diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c
|
|
--- audit-3.0.orig/src/aureport-options.c 2018-08-31 17:05:48.000000000 -0400
|
|
+++ audit-3.0/src/aureport-options.c 2018-12-06 19:31:26.945634371 -0500
|
|
@@ -85,7 +85,8 @@
|
|
R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
|
|
R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
|
|
R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
|
|
- R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE };
|
|
+ R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
|
|
+ R_DEBUG };
|
|
|
|
static struct nv_pair optiontab[] = {
|
|
{ R_AUTH, "-au" },
|
|
@@ -98,6 +99,7 @@
|
|
{ R_CONFIGS, "--config" },
|
|
{ R_CRYPTO, "-cr" },
|
|
{ R_CRYPTO, "--crypto" },
|
|
+ { R_DEBUG, "--debug" },
|
|
{ R_DEL, "--delete" },
|
|
{ R_EVENTS, "-e" },
|
|
{ R_EVENTS, "--event" },
|
|
@@ -731,6 +733,9 @@
|
|
case R_DEL:
|
|
event_conf_act = C_DEL;
|
|
break;
|
|
+ case R_DEBUG:
|
|
+ event_debug = 1;
|
|
+ break;
|
|
case R_IN_LOGS:
|
|
force_logs = 1;
|
|
break;
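Review bot: The new `case R_DEBUG: event_debug = 1;` makes `--debug` accepted, but no hunk in this patch touches the usage text that the R_HELP path prints, so the option is wired into optiontab (hunk at line 99) and the switch here yet stays undocumented to the user. If the usage function lives outside these hunks, please confirm it gained a `--debug` line; otherwise add one describing what event_debug turns on. The declaration of `event_debug` is not visible either — presumably an existing global from the options header, but if it is new it also needs the extern and its initialiser. The switch's enclosing function starts and ends outside the hunk.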
|
|
diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
|
|
--- audit-3.0.orig/src/ausearch-parse.c 2018-08-31 17:05:48.000000000 -0400
|
|
+++ audit-3.0/src/ausearch-parse.c 2018-12-06 19:31:26.945634371 -0500
|
|
@@ -102,7 +102,8 @@
|
|
ret = parse_path(n, s);
|
|
break;
|
|
case AUDIT_USER:
|
|
- case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
|
|
+ case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
|
|
+ case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
|
|
case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
|
|
ret = parse_user(n, s);
|
|
break;
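Review bot: The split case range at lines 123–126 leaves a one-value hole between AUDIT_USER_END and AUDIT_USER_CHAUTHTOK with nothing at the site saying why; the reason (AUDIT_USER_AVC sits in that gap and is routed to parse_avc by the hunk at line 137) is only discoverable from the other hunk. A comment above the two labels, `/* gap skips AUDIT_USER_AVC, which is handled with AUDIT_AVC below */`, would keep the next maintainer from "fixing" the range back into one. The hole is only correct while AUDIT_USER_AVC is exactly AUDIT_USER_END + 1 and AUDIT_USER_CHAUTHTOK is AUDIT_USER_AVC + 1 in linux/audit.h, which matches the upstream header but could be pinned with a `_Static_assert` if the file is built as C11. The switch's enclosing function starts and ends outside the hunk.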
|
|
@@ -136,6 +137,7 @@
|
|
avc_parse_path(n, s);
|
|
break;
|
|
case AUDIT_AVC:
|
|
+ case AUDIT_USER_AVC:
|
|
ret = parse_avc(n, s);
|
|
break;
|
|
case AUDIT_NETFILTER_PKT:
|
|
@@ -1867,6 +1869,20 @@
|
|
*term = ' ';
|
|
}
|
|
|
|
+ // User AVC's are not formatted like a kernel AVC
|
|
+ if (n->type == AUDIT_USER_AVC) {
|
|
+ rc = parse_user(n, s);
|
|
+ if (rc > 20)
|
|
+ rc = 0;
|
|
+ if (audit_avc_init(s) == 0) {
|
|
+ alist_append(s->avc, &an);
|
|
+ } else {
|
|
+ rc = 10;
|
|
+ goto err;
|
|
+ }
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
// get pid
|
|
if (event_pid != -1) {
|
|
str = strstr(term, "pid=");
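Review bot: The threshold `if (rc > 20) rc = 0;` at line 182 is an unexplained magic number: parse_user's return codes are not visible here, so a reader cannot tell which failures are being downgraded to "matched" and which still abort the record. Please state the contract on that line, e.g. `/* parse_user codes above 20 denote an absent optional field, not a parse error — TODO confirm against parse_user */`, or better name the boundary with a constant next to parse_user. Also, `alist_append(s->avc, &an)` at line 191 copies whatever `an` holds at this point; on the user-AVC path the fields that the kernel-AVC parsing above normally fills may never have been set, so confirm `an` is zero-initialised at the top of parse_avc (outside this hunk) or the list receives stale stack contents. The early `return rc` intentionally skips the pid/comm parsing that follows, which is worth saying in the comment as well; parse_avc's start and the `err` label lie outside the hunk.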
|
|
diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
|
|
--- audit-3.0.orig/src/ausearch-parse.c 2018-10-03 19:46:52.000000000 -0400
|
|
+++ audit-3.0/src/ausearch-parse.c 2018-12-08 15:48:54.350009208 -0500
|
|
@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea
|
|
if (str) {
|
|
str += 5;
|
|
term = strchr(str, '{');
|
|
- if (term == NULL)
|
|
- return 1;
|
|
+ if (term == NULL) {
|
|
+ term = n->message;
|
|
+ goto other_avc;
|
|
+ }
|
|
if (event_success != S_UNSET) {
|
|
*term = 0;
|
|
// FIXME. Do not override syscall success if already
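Review bot: The new fallback at lines 251–260 applies to every record type, not only AUDIT_USER_AVC: a kernel AVC whose message has no `{` previously made parse_avc return 1 and now continues, with `term` reset to the start of the message, into the pid/comm parsing after `other_avc:` (hunk at line 1871) while bypassing the event_success filtering that begins on the next line. If only user AVCs are meant to take this path, guard it with `if (n->type != AUDIT_USER_AVC) return 1;` before `term = n->message;`, and either way add a comment explaining why `{` may legitimately be absent. Note that this second diff is stacked on the first ausearch-parse.c patch above (its context already contains the user-AVC block), so it only applies after that one. parse_avc starts and ends outside the hunk.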
|
|
@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea
|
|
*term = ' ';
|
|
}
|
|
|
|
+other_avc:
|
|
// User AVC's are not formatted like a kernel AVC
|
|
if (n->type == AUDIT_USER_AVC) {
|
|
rc = parse_user(n, s);
|