In ausearch add new --extra-obj2 option for CSV output

caidongyun · Sep 19, 2017 · ae263d9 · ae263d9
1 parent 1d99c3a
commit ae263d9
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@
 - Add support for ambient capability fields (Richard Guy Briggs)
 - Update auparse-normalizer to support TTY events
 - Add auparse_normalize_object_primary2 API
+- In ausearch text format, add 'to xxx' for mount operations
+- In ausearch add new --extra-obj2 option for CSV output
 
 2.7.8
 - Add config option to auditd to not verify email addr domain (#1406887)

diff --git a/TODO b/TODO
@@ -3,7 +3,6 @@ Things that need to be done:
 2.8
 * Support FANOTIFY record
 * ausearch text format, add 'to xxx' for file perm/owner, & uid/gid changes
-* ausearch text format, add 'to xxx' for mount operations
 * There are 3 kinds of mount: failed, fuser success, kernel success
 * Check calls to simple_file_attr() are getting right record
 * In normalizer, check number of first_field calls

diff --git a/auparse/normalize.c b/auparse/normalize.c
@@ -167,6 +167,23 @@ static unsigned int set_prime_object(auparse_state_t *au, const char *str,
 	return 1;
 }
 
+static unsigned int set_prime_object2(auparse_state_t *au, const char *str,
+	unsigned int adjust)
+{
+	unsigned int rnum = 2 + adjust;
+
+	auparse_goto_record_num(au, rnum);
+	auparse_first_field(au);
+
+	if (auparse_find_field(au, str)) {
+		D.thing.two = set_record(0, rnum);
+		D.thing.two = set_field(D.thing.two,
+			auparse_get_field_num(au));
+		return 0;
+	}
+	return 1;
+}
+
 static unsigned int add_obj_attr(auparse_state_t *au, const char *str,
 	unsigned int rnum)
 {
@@ -501,6 +518,7 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall, int type)
 			act = "mounted";
 			// this gets overridden
 			D.thing.what = NORM_WHAT_FILESYSTEM;
+			set_prime_object2(au, "name", 0);
 			set_file_object(au, 1); // The device is one after
 			// We call this directly to make sure the right
 			// PATH record is used. (There can be 4.)

diff --git a/docs/ausearch.8 b/docs/ausearch.8
@@ -61,6 +61,9 @@ When the \fIformat\fP mode is \fIcsv\fP, this option will add a final column wit
 .BR \-\-extra-labels \ 
 When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about subject and object labels when they exist.
 .TP
+.BR \-\-extra-obj2 \ 
+When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about a second object when it exists. It's rare that a second object is part of a record. Some examples are when a file is renamed from one name to another or when a device is mounted to a path.
+.TP
 .BR \-\-extra-time \ 
 When the \fIformat\fP mode is \fIcsv\fP, this option will add columns of information about broken down time to make subsetting easier.
 .TP

diff --git a/src/ausearch-options.c b/src/ausearch-options.c
@@ -65,7 +65,7 @@ int event_exit_is_set = 0;
 int line_buffered = 0;
 int event_debug = 0;
 int checkpt_timeonly = 0;
-int extra_keys = 0, extra_labels = 0, extra_time = 0;
+int extra_keys = 0, extra_labels = 0, extra_obj2 = 0, extra_time = 0;
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
@@ -92,7 +92,7 @@ S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_FORMAT,
-S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_ESCAPE };
+S_EXTRA_TIME, S_EXTRA_LABELS, S_EXTRA_KEYS, S_EXTRA_OBJ2, S_ESCAPE };
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
@@ -107,6 +107,7 @@ static struct nv_pair optiontab[] = {
 	{ S_EXIT, "--exit" },
 	{ S_EXTRA_KEYS, "--extra-keys" },
 	{ S_EXTRA_LABELS, "--extra-labels" },
+	{ S_EXTRA_OBJ2, "--extra-obj2" },
 	{ S_EXTRA_TIME, "--extra-time" },
 	{ S_FILENAME, "-f" },
 	{ S_FILENAME, "--file" },
@@ -359,6 +360,15 @@ int check_params(int count, char *vars[])
         	                retval = -1;
 			}
 			break;
+		case S_EXTRA_OBJ2:
+			extra_obj2 = 1;
+			if (optarg) {
+				fprintf(stderr, 
+					"Argument is NOT required for %s\n",
+					vars[c]);
+        	                retval = -1;
+			}
+			break;
 		case S_EXTRA_TIME:
 			extra_time = 1;
 			if (optarg) {

diff --git a/src/ausearch-report.c b/src/ausearch-report.c
@@ -404,7 +404,7 @@ static void interpret(char *name, char *val, int comma, int rtype)
 /* This function will output a normalized line of audit
  * fields one line per event in csv format */
 static int csv_header_done = 0;
-extern int extra_keys, extra_labels, extra_time;
+extern int extra_keys, extra_labels, extra_obj2, extra_time;
 static void csv_event(auparse_state_t *au,
 		auparse_cb_event_t cb_event_type, void *user_data)
 {
@@ -415,9 +415,10 @@ static void csv_event(auparse_state_t *au,
 		csv_header_done = 1;
 		printf( "NODE,EVENT,DATE,TIME,%sSERIAL_NUM,EVENT_KIND,"
 			"SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,%sACTION,"
-			"RESULT,OBJ_PRIME,OBJ_SEC,%sOBJ_KIND,HOW%s\n",
+			"RESULT,OBJ_PRIME,OBJ_SEC,%s%sOBJ_KIND,HOW%s\n",
 		    extra_time ? "YEAR,MONTH,DAY,WEEKDAY,HOUR,GMT_OFFSET," : "",
 			extra_labels ? "SUBJ_LABEL," : "",
+			extra_obj2 ? "OBJ2," : "",
 			extra_labels ? "OBJ_LABEL," : "",
 			extra_keys ? ",KEY" : "");
 	}
@@ -604,6 +605,22 @@ static void csv_event(auparse_state_t *au,
 		printf("%s", auparse_interpret_field(au));
 	putchar(',');
 
+	// OBJECT 2
+	if (extra_obj2) {
+		rc = auparse_normalize_object_primary2(au);
+		if (rc == 1) {
+			const char *val;
+
+			if (auparse_get_field_type(au) ==
+						AUPARSE_TYPE_ESCAPED_FILE)
+				val = auparse_interpret_realpath(au);
+			else
+				val = auparse_interpret_field(au);
+			printf("%s", val);
+		}
+		putchar(',');
+	}
+
 	// OBJ_LABEL
 	if (extra_labels) {
 		rc = auparse_normalize_object_first_attribute(au);
@@ -720,6 +737,17 @@ static void text_event(auparse_state_t *au,
 		printf("%s ", val);
 	}
 
+	rc = auparse_normalize_object_primary2(au);
+	if (rc == 1) {
+		const char *val;
+
+		if (auparse_get_field_type(au) == AUPARSE_TYPE_ESCAPED_FILE)
+			val = auparse_interpret_realpath(au);
+		else
+			val = auparse_interpret_field(au);
+		printf("to %s ", val);
+	}
+
 	if (    type == AUDIT_VIRT_RESOURCE ||
 		type == AUDIT_VIRT_CONTROL) {
 		rc = auparse_normalize_object_secondary(au);