diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
|
|
--- audit-3.0.orig/src/auditd.c 2018-12-06 20:01:06.923443360 -0500
|
|
+++ audit-3.0/src/auditd.c 2018-12-06 20:17:19.030339043 -0500
|
|
@@ -214,24 +214,35 @@ static void cont_handler(struct ev_loop
|
|
|
|
static int extract_type(const char *str)
|
|
{
|
|
- const char *tptr, *ptr2, *ptr = str;
|
|
+ char tmp, *ptr2, *ptr = str;
|
|
+ int type;
|
|
if (*str == 'n') {
|
|
ptr = strchr(str+1, ' ');
|
|
if (ptr == NULL)
|
|
return -1; // Malformed - bomb out
|
|
ptr++;
|
|
}
|
|
+
|
|
// ptr should be at 't'
|
|
ptr2 = strchr(ptr, ' ');
|
|
- // get type=xxx in a buffer
|
|
- tptr = strndupa(ptr, ptr2 - ptr);
|
|
+
|
|
// find =
|
|
- str = strchr(tptr, '=');
|
|
- if (str == NULL)
|
|
+ str = strchr(ptr, '=');
|
|
+ if (str == NULL || str >= ptr2)
|
|
return -1; // Malformed - bomb out
|
|
+
|
|
// name is 1 past
|
|
str++;
|
|
- return audit_name_to_msg_type(str);
|
|
+
|
|
+ // Save character & terminate string
|
|
+ tmp = *ptr2;
|
|
+ *ptr2 = 0;
|
|
+
|
|
+ type = audit_name_to_msg_type(str);
|
|
+
|
|
+ *ptr2 = tmp; // Restore character
|
|
+
|
|
+ return type;
|
|
}
|
|
|
|
void distribute_event(struct auditd_event *e)
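Review bot: `ptr2` is never checked for NULL before the `str >= ptr2` comparison and the `*ptr2 = 0` write, so a message whose `type=` token is the last thing on the line (no trailing space) is only rejected by a relational compare against a null pointer, which is undefined in C rather than a guaranteed bail-out. Add an explicit `if (ptr2 == NULL) return -1; // Malformed - bomb out` right after `ptr2 = strchr(ptr, ' ');`. Separately, the prototype still says `const char *str` but the function now writes through `ptr2`, which aliases that buffer: `char *ptr = str` silently discards the qualifier and the temporary NUL leaves the caller's message truncated until it is restored. Either change the prototype to `static int extract_type(char *str)` so the in-place mutation is visible at the call site, or copy the bounded token into a local buffer and keep the input read-only.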
|
|
@@ -250,18 +261,22 @@ void distribute_event(struct auditd_even
|
|
route = 0;
|
|
else { // We only need the original type if its being routed
|
|
e->reply.type = extract_type(e->reply.message);
|
|
- char *p = strchr(e->reply.message,
|
|
- AUDIT_INTERP_SEPARATOR);
|
|
- if (p)
|
|
- proto = AUDISP_PROTOCOL_VER2;
|
|
- else
|
|
- proto = AUDISP_PROTOCOL_VER;
|
|
|
|
+ // Treat everything from the network as VER2
|
|
+ // because they are already formatted. This is
|
|
+ // important when it gets to the dispatcher which
|
|
+ // can strip node= when its VER1.
|
|
+ proto = AUDISP_PROTOCOL_VER2;
|
|
}
|
|
- } else if (e->reply.type != AUDIT_DAEMON_RECONFIG)
|
|
- // All other events need formatting
|
|
+ } else if (e->reply.type != AUDIT_DAEMON_RECONFIG) {
|
|
+ // All other local events need formatting
|
|
format_event(e);
|
|
- else
|
|
+
|
|
+ // If the event has been formatted with node, upgrade
|
|
+ // to VER2 so that the dispatcher honors the formatting
|
|
+ if (config.node_name_format != N_NONE)
|
|
+ proto = AUDISP_PROTOCOL_VER2;
|
|
+ } else
|
|
route = 0; // Don't DAEMON_RECONFIG events until after enqueue
|
|
|
|
/* End of Event is for realtime interface - skip local logging of it */
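Review bot: The result of `extract_type` is stored straight into `e->reply.type` with no check, yet the function returns -1 for a malformed message, so as far as this hunk shows a bad network event is routed to the dispatcher carrying type -1 (or a wrapped value if the field is unsigned). A small guard keeps such events off the wire: `int t = extract_type(e->reply.message);` / `if (t < 0) route = 0; // malformed - don't dispatch` / `else e->reply.type = t;`. Whether anything downstream already rejects a negative type I can't see from here, so if that is the case a comment on this line saying so would be enough. `distribute_event` starts before this hunk and continues past it.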
|
|
@@ -748,6 +763,17 @@ int main(int argc, char *argv[])
|
|
return 1;
|
|
}
|
|
|
|
+ /* Startup libev and dispatcher */
|
|
+ loop = ev_default_loop(EVFLAG_NOENV);
|
|
+ if (init_dispatcher(&config)) {
|
|
+ if (pidfile)
|
|
+ unlink(pidfile);
|
|
+ tell_parent(FAILURE);
|
|
+ free_config(&config);
|
|
+ ev_default_destroy();
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
/* Get machine name ready for use */
|
|
if (resolve_node(&config)) {
|
|
if (pidfile)
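Review bot: The moved block only carries `/* Startup libev and dispatcher */`, and the reason it now has to run first is not stated even though it is the point of the move: the `resolve_node` failure path just below already calls `shutdown_dispatcher()` (as do the later paths this patch touches), which before the move ran against a dispatcher that had never been initialised. Suggest extending the comment to `/* Startup libev and dispatcher first: every failure path from here on calls shutdown_dispatcher() */`. It is also worth confirming that `init_dispatcher` cleans up after itself on failure, since this path, unlike the ones below it, does not call `shutdown_dispatcher()` and I can't see its body here. `main` starts and ends outside the hunk.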
|
|
@@ -755,6 +781,7 @@ int main(int argc, char *argv[])
|
|
shutdown_dispatcher();
|
|
tell_parent(FAILURE);
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
|
|
@@ -766,6 +793,7 @@ int main(int argc, char *argv[])
|
|
shutdown_dispatcher();
|
|
tell_parent(FAILURE);
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
fcntl(pipefds[0], F_SETFD, FD_CLOEXEC);
|
|
@@ -785,6 +813,7 @@ int main(int argc, char *argv[])
|
|
tell_parent(FAILURE);
|
|
close_pipes();
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
if (getsubj(subj))
|
|
@@ -811,6 +840,7 @@ int main(int argc, char *argv[])
|
|
tell_parent(FAILURE);
|
|
close_pipes();
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
}
|
|
@@ -821,6 +851,7 @@ int main(int argc, char *argv[])
|
|
/* let config manager init */
|
|
init_config_manager();
|
|
|
|
+ /* Depending on value of opt_startup (-s) set initial audit state */
|
|
if (opt_startup != startup_nochange && !opt_aggregate_only &&
|
|
(audit_is_enabled(fd) < 2) &&
|
|
audit_set_enabled(fd, (int)opt_startup) < 0) {
|
|
@@ -849,6 +880,7 @@ int main(int argc, char *argv[])
|
|
tell_parent(FAILURE);
|
|
close_pipes();
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
|
|
@@ -877,20 +909,11 @@ int main(int argc, char *argv[])
|
|
tell_parent(FAILURE);
|
|
close_pipes();
|
|
free_config(&config);
|
|
+ ev_default_destroy();
|
|
return 1;
|
|
}
|
|
|
|
- /* Depending on value of opt_startup (-s) set initial audit state */
|
|
- loop = ev_default_loop (EVFLAG_NOENV);
|
|
-
|
|
- if (init_dispatcher(&config)) {
|
|
- if (pidfile)
|
|
- unlink(pidfile);
|
|
- tell_parent(FAILURE);
|
|
- free_config(&config);
|
|
- return 1;
|
|
- }
|
|
-
|
|
+ /* Start up all the handlers */
|
|
if (!opt_aggregate_only) {
|
|
ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
|
|
ev_io_start (loop, &netlink_watcher);
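Review bot: This patch had to add `ev_default_destroy();` to seven separate failure paths in `main`, each repeating the same `tell_parent(FAILURE); close_pipes(); free_config(&config); return 1;` sequence, and the path shown at the top of this hunk is one of them. That copy-paste is exactly how the loop was left undestroyed before, so the next resource acquired in `main` is likely to be missed in the same way. A single cleanup label at the end of `main` that tears things down in reverse order of acquisition (pipes, dispatcher, loop, config) and is reached by `goto` from each failure site would make such omissions impossible and is the idiomatic C pattern for this many exit paths. `main` starts and ends outside the hunk.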
|
|
diff -urp audit-3.0.orig/src/auditd-dispatch.c audit-3.0/src/auditd-dispatch.c
|
|
--- audit-3.0.orig/src/auditd-dispatch.c 2018-08-31 17:05:48.000000000 -0400
|
|
+++ audit-3.0/src/auditd-dispatch.c 2018-12-06 20:17:09.769340037 -0500
|
|
@@ -70,6 +70,7 @@ int dispatch_event(const struct audit_re
|
|
if (!libdisp_active())
|
|
return 0;
|
|
|
|
+ // Translate event into dispatcher format
|
|
e = malloc(sizeof(event_t));
|
|
if (e == NULL)
|
|
return -1;
|
|
@@ -78,6 +79,7 @@ int dispatch_event(const struct audit_re
|
|
e->hdr.hlen = sizeof(struct audit_dispatcher_header);
|
|
e->hdr.type = rep->type;
|
|
|
|
+ // Network originating events have data at rep->message
|
|
if (protocol_ver == AUDISP_PROTOCOL_VER) {
|
|
e->hdr.size = rep->msg.nlh.nlmsg_len;
|
|
memcpy(e->data, (void*)rep->msg.data, e->hdr.size);
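Review bot: The added comment `// Network originating events have data at rep->message` sits directly above the `AUDISP_PROTOCOL_VER` branch, which does the opposite of what it says: it copies the raw netlink payload from `rep->msg.data` using `rep->msg.nlh.nlmsg_len`. Since the auditd.c change in this same patch forces every network event to VER2, those events never take this branch, so the comment describes the other arm; suggest `// VER1: raw netlink payload at rep->msg.data; VER2 (and all network events) carry the text at rep->message` here instead. Also, `e->hdr.size` is taken from `nlmsg_len` and memcpy'd into `e->data` with no bound against whatever `sizeof(event_t)` reserved in the previous hunk, which is an overflow if that capacity is smaller than the largest netlink message — I can't see the `event_t` definition, so please confirm. `dispatch_event` continues past the hunk.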
|
|
diff -urp audit-3.0.orig/src/auditd-event.c audit-3.0/src/auditd-event.c
|
|
--- audit-3.0.orig/src/auditd-event.c 2018-08-31 17:05:48.000000000 -0400
|
|
+++ audit-3.0/src/auditd-event.c 2018-12-06 20:17:09.769340037 -0500
|
|
@@ -225,8 +225,10 @@ static void replace_event_msg(struct aud
|
|
e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1);
|
|
len = MAX_AUDIT_MESSAGE_LENGTH;
|
|
}
|
|
- e->reply.msg.nlh.nlmsg_len = e->reply.len;
|
|
- e->reply.len = len;
|
|
+ // For network originating events, len should be used
|
|
+ if (!from_network(e)) // V1 protocol msg size
|
|
+ e->reply.msg.nlh.nlmsg_len = e->reply.len;
|
|
+ e->reply.len = len; // V2 protocol msg size
|
|
}
|
|
}
|
|
|
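Review bot: The new guard `if (!from_network(e))` in `replace_event_msg` can never be true as far as this diff shows, because the only visible caller (`create_event`, next hunk) invokes `replace_event_msg` only when `from_network(e)` holds, so the guarded `nlmsg_len` assignment is dead code and the comment above it already tells the whole story. Unless there is another caller outside this diff, drop the guarded line and keep just `e->reply.len = len; // V2 protocol msg size`; if there is one, say so, e.g. `// only reached for network events via create_event; other callers must keep nlmsg_len valid for V1`. Note also that the `strndup` result on the context line is not checked for NULL before the function returns, though that predates this patch. `replace_event_msg` starts outside the hunk.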
|
@@ -500,7 +502,7 @@ struct auditd_event *create_event(char *
|
|
e->sequence_id = sequence_id;
|
|
|
|
/* Network originating events need things adjusted to mimic netlink. */
|
|
- if (e->ack_func)
|
|
+ if (from_network(e))
|
|
replace_event_msg(e, msg);
|
|
|
|
return e;
|
|
@@ -570,7 +572,7 @@ void handle_event(struct auditd_event *e
|
|
static void send_ack(const struct auditd_event *e, int ack_type,
|
|
const char *msg)
|
|
{
|
|
- if (e->ack_func) {
|
|
+ if (from_network(e)) {
|
|
unsigned char header[AUDIT_RMW_HEADER_SIZE];
|
|
|
|
AUDIT_RMW_PACK_HEADER(header, 0, ack_type, strlen(msg),
|
|
diff -urp audit-3.0.orig/src/auditd-event.h audit-3.0/src/auditd-event.h
|
|
--- audit-3.0.orig/src/auditd-event.h 2018-08-31 17:05:48.000000000 -0400
|
|
+++ audit-3.0/src/auditd-event.h 2018-12-06 20:17:09.769340037 -0500
|
|
@@ -36,6 +36,9 @@ struct auditd_event {
|
|
unsigned long sequence_id;
|
|
};
|
|
|
|
+static inline int from_network(const struct auditd_event *e)
|
|
+{ if (e && e->ack_func) return 1; return 0; };
|
|
+
|
|
#include "auditd-config.h"
|
|
|
|
int dispatch_network_events(void);
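Review bot: The definition of `from_network` ends in `};` — the semicolon after the function body is an empty file-scope declaration that `-Wpedantic` rejects in ISO C and should be dropped. The body also reads more directly as `{ return e != NULL && e->ack_func != NULL; }`. Since auditd-event.c now uses this helper as the definition of "came from the network", a one-line comment stating the invariant it leans on would help: `/* Network-received events are the ones carrying an ack callback; local netlink events never set ack_func. */` — I'm inferring that from its use in `send_ack`, so confirm it holds wherever `ack_func` is assigned.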
|