2.2-1ubuntu3) raring; urgency=low - - * Fix important build warnings (LP: #1026852) - - debian/patches/fix-asprintf-warnings.patch: Linux asprintf() - implementations do not provide guarantees around the strp variable upon - error so its return code must be checked. - - debian/patches/fix-unused-result-warnings.patch: Be sure to check the - return code of various important functions and create an appropriate - error path. - - debian/patches/fix-discards-const-qualifier-warnings.patch: Fix some - areas where the const qualifier was not being respected. - - -- Tyler Hicks Fri, 08 Feb 2013 18:36:06 -0800 - -audit (1:2.2.2-1ubuntu2) raring; urgency=low - - * Disable auditd network listener with --disable-listener (LP: #1026852) - - debian/rules: Reduce the risk of a remote attack on auditd, which - runs as root, by not building the code that listens for audit messages - over the network. This will prevent users from using auditd as a - centralized audit message aggregator, but this feature is rarely used. 
- * Don't build against libwrap since only auditd's network listener used it - - debian/control: Remove libwrap0-dev Build-Dependency - - debian/rules: Remove --with-libwrap from configure arguments - * Remove libev-dev Build-Dependency (LP: #1026852) - - debian/control: The upstream audit sources embed and build against their - own version of libev. This is not desirable, but there's no reason to - list libev-dev as a build dependency at this time. - - -- Tyler Hicks Wed, 06 Feb 2013 13:51:35 -0800 - -audit (1:2.2.2-1ubuntu1) raring; urgency=low - - * Merge from Debian experimental (LP: #1092760). Remaining changes: - - debian/auditd.init: apply the intent of Peter Moody's patch to add - support for rules.d directory for splitting out audit.d rules - * The new upstream release fixes two outstanding Ubuntu bugs: - - audispd binary has incorrent permissions (LP: #683220) - + In auditd, relax some permission checks for external apps - - auditctl uses wrong syscall to determine uid (LP: #957519) - + In auditctl, check usage against euid rather than uid - * Fix FTBFS caused by Python mulitarch layout which splits Python header - files across multiple directories - - debian/patches/FTBFS-python-multiarch.diff: Use python-config to - determine the appropriate include directories - - -- Tyler Hicks Thu, 20 Dec 2012 18:10:24 -0800 - audit (1:2.2.2-1) experimental; urgency=low * QA upload. @@ -883,13 +572,6 @@ -- Mehdi Dogguy Tue, 31 Jan 2012 16:34:34 +0100 -audit (1.7.18-1ubuntu1) precise; urgency=low - - * debian/auditd.init: apply the intent of Peter Moody's patch to add support - for rules.d directory for splitting out audit.d rules (LP: #730872) - - -- Andrew Pollock Thu, 29 Dec 2011 15:11:11 -0800 - audit (1.7.18-1) unstable; urgency=low * New upstream release. diff -Nru audit-3.0/debian/control audit-3.0.7/debian/control --- audit-3.0/debian/control 2021-01-24 02:41:27.000000000 +0000 +++ audit-3.0.7/debian/control 2022-02-11 10:34:48.000000000 +0000 
@@ -1,12 +1,10 @@
Source: audit
Priority: optional
-Maintainer: Ubuntu Developers
-XSBC-Original-Maintainer: Laurent Bigonville
+Maintainer: Laurent Bigonville
Build-Depends: debhelper-compat (= 12),
dh-python ,
# dh-golang,
dpkg-dev (>= 1.16.1~),
- intltool,
libcap-ng-dev,
# audit sources embed their own patched version of libev
# libev-dev,
@@ -18,7 +16,7 @@
libpython3-all-dev ,
swig
Build-Depends-Indep: golang-go
-Standards-Version: 4.5.1
+Standards-Version: 4.6.0
Section: libs
Homepage: https://people.redhat.com/sgrubb/audit/
Vcs-Git: https://salsa.debian.org/debian/audit.git
@@ -28,7 +26,12 @@
Package: auditd
Section: admin
Architecture: linux-any
-Depends: lsb-base (>= 3.0-6), mawk | gawk, ${misc:Depends}, ${shlibs:Depends}
+Depends: libaudit1 (= ${binary:Version}),
+ libauparse0 (= ${binary:Version}),
+ lsb-base (>= 3.0-6),
+ mawk | gawk,
+ ${misc:Depends},
+ ${shlibs:Depends}
Suggests: audispd-plugins
Breaks: audispd-plugins (<< 1:3.0~)
Pre-Depends: ${misc:Pre-Depends}
@@ -42,7 +45,7 @@
Package: libauparse0
Architecture: linux-any
Pre-Depends: ${misc:Pre-Depends}
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: libaudit1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
Multi-Arch: same
Description: Dynamic library for parsing security auditing
The libauparse package contains the dynamic libraries needed for
@@ -98,7 +101,11 @@
Package: python3-audit
Section: python
Architecture: linux-any
-Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}
+Depends: libaudit1 (= ${binary:Version}),
+ libauparse0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
Provides: ${python3:Provides}
Build-Profiles:
Description: Python3 bindings for security auditing
@@ -110,7 +117,6 @@
Section: devel
Architecture: all
Depends: ${misc:Depends}
-Built-Using: ${misc:Built-Using}
Multi-Arch: foreign
Description: Go client bindings for the libaudit library
The package contains the Go bindings to libaudit that only allows for logging
@@ -121,7 +127,10 @@
Package: audispd-plugins
Section: admin
Architecture: linux-any
-Depends: auditd (>= 1:3.0~), ${misc:Depends}, ${shlibs:Depends}
+Depends: auditd (= ${binary:Version}),
+ libauparse0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
Build-Profiles:
Description: Plugins for the audit event dispatcher
The audispd-plugins package provides plugins for the real-time
diff -Nru audit-3.0/debian/libaudit1.symbols audit-3.0.7/debian/libaudit1.symbols
--- audit-3.0/debian/libaudit1.symbols 2021-01-24 02:41:27.000000000 +0000
+++ audit-3.0.7/debian/libaudit1.symbols 2022-02-11 10:34:48.000000000 +0000
@@ -8,7 +8,6 @@
_audit_permadded@Base 1:2.2.1
_audit_syscalladded@Base 1:2.2.1
audit_action_to_name@Base 1:2.2.1
- audit_add_dir@Base 1:2.2.1
audit_add_rule_data@Base 1:2.2.1
audit_add_watch@Base 1:2.2.1
audit_add_watch_dir@Base 1:2.2.1
diff -Nru audit-3.0/debian/libauparse0.symbols audit-3.0.7/debian/libauparse0.symbols
--- audit-3.0/debian/libauparse0.symbols 2021-01-24 02:41:27.000000000 +0000
+++ audit-3.0.7/debian/libauparse0.symbols 2022-02-11 10:34:48.000000000 +0000
@@ -1,5 +1,6 @@
libauparse.so.0 libauparse0 #MINVER#
* Build-Depends-Package: libauparse-dev
+ _auparse_flush_caches@Base 1:3.0.5
_auparse_free_interpretations@Base 1:2.6
_auparse_load_interpretations@Base 1:2.6
_auparse_lookup_interpretation@Base 1:2.6.1
@@ -10,6 +11,7 @@
auparse_feed@Base 1:2.2.1
auparse_feed_age_events@Base 1:2.5.1
auparse_feed_has_data@Base 1:2.2.2
+ auparse_feed_has_ready_event@Base 1:3.0.5
auparse_find_field@Base 1:2.2.1
auparse_find_field_next@Base 1:2.2.1
auparse_first_field@Base 1:2.2.1
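Review bot: Dropping `audit_add_dir@Base 1:2.2.1` from libaudit1.symbols records that the shared library no longer exports a previously public symbol, which is an ABI break for any consumer linked against it while the package keeps the libaudit1 name and SONAME. If the removal is intentional (it may have been withdrawn upstream, which this hunk does not show), dpkg-gensymbols will warn at build time but third-party binaries that reference the symbol will only fail at load time, so the changelog should state why the removal is safe or the package should carry a Breaks on known dependents. If instead the symbol vanished only because the Debian libtool convenience-library patch removed elsewhere in this diff changed what gets linked into libaudit, it may still be intended as public and the link should be fixed rather than the symbols file trimmed.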
@@ -43,6 +45,7 @@
auparse_interpret_sock_address@Base 1:2.8
auparse_interpret_sock_family@Base 1:2.8
auparse_interpret_sock_port@Base 1:2.8
+ auparse_new_buffer@Base 1:3.0.5
auparse_next_event@Base 1:2.2.1
auparse_next_field@Base 1:2.2.1
auparse_next_record@Base 1:2.2.1
@@ -66,6 +69,7 @@
auparse_normalize_subject_primary@Base 1:2.7.7
auparse_normalize_subject_secondary@Base 1:2.7.7
auparse_reset@Base 1:2.2.1
+ auparse_set_eoe_timeout@Base 1:3.0.5
auparse_set_escape_mode@Base 1:2.4.4
auparse_timestamp_compare@Base 1:2.2.1
ausearch_add_expression@Base 1:2.2.1
@@ -77,3 +81,4 @@
ausearch_clear@Base 1:2.2.1
ausearch_next_event@Base 1:2.2.1
ausearch_set_stop@Base 1:2.2.1
+ find_config_change_object@Base 1:3.0.5
diff -Nru audit-3.0/debian/patches/0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch audit-3.0.7/debian/patches/0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch
--- audit-3.0/debian/patches/0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch 2021-01-24 02:41:27.000000000 +0000
+++ audit-3.0.7/debian/patches/0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,113 +0,0 @@ -From: Laurent Bigonville -Date: Tue, 5 Jan 2021 19:29:44 +0100 -Subject: Turn libaucommon into a libtool convenience library (#147) - -This makes sure that the functions compiled into libaucommon -(audit_strsplit_r,...) end up in the libaudit/libauparse static library - -Fixes: #146 ---- - audisp/plugins/remote/Makefile.am | 2 +- - audisp/plugins/syslog/Makefile.am | 2 +- - auparse/Makefile.am | 4 ++-- - auparse/test/Makefile.am | 6 +++--- - common/Makefile.am | 6 +++--- - lib/Makefile.am | 4 ++-- - 6 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/audisp/plugins/remote/Makefile.am b/audisp/plugins/remote/Makefile.am -index 0066e25..bd3f301 100644 ---- a/audisp/plugins/remote/Makefile.am -+++ b/audisp/plugins/remote/Makefile.am -@@ -33,7 +33,7 @@ man_MANS = audisp-remote.8 audisp-remote.conf.5 - check_PROGRAMS = test-queue - TESTS = $(check_PROGRAMS) - --audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a -+audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la - audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c - audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef - audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -diff --git a/audisp/plugins/syslog/Makefile.am b/audisp/plugins/syslog/Makefile.am -index 55ca77b..353229e 100644 ---- a/audisp/plugins/syslog/Makefile.am -+++ b/audisp/plugins/syslog/Makefile.am -@@ -29,7 +29,7 @@ plugin_conf = syslog.conf - sbin_PROGRAMS = audisp-syslog - man_MANS = audisp-syslog.8 - --audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a -+audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la - audisp_syslog_SOURCES = audisp-syslog.c - audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef - audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -diff --git a/auparse/Makefile.am b/auparse/Makefile.am -index b853003..d180c34 100644 ---- a/auparse/Makefile.am -+++ b/auparse/Makefile.am -@@ -45,8 +45,8 @@ 
libauparse_la_SOURCES = lru.c interpret.c nvlist.c ellist.c \ - normalize_record_map.h normalize_syscall_map.h - nodist_libauparse_la_SOURCES = $(BUILT_SOURCES) - --libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a --libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a -+libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la -+libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la - libauparse_la_LDFLAGS = -Wl,-z,relro - - message.c: -diff --git a/auparse/test/Makefile.am b/auparse/test/Makefile.am -index 89ffcc4..11d10b0 100644 ---- a/auparse/test/Makefile.am -+++ b/auparse/test/Makefile.am -@@ -29,17 +29,17 @@ AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib - - lookup_test_SOURCES = lookup_test.c - lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ -- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a -+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la - - auparse_test_SOURCES = auparse_test.c - auparse_test_LDFLAGS = -static - auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ -- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a -+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la - - auparselol_test_SOURCES = auparselol_test.c - auparselol_test_LDFLAGS = -static - auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \ -- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a -+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la - - drop_srcdir = sed 's,$(srcdir)/test,test,' - -diff --git a/common/Makefile.am b/common/Makefile.am -index 9e00cbc..8b9aacb 100644 ---- a/common/Makefile.am -+++ b/common/Makefile.am -@@ -24,7 +24,7 @@ CONFIG_CLEAN_FILES = *.rej *.orig - AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC 
-I${top_srcdir} -I${top_srcdir}/lib - - noinst_HEADERS = common.h --libaucommon_a_DEPENDENCIES = ../config.h --libaucommon_a_SOURCES = audit-fgets.c strsplit.c --noinst_LIBRARIES = libaucommon.a -+libaucommon_la_DEPENDENCIES = ../config.h -+libaucommon_la_SOURCES = audit-fgets.c strsplit.c -+noinst_LTLIBRARIES = libaucommon.la - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index 107c444..12e5861 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -38,8 +38,8 @@ include_HEADERS = libaudit.h - libaudit_la_SOURCES = libaudit.c message.c netlink.c \ - lookup_table.c audit_logging.c deprecated.c \ - dso.h private.h errormsg.h --libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a --libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a -+libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la -+libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la - libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) - nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) - diff -Nru audit-3.0/debian/patches/series audit-3.0.7/debian/patches/series --- audit-3.0/debian/patches/series 2021-01-24 02:41:27.000000000 +0000 +++ audit-3.0.7/debian/patches/series 2022-02-11 10:34:48.000000000 +0000 @@ -1,4 +1,3 @@ 01-no-refusemanualstop.patch 02-restorecon-path.patch 03-Set-log_group-adm.patch -0004-Turn-libaucommon-into-a-libtool-convenience-library-.patch diff -Nru audit-3.0/debian/rules audit-3.0.7/debian/rules --- audit-3.0/debian/rules 2021-01-24 02:41:27.000000000 +0000 +++ audit-3.0.7/debian/rules 2022-02-11 10:34:48.000000000 +0000 
@@ -43,7 +43,6 @@
--libdir=/lib/${DEB_HOST_MULTIARCH} \
--enable-shared=audit \
--enable-gssapi-krb5 \
- --disable-listener \
--with-apparmor \
--with-libwrap \
--with-libcap-ng \
diff -Nru audit-3.0/docs/Makefile.am audit-3.0.7/docs/Makefile.am
--- audit-3.0/docs/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/Makefile.am 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
# Makefile.am --
-# Copyright 2004-09,2012,2014-18 Red Hat Inc., Durham, North Carolina.
+# Copyright 2004-09,2012,2014-18 Red Hat Inc.
# All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
@@ -13,8 +13,9 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
#
# Authors:
# Steve Grubb
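Review bot: The reversal of `--disable-listener` in the configure arguments is undocumented in debian/rules, even though the Ubuntu changelog entries removed earlier in this diff record that the flag was added precisely to shrink the remote attack surface of auditd, which runs as root. Now that the network listener is compiled in, a comment above the configure block, e.g. `# Network listener is built in; it is inactive unless tcp_listen_port is set in auditd.conf`, would make the exposure explicit to the next maintainer, and the changelog entry for this upload should give the rationale for re-enabling it. Keeping `--with-libwrap` alongside is consistent, since tcp_wrappers only matters for the listener code path. Whether the default runtime exposure is unchanged depends on the shipped auditd.conf leaving tcp_listen_port unset, which this diff does not show and is worth confirming. The configure invocation this line belongs to begins and ends outside the hunk.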
@@ -32,11 +33,14 @@ audit_log_acct_message.3 audit_log_user_avc_message.3 \ audit_log_user_command.3 audit_log_user_comm_message.3 \ audit_log_user_message.3 audit_log_semanage_message.3 \ -audit_open.3 audit_request_rules_list_data.3 \ +auparse_new_buffer.3 audit_open.3 audit_close.3 \ +audit_is_enabled.3 audit_request_rules_list_data.3 \ audit_request_signal_info.3 audit_request_status.3 audit.rules.7 \ audit_set_backlog_limit.3 audit_set_enabled.3 audit_set_failure.3 \ audit_setloginuid.3 audit_set_pid.3 audit_set_rate_limit.3 \ -audit_update_watch_perms.3 auparse_add_callback.3 \ +audit_update_watch_perms.3 audit_value_needs_encoding.3 \ +audit_encode_value.3 auparse_add_callback.3 audit_name_to_syscall.3 \ +audit_syscall_to_name.3 \ auparse_destroy.3 auparse_feed.3 auparse_feed_age_events.3 \ auparse_feed_has_data.3 auparse_find_field.3 \ auparse_find_field_next.3 auparse_first_field.3 auparse_first_record.3 \ @@ -53,7 +57,7 @@ auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \ auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \ auparse_normalize.3 auparse_normalize_functions.3 \ -auparse_timestamp_compare.3 ausearch-expression.5 \ +auparse_timestamp_compare.3 auparse_set_eoe_timeout.3 ausearch-expression.5 \ aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \ ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \ ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \ diff -Nru audit-3.0/docs/Makefile.in audit-3.0.7/docs/Makefile.in --- audit-3.0/docs/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/docs/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am -- -# Copyright 2004-09,2012,2014-18 Red Hat Inc., Durham, North Carolina. +# Copyright 2004-09,2012,2014-18 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify 
@@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -321,6 +322,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -344,11 +346,14 @@ audit_log_acct_message.3 audit_log_user_avc_message.3 \ audit_log_user_command.3 audit_log_user_comm_message.3 \ audit_log_user_message.3 audit_log_semanage_message.3 \ -audit_open.3 audit_request_rules_list_data.3 \ +auparse_new_buffer.3 audit_open.3 audit_close.3 \ +audit_is_enabled.3 audit_request_rules_list_data.3 \ audit_request_signal_info.3 audit_request_status.3 audit.rules.7 \ audit_set_backlog_limit.3 audit_set_enabled.3 audit_set_failure.3 \ audit_setloginuid.3 audit_set_pid.3 audit_set_rate_limit.3 \ -audit_update_watch_perms.3 auparse_add_callback.3 \ +audit_update_watch_perms.3 audit_value_needs_encoding.3 \ +audit_encode_value.3 auparse_add_callback.3 audit_name_to_syscall.3 \ +audit_syscall_to_name.3 \ auparse_destroy.3 auparse_feed.3 auparse_feed_age_events.3 \ auparse_feed_has_data.3 auparse_find_field.3 \ auparse_find_field_next.3 auparse_first_field.3 auparse_first_record.3 \ 
@@ -365,7 +370,7 @@ auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \ auparse_node_compare.3 auparse_reset.3 auparse_set_escape_mode.3 \ auparse_normalize.3 auparse_normalize_functions.3 \ -auparse_timestamp_compare.3 ausearch-expression.5 \ +auparse_timestamp_compare.3 auparse_set_eoe_timeout.3 ausearch-expression.5 \ aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \ ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \ ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \ diff -Nru audit-3.0/docs/audispd-zos-remote.8 audit-3.0.7/docs/audispd-zos-remote.8 --- audit-3.0/docs/audispd-zos-remote.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audispd-zos-remote.8 2022-01-23 19:36:56.000000000 +0000 @@ -18,7 +18,7 @@ .\" Changelog: .\" 2007-10-06, created by Klaus Heinrich Kiwi .\" -.TH AUDISP-RACF 8 "Oct 2007" "IBM" "System Administration Utilities" +.TH AUDISPD-ZOS-REMOTE 8 "Oct 2007" "IBM" "System Administration Utilities" .SH NAME audispd\-zos\-remote \- z/OS Remote-services Audit dispatcher plugin .SH SYNOPSIS @@ -71,7 +71,7 @@ .SH IBM z/OS ITDS Server and RACF configuration In order to use this plugin, you must have an IBM z/OS v1R8 (or higher) server with IBM Tivoli Directory Server (ITDS) configured for Remote Audit service. For more detailed information about how to configure the z/OS server for Remote Auditing, refer to -.B z/OS V1R8.0-9.0 Intergrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference +.B z/OS V1R8.0-9.0 Integrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference .nf .RI ( http://publibz.boulder.ibm.com/cgi\-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119 ), chapter "2.0 - Working with remote services". 
@@ -196,7 +196,7 @@ this list will bring all the field names and values in a .B fieldname=value format, as a type 114 -.RB ( "Appication specific Data" ) +.RB ( "Application specific Data" ) relocate. The plug-in will try to interpret those fields (i.e.: use human-readable username .B root instead of numeric userid @@ -222,14 +222,14 @@ The user ID associated with the ITDS doesn't have READ access to the IRR.AUDITX FACILITY Class profile. See .B IBM z/OS RACF Server configuration .TP -.B UNSUF_AUTH - The user has unsuficient authority for the requested function +.B UNSUF_AUTH - The user has unsufficient authority for the requested function The RACF user ID used to perform Remote Audit requests (as configured in .BR zos-remote.conf (5)) don't have access to the IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See .B IBM z/OS RACF Server configuration .SH BUGS -The plugin currently does remote auditing in a best-effort basis, and will dischard events in case the z/OS server cannot be contacted (network failures) or in any other case that event submission fails. +The plugin currently does remote auditing in a best-effort basis, and will discard events in case the z/OS server cannot be contacted (network failures) or in any other case that event submission fails. .SH FILES /etc/audit/plugins.d/audispd\-zos\-remote.conf diff -Nru audit-3.0/docs/audit.rules.7 audit-3.0.7/docs/audit.rules.7 --- audit-3.0/docs/audit.rules.7 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audit.rules.7 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUDIT.RULES: "7" "Jan 2019" "Red Hat" "System Administration Utilities" +.TH AUDIT.RULES "7" "Jan 2019" "Red Hat" "System Administration Utilities" .SH NAME audit.rules \- a set of rules loaded in the kernel audit system .SH DESCRIPTION 
@@ -43,7 +43,7 @@ .SS System Call The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. -The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. +The Linux kernel has 5 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude, and filesystem. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. The exit filter is the place where all syscall and file system audit requests are evaluated. @@ -71,7 +71,7 @@ .RE The action and list are separated by a comma but no space in between. Valid lists are: -.IR task ", " exit ", " user ", and " exclude ". Their meaning was explained earlier. +.IR task ", " exit ", " user ", " exclude ", and " filesystem ". Their meaning was explained earlier. Next in the rule would normally be the .B \-S 
@@ -113,7 +113,7 @@ This will give an ordered listing of the keys associated with rules that have been triggering. If, for example, you had a syscall audit rule that triggered on the failure to open files with EPERM that had a key field of access like this: .nf -\-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access +\-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access .fi Then you can isolate these failures with ausearch and pipe the results to aureport for display. Suppose your investigation noticed a lot of the access denied events. If you wanted to see the files that unauthorized access has been attempted, you could run the following command: @@ -166,10 +166,10 @@ The following rule shows how to audit failed access to files due to permission problems. Note that it takes two rules for each arch ABI to audit this since file access can fail with two different failure codes indicating permission problems. .nf -.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EACCES \-k access -.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EPERM \-k access -.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EACCES \-k access -.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access +.B \-a always,exit \-F arch=b32 \-S open \-S openat \-S openat2 \-F exit=\-EACCES \-k access +.B \-a always,exit \-F arch=b32 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access +.B \-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EACCES \-k access +.B \-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access .fi .SH HARD WIRED EVENTS diff -Nru audit-3.0/docs/audit_add_rule_data.3 audit-3.0.7/docs/audit_add_rule_data.3 --- audit-3.0/docs/audit_add_rule_data.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audit_add_rule_data.3 2022-01-23 19:36:56.000000000 +0000 
@@ -4,11 +4,11 @@ .SH "SYNOPSIS" .B #include .sp -int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action); +int audit_add_rule_data(int fd, struct audit_rule_data *rule, int flags, int action); .SH "DESCRIPTION" -audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: +audit_add_rule_data adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: .TP 3 \(bu @@ -45,7 +45,7 @@ .SH "SEE ALSO" -.BR audit_rule_fieldpair_data(3), +.BR audit_rule_fieldpair_data (3), .BR audit_delete_rule_data (3), .BR auditctl (8). diff -Nru audit-3.0/docs/audit_close.3 audit-3.0.7/docs/audit_close.3 --- audit-3.0/docs/audit_close.3 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/docs/audit_close.3 2022-01-23 19:36:56.000000000 +0000 @@ -0,0 +1,27 @@ +.TH "AUDIT_CLOSE" "3" "Apr 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_close \- Close the audit netlink socket connection +.SH "SYNOPSIS" +.nf +.B #include +.PP +.BI "void audit_close(int " fd ); +.fi +.SH "DESCRIPTION" +.BR audit_close () +closes the NETLINK_AUDIT socket that communicates with the kernel part of the Linux Audit Subsystem. +.I fd +must have been returned by +.BR audit_open (3). + +.SH "RETURN VALUE" + +None. + +.SH "SEE ALSO" + +.BR audit_open (3), +.BR netlink (7). + +.SH AUTHOR +Steve Grubb diff -Nru audit-3.0/docs/audit_delete_rule_data.3 audit-3.0.7/docs/audit_delete_rule_data.3 --- audit-3.0/docs/audit_delete_rule_data.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audit_delete_rule_data.3 2022-01-23 19:36:56.000000000 +0000 
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include .sp -int audit_delete_rule_data (int fd, struct audit_rule_data *rule, int flags, int action); +int audit_delete_rule_data(int fd, struct audit_rule_data *rule, int flags, int action); .SH "DESCRIPTION" diff -Nru audit-3.0/docs/audit_detect_machine.3 audit-3.0.7/docs/audit_detect_machine.3 --- audit-3.0/docs/audit_detect_machine.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audit_detect_machine.3 2022-01-23 19:36:56.000000000 +0000 @@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include .sp -int audit_detect_machine (void); +int audit_detect_machine(void); .SH "DESCRIPTION" diff -Nru audit-3.0/docs/audit_encode_nv_string.3 audit-3.0.7/docs/audit_encode_nv_string.3 --- audit-3.0/docs/audit_encode_nv_string.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/audit_encode_nv_string.3 2022-01-23 19:36:56.000000000 +0000 
@@ -9,7 +9,7 @@ .SH DESCRIPTION This function is used to encode a name/value pair. This should be used on any field being logged that potentially contains a space, a double-quote, or a control character. Any value containing those have to be specially encoded for the auparse library to correctly handle the value. The encoding method is designed to prevent log injection attacks where malicious values could cause parsing errors. -To use this function, pass the name string and value strings on their respective arguments. If the value is likely to have a NUL value embedded within it, you will need to pass a value length that tells in bytes how big the value is. Otherwise, you can pass a 0 for vlen and the function will simply use strlen against the value pointer. Also be aware that the name of the field will cause auparse to do certain things when interpretting the value. If the name is uid, a user id value in decimal is expected. Make sure that well known names are used for their intended purpose or that there is no chance of name collision with something new. +To use this function, pass the name string and value strings on their respective arguments. If the value is likely to have a NUL value embedded within it, you will need to pass a value length that tells in bytes how big the value is. Otherwise, you can pass a 0 for vlen and the function will simply use strlen against the value pointer. Also be aware that the name of the field will cause auparse to do certain things when interpreting the value. If the name is uid, a user id value in decimal is expected. Make sure that well known names are used for their intended purpose or that there is no chance of name collision with something new. .SH "RETURN VALUE" diff -Nru audit-3.0/docs/audit_encode_value.3 audit-3.0.7/docs/audit_encode_value.3 --- audit-3.0/docs/audit_encode_value.3 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/docs/audit_encode_value.3 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,36 @@
+.TH "AUDIT_ENCODE_VALUE" "3" "May 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_encode_value \- encode input string to ASCII code string
+.SH "SYNOPSIS"
+.nf
+.B #include
+.PP
+.BI "char *audit_encode_value(char *" final ", const char *" buf ", unsigned int " size ");
+.fi
+.SH "DESCRIPTION"
+.BR audit_encode_value ()
+encodes a string given by
+.I buf
+to a ASCII code string.
+.I final
+is the hexadecimal string encoded to ASCII code.
+.I size
+is the length of the string given by
+.IR buf .
+
+e.g.: "foo bar" is encoded as "666F6F20626172". "\\1\\2\\3\\4" is encoded as "01020304".
+
+.SH "RETURN VALUE"
+
+Returns a encoded string same as
+.I final
+or, NULL on error.
+
+.SH "SEE ALSO"
+
+.BR audit_encode_nv_string (3),
+.BR audit_value_needs_encoding (3).
+
+.SH AUTHOR
+Steve Grubb
+
diff -Nru audit-3.0/docs/audit_get_reply.3 audit-3.0.7/docs/audit_get_reply.3
--- audit-3.0/docs/audit_get_reply.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_get_reply.3 2022-01-23 19:36:56.000000000 +0000
@@ -11,7 +11,7 @@
 .SH "RETURN VALUE"
-This function returns \-1 on error, 0 if error response received, and positive value on success.
+This function returns \-errno on error, 0 if error response received, and positive value on success.
 .SH "SEE ALSO"
diff -Nru audit-3.0/docs/audit_is_enabled.3 audit-3.0.7/docs/audit_is_enabled.3
--- audit-3.0/docs/audit_is_enabled.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/audit_is_enabled.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,27 @@
+.TH "AUDIT_IS_ENABLED" "3" "May 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_is_enabled \- judge whether auditing is enabled or not
+.SH "SYNOPSIS"
+.nf
+.B #include
+.PP
+.BI "int audit_is_enabled(int " fd ");
+.fi
+.SH "DESCRIPTION"
+.BR audit_is_enabled ()
+judges whether auditing is enabled or not.
+.I fd
+must have been returned by
+.BR audit_open (3).
+
+.SH "RETURN VALUE"
+
+This function will return 0 if auditing is NOT enabled and 1 if enabled, and -1 on error.
+
+.SH "SEE ALSO"
+
+.BR audit_set_enabled (3).
+
+.SH AUTHOR
+Steve Grubb
+
diff -Nru audit-3.0/docs/audit_log_semanage_message.3 audit-3.0.7/docs/audit_log_semanage_message.3
--- audit-3.0/docs/audit_log_semanage_message.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_log_semanage_message.3 2022-01-23 19:36:56.000000000 +0000
@@ -13,7 +13,7 @@
 .SH DESCRIPTION
 This function will log a message to the audit system using a predefined
-message format. It should be used for all SE linux user and role
+message format. It should be used for all SE Linux user and role
 manipulation operations. The function parameters are as follows:
 .nf
diff -Nru audit-3.0/docs/audit_log_user_avc_message.3 audit-3.0.7/docs/audit_log_user_avc_message.3
--- audit-3.0/docs/audit_log_user_avc_message.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_log_user_avc_message.3 2022-01-23 19:36:56.000000000 +0000
@@ -33,7 +33,7 @@
 .BR audit_log_user_message (3),
 .BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
+.BR audit_log_user_comm_message (3),
 .BR audit_log_semanage_message (3).
 .SH AUTHOR
diff -Nru audit-3.0/docs/audit_name_to_syscall.3 audit-3.0.7/docs/audit_name_to_syscall.3
--- audit-3.0/docs/audit_name_to_syscall.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/audit_name_to_syscall.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,31 @@
+.TH "AUDIT_NAME_TO_SYSCALL" "3" "Nov 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_name_to_syscall \- Convert the syscall name to the numeric syscall value
+.SH "SYNOPSIS"
+.nf
+.B #include
+.PP
+.BI "int audit_name_to_syscall(const char " *sc ", int " machine );
+.fi
+.SH "DESCRIPTION"
+.BR audit_name_to_syscall ()
+converts the syscall name to the numeric syscall value.
+.I sc
+is the syscall name.
+.I machine
+is the enum value of the machine type defined in machine_t.
+.I machine
+can be obtained by calling
+.BR audit_detect_machine (3).
+
+.SH "RETURN VALUE"
+
+Returns -1 if an error occurs; otherwise, the return value is the numeric syscall value.
+
+.SH "SEE ALSO"
+
+.BR audit_syscall_to_name (3),
+.BR audit_detect_machine (3).
+
+.SH AUTHOR
+Steve Grubb
diff -Nru audit-3.0/docs/audit_open.3 audit-3.0.7/docs/audit_open.3
--- audit-3.0/docs/audit_open.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_open.3 2022-01-23 19:36:56.000000000 +0000
@@ -4,7 +4,7 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-int audit_open (void);
+int audit_open(void);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_request_rules_list_data.3 audit-3.0.7/docs/audit_request_rules_list_data.3
--- audit-3.0/docs/audit_request_rules_list_data.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_request_rules_list_data.3 2022-01-23 19:36:56.000000000 +0000
@@ -1,10 +1,10 @@
-.TH "AUDIT_REQUEST_LIST_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API"
+.TH "AUDIT_REQUEST_RULES_LIST_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API"
 .SH NAME
 audit_request_rules_list_data \- Request list of current audit rules
 .SH "SYNOPSIS"
 .B #include
 .sp
-int audit_request_rules_list_data (int fd);
+int audit_request_rules_list_data(int fd);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_request_signal_info.3 audit-3.0.7/docs/audit_request_signal_info.3
--- audit-3.0/docs/audit_request_signal_info.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_request_signal_info.3 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH "AUDIT_" "3" "Feb 2007" "Red Hat" "Linux Audit API"
+.TH "AUDIT_REQUEST_SIGNAL_INFO" "3" "Feb 2007" "Red Hat" "Linux Audit API"
 .SH NAME
 audit_request_signal_info \- Request signal info for the audit system
 .SH "SYNOPSIS"
diff -Nru audit-3.0/docs/audit_request_status.3 audit-3.0.7/docs/audit_request_status.3
--- audit-3.0/docs/audit_request_status.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_request_status.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_request_status (int fd);
+int audit_request_status(int fd);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_set_backlog_limit.3 audit-3.0.7/docs/audit_set_backlog_limit.3
--- audit-3.0/docs/audit_set_backlog_limit.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_backlog_limit.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_backlog_limit (int fd, int limit);
+int audit_set_backlog_limit(int fd, uint32_t limit);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_set_backlog_wait_time.3 audit-3.0.7/docs/audit_set_backlog_wait_time.3
--- audit-3.0/docs/audit_set_backlog_wait_time.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_backlog_wait_time.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_backlog_wait_time (int fd, int wait_time);
+int audit_set_backlog_wait_time(int fd, uint32_t bwt);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_set_enabled.3 audit-3.0.7/docs/audit_set_enabled.3
--- audit-3.0/docs/audit_set_enabled.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_enabled.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_enabled (int fd, int enabled);
+int audit_set_enabled(int fd, uint32_t enabled);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_set_failure.3 audit-3.0.7/docs/audit_set_failure.3
--- audit-3.0/docs/audit_set_failure.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_failure.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_failure(int fd, int failure);
+int audit_set_failure(int fd, uint32_t failure);
 .SH "DESCRIPTION"
@@ -29,7 +29,7 @@
 .SH "SEE ALSO"
-.BR audit_set_backlog (3),
+.BR audit_set_backlog_limit (3),
 .BR audit_open (3),
 .BR auditd (8),
 .BR auditctl (8).
diff -Nru audit-3.0/docs/audit_set_pid.3 audit-3.0.7/docs/audit_set_pid.3
--- audit-3.0/docs/audit_set_pid.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_pid.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_pid (int fd, int pid, rep_wait_t wmode);
+int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_set_rate_limit.3 audit-3.0.7/docs/audit_set_rate_limit.3
--- audit-3.0/docs/audit_set_rate_limit.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_set_rate_limit.3 2022-01-23 19:36:56.000000000 +0000
@@ -5,7 +5,7 @@
 .B #include
 .sp
-int audit_set_rate_limit (int fd, int limit);
+int audit_set_rate_limit(int fd, uint32_t limit);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/audit_setloginuid.3 audit-3.0.7/docs/audit_setloginuid.3
--- audit-3.0/docs/audit_setloginuid.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/audit_setloginuid.3 2022-01-23 19:36:56.000000000 +0000
@@ -10,7 +10,7 @@
 This function sets the task attribute loginuid with the value of uid. The loginuid value may only be set by programs with the CAP_AUDIT_CONTROL capability. This normally means the root account.
 .sp
-The loginuid value is part of the task structure and is inheritted by child processes. It is used to track what account a user gained system access with. All system entry point programs should set this value right before changing to the uid of the user granted access so that audit events are properly attributed to the that user.
+The loginuid value is part of the task structure and is inherited by child processes. It is used to track what account a user gained system access with. All system entry point programs should set this value right before changing to the uid of the user granted access so that audit events are properly attributed to the that user.
 .SH "RETURN VALUE"
diff -Nru audit-3.0/docs/audit_syscall_to_name.3 audit-3.0.7/docs/audit_syscall_to_name.3
--- audit-3.0/docs/audit_syscall_to_name.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/audit_syscall_to_name.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,31 @@
+.TH "AUDIT_SYSCALL_TO_NAME" "3" "Nov 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_syscall_to_name \- Convert the numeric syscall value to the syscall name
+.SH "SYNOPSIS"
+.nf
+.B #include
+.PP
+.BI "const char *audit_syscall_to_name(int " sc ", int " machine );
+.fi
+.SH "DESCRIPTION"
+.BR audit_syscall_to_name ()
+converts the numeric syscall value to the syscall name.
+.I sc
+is the numeric syscall value.
+.I machine
+is the enum value of the machine type defined in machine_t.
+.I machine
+can be obtained by calling
+.BR audit_detect_machine (3).
+
+.SH "RETURN VALUE"
+
+Returns NULL if an error occurs; otherwise, the return value is the syscall name.
+
+.SH "SEE ALSO"
+
+.BR audit_name_to_syscall (3),
+.BR audit_detect_machine (3).
+
+.SH AUTHOR
+Steve Grubb
diff -Nru audit-3.0/docs/audit_value_needs_encoding.3 audit-3.0.7/docs/audit_value_needs_encoding.3
--- audit-3.0/docs/audit_value_needs_encoding.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/audit_value_needs_encoding.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,27 @@
+.TH "AUDIT_VALUE_NEEDS_ENCODING" "3" "Apr 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_value_needs_encoding \- check a string to see if it needs encoding
+.SH "SYNOPSIS"
+.nf
+.B #include
+.PP
+.BI "int audit_value_needs_encoding(const char *" str ", unsigned int " size ");
+.fi
+.SH "DESCRIPTION"
+.BR audit_value_needs_encoding ()
+checks a string to see if it needs encoding. Specifically, this function checks if the string contains a space, a double-quote, or a control character.
+.I str
+is the string to check if encoding is needed.
+.I size
+is the length of str.
+
+.SH "RETURN VALUE"
+
+The return value if encoding is needed is 1. If not needed is 0.
+
+.SH "SEE ALSO"
+
+.BR audit_encode_nv_string (3).
+
+.SH AUTHOR
+Steve Grubb
diff -Nru audit-3.0/docs/auditctl.8 audit-3.0.7/docs/auditctl.8
--- audit-3.0/docs/auditctl.8 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auditctl.8 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH AUDITCTL: "8" "Aug 2018" "Red Hat" "System Administration Utilities"
+.TH AUDITCTL "8" "July 2021" "Red Hat" "System Administration Utilities"
 .SH NAME
 auditctl \- a utility to assist controlling the kernel's audit system
 .SH SYNOPSIS
@@ -52,7 +52,7 @@
 .BI \-R\ file
 Read rules from a \fIfile\fP. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash.
 .TP
-.BI \-\-signal signal
+.BI \-\-signal\ signal
 Send a signal to the audit daemon. You must have privileges to do this. Supported signals are
 .I TERM, HUP, USR1, USR2, CONT.
 .TP
@@ -261,7 +261,7 @@
 Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may also be used. If the given syscall is made by a program, then start an audit record. If a field rule is given and no syscall is specified, it will default to all syscalls. You may also specify multiple syscalls in the same rule by using multiple \-S options in the same rule. Doing so improves performance since fewer rules need to be evaluated. Alternatively, you may pass a comma separated list of syscall names. If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that any syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info.
 .TP
 .BI \-w\ path
-Insert a watch for the file system object at \fIpath\fP. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the \-F path option on a syscall rule. If you place a watch on a directory, its the same as using the \-F dir option on a syscall rule. The \-w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the \-p and \-k.
If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another.
+Insert a watch for the file system object at \fIpath\fP. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the \-F path option on a syscall rule. If you place a watch on a directory, its the same as using the \-F dir option on a syscall rule. The \-w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the \-p and \-k. If you need to do anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another.
 .TP
 .BI \-W\ path
 Remove a watch for the file system object at \fIpath\fP. The rule must match exactly. See \fB-d\fP discussion for more info.
@@ -292,7 +292,10 @@
 To see all syscalls made by a specific program:
 .nf
+# By pid:
 .B auditctl \-a always,exit \-S all \-F pid=1005
+# By executable path
+.B auditctl \-a always,exit \-S all \-F exe=/usr/bin/ls
 .fi
 To see files opened by a specific user:
@@ -327,12 +330,22 @@
 .B auditctl \-a always,exit \-F dir=/home/ \-F uid=0 \-C auid!=obj_uid
 .fi
+.SH DISABLED BY DEFAULT
+
+On many systems auditd is configured to install an
+.B -a never,task
+rule by default. This rule causes every new process to skip all audit rule processing. This is usually done to avoid a small performance overhead imposed by syscall auditing. If you want to use auditd, you need to remove that rule by deleting 10-no-audit.rules and adding 10-base-config.rules to the audit rules directory.
+
+If you have defined audit rules that are not matching when they should, check auditctl -l to make sure there is no never,task rule there.
+
 .SH FILES
 .TP
 .I /etc/audit/audit.rules /etc/audit/audit-stop.rules
 .SH "SEE ALSO"
 .BR audit.rules (7),
+.BR ausearch(8),
+.BR aureport(8),
 .BR auditd (8).
 .SH AUTHOR
diff -Nru audit-3.0/docs/auditd-plugins.5 audit-3.0.7/docs/auditd-plugins.5
--- audit-3.0/docs/auditd-plugins.5 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auditd-plugins.5 2022-01-23 19:36:56.000000000 +0000
@@ -1,6 +1,6 @@
-.TH AUDIT-PLUGINS: "5" "Aug 2018" "Red Hat" "System Administration Utilities"
+.TH AUDITD-PLUGINS "5" "Aug 2018" "Red Hat" "System Administration Utilities"
 .SH NAME
-audit-plugins \- realtime event receivers
+auditd-plugins \- realtime event receivers
 .SH DESCRIPTION
 \fBauditd\fP can multiplex audit events in realtime. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to its child processes so that can reload the configuration or terminate.
@@ -8,7 +8,7 @@
 .B plugin_dir
 if the admin wished to locate plugins somewhere else. But auditd will install its plugins in the default location.
-The plugin directory will be scanned and every pluging that is active will be started. If the plugin has a problem and exits, it will be started a maximum of
+The plugin directory will be scanned and every plugin that is active will be started. If the plugin has a problem and exits, it will be started a maximum of
 .B max_restarts
 times as found in auditd.conf.
diff -Nru audit-3.0/docs/auditd.8 audit-3.0.7/docs/auditd.8
--- audit-3.0/docs/auditd.8 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auditd.8 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH "AUDITD" "8" "Sept 2013" "Red Hat" "System Administration Utilities"
+.TH "AUDITD" "8" "Sept 2021" "Red Hat" "System Administration Utilities"
 .SH NAME
 auditd \- The Linux Audit daemon
 .SH SYNOPSIS
@@ -35,24 +35,41 @@
 be passed to the dispatcher. (default: /etc/audit/)
 .SH SIGNALS
 .TP
-SIGHUP
+.B SIGHUP
 causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf.
 .TP
-SIGTERM
+.B SIGTERM
 caused auditd to discontinue processing audit events, write a shutdown audit event, and exit.
 .TP
-SIGUSR1
+.B SIGUSR1
 causes auditd to immediately rotate the logs. It will consult the max_log_file_action to see if it should keep the logs or not.
 .TP
-SIGUSR2
+.B SIGUSR2
 causes auditd to attempt to resume logging and passing events to plugins. This is usually needed after logging has been suspended or the internal queue is overflowed. Either of these conditions depends on the applicable configuration settings.
 .TP
-SIGCONT
+.B SIGCONT
 causes auditd to dump a report of internal state to /var/run/auditd.state.
+.SH EXIT CODES
+.TP
+.B 1
+Cannot adjust priority, daemonize, open audit netlink, write the pid file, start up plugins, resolve the machine name, set audit pid, or other initialization tasks.
+
+.TP
+.B 2
+Invalid or excessive command line arguments
+
+.TP
+.B 4
+The audit daemon doesn't have sufficient privilege
+
+.TP
+.B 6
+There is an error in the configuration file
+
 .SH FILES
 .B /etc/audit/auditd.conf - configuration file for audit daemon
diff -Nru audit-3.0/docs/auditd.conf.5 audit-3.0.7/docs/auditd.conf.5
--- audit-3.0/docs/auditd.conf.5 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auditd.conf.5 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH AUDITD.CONF: "5" "August 2018" "Red Hat" "System Administration Utilities"
+.TH AUDITD.CONF "5" "August 2018" "Red Hat" "System Administration Utilities"
 .SH NAME
 auditd.conf \- audit daemon configuration file
 .SH DESCRIPTION
@@ -148,7 +148,7 @@
 .IR space_left
 is set to 25%, then the audit daemon sets
 .IR space_left
-to approxiatemly 500 megabytes. Note that this calculation is performed when the audit daemon starts, so if you resize the filesystem containing
+to approximately 500 megabytes. Note that this calculation is performed when the audit daemon starts, so if you resize the filesystem containing
 .IR log_file
 while the audit daemon is running, you should send the audit daemon SIGHUP to re-read the configuration file and recalculate the correct percentage.
 .TP
@@ -207,8 +207,7 @@
 .I single
 option will cause the audit daemon to put the computer system in single user mode. The
 .I halt
-option will cause the audit daemon to shutdown the computer system. Except for r
-otate, it will perform this action just one time.
+option will cause the audit daemon to shutdown the computer system. Except for rotate, it will perform this action just one time.
 .TP
 .I disk_full_action
 This parameter tells the system what action to take when the system has
@@ -286,7 +285,7 @@
 by a dash (no spaces allowed). It indicates which client ports are allowed for incoming connections. If not specified, any port is allowed. Allowed values are 1..65535. For example, to require the
-client use a priviledged port, specify
+client use a privileged port, specify
 .I 1\-1023
 for this parameter. You will also need to set the local_port option in the audisp-remote.conf file. Making sure that clients send from a privileged port is a security feature to prevent log injection attacks by untrusted users.
 .TP
@@ -328,7 +327,7 @@
 dispatcher for processing. The default is "no".
 .TP
 .I q_depth
-This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 400.
+This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 1200.
 .TP
 .I overflow_action
 This option determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events are being received than it can pass along to child processes. This error means that it is going to lose the current event that it's trying to dispatch. This option has the following choices:
@@ -350,7 +349,17 @@
 .TP
 .I plugin_dir
 This is the location that auditd will use to search for its plugin configuration files.
-
+.TP
+.I end_of_event_timeout
+This is a non-negative number of seconds used by the userspace
+.I auparse()
+library routines and the
+.I aureport(8)
+,
+.I ausearch(8)
+utilities to consider an event is complete when parsing an event log stream. For an event stream being processed, if the time of the current event is over
+.I end_of_event_timeout
+seconds old, compared to co-located events, then the event is considered complete. See the NOTES section for more detail.
 .SH NOTES
 In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.
 .PP
@@ -371,6 +380,47 @@
 recreate a connection with the same host addresses and ports until the connection closure TIME_WAIT state times out.
+.PP
+Auditd events are made up of one or more records. The auditd system cannot guarantee that the set of records that make up an event will occur atomically, that is the stream will have interleaved records of different events, IE
+.PP
+.RS
+.br
+event0_record0
+.br
+event1_record0
+.br
+event2_record0
+.br
+event1_record3
+.br
+event2_record1
+.br
+event1_record4
+.br
+event3_record0
+.br
+.RE
+.PP
+The auditd system does not guarantee that the records that make up an event will appear in order. Thus, when processing event streams, we need to maintain a list of events with their own list of records hence List of List (LOL) event processing.
+
+When processing an event stream we define the end of an event via
+.P
+.RS
+record type = AUDIT_EOE (audit end of event type record), or
+.br
+record type = AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE is always the last record), or
+.br
+record type = AUDIT_KERNEL (kernel events are one record events), or
+.br
+record type < AUDIT_FIRST_EVENT (only single record events appear before this type), or
+.br
+record type >= AUDIT_FIRST_ANOM_MSG (only single record events appear after this type), or
+.br
+record type >= AUDIT_MAC_UNLBL_ALLOW && record type <= AUDIT_MAC_CALIPSO_DEL (these are also one record events), or
+.br
+for the stream being processed, the time of the event is over end_of_event_timeout seconds old.
+.RE
+
 .SH FILES
 .TP
 .I /etc/audit/auditd.conf
diff -Nru audit-3.0/docs/augenrules.8 audit-3.0.7/docs/augenrules.8
--- audit-3.0/docs/augenrules.8 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/augenrules.8 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH AUGENRULES: "8" "Apr 2013" "Red Hat" "System Administration Utilities"
+.TH AUGENRULES "8" "Apr 2013" "Red Hat" "System Administration Utilities"
 .SH NAME
 augenrules \- a script that merges component audit rule files
 .SH SYNOPSIS
@@ -36,6 +36,6 @@
 /etc/audit/rules.d/ /etc/audit/audit.rules
 .SH "SEE ALSO"
-.BR audit.rules (8),
+.BR audit.rules (7),
 .BR auditctl (8),
 .BR auditd (8).
diff -Nru audit-3.0/docs/auparse_add_callback.3 audit-3.0.7/docs/auparse_add_callback.3
--- audit-3.0/docs/auparse_add_callback.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_add_callback.3 2022-01-23 19:36:56.000000000 +0000
@@ -58,7 +58,7 @@
 .
 .SH "RETURN VALUE"
-Returns the previous callback pointer.
+None.
 .SH "SEE ALSO"
diff -Nru audit-3.0/docs/auparse_destroy.3 audit-3.0.7/docs/auparse_destroy.3
--- audit-3.0/docs/auparse_destroy.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_destroy.3 2022-01-23 19:36:56.000000000 +0000
@@ -4,9 +4,9 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.B void auparse_destroy (auparse_state_t *au);
+.B void auparse_destroy(auparse_state_t *au);
-.B void auparse_destroy_ext (auparse_state_t *au, auparse_destroy_what_t what);
+.B void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
 .SH "DESCRIPTION"
diff -Nru audit-3.0/docs/auparse_find_field.3 audit-3.0.7/docs/auparse_find_field.3
--- audit-3.0/docs/auparse_find_field.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_find_field.3 2022-01-23 19:36:56.000000000 +0000
@@ -1,4 +1,4 @@
-.TH "AUPARSE_FIND_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
+.TH "AUPARSE_FIND_FIELD" "3" "June 2021" "Red Hat" "Linux Audit API"
 .SH NAME
 auparse_find_field \- search for field name
 .SH "SYNOPSIS"
@@ -10,6 +10,8 @@
 auparse_find_field will scan all records in an event to find the first occurrence of the field name passed to it. Searching begins from the cursor's current position. The field name is stored for subsequent searching.
+NOTE: auparse creates 2 psuedo fields that do not exist in the natural record for SELinux AVC and USER_AVC decision and permissions. The field names are seresult and seperms respectively.
+
 .SH "RETURN VALUE"
 Returns NULL field not found. If an error occurs errno will be set. Otherwise, it returns a pointer to the text value associated with the field.
diff -Nru audit-3.0/docs/auparse_get_field_type.3 audit-3.0.7/docs/auparse_get_field_type.3
--- audit-3.0/docs/auparse_get_field_type.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_get_field_type.3 2022-01-23 19:36:56.000000000 +0000
@@ -12,7 +12,7 @@
 .SH "RETURN VALUE"
-Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpretted to access their value since those field's raw value is encoded.
+Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpreted to access their value since those field's raw value is encoded.
 .SH "SEE ALSO"
diff -Nru audit-3.0/docs/auparse_get_milli.3 audit-3.0.7/docs/auparse_get_milli.3
--- audit-3.0/docs/auparse_get_milli.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_get_milli.3 2022-01-23 19:36:56.000000000 +0000
@@ -18,7 +18,6 @@
 .BR auparse_get_timestamp (3),
 .BR auparse_get_time (3).
-.BR auparse_get_milli (3).
 .BR auparse_get_node (3).
 .SH AUTHOR
diff -Nru audit-3.0/docs/auparse_get_type.3 audit-3.0.7/docs/auparse_get_type.3
--- audit-3.0/docs/auparse_get_type.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_get_type.3 2022-01-23 19:36:56.000000000 +0000
@@ -16,7 +16,7 @@
 .SH "SEE ALSO"
-.BR auparse_get_type_name(3), auparse_next_record (3).
+.BR auparse_get_type_name (3), auparse_next_record (3).
 .SH AUTHOR
 Steve Grubb
diff -Nru audit-3.0/docs/auparse_get_type_name.3 audit-3.0.7/docs/auparse_get_type_name.3
--- audit-3.0/docs/auparse_get_type_name.3 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/docs/auparse_get_type_name.3 2022-01-23 19:36:56.000000000 +0000
@@ -16,7 +16,7 @@
 .SH "SEE ALSO"
-.BR auparse_get_type(3), auparse_next_record(3).
+.BR auparse_get_type (3), auparse_next_record (3).
 .SH AUTHOR
 Steve Grubb
diff -Nru audit-3.0/docs/auparse_new_buffer.3 audit-3.0.7/docs/auparse_new_buffer.3
--- audit-3.0/docs/auparse_new_buffer.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/auparse_new_buffer.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,38 @@
+.TH "AUPARSE_NEW_BUFFER" "3" "Feb 2021" "Red Hat" "Linux Audit API"
+.SH NAME
+auparse_new_buffer \- replace the buffer in the parser
+.SH "SYNOPSIS"
+.B #include
+.sp
+.nf
+int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len);
+.fi
+
+.TP
+.I au
+The audit parse state
+.TP
+.I data
+a buffer of data to give to the parser, it is
+.I data_len
+bytes long. The data is copied in the parser, upon return the caller may free or reuse the data buffer.
+.TP
+.I data_len
+number of bytes in
+.I data
+
+.SH "DESCRIPTION"
+
+.I auparse_new_buffer
+replaces the data that the parser works on.
+.I auparse_init()
+must have been called with a source type of AUSOURCE_BUFFER.
+
+.SH "RETURN VALUE"
+
+Returns 1 if an error occurs; otherwise, 0 for success.
+
+.SH "SEE ALSO"
+
+.BR auparse_init (3)
+
diff -Nru audit-3.0/docs/auparse_set_eoe_timeout.3 audit-3.0.7/docs/auparse_set_eoe_timeout.3
--- audit-3.0/docs/auparse_set_eoe_timeout.3 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.0.7/docs/auparse_set_eoe_timeout.3 2022-01-23 19:36:56.000000000 +0000
@@ -0,0 +1,26 @@ +.TH "AUPARSE_SET_EOE_TIMEOUT" "3" "January 2021" "Red Hat" "Linux Audit API" +.SH NAME +auparse_set_eoe_timeout \- set the end of event timeout value +.SH "SYNOPSIS" +.B #include +.sp +int auparse_set_eoe_timeout(time_t new_tmo) + +.SH "DESCRIPTION" + +auparse_set_eoe_timeout is used to set the end of event timeout value (seconds). The value should be a positive integer. If this function is called, it overrides any setting in /etc/auditd.conf. +The function should be called after the \fIauparse_init()\fP function call. + +For details on the timeout, see the \fBend_of_event_timeout\fP configuration item description in \fIauditd.conf(5)\fP. + +.SH "RETURN VALUE" + +Returns \-1 if an error occurs; otherwise, 0 for success. + +.SH "SEE ALSO" + +.BR auparse_init (3). +.BR auditd.conf (8). + +.SH AUTHOR +Steve Grubb diff -Nru audit-3.0/docs/auparse_set_escape_mode.3 audit-3.0.7/docs/auparse_set_escape_mode.3 --- audit-3.0/docs/auparse_set_escape_mode.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/auparse_set_escape_mode.3 2022-01-23 19:36:56.000000000 +0000 @@ -8,7 +8,7 @@ .SH "DESCRIPTION" -auparse_set_escape_mode is used to set the escaping method that will be used to output interpretted text. The choices for the mode variable are: +auparse_set_escape_mode is used to set the escaping method that will be used to output interpreted text. The choices for the mode variable are: .RS .TP diff -Nru audit-3.0/docs/aureport.8 audit-3.0.7/docs/aureport.8 --- audit-3.0/docs/aureport.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/aureport.8 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUREPORT: "8" "March 2017" "Red Hat" "System Administration Utilities" +.TH AUREPORT "8" "March 2017" "Red Hat" "System Administration Utilities" .SH NAME aureport \- a tool that produces summary reports of audit daemon logs .SH SYNOPSIS 
@@ -24,6 +24,12 @@ .BR \-cr ,\ \-\-crypto Report about crypto events .TP +.BR \-\-debug +Write malformed events that are skipped to stderr. +.TP +.BR \-\-eoe\-timeout \ \fIseconds\fP +Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will override any configured value found in /etc/auditd/auditd.conf. +.TP .BR \-e ,\ \-\-event Report about events .TP @@ -46,7 +52,7 @@ Interpret numeric entities into text. For example, uid is converted to account name. The conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results. .TP .BR \-if ,\ \-\-input \ \fIfile\fP\ |\ \fIdirectory\fP -Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. +Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. The path length is limited to 4064 bytes. .TP .B \-\-input\-logs Use the log file location from auditd.conf as input for analysis. This is needed if you are using aureport from a cron job. @@ -136,4 +142,5 @@ .SH "SEE ALSO" .BR ausearch (8), -.BR auditd (8). +.BR auditd (8), +.BR auditd.conf (5). diff -Nru audit-3.0/docs/ausearch.8 audit-3.0.7/docs/ausearch.8 --- audit-3.0/docs/ausearch.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/ausearch.8 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUSEARCH: "8" "March 2017" "Red Hat" "System Administration Utilities" +.TH AUSEARCH "8" "April 2021" "Red Hat" "System Administration Utilities" .SH NAME ausearch \- a tool to query audit daemon logs .SH SYNOPSIS 
@@ -49,6 +49,9 @@ Should the file or the last checkpointed event not be found, one of a number of errors will result and ausearch will terminate. See \fBEXIT STATUS\fP for detail. .TP +.BR \-\-eoe\-timeout \ \fIseconds\fP +Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will override any configured value found in /etc/auditd/auditd.conf. +.TP .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP Search for an event based on the given syscall \fIexit code or errno\fP. .TP @@ -92,7 +95,7 @@ Interpret numeric entities into text. For example, uid is converted to account name. If the audit logs are unenriched, the conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results. If the logs are enriched, it uses the supplemental data to do the conversion. This allows accurate log reporting even when run on a different machine than the original logs came from. .TP .BR \-if ,\ \-\-input \ \fIfile-name\fP\ |\ \fIdirectory\fP -Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. +Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. The path length is limited to 4064 bytes. .TP .BR \-\-input\-logs Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job. 
@@ -192,7 +195,7 @@ Search for an event with the given \fIuser ID\fP. .TP .BR \-ul ,\ \-\-loginuid \ \fIlogin-id\fP -Search for an event with the given \fIlogin user ID\fP. All entry point programs that are pamified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate. +Search for an event with the given \fIlogin user ID\fP. All entry point programs that are PAMified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate. .TP .BR \-uu ,\ \-\-uuid \ \fIguest-uuid\fP Search for an event with the given \fIguest UUID\fP. @@ -215,7 +218,7 @@ if OK, .TP 1 -if nothing found, or argument errors or minor file acces/read errors, +if nothing found, or argument errors or minor file access/read errors, .TP 10 invalid checkpoint data found in checkpoint file, @@ -232,4 +235,6 @@ .SH "SEE ALSO" .BR auditd (8), +.BR auditd.conf (5), +.BR aureport (8), .BR pam_loginuid (8). diff -Nru audit-3.0/docs/ausearch_add_expression.3 audit-3.0.7/docs/ausearch_add_expression.3 --- audit-3.0/docs/ausearch_add_expression.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/ausearch_add_expression.3 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH "AUSEARCH_ADD_expression" "3" "Feb 2008" "Red Hat" "Linux Audit API" +.TH "AUSEARCH_ADD_EXPRESSION" "3" "Feb 2008" "Red Hat" "Linux Audit API" .SH NAME ausearch_add_expression \- build up search expression .SH "SYNOPSIS" diff -Nru audit-3.0/docs/ausearch_add_regex.3 audit-3.0.7/docs/ausearch_add_regex.3 --- audit-3.0/docs/ausearch_add_regex.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/ausearch_add_regex.3 2022-01-23 19:36:56.000000000 +0000 
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include .sp -int ausearch_add_regex(auparse_state_t *au, const char *expr); +int ausearch_add_regex(auparse_state_t *au, const char *regexp); .SH "DESCRIPTION" diff -Nru audit-3.0/docs/autrace.8 audit-3.0.7/docs/autrace.8 --- audit-3.0/docs/autrace.8 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/autrace.8 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUTRACE: "8" "Jan 2007" "Red Hat" "System Administration Utilities" +.TH AUTRACE "8" "Jan 2007" "Red Hat" "System Administration Utilities" .SH NAME autrace \- a program similar to strace .SH SYNOPSIS diff -Nru audit-3.0/docs/get_auditfail_action.3 audit-3.0.7/docs/get_auditfail_action.3 --- audit-3.0/docs/get_auditfail_action.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/get_auditfail_action.3 2022-01-23 19:36:56.000000000 +0000 @@ -29,7 +29,7 @@ #include .sp .HP 19 -int\ \fBget_auditfail_action\fR\ (int *\fIfailmode\fR); +int\ \fBget_auditfail_action\fR(auditfail_t *\fIfailmode\fR); .ad .hy diff -Nru audit-3.0/docs/libaudit.conf.5 audit-3.0.7/docs/libaudit.conf.5 --- audit-3.0/docs/libaudit.conf.5 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/libaudit.conf.5 2022-01-23 19:36:56.000000000 +0000 
@@ -1,10 +1,10 @@ -.TH LIBAUDIT.CONF: "5" "Oct 2009" "Red Hat" "System Administration Utilities" +.TH LIBAUDIT.CONF "5" "Oct 2009" "Red Hat" "System Administration Utilities" .SH NAME libaudit.conf \- libaudit configuration file .SH DESCRIPTION The file .I /etc/libaudit.conf -contains configuration information for user space applications that link to libaudit. The applications are responsible for querrying the settings in this file and obeying the admin's preferences. This file contains one configuration keyword per line, an equal sign, and then followed by appropriate configuration information. The keywords recognized are: +contains configuration information for user space applications that link to libaudit. The applications are responsible for querying the settings in this file and obeying the admin's preferences. This file contains one configuration keyword per line, an equal sign, and then followed by appropriate configuration information. The keywords recognized are: .IR failure_action ". These keywords are described below. diff -Nru audit-3.0/docs/set_aumessage_mode.3 audit-3.0.7/docs/set_aumessage_mode.3 --- audit-3.0/docs/set_aumessage_mode.3 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/set_aumessage_mode.3 2022-01-23 19:36:56.000000000 +0000 @@ -19,9 +19,9 @@ .el .ne 3 .IP "\\$1" \\$2 .. -.TH "SET_MESSAGE_MODE" 3 "2004-12-01" "Linux 2.6" "Linux Programmer's Manual" +.TH "SET_AUMESSAGE_MODE" 3 "2004-12-01" "Linux 2.6" "Linux Programmer's Manual" .SH NAME -set_message_mode \- Sets the message mode +set_aumessage_mode \- Sets the message mode .SH "SYNOPSIS" .ad l .hy 0 
@@ -29,24 +29,32 @@ #include .sp .HP 23 -void\ \fBset_message_mode\fR\ (message_t\ \fImode\fR); +void\ \fBset_aumessage_mode\fR(message_t\ \fImode\fR, debug_message_t\ \fIdebug\fR); .ad .hy .SH "DESCRIPTION" .PP -\fBset_message_mode\fR sets the location where informational messages are sent. If \fImode\fR=0 (default), then informational messages are sent to stderr. If \fImode\fR=1, then informational messages are sent to syslog. +\fBset_aumessage_mode\fR sets the location where messages are sent and the output of the debug messages. + +If \fImode\fR=MSG_STDERR, then messages are sent to stderr. If \fImode\fR=MSG_SYSLOG, then messages are sent to syslog. If \fImode\fR=MSG_QUIET (default), then messages are not sent. + +If \fIdebug\fR=DBG_YES, then debug messages are output. If \fIdebug\fR=DBG_NO (default), then debug messages are not output. .SH "EXAMPLE" .nf /* Sample code */ -set_message_mode(MSG_SYSLOG) +set_aumessage_mode(MSG_SYSLOG, DBG_YES) .fi +.SH "RETURN VALUE" + +None. + .SH "SEE ALSO" .BR auditd (8), diff -Nru audit-3.0/docs/zos-remote.conf.5 audit-3.0.7/docs/zos-remote.conf.5 --- audit-3.0/docs/zos-remote.conf.5 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/docs/zos-remote.conf.5 2022-01-23 19:36:56.000000000 +0000 @@ -26,7 +26,7 @@ controls the configuration for the .BR audispd\-zos\-remote (8) Audit dispatcher plugin. The default location for this file is -.IR /etc/audisp/zos\-remote.conf , +.IR /etc/audit/zos\-remote.conf , however, a different file can be specified as the first argument to the .B audispd\-zos\-remote plugin. See 
@@ -56,7 +56,7 @@ .I q_depth The .B audispd\-zos\-remote -plugin will queue inputed events to the maximum of +plugin will queue inputted events to the maximum of .I q_depth events while trying to submit those remotely. This can handle burst of events or in case of a slow network connection. However, the .B audispd\-zos\-remote diff -Nru audit-3.0/init.d/Makefile.am audit-3.0.7/init.d/Makefile.am --- audit-3.0/init.d/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -25,7 +26,7 @@ auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ auditd.rotate auditd.state auditd.stop \ - audit-stop.rules augenrules + audit-stop.rules augenrules audit-functions libconfig = libaudit.conf if ENABLE_SYSTEMD initdir = /usr/lib/systemd/system @@ -51,6 +52,7 @@ if ENABLE_SYSTEMD mkdir -p ${DESTDIR}${initdir} mkdir -p ${DESTDIR}${legacydir} + mkdir -p ${DESTDIR}${libexecdir} $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume 
@@ -59,6 +61,7 @@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir} else $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd endif diff -Nru audit-3.0/init.d/Makefile.in audit-3.0.7/init.d/Makefile.in --- audit-3.0/init.d/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/init.d/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -319,6 +320,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -337,7 +339,7 @@ auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ auditd.rotate auditd.state auditd.stop \ - audit-stop.rules augenrules + audit-stop.rules augenrules audit-functions libconfig = libaudit.conf @ENABLE_SYSTEMD_FALSE@initdir = $(sysconfdir)/rc.d/init.d 
@@ -616,6 +618,7 @@ install-exec-hook: @ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${initdir} @ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${legacydir} +@ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${libexecdir} @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume @@ -624,6 +627,7 @@ @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart +@ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir} @ENABLE_SYSTEMD_FALSE@ $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd chmod 0750 $(DESTDIR)$(sbindir)/augenrules diff -Nru audit-3.0/init.d/audit-functions audit-3.0.7/init.d/audit-functions --- audit-3.0/init.d/audit-functions 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/init.d/audit-functions 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,52 @@
+# -*-Shell-script-*-
+
+# Make sure umask is sane
+umask 022
+
+#/usr/libexec/audit/audit-functions
+
+# killproc {program} [-signal]
+killproc ()
+{
+ local daemon="$1"
+ local sig=
+ [ -n "${2:-}" ] && sig=$2
+
+ # This matches src/auditd.c
+ local pid_file="/var/run/auditd.pid"
+ local pid_dir=$(dirname $pid_file)
+
+ if [ ! -d "$pid_dir" ] ; then
+ return 4
+ fi
+
+ local pid=
+ if [ -f "$pid_file" ] ; then
+ # pid file exists, use it
+ while : ; do
+ read line
+ [ -z "$line" ] && break
+ for p in $line ; do
+ # pid is numeric and corresponds to a process
+ if [ -z "${p//[0-9]/}" ] && [ -d "/proc/$p" ] ; then
+ d=$(cat "/proc/$p/comm")
+ if [ "$d" = "$daemon" ] ; then
+ pid="$p"
+ break
+ fi
+ fi
+ done
+ done < "$pid_file"
+ else
+ # need to search /proc
+ p=$(pidof "$daemon")
+ if [ -n "$p" ] ; then
+ pid="$p"
+ fi
+ fi
+
+ # At this point we should have a pid or the process is dead
+ if [ -n "$pid" ] && [ -n "$sig" ] ; then
+ kill "$sig" "$pid" >/dev/null 2>&1
+ fi
+}
diff -Nru audit-3.0/init.d/auditd.conf audit-3.0.7/init.d/auditd.conf
--- audit-3.0/init.d/auditd.conf 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/init.d/auditd.conf 2022-01-23 19:36:56.000000000 +0000
@@ -33,7 +33,8 @@
 krb5_principal = auditd
 ##krb5_key_file = /etc/audit/audit.key
 distribute_network = no
-q_depth = 400
+q_depth = 1200
 overflow_action = SYSLOG
 max_restarts = 10
 plugin_dir = /etc/audit/plugins.d
+end_of_event_timeout = 2
diff -Nru audit-3.0/init.d/auditd.reload audit-3.0.7/init.d/auditd.reload
--- audit-3.0/init.d/auditd.reload 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/init.d/auditd.reload 2022-01-23 19:36:56.000000000 +0000
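Review bot: In killproc the `pidof` fallback can return several space-separated PIDs, and the quoted `kill "$sig" "$pid"` then hands them to kill as one argument, which it rejects; iterate instead, `for p in $pid; do kill "$sig" "$p"; done` (auditd.stop derives `pid` the same way). `read line` should be `read -r line` so backslashes in the pid file are not interpreted, and `p` and `d` are not declared `local`, so they leak into every script that sources this file. The `${p//[0-9]/}` substitution is a bash extension; whether the sourcing scripts run under bash or a POSIX sh is not visible in these hunks, and under a plain sh that test does not work. The header comment names `/usr/libexec/audit/audit-functions`, while the Makefile installs the file into `${libexecdir}` and auditd.reload/resume/rotate/state/stop source the hard-coded `/usr/libexec/audit-functions`; the comment and the scripts should use the configured path so a non-default libexecdir does not silently break every helper.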
@@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Reconfiguring: " /sbin/augenrules --load diff -Nru audit-3.0/init.d/auditd.resume audit-3.0.7/init.d/auditd.resume --- audit-3.0/init.d/auditd.resume 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/auditd.resume 2022-01-23 19:36:56.000000000 +0000 @@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Resuming logging: " killproc $prog -USR2 diff -Nru audit-3.0/init.d/auditd.rotate audit-3.0.7/init.d/auditd.rotate --- audit-3.0/init.d/auditd.rotate 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/auditd.rotate 2022-01-23 19:36:56.000000000 +0000 @@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Rotating logs: " killproc $prog -USR1 diff -Nru audit-3.0/init.d/auditd.service audit-3.0.7/init.d/auditd.service --- audit-3.0/init.d/auditd.service 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/auditd.service 2022-01-23 19:36:56.000000000 +0000 @@ -27,12 +27,17 @@ # By default we don't clear the rules on exit. To enable this, uncomment # the next line after copying the file to /etc/systemd/system/auditd.service #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules +Restart=on-failure +# Do not restart for intentional exits. See EXIT CODES section in auditd(8). +RestartPreventExitStatus=2 4 6 ### Security Settings ### MemoryDenyWriteExecute=true LockPersonality=true ProtectControlGroups=true ProtectKernelModules=true +ProtectHome=true +RestrictRealtime=true [Install] WantedBy=multi-user.target diff -Nru audit-3.0/init.d/auditd.state audit-3.0.7/init.d/auditd.state --- audit-3.0/init.d/auditd.state 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/auditd.state 2022-01-23 19:36:56.000000000 +0000 
@@ -8,7 +8,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" state_file="/var/run/auditd.state" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Getting auditd internal state: " killproc $prog -CONT diff -Nru audit-3.0/init.d/auditd.stop audit-3.0.7/init.d/auditd.stop --- audit-3.0/init.d/auditd.stop 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/init.d/auditd.stop 2022-01-23 19:36:56.000000000 +0000 @@ -7,8 +7,12 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions -pid="$(__pids_pidof "$prog")" +. /usr/libexec/audit-functions +pid= +p=$(pidof "$prog") +if [ -n "$p" ] ; then + pid="$p" +fi printf "Stopping logging: " killproc $prog -TERM diff -Nru audit-3.0/lib/Makefile.am audit-3.0.7/lib/Makefile.am --- audit-3.0/lib/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -38,8 +39,8 @@ libaudit_la_SOURCES = libaudit.c message.c netlink.c \ lookup_table.c audit_logging.c deprecated.c \ dso.h private.h errormsg.h -libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a -libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a +libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la +libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) diff -Nru audit-3.0/lib/Makefile.in audit-3.0.7/lib/Makefile.in --- audit-3.0/lib/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/lib/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -592,6 +593,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -621,8 +623,8 @@ lookup_table.c audit_logging.c deprecated.c \ dso.h private.h errormsg.h -libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a -libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a +libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la +libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ diff -Nru audit-3.0/lib/aarch64_table.h audit-3.0.7/lib/aarch64_table.h --- audit-3.0/lib/aarch64_table.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/aarch64_table.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* aarch64_table.h -- - * Copyright 2013-20 Red Hat Inc. + * Copyright 2013-21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -311,4 +311,18 @@ _S(433, "fspick") _S(434, "pidfd_open") _S(435, "clone3") +_S(436, "close_range") +_S(437, "openat2") +_S(438, "pidfd_getfd") +_S(439, "faccessat2") +_S(440, "process_madvise") +_S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") diff -Nru audit-3.0/lib/arm_table.h audit-3.0.7/lib/arm_table.h --- audit-3.0/lib/arm_table.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/arm_table.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* arm_table.h -- - * Copyright 2009-10,2013-20 Red Hat Inc. + * Copyright 2009-10,2013-21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
@@ -385,6 +385,26 @@
 _S(399, "io_pgetevents")
 _S(400, "migrate_pages")
 _S(401, "kexec_file_load")
+_S(403, "clock_gettime64")
+_S(404, "clock_settime64")
+_S(405, "clock_adjtime64")
+_S(406, "clock_getres_time64")
+_S(407, "clock_nanosleep_time64")
+_S(408, "timer_gettime64")
+_S(409, "timer_settime64")
+_S(410, "timerfd_gettime64")
+_S(411, "timerfd_settime64")
+_S(412, "utimensat_time64")
+_S(413, "pselect6_time64")
+_S(414, "ppoll_time64")
+_S(416, "io_pgetevents_time64")
+_S(417, "recvmmsg_time64")
+_S(418, "mq_timedsend_time64")
+_S(419, "mq_timedreceive_time64")
+_S(420, "semtimedop_time64")
+_S(421, "rt_sigtimedwait_time64")
+_S(422, "futex_time64")
+_S(423, "sched_rr_get_interval64")
 _S(424, "pidfd_send_signal")
 _S(425, "io_uring_setup")
 _S(426, "io_uring_enter")
@@ -397,3 +417,17 @@
 _S(433, "fspick")
 _S(434, "pidfd_open")
 _S(435, "clone3")
+_S(436, "close_range")
+_S(437, "openat2")
+_S(438, "pidfd_getfd")
+_S(439, "faccessat2")
+_S(440, "process_madvise")
+_S(441, "epoll_pwait2")
+_S(442, "mount_setattr")
+_S(443, "quotactl_fd")
+_S(444, "landlock_create_ruleset")
+_S(445, "landlock_add_rule")
+_S(446, "landlock_restrict_self")
+_S(448, "process_mrelease")
+_S(449, "futex_waitv")
+
diff -Nru audit-3.0/lib/i386_table.h audit-3.0.7/lib/i386_table.h
--- audit-3.0/lib/i386_table.h 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/lib/i386_table.h 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
 /* i386_table.h --
- * Copyright 2005-20 Red Hat Inc.
+ * Copyright 2005-21 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
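Review bot: The entry `_S(423, "sched_rr_get_interval64")` is the only name in this hunk without the `_time64` suffix; as far as I recall the kernel's generic and 32-bit ARM tables call it `sched_rr_get_interval_time64`, and since the tables are presumably matched by exact string, a rule written with the kernel's name would not resolve. The second hunk ends with an empty added line, which leaves trailing whitespace at end of file. The gaps at 402, 415 and 447 correspond to slots that are unused or not wired up for 32-bit ARM, so those look intentional.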
@@ -447,4 +447,18 @@ _S(433, "fspick") _S(434, "pidfd_open") _S(435, "clone3") +_S(436, "close_range") +_S(437, "openat2") +_S(438, "pidfd_getfd") +_S(439, "faccessat2") +_S(440, "process_madvise") +_S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") diff -Nru audit-3.0/lib/libaudit.c audit-3.0.7/lib/libaudit.c --- audit-3.0/lib/libaudit.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/libaudit.c 2022-01-23 19:36:56.000000000 +0000 @@ -38,7 +38,6 @@ #include #include /* O_NOFOLLOW needs gnu defined */ #include /* for PATH_MAX */ -#include #include #include /* AF_MAX */ #ifdef HAVE_LIBCAP_NG @@ -560,8 +559,7 @@ int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 int rc; struct audit_features f; @@ -585,8 +583,7 @@ int audit_request_features(int fd) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 int rc; struct audit_features f; @@ -605,8 +602,7 @@ extern int audit_set_loginuid_immutable(int fd) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1); #else errno = EINVAL; @@ -627,8 +623,7 @@ return; } -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) if ((rc = audit_request_status(fd)) > 0) { struct audit_reply rep; int i; 
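Review bot: The guards on audit_set_feature, audit_request_features and audit_set_loginuid_immutable now test the configure result `HAVE_DECL_AUDIT_FEATURE_VERSION == 1`, and netlink.c does the same for `rep->features`, but the `features` member of struct audit_reply that they depend on is guarded in libaudit.h (later in this patch) by `#ifdef AUDIT_FEATURE_VERSION`. libaudit.h is an installed header, so a consumer compiling against kernel headers that lack AUDIT_FEATURE_VERSION sees a struct audit_reply without `features` while the library still writes `rep->features`, which is the same layout hazard the old `AUDIT_FEATURE_BITMAP_ALL` guard had. Making the member unconditional, `struct audit_features *features;` with no `#ifdef`, fixes the layout of struct audit_reply regardless of the consumer's headers. The `== 1` form itself is correct, since AC_CHECK_DECLS defines `HAVE_DECL_*` to 0 as well as 1, which the old `defined()` test did not distinguish.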
@@ -747,11 +742,6 @@
 return audit_add_watch_dir(AUDIT_WATCH, rulep, path);
 }
 
-int audit_add_dir(struct audit_rule_data **rulep, const char *path)
-{
- return audit_add_watch_dir(AUDIT_DIR, rulep, path);
-}
-
 int audit_add_watch_dir(int type, struct audit_rule_data **rulep,
 const char *path)
 {
diff -Nru audit-3.0/lib/libaudit.h audit-3.0.7/lib/libaudit.h
--- audit-3.0/lib/libaudit.h 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/lib/libaudit.h 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
-/* libaudit.h --
- * Copyright 2004-2018 Red Hat Inc., Durham, North Carolina.
+/* libaudit.h --
+ * Copyright 2004-2018,2021 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -15,7 +15,7 @@
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
+ *
 * Authors:
 * Steve Grubb
 * Rickard E. (Rik) Faith
@@ -124,6 +124,7 @@
 #define AUDIT_APPARMOR_HINT 1504
 #define AUDIT_APPARMOR_STATUS 1505
 #define AUDIT_APPARMOR_ERROR 1506
+#define AUDIT_APPARMOR_KILL 1507
 #endif
 
 #define AUDIT_FIRST_KERN_CRYPTO_MSG 1600
@@ -136,7 +137,7 @@
 #define AUDIT_INTEGRITY_LAST_MSG 1899
 #ifndef AUDIT_INTEGRITY_DATA
 #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
-#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification
+#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification
 #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
 #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
 #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
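Review bot: Deleting audit_add_dir here, and its declaration together with `audit_rule_syscall_data` from libaudit.h in a later hunk, removes exported symbols from a shared library in a point release; any binary linked against them stops loading, and the lib/Makefile hunks leave `-version-info $(VERSION_INFO)` unchanged. If these are meant to be retired, the definitions belong in deprecated.c (already listed in libaudit_la_SOURCES) with the declarations kept and marked `__attribute__((deprecated))` rather than removed. deprecated.c is not part of this patch as shown, so they may already live there; if so, a one-line comment at the removal site saying where they moved would make the deletion self-explanatory.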
@@ -145,6 +146,9 @@
 #ifndef AUDIT_INTEGRITY_EVM_XATTR
 #define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
 #endif
+#ifndef AUDIT_INTEGRITY_POLICY_RULE
+#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* Integrity Policy rule */
+#endif
 
 #define AUDIT_FIRST_ANOM_MSG 2100
 #define AUDIT_LAST_ANOM_MSG 2199
@@ -167,6 +171,9 @@
 #define AUDIT_ANOM_MOD_ACCT 2116 // Changing an acct
 #define AUDIT_ANOM_ROOT_TRANS 2117 // User became root
 #define AUDIT_ANOM_LOGIN_SERVICE 2118 // Service acct attempted login
+#define AUDIT_ANOM_LOGIN_ROOT 2119 // Root login attempted
+#define AUDIT_ANOM_ORIGIN_FAILURES 2120 // Origin has too many failed login
+#define AUDIT_ANOM_SESSION 2121 // The user session is bad
 
 #define AUDIT_FIRST_ANOM_RESP 2200
 #define AUDIT_LAST_ANOM_RESP 2299
@@ -185,6 +192,7 @@
 #define AUDIT_RESP_HALT 2212 /* take the system down */
 #define AUDIT_RESP_ORIGIN_BLOCK 2213 /* Address blocked by iptables */
 #define AUDIT_RESP_ORIGIN_BLOCK_TIMED 2214 /* Address blocked for time */
+#define AUDIT_RESP_ORIGIN_UNBLOCK_TIMED 2215 /* Address unblocked from timed */
 
 #define AUDIT_FIRST_USER_LSPP_MSG 2300
 #define AUDIT_LAST_USER_LSPP_MSG 2399
@@ -296,7 +304,15 @@
 #endif
 
 #ifndef AUDIT_EVENT_LISTENER
-#define AUDIT_EVENT_LISTENER 1335 /* audit mcast sock join/part */
+#define AUDIT_EVENT_LISTENER 1335 /* audit mcast sock join/part */
+#endif
+
+#ifndef AUDIT_URINGOP
+#define AUDIT_URINGOP 1336 /* io_uring operations */
+#endif
+
+#ifndef AUDIT_OPENAT2
+#define AUDIT_OPENAT2 1337 /* openat2 open_how flags */
 #endif
 
 #ifndef AUDIT_MAC_CALIPSO_ADD
@@ -514,7 +530,7 @@
 struct nlmsgerr *error;
 struct audit_sig_info *signal_info;
 struct daemon_conf *conf;
-#ifdef AUDIT_FEATURE_BITMAP_ALL
+#ifdef AUDIT_FEATURE_VERSION
 struct audit_features *features;
 #endif
 };
@@ -644,7 +660,6 @@ /* AUDIT_WATCH */ extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms); extern int audit_add_watch(struct audit_rule_data **rulep, const char *path); -extern int audit_add_dir(struct audit_rule_data **rulep, const char *path); extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep, const char *path); extern int audit_trim_subtrees(int fd); @@ -660,7 +675,7 @@ int flags, int action); /* The following are for standard formatting of messages */ -extern int audit_value_needs_encoding(const char *str, unsigned int len); +extern int audit_value_needs_encoding(const char *str, unsigned int size); extern char *audit_encode_value(char *final,const char *buf,unsigned int size); extern char *audit_encode_nv_string(const char *name, const char *value, unsigned int vlen); @@ -689,7 +704,6 @@ extern struct audit_rule_data *audit_rule_create_data(void); /* Initializes an existing audit_rule_data struct */ extern void audit_rule_init_data(struct audit_rule_data *rule); -extern int audit_rule_syscall_data(struct audit_rule_data *rule, int scall); extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule, const char *scall); /* Note that the following function takes a **, where audit_rule_fieldpair() diff -Nru audit-3.0/lib/machinetab.h audit-3.0.7/lib/machinetab.h --- audit-3.0/lib/machinetab.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/machinetab.h 2022-01-23 19:36:56.000000000 +0000 @@ -40,4 +40,5 @@ #endif #ifdef WITH_AARCH64 _S(MACH_AARCH64, "aarch64" ) +_S(MACH_AARCH64, "armv8l") #endif diff -Nru audit-3.0/lib/msg_typetab.h audit-3.0.7/lib/msg_typetab.h --- audit-3.0/lib/msg_typetab.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/msg_typetab.h 2022-01-23 19:36:56.000000000 +0000 
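Review bot: `_S(MACH_AARCH64, "armv8l")` in machinetab.h maps the `armv8l` machine string to the 64-bit syscall table, but that string is what a 32-bit ARM process reports under an aarch64 kernel (and possibly what some 32-bit kernels report on ARMv8 hardware), where the 32-bit EABI numbering applies to the process's own syscalls. If the intent is a 32-bit auditctl managing rules on a 64-bit kernel this is defensible, but on a 32-bit kernel it would select the wrong table, so the case being targeted should be confirmed before release. A comment naming that environment, e.g. `/* armv8l: 32-bit userspace on an ARMv8 kernel */`, would keep the next reader from treating the line as a typo.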
@@ -1,5 +1,5 @@ /* msg_typetab.h -- - * Copyright 2005-07,2009-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2005-07,2009-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -127,6 +127,8 @@ _S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" ) _S(AUDIT_BPF, "BPF" ) _S(AUDIT_EVENT_LISTENER, "EVENT_LISTENER" ) +_S(AUDIT_URINGOP, "URINGOP" ) +_S(AUDIT_OPENAT2, "OPENAT2" ) _S(AUDIT_AVC, "AVC" ) _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) _S(AUDIT_AVC_PATH, "AVC_PATH" ) @@ -158,6 +160,7 @@ _S(AUDIT_INTEGRITY_PCR, "INTEGRITY_PCR" ) _S(AUDIT_INTEGRITY_RULE, "INTEGRITY_RULE" ) _S(AUDIT_INTEGRITY_EVM_XATTR, "INTEGRITY_EVM_XATTR" ) +_S(AUDIT_INTEGRITY_POLICY_RULE, "INTEGRITY_POLICY_RULE" ) #ifdef WITH_APPARMOR _S(AUDIT_AA, "APPARMOR" ) @@ -167,6 +170,7 @@ _S(AUDIT_APPARMOR_HINT, "APPARMOR_HINT" ) _S(AUDIT_APPARMOR_STATUS, "APPARMOR_STATUS" ) _S(AUDIT_APPARMOR_ERROR, "APPARMOR_ERROR" ) +_S(AUDIT_APPARMOR_KILL, "APPARMOR_KILL" ) #endif _S(AUDIT_KERNEL, "KERNEL" ) _S(AUDIT_ANOM_LOGIN_FAILURES, "ANOM_LOGIN_FAILURES" ) @@ -188,6 +192,9 @@ _S(AUDIT_ANOM_MOD_ACCT, "ANOM_MOD_ACCT" ) _S(AUDIT_ANOM_ROOT_TRANS, "ANOM_ROOT_TRANS" ) _S(AUDIT_ANOM_LOGIN_SERVICE, "ANOM_LOGIN_SERVICE" ) +_S(AUDIT_ANOM_LOGIN_ROOT, "ANOM_LOGIN_ROOT" ) +_S(AUDIT_ANOM_ORIGIN_FAILURES, "ANOM_ORIGIN_FAILURES" ) +_S(AUDIT_ANOM_SESSION, "ANOM_SESSION" ) _S(AUDIT_RESP_ANOMALY, "RESP_ANOMALY" ) _S(AUDIT_RESP_ALERT, "RESP_ALERT" ) _S(AUDIT_RESP_KILL_PROC, "RESP_KILL_PROC" ) 
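Review bot: `_S(AUDIT_APPARMOR_KILL, "APPARMOR_KILL")` is added under `WITH_APPARMOR`, but unlike every other constant this patch adds to the table (URINGOP, OPENAT2, INTEGRITY_POLICY_RULE, the three ANOM_* entries and RESP_ORIGIN_UNBLOCK_TIMED) no matching `#define AUDIT_APPARMOR_KILL` appears in the libaudit.h hunks above. If it is not defined elsewhere in the header, an AppArmor-enabled build fails to compile this table; if it is only provided by newer kernel headers, a guarded fallback in the same `#ifndef`/`#define`/`#endif` style as the other additions would keep the build independent of the kernel header version. Where the constant comes from is not visible in this hunk.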
@@ -203,6 +210,7 @@ _S(AUDIT_RESP_HALT, "RESP_HALT" ) _S(AUDIT_RESP_ORIGIN_BLOCK, "RESP_ORIGIN_BLOCK" ) _S(AUDIT_RESP_ORIGIN_BLOCK_TIMED, "RESP_ORIGIN_BLOCK_TIMED" ) +_S(AUDIT_RESP_ORIGIN_UNBLOCK_TIMED, "RESP_ORIGIN_UNBLOCK_TIMED" ) _S(AUDIT_USER_ROLE_CHANGE, "USER_ROLE_CHANGE" ) _S(AUDIT_ROLE_ASSIGN, "ROLE_ASSIGN" ) _S(AUDIT_ROLE_REMOVE, "ROLE_REMOVE" ) diff -Nru audit-3.0/lib/netlink.c audit-3.0.7/lib/netlink.c --- audit-3.0/lib/netlink.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/netlink.c 2022-01-23 19:36:56.000000000 +0000 @@ -64,10 +64,10 @@ } if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { saved_errno = errno; - close(fd); audit_msg(LOG_ERR, "Error setting audit netlink socket CLOEXEC flag (%s)", strerror(errno)); + close(fd); errno = saved_errno; return -1; } @@ -147,8 +147,7 @@ rep->error = NULL; rep->signal_info = NULL; rep->conf = NULL; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 rep->features = NULL; #endif if (!NLMSG_OK(rep->nlh, (unsigned int)len)) { @@ -173,8 +172,7 @@ case AUDIT_GET: rep->status = NLMSG_DATA(rep->nlh); break; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 case AUDIT_GET_FEATURE: rep->features = NLMSG_DATA(rep->nlh); break; diff -Nru audit-3.0/lib/ppc_table.h audit-3.0.7/lib/ppc_table.h --- audit-3.0/lib/ppc_table.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/ppc_table.h 2022-01-23 19:36:56.000000000 +0000 
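Review bot: Moving `close(fd)` below the log call stops close() from clobbering the errno that the message reports, but the call still formats `strerror(errno)` instead of the `saved_errno` captured on the line above, so the message is only correct as long as nothing between the fcntl() failure and the audit_msg() call touches errno. Using the saved value makes the ordering irrelevant: `strerror(saved_errno)`. The function this belongs to starts outside the hunk.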
@@ -388,4 +388,61 @@ _S(385, "pkey_free") _S(386, "pkey_mprotect") _S(387, "rseq") +_S(388, "io_pgetevents") +_S(392, "semtimedop") +_S(393, "semget") +_S(394, "semctl") +_S(395, "shmget") +_S(396, "shmctl") +_S(397, "shmat") +_S(398, "shmdt") +_S(399, "msgget") +_S(400, "msgsnd") +_S(401, "msgrcv") +_S(402, "msgctl") +_S(403, "clock_gettime64") +_S(404, "clock_settime64") +_S(405, "clock_adjtime64") +_S(406, "clock_getres_time64") +_S(407, "clock_nanosleep_time64") +_S(408, "timer_gettime64") +_S(409, "timer_settime64") +_S(410, "timerfd_gettime64") +_S(411, "timerfd_settime64") +_S(412, "utimensat_time64") +_S(413, "pselect6_time64") +_S(414, "ppoll_time64") +_S(416, "io_pgetevents_time64") +_S(417, "recvmmsg_time64") +_S(418, "mq_timedsend_time64") +_S(419, "mq_timedreceive_time64") +_S(420, "semtimedop_time64") +_S(421, "rt_sigtimedwait_time64") +_S(422, "futex_time64") +_S(423, "sched_rr_get_interval_time64") +_S(424, "pidfd_send_signal") +_S(425, "io_uring_setup") +_S(426, "io_uring_enter") +_S(427, "io_uring_register") +_S(428, "open_tree") +_S(429, "move_mount") +_S(430, "fsopen") +_S(431, "fsconfig") +_S(432, "fsmount") +_S(433, "fspick") +_S(434, "pidfd_open") +_S(435, "clone3") +_S(436, "close_range") +_S(437, "openat2") +_S(438, "pidfd_getfd") +_S(439, "faccessat2") +_S(440, "process_madvise") +_S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(448, "process_mrelease") +_S(449, "futex_waitv") diff -Nru audit-3.0/lib/s390_table.h audit-3.0.7/lib/s390_table.h --- audit-3.0/lib/s390_table.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/s390_table.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ -/* s390_table.h -- - * Copyright 2005-20 Red Hat Inc. +/* s390_table.h -- 32 bit + * Copyright 2005-21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
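Review bot: Entries 403–423 (`clock_gettime64` … `sched_rr_get_interval_time64`) are the 32-bit-only time64 syscalls; this patch keeps s390 as separate "32 bit" and "64 bit" tables (see the header comments it adds to s390_table.h and s390x_table.h below), but ppc_table.h appears to be a single table. If it also serves the 64-bit machine, `-F arch=b64 -S clock_gettime64` is accepted by auditctl and carries a number the ppc64 kernel never dispatches, so the rule silently matches nothing. If the table is indeed shared, a comment such as `/* 403-423 (*_time64) exist only on 32-bit ppc; not valid with arch=b64 */` — or a split like s390/s390x — would prevent that. Whether MACH_PPC64 uses this table is not visible here.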
@@ -395,3 +395,17 @@
 _S(433, "fspick")
 _S(434, "pidfd_open")
 _S(435, "clone3")
+_S(436, "close_range")
+_S(437, "openat2")
+_S(438, "pidfd_getfd")
+_S(439, "faccessat2")
+_S(440, "process_madvise")
+_S(441, "epoll_pwait2")
+_S(442, "mount_setattr")
+_S(443, "quotactl_fd")
+_S(444, "landlock_create_ruleset")
+_S(445, "landlock_add_rule")
+_S(446, "landlock_restrict_self")
+_S(448, "process_mrelease")
+_S(449, "futex_waitv")
+
diff -Nru audit-3.0/lib/s390x_table.h audit-3.0.7/lib/s390x_table.h
--- audit-3.0/lib/s390x_table.h 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/lib/s390x_table.h 2022-01-23 19:36:56.000000000 +0000
@@ -1,5 +1,5 @@
-/* s390x_table.h --
- * Copyright 2005-06,2008-20 Red Hat Inc.
+/* s390x_table.h -- 64 bit
+ * Copyright 2005-06,2008-21 Red Hat Inc.
  * All Rights Reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -359,3 +359,17 @@
 _S(433, "fspick")
 _S(434, "pidfd_open")
 _S(435, "clone3")
+_S(436, "close_range")
+_S(437, "openat2")
+_S(438, "pidfd_getfd")
+_S(439, "faccessat2")
+_S(440, "process_madvise")
+_S(441, "epoll_pwait2")
+_S(442, "mount_setattr")
+_S(443, "quotactl_fd")
+_S(444, "landlock_create_ruleset")
+_S(445, "landlock_add_rule")
+_S(446, "landlock_restrict_self")
+_S(448, "process_mrelease")
+_S(449, "futex_waitv")
+
diff -Nru audit-3.0/lib/syscall-update.txt audit-3.0.7/lib/syscall-update.txt
--- audit-3.0/lib/syscall-update.txt 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/lib/syscall-update.txt 2022-01-23 19:36:56.000000000 +0000
@@ -2,11 +2,11 @@ arch/arm/tools/syscall.tbl arch/arm/include/uapi/asm/unistd.h -arch/powerpc/include/uapi/asm/unistd.h +include/uapi/asm-generic/unistd.h (aarch64) +arch/powerpc/kernel/syscalls/syscall.tbl arch/s390/kernel/syscalls/syscall.tbl arch/x86/entry/syscalls/syscall_32.tbl arch/x86/entry/syscalls/syscall_64.tbl -include/uapi/asm-generic/unistd.h (aarch64) For src/ausearch-lookup.c: Inspect include/linux/net.h for socketcall updates diff -Nru audit-3.0/lib/test/Makefile.in audit-3.0.7/lib/test/Makefile.in --- audit-3.0/lib/test/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/lib/test/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -540,6 +540,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/lib/x86_64_table.h audit-3.0.7/lib/x86_64_table.h --- audit-3.0/lib/x86_64_table.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/lib/x86_64_table.h 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* x86_64_table.h -- - * Copyright 2005-20 Red Hat Inc. + * Copyright 2005-21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -367,3 +367,18 @@ _S(433, "fspick") _S(434, "pidfd_open") _S(435, "clone3") +_S(436, "close_range") +_S(437, "openat2") +_S(438, "pidfd_getfd") +_S(439, "faccessat2") +_S(440, "process_madvise") +_S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") + diff -Nru audit-3.0/m4/Makefile.am audit-3.0.7/m4/Makefile.am --- audit-3.0/m4/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/m4/Makefile.am 2022-01-23 19:36:56.000000000 +0000 
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb diff -Nru audit-3.0/m4/Makefile.in audit-3.0.7/m4/Makefile.in --- audit-3.0/m4/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/m4/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -317,6 +318,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -Nru audit-3.0/rules/22-ignore-chrony.rules audit-3.0.7/rules/22-ignore-chrony.rules --- audit-3.0/rules/22-ignore-chrony.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/22-ignore-chrony.rules 2022-01-23 19:36:56.000000000 +0000 
@@ -1,3 +1,3 @@ ## This rule suppresses the time-change event when chrony does time updates --a never,exit -F arch=b64 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t --a never,exit -F arch=b32 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t +-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t +-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t diff -Nru audit-3.0/rules/23-ignore-filesystems.rules audit-3.0.7/rules/23-ignore-filesystems.rules --- audit-3.0/rules/23-ignore-filesystems.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/23-ignore-filesystems.rules 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -# This rule supresses events that originate on the below file systems. +# This rule suppresses events that originate on the below file systems. # Typically you would use this in conjunction with rules to monitor # kernel modules. The filesystem listed are known to cause hundreds of # path records during kernel module load. As an aside, if you do see the diff -Nru audit-3.0/rules/30-nispom.rules audit-3.0.7/rules/30-nispom.rules --- audit-3.0/rules/30-nispom.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/30-nispom.rules 2022-01-23 19:36:56.000000000 +0000 @@ -1,4 +1,4 @@ -## This file contains the a sample audit configuration intended to +## This file contains a sample audit configuration intended to ## meet the NISPOM Chapter 8 rules. This rule depends on having ## 10-base-config.rules & 99-finalize.rules installed. 
@@ -47,10 +47,10 @@ -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation ## unsuccessful open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open ## unsuccessful close -a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close diff -Nru audit-3.0/rules/30-ospp-v42-3-access-failed.rules audit-3.0.7/rules/30-ospp-v42-3-access-failed.rules --- audit-3.0/rules/30-ospp-v42-3-access-failed.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/30-ospp-v42-3-access-failed.rules 2022-01-23 19:36:56.000000000 +0000 
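Review bot: The "unsuccessful open" rules now include `openat2`, but the list still omits `creat`, `truncate` and `ftruncate`, which the 30-stig.rules hunk in this same patch treats as part of the same unauthorized-access set; a denied `creat()` of a protected file is an open failure in every sense the section heading implies and is missed here. If the NISPOM profile's scope is intentionally narrower, a one-line comment saying so would stop the next reader from "fixing" it; otherwise extend the four rules, e.g. `-S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at`.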
@@ -1,5 +1,5 @@
 ## Unsuccessful file access (any other opens) This has to go last.
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
diff -Nru audit-3.0/rules/30-ospp-v42-3-access-success.rules audit-3.0.7/rules/30-ospp-v42-3-access-success.rules
--- audit-3.0/rules/30-ospp-v42-3-access-success.rules 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/rules/30-ospp-v42-3-access-success.rules 2022-01-23 19:36:56.000000000 +0000
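Review bot: Adding `openat2` to the `exit=-EACCES`/`exit=-EPERM` pairs only captures DAC/LSM denials; what distinguishes openat2 is its `resolve` flags, and a lookup refused by RESOLVE_BENEATH, RESOLVE_IN_ROOT or RESOLVE_NO_SYMLINKS fails with -EXDEV or -ELOOP per openat2(2), so those policy refusals never reach the `unsuccessful-access` key. If that is acceptable for this profile, say so in the header comment, e.g. `## openat2 resolve-flag refusals (-EXDEV/-ELOOP) are not covered here`; otherwise two more rules keyed on those exit values would close the gap.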
@@ -1,4 +1,4 @@ ## Successful file access (any other opens) This has to go last. ## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access diff -Nru audit-3.0/rules/30-ospp-v42.rules audit-3.0.7/rules/30-ospp-v42.rules --- audit-3.0/rules/30-ospp-v42.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/30-ospp-v42.rules 2022-01-23 19:36:56.000000000 +0000 @@ -57,6 +57,10 @@ ## Privilege escalation via su or sudo. This is entirely handled by pam. +## Watch for configuration changes to privilege escalation. +-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes + ## Audit log access -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ## Attempts to Alter Process and Session Initiation Information diff -Nru audit-3.0/rules/30-pci-dss-v31.rules audit-3.0.7/rules/30-pci-dss-v31.rules --- audit-3.0/rules/30-pci-dss-v31.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/30-pci-dss-v31.rules 2022-01-23 19:36:56.000000000 +0000 
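Review bot: The new sudoers watches cover `/etc/sudoers` and `/etc/sudoers.d/` but not `/etc/sudo.conf`, which selects sudo's policy and I/O plugins and is therefore the other file through which privilege-escalation behaviour can be changed; where it exists on the target, `-a always,exit -F path=/etc/sudo.conf -F perm=wa -F key=special-config-changes` belongs alongside the two added lines. The same applies to the matching hunk in 30-pci-dss-v31.rules. Whether the profile authors intend `special-config-changes` to include plugin configuration is not something this hunk shows.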
@@ -8,7 +8,7 @@ ## 3) It is also assumed that 1000 represents the first usable user account. To ## be sure, look at UID_MIN in /etc/login.defs. ## 4) If these rules generate too much spurious data for your tastes, limit the -## the syscall file rules with a directory, like -F dir=/etc +## syscall file rules with a directory, like -F dir=/etc ## 5) You can search for the results on the key fields in the rules ## @@ -25,6 +25,10 @@ ## logging. The pam config below should be placed into su and sudo pam stacks. ## session required pam_tty_audit.so disable=* enable=root +## Watch for configuration changes to privilege escalation. +-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=10.2.2-priv-config-changes + ## 10.2.3 Access to all audit trails. -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=10.2.3-access-audit-trail -a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=10.2.3-access-audit-trail @@ -88,7 +92,7 @@ ## logs off the system to assure that there is an unaltered copy. ## 10.5.1 Limit viewing of audit trails to those with a job-related need. -## The audit daemon by default limits viewing of the auit trail to root. +## The audit daemon by default limits viewing of the audit trail to root. ## If someone that is not an admin has a job related need to see logs, then ## create a unique group for people with this need and set the log_group ## configuration item in auditd.conf diff -Nru audit-3.0/rules/30-stig.rules audit-3.0.7/rules/30-stig.rules --- audit-3.0/rules/30-stig.rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/30-stig.rules 2022-01-23 19:36:56.000000000 +0000 
@@ -8,7 +8,7 @@
 ## 3) It is also assumed that 1000 represents the first usable user account. To
 ## be sure, look at UID_MIN in /etc/login.defs.
 ## 4) If these rules generate too much spurious data for your tastes, limit the
-## the syscall file rules with a directory, like -F dir=/etc
+## syscall file rules with a directory, like -F dir=/etc
 ## 5) You can search for the results on the key fields in the rules
 ##
 ##
@@ -100,10 +100,10 @@ -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod ##- Unauthorized access attempts to files (unsuccessful) --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access ##- Use of print command (unsuccessful and successful) diff -Nru audit-3.0/rules/44-installers.rules audit-3.0.7/rules/44-installers.rules --- audit-3.0/rules/44-installers.rules 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.0.7/rules/44-installers.rules 2022-01-23 19:36:56.000000000 +0000 
@@ -0,0 +1,9 @@
+# These rules watch for invocation of things known to install software
+
+-a always,exit -F perm=x -F path=/usr/bin/dnf-3 -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/yum -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/pip -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/npm -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/cpan -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/gem -F key=software-installer
+-a always,exit -F perm=x -F path=/usr/bin/luarocks -F key=software-installer
diff -Nru audit-3.0/rules/71-networking.rules audit-3.0.7/rules/71-networking.rules
--- audit-3.0/rules/71-networking.rules 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/rules/71-networking.rules 2022-01-23 19:36:56.000000000 +0000
@@ -1,3 +1,3 @@
-## This is to check if the system is making or recieving connections
+## This is to check if the system is making or receiving connections
 ## externally
 -a always,exit -F arch=b64 -S accept,connect -F key=external-access
diff -Nru audit-3.0/rules/Makefile.am audit-3.0.7/rules/Makefile.am
--- audit-3.0/rules/Makefile.am 2020-12-16 20:44:34.000000000 +0000
+++ audit-3.0.7/rules/Makefile.am 2022-01-23 19:36:56.000000000 +0000
@@ -13,8 +13,9 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
 #
 # Authors:
 # Steve Grubb
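Review bot: These `perm=x` path watches fire only on execve of exactly those inodes, so `python3 -m pip`, `pip3`, `pipx`, `npx`, `bundle` or an `rpm -i` of a local package are not seen, and `/usr/bin/rpm` — the backend the yum/dnf entries end up calling on an RPM system — is absent from the list; consider `-a always,exit -F perm=x -F path=/usr/bin/rpm -F key=software-installer`. With no `auid` filter, unattended updates run by root or system jobs also land under the same key. Stating both limits in the file header, e.g. `# Only direct execution of these paths is logged; module and alternate front-ends are not`, would stop the key from being read as complete coverage. Which of these binaries exist depends on the distribution, which this file cannot know.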
@@ -37,6 +38,7 @@ 30-ospp-v42-6-owner-change-success.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ +44-installers.rules \ 70-einval.rules 71-networking.rules \ 99-finalize.rules README-rules diff -Nru audit-3.0/rules/Makefile.in audit-3.0.7/rules/Makefile.in --- audit-3.0/rules/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/rules/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -317,6 +318,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -346,6 +348,7 @@ 30-ospp-v42-6-owner-change-success.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ +44-installers.rules \ 70-einval.rules 71-networking.rules \ 99-finalize.rules README-rules diff -Nru audit-3.0/rules/README-rules audit-3.0.7/rules/README-rules --- audit-3.0/rules/README-rules 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/rules/README-rules 2022-01-23 19:36:56.000000000 +0000 
@@ -20,7 +20,10 @@ that should be thought out and individual files copied to /etc/audit/rules.d/ For example, if you wanted to set a system up in the STIG configuration, copy rules 10-base-config, 30-stig, 31-privileged, and 99-finalize. You can add -more if you like. +more if you like. Also, not all arches have the same syscalls. It is expected +that the rules be fine tuned for the arch they are deployed on. For example, +aarch64 does not have the open syscall. It should just be deleted from the +rules. Once you have the rules in the rules.d directory, you can load them by running augenrules --load diff -Nru audit-3.0/src/Makefile.am audit-3.0.7/src/Makefile.am --- audit-3.0/src/Makefile.am 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/Makefile.am 2022-01-23 19:36:56.000000000 +0000 @@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb 
@@ -33,22 +34,21 @@ endif auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditd_DEPENDENCIES = libev/libev.a ${top_builddir}/audisp/libdisp.a -auditd_LDADD = @LIBWRAP_LIBS@ -Llibev -lev -L${top_builddir}/audisp -ldisp -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -lpthread -lrt -lm $(gss_libs) -L${top_builddir}/common -laucommon +auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/src/libev/libev.la ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm $(gss_libs) ${top_builddir}/common/libaucommon.la auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c auditctl-listing.c auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE auditctl_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditctl_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +auditctl_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c -aureport_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +aureport_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c -ausearch_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon 
+ausearch_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c -autrace_LDADD = -L${top_builddir}/lib -laudit +autrace_LDADD = ${top_builddir}/lib/libaudit.la libev/libev.a: make -C libev diff -Nru audit-3.0/src/Makefile.in audit-3.0.7/src/Makefile.in --- audit-3.0/src/Makefile.in 2020-12-16 20:44:40.000000000 +0000 +++ audit-3.0.7/src/Makefile.in 2022-01-23 19:37:00.000000000 +0000 @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb @@ -136,7 +137,9 @@ auditctl-delete_all.$(OBJEXT) \ auditctl-auditctl-listing.$(OBJEXT) auditctl_OBJECTS = $(am_auditctl_OBJECTS) -auditctl_DEPENDENCIES = +auditctl_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -155,6 +158,11 @@ auditd-auditd-dispatch.$(OBJEXT) $(am__objects_1) auditd_OBJECTS = $(am_auditd_OBJECTS) am__DEPENDENCIES_1 = +auditd_DEPENDENCIES = ${top_builddir}/src/libev/libev.la \ + ${top_builddir}/audisp/libdisp.la \ + ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la $(am__DEPENDENCIES_1) \ + ${top_builddir}/common/libaucommon.la auditd_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(auditd_CFLAGS) $(CFLAGS) \ $(auditd_LDFLAGS) $(LDFLAGS) -o $@ 
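Review bot: The hunk drops the explicit `auditd_DEPENDENCIES = libev/libev.a ...` and links `${top_builddir}/src/libev/libev.la` instead, but the rule `libev/libev.a: make -C libev` survives as context and nothing references it any more, so it is dead. Automake derives the dependency on the `.la` files itself (the generated Makefile.in below shows `auditd_DEPENDENCIES = ${top_builddir}/src/libev/libev.la ...`), which means a clean tree now relies on libev/ being built through SUBDIRS, which this hunk does not show; if that is the mechanism, delete the stale `.a` rule, otherwise retarget it, e.g. `libev/libev.la: ; $(MAKE) -C libev`. The hunk begins on the previous line.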
@@ -166,7 +174,9 @@ ausearch-time.$(OBJEXT) ausearch-nvpair.$(OBJEXT) \ ausearch-avc.$(OBJEXT) ausearch-lol.$(OBJEXT) aureport_OBJECTS = $(am_aureport_OBJECTS) -aureport_DEPENDENCIES = +aureport_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la am_ausearch_OBJECTS = ausearch.$(OBJEXT) auditd-config.$(OBJEXT) \ ausearch-llist.$(OBJEXT) ausearch-options.$(OBJEXT) \ ausearch-report.$(OBJEXT) ausearch-match.$(OBJEXT) \ @@ -176,11 +186,13 @@ ausearch-avc.$(OBJEXT) ausearch-lol.$(OBJEXT) \ ausearch-checkpt.$(OBJEXT) ausearch_OBJECTS = $(am_ausearch_OBJECTS) -ausearch_DEPENDENCIES = +ausearch_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la am_autrace_OBJECTS = autrace.$(OBJEXT) delete_all.$(OBJEXT) \ auditctl-llist.$(OBJEXT) autrace_OBJECTS = $(am_autrace_OBJECTS) -autrace_DEPENDENCIES = +autrace_DEPENDENCIES = ${top_builddir}/lib/libaudit.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -451,6 +463,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -474,18 +487,17 @@ $(am__append_1) auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditd_DEPENDENCIES = libev/libev.a ${top_builddir}/audisp/libdisp.a -auditd_LDADD = @LIBWRAP_LIBS@ -Llibev -lev -L${top_builddir}/audisp -ldisp -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -lpthread -lrt -lm $(gss_libs) -L${top_builddir}/common -laucommon +auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/src/libev/libev.la ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm $(gss_libs) ${top_builddir}/common/libaucommon.la auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c auditctl-listing.c auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE auditctl_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditctl_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +auditctl_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c -aureport_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +aureport_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c -ausearch_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common 
-laucommon +ausearch_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c -autrace_LDADD = -L${top_builddir}/lib -laudit +autrace_LDADD = ${top_builddir}/lib/libaudit.la all: all-recursive .SUFFIXES: diff -Nru audit-3.0/src/auditctl-listing.c audit-3.0.7/src/auditctl-listing.c --- audit-3.0/src/auditctl-listing.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditctl-listing.c 2022-01-23 19:36:56.000000000 +0000 
@@ -1,20 +1,20 @@ -/* auditctl-listing.c -- - * Copyright 2014,16 Red Hat Inc., Durham, North Carolina. +/* auditctl-listing.c -- + * Copyright 2014,16,2021 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor * Boston, MA 02110-1335, USA. * * Authors: @@ -122,7 +122,7 @@ else printf(" -F arch%sb32", audit_operator_to_symbol(op)); - } else { + } else { const char *ptr = audit_machine_to_name(machine); printf(" -F arch%s%s", audit_operator_to_symbol(op), ptr); 
@@ -398,7 +398,7 @@ printf(" -F perm=%s", perms); } else if (field == AUDIT_INODE) { // This is unsigned - printf(" -F %s%s%u", name, + printf(" -F %s%s%u", name, audit_operator_to_symbol(op), r->values[i]); } else if (field == AUDIT_FIELD_COMPARE) { @@ -411,7 +411,7 @@ // Show these as hex if (count > 1 || interpret == 0) - printf(" -F %s%s0x%X", name, + printf(" -F %s%s0x%X", name, audit_operator_to_symbol(op), r->values[i]); else { // Use ignore to mean interpret @@ -460,14 +460,23 @@ audit_operator_to_symbol(op), audit_fstype_to_name( r->values[i])); + } else if (field == AUDIT_LOGINUID || + field == AUDIT_SESSIONID) { + if (r->values[i] == -1 && interpret) + printf(" -F %s%sunset", name, + audit_operator_to_symbol(op)); + else + printf(" -F %s%s%d", name, + audit_operator_to_symbol(op), + r->values[i]); } else { // The default is signed decimal - printf(" -F %s%s%d", name, + printf(" -F %s%s%d", name, audit_operator_to_symbol(op), r->values[i]); } } else { - // The field name is unknown + // The field name is unknown printf(" f%d%s%d", r->fields[i], audit_operator_to_symbol(op), r->values[i]); @@ -576,8 +585,7 @@ #endif printed = 1; break; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 case AUDIT_GET_FEATURE: { uint32_t mask = AUDIT_FEATURE_TO_MASK( @@ -600,7 +608,7 @@ printed = 1; return 1; default: - printf("Unknown: type=%d, len=%d\n", rep->type, + printf("Unknown: type=%d, len=%d\n", rep->type, rep->nlh->nlmsg_len); printed = 1; break; diff -Nru audit-3.0/src/auditctl.c audit-3.0.7/src/auditctl.c --- audit-3.0/src/auditctl.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditctl.c 2022-01-23 19:36:56.000000000 +0000 
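Review bot: The new AUDIT_LOGINUID/AUDIT_SESSIONID arm prints `sessionid=unset` for the all-ones value, which only round-trips through `auditctl -R` if the rule parser accepts `unset` for sessionid the way it does for auid; please confirm that, or limit the `unset` spelling to AUDIT_LOGINUID. The `r->values[i] == -1` test also depends on the usual arithmetic conversion of -1 against what the surrounding code treats as an unsigned field (the AUDIT_INODE arm says "This is unsigned" and prints with `%u`), so writing it as `r->values[i] == (unsigned)-1` states the intent without changing behaviour. The `%d` used for the non-interpreted case is kept deliberately so that existing `-1` output does not change. The enclosing function starts before this hunk.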
@@ -110,7 +110,7 @@ " -C f=f Compare collected fields if available:\n" " Field name, operator(=,!=), field name\n" " -d Delete rule from ist with ction\n" - " l=task,exit,user,exclude\n" + " l=task,exit,user,exclude,filesystem\n" " a=never,always\n" " -D Delete all rules and watches\n" " -e [0..2] Set enabled flag\n" @@ -130,13 +130,12 @@ " -R read rules from file\n" " -s Report status\n" " -S syscall Build rule: syscall name or number\n" - " --signal Send the specified signal to the daemon" + " --signal Send the specified signal to the daemon\n" " -t Trim directory watches\n" " -v Version\n" " -w Insert watch at \n" " -W Remove watch at \n" -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 " --loginuid-immutable Make loginuids unchangeable once set\n" #endif #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \ @@ -154,30 +153,30 @@ static int lookup_filter(const char *str, int *filter) { - if (strcmp(str, "task") == 0) - *filter = AUDIT_FILTER_TASK; - else if (strcmp(str, "exit") == 0) + if (strcmp(str, "exit") == 0) *filter = AUDIT_FILTER_EXIT; + else if (strcmp(str, "task") == 0) + *filter = AUDIT_FILTER_TASK; else if (strcmp(str, "user") == 0) *filter = AUDIT_FILTER_USER; - else if (strcmp(str, "filesystem") == 0) - *filter = AUDIT_FILTER_FS; else if (strcmp(str, "exclude") == 0) { *filter = AUDIT_FILTER_EXCLUDE; exclude = 1; - } else + } else if (strcmp(str, "filesystem") == 0) + *filter = AUDIT_FILTER_FS; + else return 2; return 0; } static int lookup_action(const char *str, int *act) { - if (strcmp(str, "never") == 0) + if (strcmp(str, "always") == 0) + *act = AUDIT_ALWAYS; + else if (strcmp(str, "never") == 0) *act = AUDIT_NEVER; else if (strcmp(str, "possible") == 0) return 1; - else if (strcmp(str, "always") == 0) - *act = AUDIT_ALWAYS; else return 2; return 0; 
@@ -201,8 +200,8 @@ *p = 0; /* Try opt both ways */ - if (lookup_filter(opt, filter) == 2) { - rc = lookup_action(opt, act); + if (lookup_action(opt, act) == 2) { + rc = lookup_filter(opt, filter); if (rc != 0) { *p = ','; return rc; @@ -369,7 +368,7 @@ return 0; } -static void check_rule_mismatch(int lineno, const char *option) +static int check_rule_mismatch(int lineno, const char *option) { struct audit_rule_data tmprule; unsigned int old_audit_elf = _audit_elf; @@ -387,17 +386,28 @@ _audit_elf = AUDIT_ARCH_S390; break; } + + char *ptr, *saved, *tmp = strdup(option); + if (tmp == NULL) + return -1; + ptr = strtok_r(tmp, ",", &saved); memset(&tmprule, 0, sizeof(struct audit_rule_data)); - audit_rule_syscallbyname_data(&tmprule, option); + while (ptr) { + audit_rule_syscallbyname_data(&tmprule, ptr); + ptr = strtok_r(NULL, ",", &saved); + } if (memcmp(tmprule.mask, rule_new->mask, AUDIT_BITMASK_SIZE)) rc = 1; + free(tmp); + _audit_elf = old_audit_elf; - if (rc) { + if (rc) { if (lineno) audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall mismatch in line %d, you should specify an arch", lineno); else audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall mismatch, you should specify an arch"); } + return 0; } @@ -533,8 +543,7 @@ static struct option long_opts[] = { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \ - defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 {"loginuid-immutable", 0, NULL, 1}, #endif #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \ @@ -826,7 +835,8 @@ case 0: _audit_syscalladded = 1; if (unknown_arch && add != AUDIT_FILTER_UNSET) - check_rule_mismatch(lineno, optarg); + if (check_rule_mismatch(lineno, optarg) == -1) + retval = -1; break; case -1: audit_msg(LOG_ERR, "Syscall name unknown: %s", 
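Review bot: Swapping the lookup order changes what happens for the deprecated `possible` keyword: `lookup_action` returns 1 for it without setting `*act`, the new `== 2` test is then false, so neither `lookup_filter` nor the `return rc` path runs and parsing continues with `rc` untouched, whereas before the 1 was propagated to the caller. If that return code is what drives the deprecation handling in the caller, this hunk silently drops it. Assigning unconditionally keeps both outcomes: `rc = lookup_action(opt, act); if (rc == 2) rc = lookup_filter(opt, filter);` and let the existing `if (rc != 0)` below handle the rest. The enclosing function starts and ends outside the hunk, so the declaration of `rc` and the handling of the second half of the pair could not be checked.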
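Review bot: The early `return -1` on strdup failure skips the `_audit_elf = old_audit_elf;` restore, leaving the global pointed at the alternate arch chosen by the switch above (the S390 arm is visible in the hunk) for the rest of the run; the caller only sets `retval = -1` and, per the change at the call site, logs nothing. Restore before bailing out: `if (tmp == NULL) { _audit_elf = old_audit_elf; return -1; }`, and consider an `audit_msg(LOG_ERR, "Out of memory checking rule");` at the call site so the failure is not silent. The start of check_rule_mismatch is in the preceding hunk and the switch that rewrites `_audit_elf` begins outside this one.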
@@ -1010,7 +1020,7 @@ } break; case 'p': - if (!add && !del) { + if (add == AUDIT_FILTER_UNSET && del == AUDIT_FILTER_UNSET) { audit_msg(LOG_ERR, "permission option needs a watch given prior to it"); retval = -1; diff -Nru audit-3.0/src/auditd-config.c audit-3.0.7/src/auditd-config.c --- audit-3.0/src/auditd-config.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd-config.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auditd-config.c -- - * Copyright 2004-2011,2013-14,2016,2018 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-2011,2013-14,2016,2018,2020-21 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,7 +18,7 @@ * * Authors: * Steve Grubb - * + * */ #include "config.h" @@ -144,6 +144,8 @@ struct daemon_conf *config); static int plugin_dir_parser(struct nv_pair *nv, int line, struct daemon_conf *config); +static int eoe_timeout_parser(struct nv_pair *nv, int line, + struct daemon_conf *config); static int sanity_check(struct daemon_conf *config); static const struct kw_pair keywords[] = @@ -186,6 +188,7 @@ {"overflow_action", overflow_action_parser, 0 }, {"max_restarts", max_restarts_parser, 0 }, {"plugin_dir", plugin_dir_parser, 0 }, + {"end_of_event_timeout", eoe_timeout_parser, 0 }, { NULL, NULL, 0 } }; @@ -344,11 +347,12 @@ config->krb5_principal = NULL; config->krb5_key_file = NULL; config->distribute_network_events = 0; - config->q_depth = 400; + config->q_depth = 1200; config->overflow_action = O_SYSLOG; config->max_restarts = 10; config->plugin_dir = strdup("/etc/audit/plugins.d"); config->config_dir = NULL; + config->end_of_event_timeout = EOE_TIMEOUT; } static log_test_t log_test = TEST_AUDITD; @@ -1764,7 +1768,9 @@ if (i > 99999) { audit_msg(LOG_ERR, "q_depth must be 99999 or less"); return 1; - } + } else if (i < 512) + audit_msg(LOG_WARNING, + "q_depth should be larger than 512 for safety margin"); config->q_depth = i; return 0; } 
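Review bot: The new q_depth warning is inconsistent with its own text: `i < 512` lets exactly 512 through silently while the message says "larger than 512", and unlike the other messages in this parser it omits the line number. Suggest `} else if (i <= 512) audit_msg(LOG_WARNING, "q_depth should be larger than 512 for safety margin - line %d", line);` so the threshold and the wording agree and the operator can find the offending line. The q_depth parser starts before this hunk.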
@@ -1846,6 +1852,37 @@ return 0; } +static int eoe_timeout_parser(struct nv_pair *nv, int line, + struct daemon_conf *config) +{ + const char *ptr = nv->value; + unsigned long i; + + audit_msg(LOG_DEBUG, "eoe_timeout_parser called with: %s", nv->value); + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { + audit_msg(LOG_ERR, + "Value %s should only be numbers - line %d", + nv->value, line); + return 1; + } + } + + /* convert to unsigned long */ + errno = 0; + i = strtoul(nv->value, NULL, 10); + if (errno) { + audit_msg(LOG_ERR, + "Error converting string to a number (%s) - line %d", + strerror(errno), line); + return 1; + } + config->end_of_event_timeout = i; + return 0; +} + /* * Query file system and calculate in MB the given percentage is. * Returns 0 on error and a number otherwise. @@ -1961,7 +1998,8 @@ free((void *)config->krb5_key_file); free((void *)config->plugin_dir); free((void *)config_dir); - free(config_file); + free(config_file); + config_file = NULL; config->config_dir = NULL; } @@ -1980,8 +2018,13 @@ audit_msg(LOG_ERR, "Unable to get machine name"); rc = -1; - } else + } else { + // Remove any spaces + char *p; + while ((p = strchr(tmp_name, ' '))) + *p = '_'; config->node_name = strdup(tmp_name); + } break; case N_USER: if (config->node_name == NULL) { diff -Nru audit-3.0/src/auditd-config.h audit-3.0.7/src/auditd-config.h --- audit-3.0/src/auditd-config.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd-config.h 2022-01-23 19:36:56.000000000 +0000 @@ -29,6 +29,9 @@ #define CONFIG_FILE "/etc/audit/auditd.conf" #define MEGABYTE 1048576UL +// Define user space end of event timeout default (in seconds) +#define EOE_TIMEOUT 2L + typedef enum { D_FOREGROUND, D_BACKGROUND } daemon_t; typedef enum { LF_RAW, LF_NOLOG, LF_ENRICHED } logging_formats; typedef enum { FT_NONE, FT_INCREMENTAL, FT_INCREMENTAL_ASYNC, FT_DATA, FT_SYNC } flush_technique; 
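Review bot: eoe_timeout_parser accepts an empty value: the digit loop never runs, `strtoul("")` returns 0 without setting errno, and `end_of_event_timeout` silently becomes 0, which is almost certainly not what an operator who left `end_of_event_timeout =` blank intended. Add a guard before the loop, `if (*ptr == '\0') { audit_msg(LOG_ERR, "Value is empty - line %d", line); return 1; }`. Two smaller points in the same function: `isdigit(ptr[i])` should take `(unsigned char)ptr[i]` since `char` may be signed, and there is no upper bound, so a value such as 4000000000 is accepted as a multi-year timeout without comment; a sanity cap would help if auparse cannot handle such values (not visible here).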
@@ -92,6 +95,8 @@ unsigned int max_restarts; char *plugin_dir; const char *config_dir; + // Userspace configuration items + unsigned long end_of_event_timeout; }; void set_allow_links(int allow); diff -Nru audit-3.0/src/auditd-event.c audit-3.0.7/src/auditd-event.c --- audit-3.0/src/auditd-event.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd-event.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ -/* auditd-event.c -- - * Copyright 2004-08,2011,2013,2015-16,2018 Red Hat Inc.,Durham, North Carolina. +/* auditd-event.c -- + * Copyright 2004-08,2011,2013,2015-16,2018,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -42,6 +42,7 @@ #include "libaudit.h" #include "private.h" #include "auparse.h" +#include "auparse-idata.h" /* This is defined in auditd.c */ extern volatile int stop; @@ -56,7 +57,7 @@ static void do_disk_full_action(void); static void do_disk_error_action(const char *func, int err); static void fix_disk_permissions(void); -static void check_excess_logs(void); +static void check_excess_logs(void); static void rotate_logs_now(void); static void rotate_logs(unsigned int num_logs, unsigned int keep_logs); static void shift_logs(void); @@ -70,7 +71,7 @@ /* Local Data */ static struct daemon_conf *config; static volatile int log_fd; -static FILE *log_file; +static FILE *log_file = NULL; static unsigned int disk_err_warning = 0; static int fs_space_warning = 0; static int fs_admin_space_warning = 0; @@ -85,6 +86,7 @@ static pthread_mutex_t flush_lock; static pthread_cond_t do_flush; static volatile int flush; +static auparse_state_t *au = NULL; /* Local definitions */ #define FORMAT_BUF_LEN (MAX_AUDIT_MESSAGE_LENGTH + _POSIX_HOST_NAME_MAX) 
@@ -116,7 +118,7 @@ config->space_left); fprintf(f, "admin_space_left setting %lu MB\n", config->admin_space_left); - } + } fprintf(f, "logging suspended = %s\n", logging_suspended ? "yes" : "no"); fprintf(f, "file system space action performed = %s\n", @@ -130,17 +132,14 @@ void shutdown_events(void) { - /* Give it 5 seconds to clear the queue */ - alarm(5); - - // Nudge the flush thread - pthread_cond_signal(&do_flush); - pthread_join(flush_thread, NULL); - + // We are no longer processing events, sync the disk and close up. + pthread_cancel(flush_thread); free((void *)format_buf); + auparse_destroy_ext(au, AUPARSE_DESTROY_ALL); + if (log_fd >= 0) + fsync(log_fd); if (log_file) fclose(log_file); - auparse_destroy_ext(NULL, AUPARSE_DESTROY_ALL); } int init_event(struct daemon_conf *conf) @@ -159,8 +158,8 @@ log_fd = 1; // stdout log_file = fdopen(log_fd, "a"); if (log_file == NULL) { - audit_msg(LOG_ERR, - "Error setting up stdout descriptor (%s)", + audit_msg(LOG_ERR, + "Error setting up stdout descriptor (%s)", strerror(errno)); return 1; } @@ -176,7 +175,8 @@ format_buf = (char *)malloc(FORMAT_BUF_LEN); if (format_buf == NULL) { audit_msg(LOG_ERR, "No memory for formatting, exiting"); - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; return 1; } @@ -192,11 +192,12 @@ /* This is a worker thread. Don't handle signals. */ sigemptyset(&sigs); - sigaddset(&sigs, SIGALRM); sigaddset(&sigs, SIGTERM); sigaddset(&sigs, SIGHUP); sigaddset(&sigs, SIGUSR1); sigaddset(&sigs, SIGUSR2); + sigaddset(&sigs, SIGCHLD); + sigaddset(&sigs, SIGCONT); pthread_sigmask(SIG_SETMASK, &sigs, NULL); while (!stop) { @@ -213,7 +214,8 @@ flush = 0; pthread_mutex_unlock(&flush_lock); - fsync(log_fd); + if (log_fd >= 0) + fsync(log_fd); } return NULL; } 
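Review bot: `pthread_cancel(flush_thread)` only requests cancellation and returns immediately, and because the thread is now detached in init_flush_thread there is no longer a join, so the flush thread can still be inside `fsync(log_fd)` or holding `flush_lock` when `fclose(log_file)` runs a few lines later. The old `alarm(5)` + `pthread_join` gave the queue a bounded drain window and guaranteed the thread was gone before the file was closed; the new code makes the shutdown ordering depend on scheduling. Keeping the thread joinable and calling `pthread_join(flush_thread, NULL);` after the cancel, or registering a `pthread_cleanup_push` that unlocks `flush_lock`, would make it deterministic again. Note also that if cancellation lands inside `pthread_cond_wait`, the mutex is reacquired and left locked, which only matters if anything else takes `flush_lock` after this point.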
@@ -226,6 +228,7 @@ pthread_cond_init(&do_flush, NULL); flush = 0; pthread_create(&flush_thread, NULL, flush_thread_main, NULL); + pthread_detach(flush_thread); } static void replace_event_msg(struct auditd_event *e, const char *buf) @@ -237,7 +240,8 @@ e->reply.message = strdup(buf); else { // If too big, we must truncate the event due to API - e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1); + e->reply.message = strndup(buf, + MAX_AUDIT_MESSAGE_LENGTH-1); len = MAX_AUDIT_MESSAGE_LENGTH; } // For network originating events, len should be used @@ -262,7 +266,7 @@ "node=%s type=DAEMON_ERR op=format-raw msg=NULL res=failed", config->node_name); else - snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, + snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, "type=DAEMON_ERR op=format-raw msg=NULL res=failed"); } else { int len, nlen; @@ -270,7 +274,7 @@ char unknown[32]; type = audit_msg_type_to_name(rep->type); if (type == NULL) { - snprintf(unknown, sizeof(unknown), + snprintf(unknown, sizeof(unknown), "UNKNOWN[%d]", rep->type); type = unknown; } @@ -282,7 +286,7 @@ len = rep->len; } - // Note: This can truncate messages if + // Note: This can truncate messages if // MAX_AUDIT_MESSAGE_LENGTH is too small if (config->node_name_format != N_NONE) nlen = snprintf(format_buf, FORMAT_BUF_LEN - 32, @@ -294,9 +298,9 @@ "type=%s msg=%.*s", type, len, message); /* Replace \n with space so it looks nicer. */ - ptr = format_buf; + ptr = format_buf; while ((ptr = strchr(ptr, 0x0A)) != NULL) - *ptr = ' '; + *ptr = ' '; /* Trim trailing space off since it wastes space */ if (format_buf[nlen-1] == ' ') @@ -338,7 +342,7 @@ } field_name[i] = 0; nlen = i; - + // get the translated value value = auparse_interpret_field(au); if (value == NULL) 
@@ -392,12 +396,11 @@ "node=%s type=DAEMON_ERR op=format-enriched msg=NULL res=failed", config->node_name); else - snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, + snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, "type=DAEMON_ERR op=format-enriched msg=NULL res=failed"); } else { - int rc; + int rc, rtype; size_t mlen, len; - auparse_state_t *au; char *message; // Do raw format to get event started format_raw(rep); @@ -415,16 +418,31 @@ format_buf[mlen] = 0; // init auparse - au = auparse_init(AUSOURCE_BUFFER, message); if (au == NULL) { - free(message); - return format_buf; - } - auparse_set_escape_mode(au, AUPARSE_ESC_RAW); + au = auparse_init(AUSOURCE_BUFFER, message); + if (au == NULL) { + free(message); + return format_buf; + } + auparse_set_escape_mode(au, AUPARSE_ESC_RAW); + auparse_set_eoe_timeout(config->end_of_event_timeout); + } else + auparse_new_buffer(au, message, mlen+1); sep_done = 0; // Loop over all fields while possible to add field rc = auparse_first_record(au); + rtype = auparse_get_type(au); + switch (rtype) + { // Flush before adding to pickup new associations + case AUDIT_ADD_USER: + case AUDIT_ADD_GROUP: + _auparse_flush_caches(); + break; + default: + break; + } + while (rc > 0 && len > MIN_SPACE_LEFT) { // See what kind of field we have size_t vlen; @@ -452,7 +470,17 @@ rc = auparse_next_field(au); } - auparse_destroy_ext(au, AUPARSE_DESTROY_COMMON); + switch(rtype) + { // Flush after modification to remove stale entries + case AUDIT_USER_MGMT: + case AUDIT_DEL_USER: + case AUDIT_DEL_GROUP: + case AUDIT_GRP_MGMT: + _auparse_flush_caches(); + break; + default: + break; + } free(message); } return format_buf; 
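Review bot: The result of `auparse_new_buffer(au, message, mlen+1)` in the else arm is discarded; assuming it reports failure like `auparse_init` does (it returns an int in the auparse API), the loop below would then run `auparse_first_record` against whatever the persistent `au` still holds from the previous event and enrich this event with stale fields. Mirroring the init arm keeps the two paths symmetric: `if (auparse_new_buffer(au, message, mlen+1) != 0) { free(message); return format_buf; }`. Also note that `auparse_set_eoe_timeout(config->end_of_event_timeout)` is applied only when `au` is first created, so a later change of end_of_event_timeout in auditd.conf will not take effect until restart unless the reconfigure path (not in this hunk) re-applies it. format_enriched starts before this hunk.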
@@ -552,20 +580,21 @@ rc = fflush_unlocked(log_file); } while (rc < 0 && errno == EINTR); if (errno) { - if (errno == ENOSPC && + if (errno == ENOSPC && fs_space_left == 1) { fs_space_left = 0; do_disk_full_action(); - } else + } else //EIO is only likely failure mode - do_disk_error_action("flush", + do_disk_error_action("flush", errno); } if (config->daemonize == D_BACKGROUND) { if (config->flush == FT_INCREMENTAL) { /* EIO is only likely failure */ - if (fsync(log_fd) != 0) { + if (log_fd >= 0 && + fsync(log_fd) != 0) { do_disk_error_action( "fsync", errno); @@ -574,7 +603,8 @@ pthread_mutex_lock(&flush_lock); flush = 1; pthread_cond_signal(&do_flush); - pthread_mutex_unlock(&flush_lock); + pthread_mutex_unlock( + &flush_lock); } } } @@ -601,7 +631,7 @@ void resume_logging(void) { audit_msg(LOG_NOTICE, "Audit daemon is attempting to resume logging."); - logging_suspended = 0; + logging_suspended = 0; fs_space_left = 1; // User space action scripts cause fd to close @@ -611,7 +641,7 @@ fix_disk_permissions(); if (open_audit_log()) { int saved_errno = errno; - audit_msg(LOG_WARNING, + audit_msg(LOG_WARNING, "Could not reopen a log after resume logging"); logging_suspended = 1; do_disk_error_action("resume", saved_errno); @@ -662,7 +692,7 @@ log_size += rc; check_log_file_size(); // Keep loose tabs on the free space - if ((log_size % 3) < 2) + if ((log_size % 8) < 3) check_space_left(); } @@ -693,6 +723,14 @@ case SZ_SUSPEND: audit_msg(LOG_ERR, "Audit daemon is suspending logging due to logfile size."); + // We need to close the file so that manual + // intervention can move or delete the file. + // We don't want to keep logging to a deleted + // file. + if (log_file) + fclose(log_file); + log_file = NULL; + log_fd = -1; logging_suspended = 1; break; case SZ_ROTATE: @@ -708,7 +746,7 @@ shift_logs(); break; default: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon log file is larger than max size and unknown action requested"); break; } 
@@ -720,6 +758,9 @@ int rc; struct statfs buf; + if (log_fd < 0) + return; + rc = fstatfs(log_fd, &buf); if (rc == 0) { if (buf.f_bavail < 5) { @@ -730,7 +771,7 @@ unsigned long blocks; unsigned long block_size = buf.f_bsize; blocks = config->space_left * (MEGABYTE/block_size); - if (buf.f_bavail < blocks) { + if (buf.f_bavail < blocks) { if (fs_space_warning == 0) { do_space_left_action(0); // Allow unlimited rotation @@ -744,7 +785,7 @@ fs_space_warning = 0; } blocks=config->admin_space_left * (MEGABYTE/block_size); - if (buf.f_bavail < blocks) { + if (buf.f_bavail < blocks) { if (fs_admin_space_warning == 0) { do_space_left_action(1); // Allow unlimited rotation @@ -759,11 +800,11 @@ } } } - else audit_msg(LOG_DEBUG, "fstatfs returned:%d, %s", rc, + else audit_msg(LOG_DEBUG, "fstatfs returned:%d, %s", rc, strerror(errno)); } -extern int sendmail(const char *subject, const char *content, +extern int sendmail(const char *subject, const char *content, const char *mail_acct); static void do_space_left_action(int admin) { @@ -779,7 +820,7 @@ case FA_IGNORE: break; case FA_SYSLOG: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon is low on disk space for logging"); break; case FA_ROTATE: 
@@ -791,23 +832,24 @@ break; case FA_EMAIL: if (admin == 0) { - sendmail("Audit Disk Space Alert", + sendmail("Audit Disk Space Alert", "The audit daemon is low on disk space for logging! Please take action\nto ensure no loss of service.", config->action_mail_acct); - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon is low on disk space for logging"); } else { - sendmail("Audit Admin Space Alert", + sendmail("Audit Admin Space Alert", "The audit daemon is very low on disk space for logging! Immediate action\nis required to ensure no loss of service.", config->action_mail_acct); - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon is very low on disk space for logging"); } break; case FA_EXEC: // Close the logging file in case the script zips or // moves the file. We'll reopen in sigusr2 handler - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; log_fd = -1; logging_suspended = 1; @@ -819,20 +861,27 @@ case FA_SUSPEND: audit_msg(LOG_ALERT, "Audit daemon is suspending logging due to low disk space."); + // We need to close the file so that manual + // intervention can move or delete the file. We + // don't want to keep logging to a deleted file. + if (log_file) + fclose(log_file); + log_file = NULL; + log_fd = -1; logging_suspended = 1; break; case FA_SINGLE: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now changing the system to single user mode"); change_runlevel(SINGLE); break; case FA_HALT: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now halting the system"); change_runlevel(HALT); break; default: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon is low on disk space for logging and unknown action requested"); break; } @@ -857,7 +906,8 @@ case FA_EXEC: // Close the logging file in case the script zips or // moves the file. We'll reopen in sigusr2 handler - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; log_fd = -1; logging_suspended = 1; 
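Review bot: The four-line "close the log and suspend" sequence (`if (log_file) fclose(log_file); log_file = NULL; log_fd = -1; logging_suspended = 1;`) is now repeated in the FA_EXEC and FA_SUSPEND arms of do_space_left_action, do_disk_full_action and do_disk_error_action, and in the SZ_SUSPEND arm of the max-log-size handler, with a three-line comment copied alongside each. A small static helper keeps the semantics in one place so the next fix (for example ordering `log_fd = -1` before `fclose` so the flush thread's `log_fd >= 0` check cannot race with the close) only has to be made once. The helper below would replace each copy with `close_log_for_suspend(); break;` or, in the FA_EXEC arms, `close_log_for_suspend();` followed by the existing script launch.

```c
/* Close the log so an operator or action script can move or delete it;
 * logging stays suspended until resume_logging() reopens the file. */
static void close_log_for_suspend(void)
{
	log_fd = -1;
	if (log_file)
		fclose(log_file);
	log_file = NULL;
	logging_suspended = 1;
}

// … unchanged: do_space_left_action switch, each FA_EXEC / FA_SUSPEND arm
// reduced to close_log_for_suspend() …
```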
@@ -866,22 +916,29 @@ case FA_SUSPEND: audit_msg(LOG_ALERT, "Audit daemon is suspending logging due to no space left on logging partition."); + // We need to close the file so that manual + // intervention can move or delete the file. We + // don't want to keep logging to a deleted file. + if (log_file) + fclose(log_file); + log_file = NULL; + log_fd = -1; logging_suspended = 1; break; case FA_SINGLE: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now changing the system to single user mode due to no space left on logging partition"); change_runlevel(SINGLE); break; case FA_HALT: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now halting the system due to no space left on logging partition"); change_runlevel(HALT); break; default: audit_msg(LOG_ALERT, "Unknown disk full action requested"); break; - } + } } static void do_disk_error_action(const char *func, int err) @@ -894,7 +951,7 @@ break; case FA_SYSLOG: if (disk_err_warning < 5) { - snprintf(text, sizeof(text), + snprintf(text, sizeof(text), "%s: Audit daemon detected an error writing an event to disk (%s)", func, strerror(err)); audit_msg(LOG_ALERT, "%s", text); @@ -904,7 +961,8 @@ case FA_EXEC: // Close the logging file in case the script zips or // moves the file. We'll reopen in sigusr2 handler - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; log_fd = -1; logging_suspended = 1; 
@@ -913,28 +971,35 @@ case FA_SUSPEND: audit_msg(LOG_ALERT, "Audit daemon is suspending logging due to previously mentioned write error"); + // We need to close the file so that manual + // intervention can move or delete the file. We + // don't want to keep logging to a deleted file. + if (log_file) + fclose(log_file); + log_file = NULL; + log_fd = -1; logging_suspended = 1; break; case FA_SINGLE: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now changing the system to single user mode due to previously mentioned write error"); change_runlevel(SINGLE); break; case FA_HALT: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "The audit daemon is now halting the system due to previously mentioned write error."); change_runlevel(HALT); break; default: - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Unknown disk error action requested"); break; - } + } } static void rotate_logs_now(void) { - if (config->max_log_size_action == SZ_KEEP_LOGS) + if (config->max_log_size_action == SZ_KEEP_LOGS) shift_logs(); else rotate_logs(0, 0); @@ -952,7 +1017,7 @@ if (config->max_log_size_action != SZ_ROTATE || config->num_logs < 2) return; - + len = strlen(config->log_file) + 16; name = (char *)malloc(len); if (name == NULL) { /* Not fatal - just messy */ @@ -960,7 +1025,7 @@ return; } - // We want 1 beyond the normal logs + // We want 1 beyond the normal logs i = config->num_logs; rc = 0; while (rc == 0) { @@ -1009,7 +1074,7 @@ free(path); } - + static void rotate_logs(unsigned int num_logs, unsigned int keep_logs) { int rc, i; 
@@ -1029,17 +1094,21 @@ /* Close audit file. fchmod and fchown errors are not fatal because we * already adjusted log file permissions and ownership when opening the * log file. */ - if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){ - audit_msg(LOG_WARNING, "Couldn't change permissions while " + if (log_fd >= 0) { + if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : + S_IRUSR) < 0){ + audit_msg(LOG_WARNING, "Couldn't change permissions while " "rotating log file (%s)", strerror(errno)); - } - if (fchown(log_fd, 0, config->log_group) < 0) { - audit_msg(LOG_WARNING, "Couldn't change ownership while " + } + if (fchown(log_fd, 0, config->log_group) < 0) { + audit_msg(LOG_WARNING, "Couldn't change ownership while " "rotating log file (%s)", strerror(errno)); + } } - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; - + /* Rotate */ len = strlen(config->log_file) + 16; oldname = (char *)malloc(len); @@ -1061,7 +1130,7 @@ num_logs = config->num_logs; /* Handle this case first since it will not enter the for loop */ - if (num_logs == 2) + if (num_logs == 2) snprintf(oldname, len, "%s.1", config->log_file); known_logs = 0; @@ -1073,7 +1142,7 @@ if (rc == -1 && errno != ENOENT) { // Likely errors: ENOSPC, ENOMEM, EBUSY int saved_errno = errno; - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Error rotating logs from %s to %s (%s)", oldname, newname, strerror(errno)); if (saved_errno == ENOSPC && fs_space_left == 1) { @@ -1103,7 +1172,7 @@ /* At this point, we've failed to rotate the original log. * So, let's make the old log writable and try again next * time */ - chmod(config->log_file, + chmod(config->log_file, config->log_group ? S_IWUSR|S_IRUSR|S_IRGRP : S_IWUSR|S_IRUSR); } @@ -1112,7 +1181,7 @@ /* open new audit file */ if (open_audit_log()) { int saved_errno = errno; - audit_msg(LOG_CRIT, + audit_msg(LOG_CRIT, "Could not reopen a log after rotating."); logging_suspended = 1; do_disk_error_action("reopen", saved_errno); 
@@ -1138,7 +1207,7 @@ // Find last log num_logs = last_log; while (num_logs) { - snprintf(name, len, "%s.%u", config->log_file, + snprintf(name, len, "%s.%u", config->log_file, num_logs); if (access(name, R_OK) != 0) break; @@ -1151,7 +1220,7 @@ audit_msg(LOG_WARNING, "Last known log disappeared (%s)", name); num_logs = last_log = 1; while (num_logs) { - snprintf(name, len, "%s.%u", config->log_file, + snprintf(name, len, "%s.%u", config->log_file, num_logs); if (access(name, R_OK) != 0) break; @@ -1176,7 +1245,7 @@ if (config->write_logs == 0) return 0; - flags = O_WRONLY|O_APPEND|O_NOFOLLOW; + flags = O_WRONLY|O_APPEND|O_NOFOLLOW|O_CLOEXEC; if (config->flush == FT_DATA) flags |= O_DSYNC; else if (config->flush == FT_SYNC) @@ -1221,12 +1290,6 @@ } } - if (fcntl(lfd, F_SETFD, FD_CLOEXEC) == -1) { - audit_msg(LOG_ERR, "Error setting log file CLOEXEC flag (%s)", - strerror(errno)); - close(lfd); - return 1; - } if (fchmod(lfd, config->log_group ? S_IRUSR|S_IWUSR|S_IRGRP : S_IRUSR|S_IWUSR) < 0) { audit_msg(LOG_ERR, @@ -1265,7 +1328,7 @@ pid = fork(); if (pid < 0) { - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon failed to fork switching runlevels"); return; } @@ -1297,7 +1360,7 @@ pid = fork(); if (pid < 0) { - audit_msg(LOG_ALERT, + audit_msg(LOG_ALERT, "Audit daemon failed to fork doing safe_exec"); return; } @@ -1355,7 +1418,7 @@ oconf->priority_boost = nconf->priority_boost; errno = 0; rc = nice(-oconf->priority_boost); - if (rc == -1 && errno) + if (rc == -1 && errno) audit_msg(LOG_WARNING, "Cannot change priority in " "reconfigure (%s)", strerror(errno)); } @@ -1365,7 +1428,7 @@ // Only update this if we are in background mode since // foreground mode writes to stderr. - if ((oconf->write_logs != nconf->write_logs) && + if ((oconf->write_logs != nconf->write_logs) && (oconf->daemonize == D_BACKGROUND)) { oconf->write_logs = nconf->write_logs; need_reopen = 1; 
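Review bot: The move from a post-open `fcntl(F_SETFD, FD_CLOEXEC)` to `O_CLOEXEC` in `flags` deserves a why-comment, because a reader diffing the two versions may take the dropped fcntl block for a lost check rather than a hardening. With the flag applied in open() there is no window between open and fcntl in which a fork()+exec() from another thread (change_runlevel and safe_exec both fork in this file, and reconfigure runs on its own thread) could inherit the audit log descriptor. Suggest `// O_CLOEXEC at open: no window for a concurrent fork/exec to inherit the log fd` above the `flags =` line. open_audit_log continues outside the hunk.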
@@ -1385,8 +1448,8 @@ free((void *)nconf->action_mail_acct); // node_name - if (oconf->node_name_format != nconf->node_name_format || - (oconf->node_name && nconf->node_name && + if (oconf->node_name_format != nconf->node_name_format || + (oconf->node_name && nconf->node_name && strcmp(oconf->node_name, nconf->node_name) != 0)) { oconf->node_name_format = nconf->node_name_format; free((char *)oconf->node_name); @@ -1396,7 +1459,7 @@ // network listener auditd_tcp_listen_reconfigure(nconf, oconf); - // distribute network events + // distribute network events oconf->distribute_network_events = nconf->distribute_network_events; // Dispatcher items @@ -1410,7 +1473,7 @@ oconf->plugin_dir = nconf->plugin_dir; } - /* At this point we will work on the items that are related to + /* At this point we will work on the items that are related to * a single log file. */ // max logfile action @@ -1446,12 +1509,13 @@ free((void *)nconf->log_file); if (need_reopen) { - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; fix_disk_permissions(); if (open_audit_log()) { int saved_errno = errno; - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Could not reopen a log after reconfigure"); logging_suspended = 1; // Likely errors: ENOMEM, ENOSPC @@ -1462,7 +1526,7 @@ } } - /* At this point we will start working on items that are + /* At this point we will start working on items that are * related to the amount of space on the partition. */ // space left 
@@ -1577,7 +1641,7 @@ } e->reply.type = AUDIT_DAEMON_CONFIG; - e->reply.len = snprintf(e->reply.msg.data, MAX_AUDIT_MESSAGE_LENGTH-2, + e->reply.len = snprintf(e->reply.msg.data, MAX_AUDIT_MESSAGE_LENGTH-2, "%s: op=reconfigure state=changed auid=%u pid=%d subj=%s res=success", date, uid, pid, ctx ); e->reply.message = e->reply.msg.data; diff -Nru audit-3.0/src/auditd-listen.c audit-3.0.7/src/auditd-listen.c --- audit-3.0/src/auditd-listen.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd-listen.c 2022-01-23 19:36:56.000000000 +0000 @@ -119,9 +119,9 @@ static char *sockaddr_to_addr(struct sockaddr_storage *addr) { - static char buf[40]; + static char buf[64]; - snprintf(buf, sizeof(buf), "%s:%u", + snprintf(buf, sizeof(buf), "%52s:%u", sockaddr_to_string(addr), sockaddr_to_port(addr)); return buf; @@ -875,7 +875,7 @@ /* Make the client data structure */ client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp)); if (client == NULL) { - audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); + audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); snprintf(emsg, sizeof(emsg), "op=alloc addr=%s port=%u res=no", sockaddr_to_string(&aaddr), @@ -961,15 +961,8 @@ int one = 1, rc; int prefer_ipv6 = 0; - transport = config->transport; - ev_periodic_init(&periodic_watcher, periodic_handler, - 0, config->tcp_client_max_idle, NULL); - periodic_watcher.data = config; - if (config->tcp_client_max_idle) - ev_periodic_start(loop, &periodic_watcher); - /* If the port is not set, that means we aren't going to - listen for connections. */ + listen for connections. */ if (config->tcp_listen_port == 0) return 0; 
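Review bot: `"%52s:%u"` in sockaddr_to_addr does not bound the address, it pads it: a field width is a minimum, so an IPv4 peer such as `1.2.3.4` is rendered with 45 leading spaces, and that padded string is what ends up in the `addr=` field of the audit messages built from this helper. snprintf with `sizeof(buf)` already prevents overflow (a 45-character IPv6 address, the colon, a five-digit port and the NUL fit in 64), so the plain `"%s:%u"` is correct; if truncation was the intent, the precision form `"%.52s:%u"` is the one that limits length. The static buffer is pre-existing and unchanged here.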
@@ -977,11 +970,11 @@ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; hints.ai_socktype = SOCK_STREAM; hints.ai_family = AF_UNSPEC; - snprintf(local, sizeof(local), "%lu", config->tcp_listen_port); + snprintf(local, sizeof(local), "%u", (unsigned)config->tcp_listen_port); rc = getaddrinfo(NULL, local, &hints, &ai); if (rc) { - audit_msg(LOG_ERR, "Cannot lookup addresses"); + audit_msg(LOG_ERR, "Cannot lookup addresses"); return 1; } @@ -1010,11 +1003,11 @@ // we only need one. if (runp->ai_family == AF_INET && prefer_ipv6) goto next_try; - + listen_socket[nlsocks] = socket(runp->ai_family, runp->ai_socktype, runp->ai_protocol); if (listen_socket[nlsocks] < 0) { - audit_msg(LOG_ERR, "Cannot create %s listener socket", + audit_msg(LOG_ERR, "Cannot create %s listener socket", runp->ai_family == AF_INET ? "IPv4" : "IPv6"); goto next_try; } @@ -1034,7 +1027,7 @@ if (bind(listen_socket[nlsocks], runp->ai_addr, runp->ai_addrlen)) { if (errno != EADDRINUSE) - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Cannot bind listener socket to port %ld (%s)", config->tcp_listen_port, strerror(errno)); close(listen_socket[nlsocks]); @@ -1043,7 +1036,7 @@ } if (listen(listen_socket[nlsocks], config->tcp_listen_queue)) { - audit_msg(LOG_ERR, "Unable to listen on %ld (%s)", + audit_msg(LOG_ERR, "Unable to listen on %ld (%s)", config->tcp_listen_port, strerror(errno)); close(listen_socket[nlsocks]); @@ -1071,6 +1064,14 @@ if (nlsocks == 0) return -1; + // Now that we have sockets, start the periodic timers + transport = config->transport; + ev_periodic_init(&periodic_watcher, periodic_handler, + 0, config->tcp_client_max_idle, NULL); + periodic_watcher.data = config; + if (config->tcp_client_max_idle) + ev_periodic_start(loop, &periodic_watcher); + use_libwrap = config->use_libwrap; auditd_set_ports(config->tcp_client_min_port, config->tcp_client_max_port, 
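Review bot: The bind and listen error messages in this file still print config->tcp_listen_port with `%ld`, while the first hunk now casts the same field to unsigned for `%u`; if the field is not a long, those two format strings carry the same mismatch the first hunk fixed and -Wformat will report them. Casting at those two sites as well, `(long)config->tcp_listen_port` for `%ld` or `(unsigned)config->tcp_listen_port` with `%u`, keeps the three places consistent. The enclosing listener init function starts outside this hunk.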
@@ -1123,6 +1124,10 @@ #ifdef USE_GSSAPI OM_uint32 status; #endif + /* If the port isn't set, we didn't listen for connections. */ + if (config->tcp_listen_port == 0) + return; + ev_io_stop(loop, &tcp_listen_watcher); while (nlsocks > 0) { @@ -1155,7 +1160,7 @@ static void periodic_reconfigure(struct daemon_conf *config) { struct ev_loop *loop = ev_default_loop(EVFLAG_AUTO); - if (config->tcp_client_max_idle) { + if (config->tcp_listen_port && config->tcp_client_max_idle) { ev_periodic_set(&periodic_watcher, ev_now(loop), config->tcp_client_max_idle, NULL); ev_periodic_start(loop, &periodic_watcher); diff -Nru audit-3.0/src/auditd-reconfig.c audit-3.0.7/src/auditd-reconfig.c --- audit-3.0/src/auditd-reconfig.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd-reconfig.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auditd-reconfig.c -- - * Copyright 2005 Red Hat Inc., Durham, North Carolina. + * Copyright 2005,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -50,7 +50,7 @@ int start_config_manager(struct auditd_event *e) { int retval, rc = 0; - + retval = pthread_mutex_trylock(&config_lock); if (retval == 0) { pthread_attr_t detached; @@ -60,19 +60,19 @@ PTHREAD_CREATE_DETACHED); if (pthread_create(&config_thread, &detached, - config_thread_main, e) < 0) { - audit_msg(LOG_ERR, + config_thread_main, e) < 0) { + audit_msg(LOG_ERR, "Couldn't create config thread, no config changes"); free(e); pthread_mutex_unlock(&config_lock); - rc = 1; + rc = 1; } pthread_attr_destroy(&detached); } else { - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Config thread already running, no config changes"); free(e); - rc = 1; + rc = 1; } return rc; } 
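Review bot: In start_config_manager the re-indented `pthread_create(&config_thread, &detached, config_thread_main, e) < 0` test can never be true, because pthread_create returns 0 on success and a positive error number on failure, so the branch that logs, frees e and unlocks config_lock is dead and a failed thread creation leaves the mutex held and e leaked. The condition should be `if (pthread_create(&config_thread, &detached, config_thread_main, e) != 0) {`. The same applies to any other pthread_create call in the daemon that uses the `< 0` idiom, though none is visible in this diff.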
@@ -91,11 +91,11 @@ /* This is a worker thread. Don't handle signals. */ sigemptyset(&sigs); - sigaddset(&sigs, SIGALRM); sigaddset(&sigs, SIGTERM); sigaddset(&sigs, SIGHUP); sigaddset(&sigs, SIGUSR1); sigaddset(&sigs, SIGUSR2); + sigaddset(&sigs, SIGCHLD); sigaddset(&sigs, SIGCONT); pthread_sigmask(SIG_SETMASK, &sigs, NULL); @@ -104,10 +104,10 @@ new_config.sender_uid = e->reply.signal_info->uid; new_config.sender_pid = e->reply.signal_info->pid; if (e->reply.len > 24) - new_config.sender_ctx = + new_config.sender_ctx = strdup(e->reply.signal_info->ctx); else - new_config.sender_ctx = strdup("?"); + new_config.sender_ctx = strdup("?"); memcpy(e->reply.msg.data, &new_config, sizeof(new_config)); e->reply.conf = (struct daemon_conf *)e->reply.msg.data; e->reply.type = AUDIT_DAEMON_RECONFIG; @@ -125,6 +125,6 @@ } pthread_mutex_unlock(&config_lock); - return NULL; + return NULL; } diff -Nru audit-3.0/src/auditd.c audit-3.0.7/src/auditd.c --- audit-3.0/src/auditd.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/auditd.c 2022-01-23 19:36:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auditd.c -- - * Copyright 2004-09,2011,2013,2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-09,2011,2013,2016-18,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -79,7 +79,6 @@ /* Local function prototypes */ int send_audit_event(int type, const char *str); -static void close_down(void); static void clean_exit(void); static int get_reply(int fd, struct audit_reply *rep, int seq); static char *getsubj(char *subj); @@ -113,16 +112,9 @@ EV_STOP (); } -/* - * Used with sigalrm to force exit - */ -static void thread_killer( int sig ) -{ - exit(0); -} /* - * Used with sigalrm to force exit + * Used to reconfigure the daemon */ static void hup_handler( struct ev_loop *loop, struct ev_signal *sig, int revents ) { 
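Review bot: Both strdup calls that set new_config.sender_ctx in config_thread_main ignore a NULL result, and the context is later formatted with `%s` into the reconfigure event (the `subj=%s` message earlier in this diff), where a NULL argument is undefined behaviour. A failed strdup should take the same no-change path as the other allocation failures in this thread rather than continuing with a NULL context; something like `if (new_config.sender_ctx == NULL) { audit_msg(LOG_ERR, "Cannot copy sender context, no config changes"); ... }` before the memcpy, following whatever cleanup the rest of the function does. The function's body continues outside the hunk, so the exact unwind path is not visible here.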
@@ -200,6 +192,7 @@ if (f == NULL) return; + fprintf(f, "audit version = %s\n", VERSION); time_t now = time(0); strftime(buf, sizeof(buf), "%x %X", localtime(&now)); fprintf(f, "current time = %s\n", buf); @@ -311,8 +304,9 @@ e->reply.type = type; if (seq_num == 0) { - srand(time(NULL)); - seq_num = rand()%10000; + // seq_num does not have to cryptographically secure + srandom(time(NULL)); + seq_num = random()%10000; } else seq_num++; // Write event into netlink area like normal events @@ -456,8 +450,10 @@ return -1; /* Success - die a happy death */ - if (status == SUCCESS) + if (status == SUCCESS) { + free_config(&config); _exit(0); + } return -1; } 
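Review bot: The new comment in send_audit_event is missing a verb; `// seq_num does not have to be cryptographically secure` reads correctly. It is also worth stating there why the seed is time(NULL): two daemons started in the same second pick the same initial sequence, which the comment implies is acceptable because seq_num only orders replies, and a reader checking this against the audit record format will want that rationale spelled out.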
@@ -478,88 +474,97 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, int revents) { - if (cur_event == NULL) { - if ((cur_event = malloc(sizeof(*cur_event))) == NULL) { - char emsg[DEFAULT_BUF_SZ]; - if (*subj) - snprintf(emsg, sizeof(emsg), + int rc = 1, cnt = 0; + + // Try to get all the events that are waiting but yield after 5 to + // let other handlers run. Five should cover PATH events. + // FIXME: backing down to 3 until IPC is faster + while (rc > 0 && cnt < 3) { + if (cur_event == NULL) { + if ((cur_event = malloc(sizeof(*cur_event))) == NULL) { + char emsg[DEFAULT_BUF_SZ]; + if (*subj) + snprintf(emsg, sizeof(emsg), "op=error-halt auid=%u pid=%d subj=%s res=failed", - audit_getloginuid(), getpid(), subj); - else - snprintf(emsg, sizeof(emsg), + audit_getloginuid(), + getpid(), subj); + else + snprintf(emsg, sizeof(emsg), "op=error-halt auid=%u pid=%d res=failed", - audit_getloginuid(), getpid()); - EV_STOP (); - send_audit_event(AUDIT_DAEMON_ABORT, emsg); - audit_msg(LOG_ERR, + audit_getloginuid(), + getpid()); + EV_STOP (); + send_audit_event(AUDIT_DAEMON_ABORT, emsg); + audit_msg(LOG_ERR, "Cannot allocate audit reply, exiting"); - close_down(); - if (pidfile) - unlink(pidfile); - shutdown_dispatcher(); - return; + shutdown_events(); + if (pidfile) + unlink(pidfile); + shutdown_dispatcher(); + return; + } + cur_event->ack_func = NULL; } - cur_event->ack_func = NULL; - } - if (audit_get_reply(fd, &cur_event->reply, - GET_REPLY_NONBLOCKING, 0) > 0) { - switch (cur_event->reply.type) - { /* Don't process these */ - case NLMSG_NOOP: - case NLMSG_DONE: - case NLMSG_ERROR: - case AUDIT_GET: /* Or these */ - case AUDIT_WATCH_INS...AUDIT_WATCH_LIST: - case AUDIT_ADD_RULE...AUDIT_GET_FEATURE: - case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON: - case AUDIT_REPLACE: - break; - case AUDIT_SIGNAL_INFO: - if (hup_info_requested) { - char hup[MAX_AUDIT_MESSAGE_LENGTH]; - audit_msg(LOG_DEBUG, + + rc = audit_get_reply(fd, &cur_event->reply, + 
GET_REPLY_NONBLOCKING, 0); + if (rc > 0) { + switch (cur_event->reply.type) + { /* Don't process these */ + case NLMSG_NOOP: + case NLMSG_DONE: + case NLMSG_ERROR: + case AUDIT_GET: /* Or these */ + case AUDIT_WATCH_INS...AUDIT_WATCH_LIST: + case AUDIT_ADD_RULE...AUDIT_GET_FEATURE: + case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON: + case AUDIT_REPLACE: + break; + case AUDIT_SIGNAL_INFO: + if (hup_info_requested) { + char hup[MAX_AUDIT_MESSAGE_LENGTH]; + audit_msg(LOG_DEBUG, "HUP detected, starting config manager"); - reconfig_ev = cur_event; - if (start_config_manager(cur_event)) { - audit_format_signal_info(hup, + reconfig_ev = cur_event; + if (start_config_manager(cur_event)) { + audit_format_signal_info(hup, sizeof(hup), "reconfigure state=no-change", &cur_event->reply, "failed"); send_audit_event(AUDIT_DAEMON_CONFIG, hup); - } - cur_event = NULL; - hup_info_requested = 0; - } else if (usr1_info_requested) { - char usr1[MAX_AUDIT_MESSAGE_LENGTH]; + } + cur_event = NULL; + hup_info_requested = 0; + } else if (usr1_info_requested) { + char usr1[MAX_AUDIT_MESSAGE_LENGTH]; audit_format_signal_info(usr1, sizeof(usr1), "rotate-logs", &cur_event->reply, "success"); send_audit_event(AUDIT_DAEMON_ROTATE, usr1); - usr1_info_requested = 0; - } else if (usr2_info_requested) { - char usr2[MAX_AUDIT_MESSAGE_LENGTH]; + usr1_info_requested = 0; + } else if (usr2_info_requested) { + char usr2[MAX_AUDIT_MESSAGE_LENGTH]; audit_format_signal_info(usr2, sizeof(usr2), "resume-logging", &cur_event->reply, "success"); - resume_logging(); - libdisp_resume(); - send_audit_event(AUDIT_DAEMON_RESUME, usr2); - usr2_info_requested = 0; + resume_logging(); + libdisp_resume(); + send_audit_event(AUDIT_DAEMON_RESUME, + usr2); + usr2_info_requested = 0; + } + break; + default: + distribute_event(cur_event); + cur_event = NULL; + break; } - break; - default: - distribute_event(cur_event); - cur_event = NULL; - break; - } - } else { - if (errno == EFBIG) { - // FIXME do err action } + cnt++; } } 
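Review bot: The loop bound in netlink_handler is a bare `3` that disagrees with the comment above it ("yield after 5"), and the FIXME makes the two drift further; name it once, e.g. `enum { NETLINK_EVENTS_PER_WAKEUP = 3 };`, and put the rationale (PATH events, IPC speed) in that constant's comment so the number and its explanation live together. The rewrite also drops the old `errno == EFBIG` branch entirely: a negative rc from audit_get_reply now just ends the loop with no log line, so a persistent receive error is invisible; depending on what audit_get_reply returns for "no data" in non-blocking mode, logging once on a genuine error (something like `if (rc < 0 && errno != EAGAIN) audit_msg(LOG_WARNING, "Error receiving audit netlink packet (%s)", strerror(errno));`) would keep that visible. Every iteration also allocates a fresh cur_event on demand, which is fine, but the malloc-failure path returns from inside the loop with EV_STOP already called, so the partial batch is intentionally abandoned; a one-line comment there would make that explicit.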
@@ -756,8 +761,17 @@ return 1; } - /* Startup libev and dispatcher */ - loop = ev_default_loop(EVFLAG_NOENV); + /* Startup libev. If we are not aggregating events, use the select + * backend which is faster for small numbers of descriptors. This + * will fallback to the epoll backend otherwise. */ + { + int flags = EVFLAG_NOENV; + if (config.tcp_listen_port == 0) + flags |= EVBACKEND_SELECT; + loop = ev_default_loop(flags); + } + + /* Startup dispatcher */ if (init_dispatcher(&config)) { if (pidfile) unlink(pidfile); @@ -866,7 +880,7 @@ audit_msg(LOG_ERR, "Unable to set initial audit startup state to '%s', exiting", startup_states[opt_startup]); - close_down(); + shutdown_events(); if (pidfile) unlink(pidfile); shutdown_dispatcher(); @@ -895,7 +909,7 @@ stop = 1; send_audit_event(AUDIT_DAEMON_ABORT, emsg); audit_msg(LOG_ERR, "Unable to set audit pid, exiting"); - close_down(); + shutdown_events(); if (pidfile) unlink(pidfile); shutdown_dispatcher(); @@ -1009,26 +1023,13 @@ // Tear down IO watchers Part 3 ev_signal_stop(loop, &sigchld_watcher); - close_down(); + shutdown_events(); free_config(&config); ev_default_destroy(); return 0; } -static void close_down(void) -{ - struct sigaction sa; - - /* We are going down. Give the event thread a chance to shutdown. - Just in case it hangs, set a timer to get us out of trouble. */ - sa.sa_flags = 0 ; - sigemptyset( &sa.sa_mask ) ; - sa.sa_handler = thread_killer; - sigaction( SIGALRM, &sa, NULL ); - shutdown_events(); -} - /* * A clean exit means : diff -Nru audit-3.0/src/aureport-options.c audit-3.0.7/src/aureport-options.c --- audit-3.0/src/aureport-options.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/aureport-options.c 2022-01-23 19:36:56.000000000 +0000 @@ -63,6 +63,7 @@ int event_exit_is_set = 0; int event_ppid = -1, event_session_id = -2; int event_debug = 0, event_machine = -1; +time_t arg_eoe_timeout = (time_t)0; /* These are used by aureport */ const char *dummy = "dummy"; 
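Review bot: ev_default_loop() returns 0 when no backend could be initialised, and the new block assigns the result to loop without checking it before init_dispatcher and the watcher registrations that follow; since flags now pins libev to the select backend when there is no listener, a build or environment without that backend fails here instead of falling back. Add a check after the block that logs via audit_msg and takes the same pidfile/exit path as the init_dispatcher failure below it. The comment is also ambiguous about what "fallback" means; `/* With no listener, restrict libev to the select backend (faster for a handful of descriptors); otherwise let libev choose, which is epoll on Linux. */` says what the code does.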
@@ -86,7 +87,7 @@ R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO, R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS, R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE, - R_DEBUG }; + R_DEBUG, R_EOE_TMO }; static struct nv_pair optiontab[] = { { R_AUTH, "-au" }, @@ -104,6 +105,7 @@ { R_EVENTS, "-e" }, { R_EVENTS, "--event" }, { R_ESCAPE, "--escape" }, + { R_EOE_TMO, "--eoe-timeout" }, { R_FILES, "-f" }, { R_FILES, "--file" }, { R_FAILED, "--failed" }, @@ -175,7 +177,10 @@ "\t--comm\t\t\t\tCommands run report\n" "\t-c,--config\t\t\tConfig change report\n" "\t-cr,--crypto\t\t\tCrypto report\n" + "\t--debug\t\t\t\tWrite malformed events that are skipped to stderr\n" + "\t--eoe-timeout secs\t\tEnd of Event Timeout\n" "\t-e,--event\t\t\tEvent report\n" + "\t--escape option\t\t\tEscape output\n" "\t-f,--file\t\t\tFile name report\n" "\t--failed\t\t\tonly failed events in report\n" "\t-h,--host\t\t\tRemote Host name report\n" @@ -184,8 +189,8 @@ "\t-if,--input \tuse this file as input\n" "\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n" "\t--integrity\t\t\tIntegrity event report\n" - "\t-l,--login\t\t\tLogin report\n" "\t-k,--key\t\t\tKey report\n" + "\t-l,--login\t\t\tLogin report\n" "\t-m,--mods\t\t\tModification to accounts report\n" "\t-ma,--mac\t\t\tMandatory Access Control (MAC) report\n" "\t-n,--anomaly\t\t\taNomaly report\n" @@ -261,8 +266,8 @@ vars[c]); retval = -1; } else { - if (strlen(optarg) >= PATH_MAX) { - fprintf(stderr, + if (strlen(optarg) >= PATH_MAX-32) { + fprintf(stderr, "File name is too long %s\n", optarg); retval = -1; 
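Review bot: The `32` in `strlen(optarg) >= PATH_MAX-32` is a magic number whose meaning (room for the "/audit.log" suffix that process_logs in aureport.c appends, using a matching `MAXPATHLEN-32`) is only discoverable by reading the other file; define it once in a shared header, e.g. `#define LOG_SUFFIX_RESERVE 32 /* room for "/audit.log" */`, and use it in both places. The two files also reserve against different macros, PATH_MAX here and MAXPATHLEN in aureport.c; they are equal on Linux but are distinct definitions, so the check here only protects the strncpy there while that stays true. The new `--debug` and `--escape` usage lines are a welcome fix for the help text.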
@@ -750,9 +755,31 @@ usage(); exit(0); break; + case R_EOE_TMO: + if (!optarg) { + fprintf(stderr, + "Argument is required for %s\n", + vars[c]); + retval = -1; + break; + } + if (isdigit(optarg[0])) { + errno = 0; + arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10); + if (errno || arg_eoe_timeout == 0) { + fprintf(stderr, + "Illegal value for End of Event Timeout, was %s\n", optarg); + retval = -1; + } + c++; + } else { + fprintf(stderr, + "End of Event Timeout must be a numeric value, was %s\n", optarg); + retval = -1; + } + break; default: - fprintf(stderr, "%s is an unsupported option\n", - vars[c]); + fprintf(stderr, "%s is an unsupported option\n", vars[c]); retval = -1; break; } diff -Nru audit-3.0/src/aureport.c audit-3.0.7/src/aureport.c --- audit-3.0/src/aureport.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/aureport.c 2022-01-23 19:36:56.000000000 +0000 @@ -52,6 +52,7 @@ static int found = 0; static int files_to_process = 0; // Logs left when processing multiple static int userfile_is_dir = 0; +static struct daemon_conf config; static int process_logs(void); static int process_log_fd(const char *filename); static int process_stdin(void); @@ -61,6 +62,11 @@ extern char *user_file; extern int force_logs; +/* + * User space configuration items + */ +extern time_t arg_eoe_timeout; + static int is_pipe(int fd) { 
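Review bot: The R_EOE_TMO parser passes a NULL endptr to strtoul, so `--eoe-timeout 5abc` is accepted as 5, and it has no upper bound, so a value above LONG_MAX survives the `(time_t)` cast as a negative timeout that the arithmetic in ausearch-lol.c then subtracts from LONG_MAX. `isdigit(optarg[0])` should also take an `unsigned char` to avoid undefined behaviour on a negative char. Parsing into an unsigned long first, checking the end pointer and a project-chosen ceiling, and only then converting keeps the stored value in the range the consumer expects.
```c
			case R_EOE_TMO:
				/* … unchanged: missing-argument check … */
				if (isdigit((unsigned char)optarg[0])) {
					char *end = NULL;
					unsigned long v;
					errno = 0;
					v = strtoul(optarg, &end, 10);
					/* EOE_TIMEOUT_MAX: placeholder for a project-chosen ceiling, e.g. one day */
					if (errno || v == 0 || *end != '\0' || v > EOE_TIMEOUT_MAX) {
						fprintf(stderr,
						"Illegal value for End of Event Timeout, was %s\n", optarg);
						retval = -1;
					} else
						arg_eoe_timeout = (time_t)v;
					c++;
				} else {
				/* … unchanged: non-numeric message … */
```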
@@ -94,7 +100,25 @@ very_first_event.sec = 0; reset_counters(); + /* Load config so we know where logs are and eoe_timeout */ + if (load_config(&config, TEST_SEARCH)) + fprintf(stderr, "NOTE - using built-in logs: %s\n", + config.log_file); + + /* Set timeout from the config file */ + lol_set_eoe_timeout((time_t)config.end_of_event_timeout); + + /* + * If an override was specified on the command line, override the config + */ + if (arg_eoe_timeout != 0) + lol_set_eoe_timeout((time_t)arg_eoe_timeout); + print_title(); + if (arg_eoe_timeout != 0) { + lol_set_eoe_timeout(arg_eoe_timeout); + } + lol_create(&lo); if (user_file) { struct stat sb; @@ -139,27 +163,21 @@ static int process_logs(void) { - struct daemon_conf config; char *filename; size_t len; int num = 0; if (user_file && userfile_is_dir) { - char dirname[MAXPATHLEN]; + char dirname[MAXPATHLEN+1]; clear_config (&config); - strcpy(dirname, user_file); + strncpy(dirname, user_file, MAXPATHLEN-32); if (dirname[strlen(dirname)-1] != '/') strcat(dirname, "/"); strcat (dirname, "audit.log"); free((void *)config.log_file); config.log_file=strdup(dirname); fprintf(stderr, "NOTE - using logs in %s\n", config.log_file); - } else { - /* Load config so we know where logs are */ - if (load_config(&config, TEST_SEARCH)) - fprintf(stderr, "NOTE - using built-in logs: %s\n", - config.log_file); } /* for each file */ diff -Nru audit-3.0/src/ausearch-llist.c audit-3.0.7/src/ausearch-llist.c --- audit-3.0/src/ausearch-llist.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-llist.c 2022-01-23 19:36:56.000000000 +0000 @@ -136,11 +136,11 @@ int list_find_item(llist *l, unsigned int i) { register lnode* node; - + if (l->cur && (l->cur->item <= i)) node = l->cur; /* Try to use where we are */ else - node = l->head; /* Can't, start over */ + node = l->head; /* Can't, start over */ while (node) { if (node->item == i) { 
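Review bot: lol_set_eoe_timeout is called twice with arg_eoe_timeout in the new code, once before print_title() and again inside braces right after it; the second block duplicates the first and one of them should go. The surviving call does not need the `(time_t)` cast, since the hunk above declares `extern time_t arg_eoe_timeout;`. load_config is now also run even when user_file names a directory, a case that process_logs then immediately clear_config()s; that is only leak-free if clear_config releases everything load_config allocated, which is not visible here.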
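Review bot: `strncpy(dirname, user_file, MAXPATHLEN-32)` does not NUL-terminate when user_file is MAXPATHLEN-32 bytes or longer, and dirname is uninitialised, so the `strlen(dirname)` on the next line would then read past the copied bytes; the copy is only safe because aureport-options.c rejects names at `PATH_MAX-32` and because PATH_MAX equals MAXPATHLEN on this platform. A bounded format does the copy and the suffix in one step with guaranteed termination and a result that can be checked locally, and it also avoids the `dirname[strlen(dirname)-1]` read for an empty user_file. process_logs' error return convention is not visible in the hunk, so the failure path below is marked for confirmation.
```c
	if (user_file && userfile_is_dir) {
		char dirname[MAXPATHLEN+1];
		size_t ulen = strlen(user_file);
		int n;

		clear_config (&config);
		n = snprintf(dirname, sizeof(dirname), "%s%saudit.log", user_file,
			     (ulen && user_file[ulen-1] == '/') ? "" : "/");
		if (n < 0 || (size_t)n >= sizeof(dirname)) {
			fprintf(stderr, "Directory name is too long %s\n", user_file);
			return 1; /* confirm against process_logs' error convention */
		}
		/* … unchanged: config.log_file = strdup(dirname) and the NOTE message … */
```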
@@ -167,12 +167,12 @@ l->head = NULL; l->cur = NULL; l->cnt = 0; - l->e.milli = 0L; - l->e.sec = 0L; - l->e.serial = 0L; + l->e.milli = 0L; + l->e.sec = 0L; + l->e.serial = 0L; free((char *)l->e.node); l->e.node = NULL; - l->e.type = 0; + l->e.type = 0; l->s.gid = -1; l->s.egid = -1; l->s.ppid = -1; @@ -239,8 +239,8 @@ lnode *list_find_msg(llist *l, int i) { register lnode* node; - - node = l->head; /* start at the beginning */ + + node = l->head; /* start at the beginning */ while (node) { if (node->type == i) { l->cur = node; @@ -258,7 +258,7 @@ if (high <= low) return NULL; - node = l->head; /* Start at the beginning */ + node = l->head; /* Start at the beginning */ while (node) { if (node->type >= low && node->type <= high) { l->cur = node; diff -Nru audit-3.0/src/ausearch-llist.h audit-3.0.7/src/ausearch-llist.h --- audit-3.0/src/ausearch-llist.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-llist.h 2022-01-23 19:36:56.000000000 +0000 @@ -69,9 +69,9 @@ char *acct; // account used when uid is invalid char *uuid; // virtual machine unique universal identifier char *vmname; // virtual machine name - const char *tuid; // interpretted uid - const char *teuid; // interpretted euid - const char *tauid; // interpretted auid + const char *tuid; // interpreted uid + const char *teuid; // interpreted euid + const char *tauid; // interpreted auid } search_items; /* This is the node of the linked list. Any data elements that are per diff -Nru audit-3.0/src/ausearch-lol.c audit-3.0.7/src/ausearch-lol.c --- audit-3.0/src/ausearch-lol.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-lol.c 2022-01-23 19:36:56.000000000 +0000 
@@ -1,7 +1,7 @@ /* * ausearch-lol.c - linked list of linked lists library -* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2008,2010,2014,2016,2019,2021 Red Hat Inc. +* All Rights Reserved. * * This software may be freely redistributed and/or modified under the * terms of the GNU General Public License as published by the Free @@ -15,7 +15,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor * Boston, MA 02110-1335, USA. * * Authors: @@ -27,6 +27,7 @@ #include #include #include +#include #include "ausearch-common.h" #include "auditd-config.h" #include "common.h" @@ -35,6 +36,10 @@ static int ready = 0; event very_first_event; +// End of Event timeout value (in seconds). This can be over-riden via configuration or command line argument. +static time_t eoe_timeout = EOE_TIMEOUT; + + void lol_create(lol *lo) { int size = ARRAY_LIMIT * sizeof(lolnode); @@ -95,13 +100,13 @@ errno = 0; e->sec = strtoul(s, NULL, 10); - if (errno) + if (errno || e->sec > (LONG_MAX - eoe_timeout -1)) return -1; ptr = strchr(s, '.'); if (ptr) { ptr++; e->milli = strtoul(ptr, NULL, 10); - if (errno) + if (errno || e->milli > 999) return -1; s = ptr; } else @@ -188,7 +193,8 @@ // Now should be pointing to msg= ptr = audit_strsplit(NULL); - if (ptr) { + // strlen is for fuzzers that make invalid lines + if (ptr && strnlen(ptr, 20) > 18) { if (*(ptr+9) == '(') ptr+=9; else 
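Review bot: The new guard `e->sec > (LONG_MAX - eoe_timeout - 1)` only protects the later `cur->l->e.sec + eoe_timeout` addition while eoe_timeout is non-negative and well below LONG_MAX; lol_set_eoe_timeout stores whatever it is given and the command-line path converts an unsigned long to time_t, so a value above LONG_MAX arrives here negative and `LONG_MAX - eoe_timeout` itself overflows, which is undefined for signed arithmetic. Validating the range once where the value is set (a non-negative ceiling in lol_set_eoe_timeout or in the option parser) makes this expression safe for every input; if e->sec is unsigned the comparison is additionally a signed/unsigned mix worth a cast. The guard relies on LONG_MAX, which presumably is what the new include line whose header name was lost in this rendering brings in; confirm it is `<limits.h>`. The `e->milli > 999` check is a good addition.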
@@ -242,8 +248,8 @@ for(i=0;i<=lo->maxi; i++) { lolnode *cur = &lo->array[i]; if (cur->status == L_BUILDING) { - // If 2 seconds have elapsed, we are done - if (cur->l->e.sec + 2 <= sec) { + // If eoe_timeout seconds have elapsed, we are done + if (cur->l->e.sec + eoe_timeout <= sec) { cur->status = L_COMPLETE; ready++; } else if (cur->l->e.type == AUDIT_PROCTITLE || @@ -398,3 +404,21 @@ return NULL; } +/* + * lol_set_eoe_timeout - set the end of event timeout to given value + * + * Args + * new_eoe_tmo - value + * Rtn + * void + */ +void lol_set_eoe_timeout(time_t new_eoe_tmo) +{ + eoe_timeout = new_eoe_tmo; +} + +time_t lol_get_eoe_timeout(void) +{ + return eoe_timeout; +} + diff -Nru audit-3.0/src/ausearch-lol.h audit-3.0.7/src/ausearch-lol.h --- audit-3.0/src/ausearch-lol.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-lol.h 2022-01-23 19:36:56.000000000 +0000 @@ -51,5 +51,8 @@ void terminate_all_events(lol *lo); llist* get_ready_event(lol *lo); +void lol_set_eoe_timeout(time_t new_eoe_tmo); +void setup_userspace_configitems(); + #endif diff -Nru audit-3.0/src/ausearch-lookup.c audit-3.0.7/src/ausearch-lookup.c --- audit-3.0/src/ausearch-lookup.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-lookup.c 2022-01-23 19:36:56.000000000 +0000 @@ -215,11 +215,11 @@ // Check the cache first if (uid_list_created == 0) { - nvlist_create(&uid_nvl); - nvlist_clear(&uid_nvl); + search_list_create(&uid_nvl); + search_list_clear(&uid_nvl); uid_list_created = 1; } - rc = nvlist_find_val(&uid_nvl, uid); + rc = search_list_find_val(&uid_nvl, uid); if (rc) { name = uid_nvl.cur->name; } else { @@ -231,7 +231,7 @@ nvnode nv; nv.name = strdup(pw->pw_name); nv.val = uid; - nvlist_append(&uid_nvl, &nv); + search_list_append(&uid_nvl, &nv); name = uid_nvl.cur->name; } } @@ -247,7 +247,7 @@ if (uid_list_created == 0) return; - nvlist_clear(&uid_nvl); + search_list_clear(&uid_nvl); uid_list_created = 0; } 
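Review bot: `void setup_userspace_configitems();` in ausearch-lol.h declares a function with an unspecified parameter list rather than a prototype, and no definition of it appears anywhere in this diff; write `void setup_userspace_configitems(void);` and confirm a definition exists, or drop the declaration. The new lol_get_eoe_timeout() in ausearch-lol.c is not declared in the header, so other translation units cannot call it without a private declaration; add `time_t lol_get_eoe_timeout(void);` next to the setter. Both declarations use time_t, so the header must itself include `<time.h>` (or `<sys/types.h>`) if it does not already, which the visible lines do not show.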
@@ -300,6 +300,9 @@ while (isxdigit(*ptr)) ptr++; } + if ((ptr - buf) == 0) + return NULL; + str = strndup(buf, ptr - buf); if (*buf == '(') diff -Nru audit-3.0/src/ausearch-match.c audit-3.0.7/src/ausearch-match.c --- audit-3.0/src/ausearch-match.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-match.c 2022-01-23 19:36:56.000000000 +0000 @@ -79,7 +79,7 @@ slist *sptr = event_node_list; if (l->e.node == NULL) - return 0; + return 0; slist_first(sptr); sn=slist_get_cur(sptr); @@ -97,17 +97,17 @@ return 0; if (group_match(l) == 0) return 0; - if ((event_ppid != -1) && + if ((event_ppid != -1) && (event_ppid != l->s.ppid)) return 0; - if ((event_pid != -1) && + if ((event_pid != -1) && (event_pid != l->s.pid)) return 0; - if (event_machine != -1 && + if (event_machine != -1 && (event_machine != audit_elf_to_machine(l->s.arch))) return 0; - if ((event_syscall != -1) && + if ((event_syscall != -1) && (event_syscall != l->s.syscall)) return 0; if ((event_session_id != -2) && @@ -139,7 +139,7 @@ found = 1; break; } - } while((in = + } while((in = ilist_next(event_type))); if (found) break; @@ -148,7 +148,7 @@ return 0; } - // Done all the easy compares, now do the + // Done all the easy compares, now do the // string searches. if (event_filename) { int found = 0; 
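Review bot: The early `return NULL` when `ptr - buf` is zero changes this function's contract: previously strndup(buf, 0) returned an empty string that callers could print and free, and now they receive NULL. The function's name and its callers are outside the hunk, so this is inferred, but each caller should be checked for an unconditional `%s` or free() on the result, and the change deserves a one-line comment such as `/* nothing parsed: return NULL rather than an empty string */` so the NULL is understood as a deliberate signal.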
@@ -184,31 +184,31 @@ if (event_hostname) { if (l->s.hostname == NULL) return 0; - if (strmatch(event_hostname, + if (strmatch(event_hostname, l->s.hostname) == 0) - return 0; + return 0; } if (event_terminal) { if (l->s.terminal == NULL) return 0; - if (strmatch(event_terminal, + if (strmatch(event_terminal, l->s.terminal) == 0) - return 0; + return 0; } if (event_exe) { if (l->s.exe == NULL) return 0; - if (strmatch(event_exe, + if (strmatch(event_exe, l->s.exe) == 0) - return 0; - } + return 0; + } if (event_comm) { if (l->s.comm == NULL) return 0; - if (strmatch(event_comm, + if (strmatch(event_comm, l->s.comm) == 0) - return 0; - } + return 0; + } if (event_key) { if (l->s.key == NULL) return 0; @@ -232,7 +232,7 @@ if (!found) return 0; } - } + } if (event_vmname) { if (l->s.vmname == NULL) return 0; @@ -258,23 +258,23 @@ /* * This function compares strings. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int strmatch(const char *needle, const char *haystack) { if (event_exact_match) { if (strcmp(haystack, needle) != 0) - return 0; + return 0; } else { if (strstr(haystack, needle) == NULL) - return 0; + return 0; } return 1; } /* * This function compares user id's. - * It returns a 0 if no match and a 1 if there is a match + * It returns a 0 if no match and a 1 if there is a match */ static int user_match(llist *l) { @@ -335,7 +335,7 @@ /* * This function compares group id's. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int group_match(llist *l) { @@ -358,7 +358,7 @@ /* * This function compares contexts. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int context_match(llist *l) { 
@@ -366,21 +366,21 @@ if (event_subject) { if (l->s.avc && alist_find_subj(l->s.avc)) { do { - if (strmatch(event_subject, + if (strmatch(event_subject, l->s.avc->cur->scontext)) return 1; } while(alist_next_subj(l->s.avc)); } - } + } if (event_object) { if (l->s.avc) { alist_first(l->s.avc); if (alist_find_obj(l->s.avc)) { do { - if (strmatch(event_object, + if (strmatch(event_object, l->s.avc->cur->tcontext)) return 1; - } while(alist_next_obj(l->s.avc)); + } while(alist_next_obj(l->s.avc)); } } } @@ -391,19 +391,19 @@ return 0; if (alist_find_subj(l->s.avc)) { do { - if (strmatch(event_subject, + if (strmatch(event_subject, l->s.avc->cur->scontext)) return 1; } while(alist_next_subj(l->s.avc)); } return 0; - } + } if (event_object) { if (l->s.avc == NULL) return 0; if (alist_find_obj(l->s.avc)) { do { - if (strmatch(event_object, + if (strmatch(event_object, l->s.avc->cur->tcontext)) return 1; } while(alist_next_obj(l->s.avc)); diff -Nru audit-3.0/src/ausearch-nvpair.c audit-3.0.7/src/ausearch-nvpair.c --- audit-3.0/src/ausearch-nvpair.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-nvpair.c 2022-01-23 19:36:56.000000000 +0000 @@ -27,14 +27,14 @@ #include "ausearch-nvpair.h" -void nvlist_create(nvlist *l) +void search_list_create(nvlist *l) { l->head = NULL; l->cur = NULL; l->cnt = 0; } -nvnode *nvlist_next(nvlist *l) +nvnode *search_list_next(nvlist *l) { if (l->cur == NULL) return NULL; @@ -42,7 +42,7 @@ return l->cur; } -void nvlist_append(nvlist *l, nvnode *node) +void search_list_append(nvlist *l, nvnode *node) { nvnode* newnode = malloc(sizeof(nvnode)); @@ -64,7 +64,7 @@ l->cnt++; } -int nvlist_find_val(nvlist *l, long val) +int search_list_find_val(nvlist *l, long val) { register nvnode* node = l->head; 
@@ -79,7 +79,7 @@ return 0; } -void nvlist_clear(nvlist* l) +void search_list_clear(nvlist* l) { nvnode* nextnode; register nvnode* current; diff -Nru audit-3.0/src/ausearch-nvpair.h audit-3.0.7/src/ausearch-nvpair.h --- audit-3.0/src/ausearch-nvpair.h 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-nvpair.h 2022-01-23 19:36:56.000000000 +0000 @@ -44,15 +44,15 @@ unsigned int cnt; // How many items in this list } nvlist; -void nvlist_create(nvlist *l); -static inline void nvlist_first(nvlist *l) { l->cur = l->head; } -nvnode *nvlist_next(nvlist *l); -static inline nvnode *nvlist_get_cur(nvlist *l) { return l->cur; } -void nvlist_append(nvlist *l, nvnode *node); -void nvlist_clear(nvlist* l); +void search_list_create(nvlist *l); +static inline void search_list_first(nvlist *l) { l->cur = l->head; } +nvnode *search_list_next(nvlist *l); +static inline nvnode *search_list_get_cur(nvlist *l) { return l->cur; } +void search_list_append(nvlist *l, nvnode *node); +void search_list_clear(nvlist* l); /* Given a numeric index, find that record. */ -int nvlist_find_val(nvlist *l, long val); +int search_list_find_val(nvlist *l, long val); #endif diff -Nru audit-3.0/src/ausearch-options.c audit-3.0.7/src/ausearch-options.c --- audit-3.0/src/ausearch-options.c 2020-12-16 20:44:34.000000000 +0000 +++ audit-3.0.7/src/ausearch-options.c 2022-01-23 19:36:56.000000000 +0000 @@ -77,6 +77,7 @@ const char *event_uuid = NULL; const char *event_vmname = NULL; ilist *event_type; +time_t arg_eoe_timeout = (time_t)0; slist *event_node_list = NULL; 
@@ -92,7 +93,7 @@ S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT, -S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE }; +S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE, S_EOE_TMO }; static struct nv_pair optiontab[] = { { S_EVENT, "-a" }, @@ -103,6 +104,7 @@ { S_CHECKPOINT, "--checkpoint" }, { S_DEBUG, "--debug" }, { S_EXIT, "-e" }, + { S_EOE_TMO, "--eoe-timeout" }, { S_ESCAPE, "--escape" }, { S_EXIT, "--exit" }, { S_EXTRA_KEYS, "--extra-keys" }, @@ -200,6 +202,12 @@ "\t--checkpoint \tsearch from last complete event\n" "\t--debug\t\t\tWrite malformed events that are skipped to stderr\n" "\t-e,--exit \tsearch based on syscall exit code\n" + "\t-escape