- Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records - audisp-prelude attempt to reposition index after examining each type - correct building of mls policy - Fix auparse iterating in auparse_find_field and next_field - Don't alert on USER_AVC's - they are not quite right
This commit is contained in:
Steve Grubb
parent
26677d9499
commit
f2add7b4d6
@ -1,6 +1,6 @@
|
||||
diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
|
||||
--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c 2008-04-07 16:57:12.000000000 -0400
|
||||
+++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-17 16:27:51.000000000 -0400
|
||||
+++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-18 14:23:06.000000000 -0400
|
||||
@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
@ -23,11 +23,92 @@ diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/a
|
||||
|
||||
/* Cleanup subsystems */
|
||||
if (client)
|
||||
@@ -1938,6 +1940,7 @@ static void handle_event(auparse_state_t
|
||||
break;
|
||||
case AUDIT_SYSCALL:
|
||||
handle_watched_syscalls(au, &idmef, &alert);
|
||||
+ goto_record_type(au, AUDIT_SYSCALL);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
@@ -609,7 +611,7 @@ static int get_login_exe_info(auparse_st
|
||||
base = basename(exe);
|
||||
ret = prelude_string_new(&name_str);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
- ret = prelude_string_set_ref(name_str, base);
|
||||
+ ret = prelude_string_set_dup(name_str, base);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
idmef_process_set_name(process, name_str);
|
||||
}
|
||||
@@ -708,7 +710,7 @@ static int get_comm_info(auparse_state_t
|
||||
char *base = basename(exe);
|
||||
ret = prelude_string_new(&name_str);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
- ret = prelude_string_set_ref(name_str, base);
|
||||
+ ret = prelude_string_set_dup(name_str, base);
|
||||
idmef_process_set_name(process, name_str);
|
||||
}
|
||||
}
|
||||
@@ -760,7 +762,7 @@ static int get_file_info(auparse_state_t
|
||||
ret = prelude_string_new(&str);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
|
||||
- ret = prelude_string_set_ref(str, path);
|
||||
+ ret = prelude_string_set_dup(str, path);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
if (path[0] == '/') {
|
||||
char *base;
|
||||
@@ -772,7 +774,7 @@ static int get_file_info(auparse_state_t
|
||||
base = "/";
|
||||
ret = prelude_string_new(&name_str);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
- ret = prelude_string_set_ref(name_str, base);
|
||||
+ ret = prelude_string_set_dup(name_str, base);
|
||||
PRELUDE_FAIL_CHECK;
|
||||
idmef_file_set_name(file, name_str);
|
||||
} else
|
||||
@@ -1811,7 +1813,7 @@ static void handle_event(auparse_state_t
|
||||
rc = 0;
|
||||
switch (type) {
|
||||
case AUDIT_AVC:
|
||||
- case AUDIT_USER_AVC:
|
||||
+// case AUDIT_USER_AVC:
|
||||
if (config.avcs == E_NO)
|
||||
break;
|
||||
if (config.avcs_act != A_IDMEF)
|
||||
diff -urp audit-1.7.2.orig/auparse/auparse.c audit-1.7.2/auparse/auparse.c
|
||||
--- audit-1.7.2.orig/auparse/auparse.c 2008-04-08 12:37:09.000000000 -0400
|
||||
+++ audit-1.7.2/auparse/auparse.c 2008-04-18 14:10:36.000000000 -0400
|
||||
@@ -1130,6 +1130,7 @@ int auparse_first_record(auparse_state_t
|
||||
return rc;
|
||||
}
|
||||
aup_list_first(&au->le);
|
||||
+ aup_list_first_field(&au->le);
|
||||
|
||||
return 1;
|
||||
}
|
||||
@@ -1236,7 +1237,22 @@ const char *auparse_find_field(auparse_s
|
||||
{
|
||||
free(au->find_field);
|
||||
au->find_field = strdup(name);
|
||||
- return auparse_find_field_next(au);
|
||||
+
|
||||
+ if (au->le.e.sec) {
|
||||
+ const char *cur_name;
|
||||
+ rnode *r;
|
||||
+
|
||||
+ // look at current record before moving
|
||||
+ r = aup_list_get_cur(&au->le);
|
||||
+ if (r == NULL)
|
||||
+ return NULL;
|
||||
+ cur_name = nvlist_get_cur_name(&r->nv);
|
||||
+ if (cur_name && strcmp(cur_name, name) == 0)
|
||||
+ return nvlist_get_cur_val(&r->nv);
|
||||
+
|
||||
+ return auparse_find_field_next(au);
|
||||
+ }
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
/* Increment 1 location and then scan for next field */
|
||||
@@ -1258,6 +1274,8 @@ const char *auparse_find_field_next(aupa
|
||||
if (nvlist_find_name(&r->nv, au->find_field))
|
||||
return nvlist_get_cur_val(&r->nv);
|
||||
r = aup_list_next(&au->le);
|
||||
+ if (r)
|
||||
+ aup_list_first_field(&au->le);
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
|
||||
@ -269,6 +269,7 @@ fi
|
||||
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
|
||||
%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
|
||||
%attr(750,root,root) /sbin/auditctl
|
||||
@ -277,7 +278,8 @@ fi
|
||||
%attr(755,root,root) /sbin/aureport
|
||||
%attr(750,root,root) /sbin/autrace
|
||||
%attr(750,root,root) /sbin/audispd
|
||||
%attr(750,root,root) /sbin/aulastlog
|
||||
%attr(750,root,root) %{_bindir}/aulastlog
|
||||
%attr(755,root,root) %{_bindir}/ausyscall
|
||||
%attr(755,root,root) /etc/rc.d/init.d/auditd
|
||||
%attr(750,root,root) %{_var}/log/audit
|
||||
%attr(750,root,root) %dir /etc/audit
|
||||
|
||||
Loading…
Reference in New Issue
Block a user