Fix audit rule removal upon osquery exit

The audit rules were not getting removed when osquery exits as part of the cleanup process. This was due to not adding the audit rule to the cleanup list unless osquery was run with --audit_force_unconfigure. The force unconfigure option is to remove the rules irrespective of the their install exit code which was not followed in the #7063. The current fix is going to install the rule for cleanup either the error code is non-negative or osquery is asked to force reconfigure. This would also fix the double adding of the audit rules as mentioned in #7205.
osquery · Aug 3, 2021 · 22a85ad · 22a85ad
1 parent 5b5942f
commit 22a85ad
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/osquery/events/linux/auditdnetlink.cpp b/osquery/events/linux/auditdnetlink.cpp
@@ -417,11 +417,14 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
     LOG(ERROR) << "Failed to install the audit rule due to one or more "
                << "syscalls with error " << audit_errno_to_name(rule_add_error)
                << ", Audit-based tables may not function as expected";
+
   } else if (FLAGS_audit_debug) {
     VLOG(1) << "Audit rule installed for all queued syscalls";
   }
 
-  if (FLAGS_audit_force_unconfigure) {
+  if (FLAGS_audit_force_reconfigure || rule_add_error >= 0) {
+    // keep a track of the rule even if installing it failed when asked to
+    // forcefully unconfigure.
     installed_rule_list_.push_back(rule);
   }
 
@@ -578,8 +581,12 @@ void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
   VLOG(1) << "Uninstalling the audit rules we have installed";
 
   for (auto& rule : installed_rule_list_) {
-    audit_delete_rule_data(
+    int delete_rule_error = audit_delete_rule_data(
         audit_netlink_handle_, &rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
+    if (FLAGS_audit_debug && delete_rule_error < 0) {
+      VLOG(1) << "Error code returned by delete rule "
+              << audit_errno_to_name(delete_rule_error);
+    }
   }
 
   installed_rule_list_.clear();