Allow exclude and user filter by executable name #48

Merged (2 commits), Jan 23, 2019
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -59,6 +59,7 @@
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)

2.8.3
- Correct msg function name in LRU debug code
6 changes: 3 additions & 3 deletions docs/auditctl.8
Expand Up @@ -78,10 +78,10 @@ Add a rule to the per task list. This rule list is used only at the time a task
Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.
.TP
.B user
Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, msgtype, and executable name. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
.TP
.B exclude
Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context. The action is ignored and uses its default of "never".
Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type, subject context, or executable name. The action is ignored and uses its default of "never".
.RE

The following describes the valid \fIactions\fP for the rule:
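Review bot: the pre-existing typo in the exclude paragraph ("you would using this list to record that") is carried over into the rewritten line; since that line is being rewritten anyway, change it to "you would use this list to record that". Both the user and exclude paragraphs also name the new field as "executable name" while the field itself is documented further down as `exe`; writing "executable name (exe)" in both paragraphs makes the lookup from filter description to field name unambiguous.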
Expand Down Expand Up @@ -145,7 +145,7 @@ Effective Group ID. May be numeric or the groups name.
Effective User ID. May be numeric or the user account name.
.TP
.B exe
Absolute path to application that while executing this rule will apply to. This can only be used on the exit list. It supports = and != operators. Note that you can only use this once for each rule.
Absolute path to application that while executing this rule will apply to. It supports = and != operators. Note that you can only use this once for each rule.
.TP
.B exit
Exit value from a syscall. If the exit code is an errno, you may use the text representation, too.
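Review bot: dropping the sentence "This can only be used on the exit list." changes documented behaviour, but nothing else in this diff enforces or relaxes that restriction in userspace, so after this change the reader has no statement of when `exe` is accepted on the user and exclude lists. Rather than silently removing the restriction, replace the sentence with one saying that `exe` on the user and exclude lists requires kernel support for it and that a kernel without that support will refuse the rule, so administrators on older kernels know why the rule fails to load.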
3 changes: 2 additions & 1 deletion lib/libaudit.c
Expand Up @@ -1448,7 +1448,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if ((field = audit_name_to_field(f)) < 0)
return -EAU_FIELDUNKNOWN;

/* Exclude filter can be used only with MSGTYPE and cred fields */
/* Exclude filter can be used only with MSGTYPE, cred and EXE fields */
if (flags == AUDIT_FILTER_EXCLUDE) {
uint32_t features = audit_get_features();
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
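Review bot: the updated comment "Exclude filter can be used only with MSGTYPE, cred and EXE fields" is only accurate on the branch taken when the kernel advertises AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND; on the branch immediately below, where that bit is absent, the exclude filter is still limited to MSGTYPE. Consider wording the comment as "MSGTYPE always; cred and EXE fields only when the kernel sets AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND" so it matches both branches.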
Expand All @@ -1466,6 +1466,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
case AUDIT_EXE:
break;
default:
return -EAU_MSGTYPECREDEXCLUDE;
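Review bot: `case AUDIT_EXE:` is added to the whitelist that is reached only after the AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND check in the preceding hunk, but that check was already gating the cred fields before this change and nothing here shows it also covers exe on the exclude list. A kernel that sets the bit yet does not accept AUDIT_EXE on the exclude filter will pass this function and then fail at rule insertion with a generic kernel error instead of the descriptive -EAU_MSGTYPECREDEXCLUDE. Either confirm that the same feature bit implies exe support, add a distinct feature check for exe, or document the limitation so the failure mode is understandable to the user.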