Fix audit rule removal upon osquery exit #7221
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
prateeknischal
force-pushed
the
fix_audit_rule_uninstall
branch
from
22a85ad to
4cf4dcc
Compare
Smjert
previously requested changes
Aug 3, 2021
There was a problem hiding this comment.
@prateeknischal thanks for looking into this!
There's only one correction to be done and then it's good to go!
| } else if (FLAGS_audit_debug) { | ||
| VLOG(1) << "Audit rule installed for all queued syscalls"; | ||
| } | ||
|
|
||
| if (FLAGS_audit_force_unconfigure) { | ||
| if (FLAGS_audit_force_reconfigure || rule_add_error >= 0) { |
There was a problem hiding this comment.
FLAGS_audit_force_reconfigure should be FLAGS_audit_force_unconfigure.
Reconfigure is a "stronger" operation than unconfigure and it lists all the rules currently active on it's own and removes them (among other things).
Unconfigure is meant to remove all rules that osquery has ever added, even if they have not been added in the current run. But rules that have been added by an administrator should not be touched.
There was a problem hiding this comment.
Aah, the autocomplete, I had intended to write unconfigure, I would have accepted this suggestion from the autocomplete. I should have been more careful. Thank you for the review. I have updated the pull request.
The audit rules were not getting removed when osquery exits as part of the cleanup process. This was due to not adding the audit rule to the cleanup list unless osquery was run with --audit_force_unconfigure. The force unconfigure option is to remove the rules irrespective of the their install exit code which was not followed in the osquery#7063. The current fix is going to install the rule for cleanup either the error code is non-negative or osquery is asked to force reconfigure. This would also fix the double adding of the audit rules as mentioned in osquery#7205.
prateeknischal
force-pushed
the
fix_audit_rule_uninstall
branch
from
4cf4dcc to
24fcf05
Compare
theopolis
approved these changes
Aug 15, 2021
aikuchin
pushed a commit
to aikuchin/osquery
that referenced
this pull request
Jul 11, 2023
…1 to master * commit 'f72b7c5510b8cd78c9d0450cbd1f31903681caa5': (53 commits) Add `TimeoutStopSec` to systemd unit files (osquery#7190) Prevent osquery from killing itself when the --force flag is used (osquery#7295) Linux: Support AF_PACKET sockets. (osquery#7282) libs: update openssl to 1.1.1l (osquery#7293) Correct macOS installed app bundle path in osqueryctl and doc (osquery#7289) macos path fix in launchd plist (osquery#7288) Update osquery installed artifacts default paths in code (osquery#7285) Update osquery installed artifacts paths in the documentation (osquery#7286) Update packaging SHA (osquery#7279) Change to the `disk_encryption` table to support QueryContext (osquery#7209) Add feature to skip denylist for event-based queries (osquery#7158) Support pid_with_namespace in more tables (osquery#7132) audit: socket_events improvements (osquery#7269) [linux][packaging] Update packaging paths (osquery#7271) Change logger_mode flag to be actually interpreted as an octal (osquery#7273) Update `uptime` table descrption (osquery#7270) [macOS][packaging] Create an app bundle along with other package_data (osquery#7263) Add case sensitive pragma to the pragma/actions authorizer allow list (osquery#7267) Fix audit rule removal upon osquery exit (osquery#7221) Fix osquery_info build_platform column value on Linux (osquery#7254) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The audit rules were not getting removed when osquery exits as part of
the cleanup process. This was due to not adding the audit rule to the
cleanup list unless osquery was run with
--audit_force_unconfigure. Theforce unconfigure option is to remove the rules irrespective of the their
install exit code which was not followed in the #7063.
The current fix is going to install the rule for cleanup either the error
code is non-negative or osquery is asked to force reconfigure. This would
also fix the double adding of the audit rules as mentioned in #7205.