Fix audit rule removal upon osquery exit
The audit rules were not getting removed when osquery exits as part of
the cleanup process. This was due to not adding the audit rule to the
cleanup list unless osquery was run with --audit_force_unconfigure. The
force unconfigure option is to remove the rules irrespective of their
install exit code, which was not followed in #7063.

The current fix is going to install the rule for cleanup if either the error
code is non-negative or osquery is asked to force reconfigure. This would
also fix the double adding of the audit rules as mentioned in #7205.
prateeknischal committed Aug 3, 2021
1 parent 5b5942f commit 24fcf05
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions osquery/events/linux/auditdnetlink.cpp
@@ -417,11 +417,14 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
LOG(ERROR) << "Failed to install the audit rule due to one or more "
<< "syscalls with error " << audit_errno_to_name(rule_add_error)
<< ", Audit-based tables may not function as expected";

} else if (FLAGS_audit_debug) {
VLOG(1) << "Audit rule installed for all queued syscalls";
}

if (FLAGS_audit_force_unconfigure) {
if (FLAGS_audit_force_unconfigure || rule_add_error >= 0) {
// keep a track of the rule even if installing it failed when asked to
// forcefully unconfigure.
installed_rule_list_.push_back(rule);
}

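Review bot: the comment above `installed_rule_list_.push_back(rule);` is now stale. It still says the rule is kept only "when asked to forcefully unconfigure", but the new condition `if (FLAGS_audit_force_unconfigure || rule_add_error >= 0)` also tracks every rule whose install returned a non-negative code, which is the normal success path and the case this commit exists to fix. Suggest rewording it along the lines of "track the rule for removal on exit if it was installed, or regardless of the result when forcefully unconfiguring" so a later reader does not assume success-path rules are untracked. The condition itself is consistent with the commit message and with the `LOG(ERROR)` branch above it, which treats a negative return as the failure case.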
@@ -578,8 +581,12 @@ void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
VLOG(1) << "Uninstalling the audit rules we have installed";

for (auto& rule : installed_rule_list_) {
audit_delete_rule_data(
int rule_delete_error = audit_delete_rule_data(
audit_netlink_handle_, &rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
if (FLAGS_audit_debug && rule_delete_error < 0) {
VLOG(1) << "Error code returned by delete rule "
<< audit_errno_to_name(rule_delete_error);
}
}

installed_rule_list_.clear();
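Review bot: a failed `audit_delete_rule_data()` is reported only when `FLAGS_audit_debug` is set, and only at `VLOG(1)`. A rule that survives osquery's exit keeps the kernel generating audit events for those syscalls with nothing left to consume them, so the failure is worth logging unconditionally, for example `LOG(WARNING) << "Failed to remove audit rule: " << audit_errno_to_name(rule_delete_error);`, in line with the install-failure path in `configureAuditService()`, which uses `LOG(ERROR)` without a debug gate. Capturing the return value at all is the right change; the previous bare call discarded it, so removal failures were invisible.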

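The following is an added example, not code from osquery or from this commit. It models the tracking logic the commit changes with a fake audit back end (constructed here; it returns a negative errno the way `audit_add_rule_data()`/`audit_delete_rule_data()` do) so the two behaviours can be compared side by side: before the fix, rules were only added to the cleanup list under `--audit_force_unconfigure`, so without that flag they outlived the process and a restart hit `EEXIST` on every rule; after the fix, any rule whose install returned a non-negative code is tracked and removed on exit. The struct and function names (`FakeAudit`, `Reader`, `rulesLeftAfterExit`, `duplicateAddErrorsOnRestart`) are this example's own.

```cpp
// Added example (not osquery's code): a model of the audit-rule cleanup
// logic changed in this commit, with libaudit replaced by a fake.
#include <cerrno>
#include <cstdio>
#include <set>
#include <vector>

struct FakeAuditRule { int id; };

// Fake kernel audit state (constructed for the example): the set of
// installed rule ids. Calls return 0 on success or a negative errno,
// mirroring the libaudit convention the real code relies on.
struct FakeAudit {
  std::set<int> installed;
  int add(int id) {
    if (id < 0) return -EINVAL;
    if (installed.count(id)) return -EEXIST;  // rule already present
    installed.insert(id);
    return 0;
  }
  int del(int id) {
    if (!installed.count(id)) return -ENOENT;
    installed.erase(id);
    return 0;
  }
};

// Minimal stand-in for AuditdNetlinkReader's configure/restore pair.
struct Reader {
  FakeAudit& audit;
  bool force_unconfigure;   // --audit_force_unconfigure
  bool track_on_success;    // false: behaviour before the fix, true: after
  std::vector<FakeAuditRule> installed_rule_list_;

  // Returns how many installs reported an error.
  int configure(const std::vector<int>& ids) {
    int add_errors = 0;
    for (int id : ids) {
      FakeAuditRule rule{id};
      int rule_add_error = audit.add(id);
      if (rule_add_error < 0) ++add_errors;
      bool track = track_on_success
                       ? (force_unconfigure || rule_add_error >= 0)  // fixed
                       : force_unconfigure;                            // old
      if (track) installed_rule_list_.push_back(rule);
    }
    return add_errors;
  }

  // Returns how many tracked rules could not be deleted.
  int restore() {
    int failures = 0;
    for (auto& rule : installed_rule_list_) {
      if (audit.del(rule.id) < 0) ++failures;
    }
    installed_rule_list_.clear();
    return failures;
  }
};

// Scenario 1: how many rules are still installed after one osquery exit.
int rulesLeftAfterExit(bool track_on_success, bool force_unconfigure) {
  FakeAudit audit;
  Reader r{audit, force_unconfigure, track_on_success, {}};
  r.configure({1, 2, 3});
  r.restore();
  return static_cast<int>(audit.installed.size());
}

// Scenario 2 (the double-add symptom): run, exit, run again without the
// force flag, and count how many adds fail because the rule still exists.
int duplicateAddErrorsOnRestart(bool track_on_success) {
  FakeAudit audit;
  Reader first{audit, false, track_on_success, {}};
  first.configure({1, 2, 3});
  first.restore();
  Reader second{audit, false, track_on_success, {}};
  return second.configure({1, 2, 3});
}

int main() {
  std::printf("rules left after exit, old logic:   %d\n", rulesLeftAfterExit(false, false));
  std::printf("rules left after exit, fixed logic: %d\n", rulesLeftAfterExit(true, false));
  std::printf("EEXIST on restart, old logic:       %d\n", duplicateAddErrorsOnRestart(false));
  std::printf("EEXIST on restart, fixed logic:     %d\n", duplicateAddErrorsOnRestart(true));
  return 0;
}
```

With the old logic and no force flag every rule is left behind (3) and the next start gets `EEXIST` three times; with the fixed logic both counts are 0. The force flag alone also yields 0 leftovers, which is why the bug was only visible to deployments running without `--audit_force_unconfigure`.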