

Viewing changes to src/auditctl.c

  • Committer: Bazaar Package Importer
  • Author(s): Mathias Gug
  • Date: 2007-06-29 13:05:14 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20070629130514-z798cz4lebiahj5w
Tags: 1.5.4-0ubuntu1
* New upstream version.
* debian/patches/audit-1.5.1-dist.patch:
  * update so that it applies to 1.5.4.
* debian/control:
  * update Maintainer and XSBC-Original-Maintainer fields.
* debian/rules:
  * enable apparmor support: add --with-apparmor to configure options.

1
1
/* auditctl.c -- 
2
 
 * Copyright 2004-2006 Red Hat Inc., Durham, North Carolina.
 
2
 * Copyright 2004-2007 Red Hat Inc., Durham, North Carolina.
3
3
 * All Rights Reserved.
4
4
 *
5
5
 * This program is free software; you can redistribute it and/or modify
125
125
{
126
126
    printf(
127
127
    "usage: auditctl [options]\n"
128
 
     "    -a <l,a>     Append rule to end of <l>ist with <a>ction\n"
129
 
     "    -A <l,a>     Add rule at beginning of <l>ist with <a>ction\n"
130
 
     "    -b <backlog> Set max number of outstanding audit buffers allowed\n"
131
 
     "                 Default=64\n"
132
 
     "    -d <l,a>     Delete rule from <l>ist with <a>ction\n"
133
 
     "                 l=task,entry,exit,user,watch,exclude a=never,possible,always\n"
134
 
     "    -D           Delete all rules and watches\n"
135
 
     "    -e [0..2]    Set enabled flag\n"
136
 
     "    -f [0..2]    Set failure flag\n"
137
 
     "                 0=silent 1=printk 2=panic\n"
138
 
     "    -F f=v       Build rule: field name, operator(=,!=,<,>,<=,>=,^,&),\n"
139
 
     "                 value\n"
140
 
     "    -h           Help\n"
141
 
     "    -i           Ignore errors when reading rules from file\n"
142
 
     "    -k <key>     Set filter key on audit rule\n"
143
 
     "    -l           List rules\n"
144
 
     "    -m text      Send a user-space message\n"
145
 
     "    -p [r|w|x|a] Set permissions filter on watch\n"
146
 
     "                 r=read, w=write, x=execute, a=attribute\n"
147
 
     "    -r <rate>    Set limit in messages/sec (0=none)\n"
148
 
     "    -R <file>    read rules from file\n"
149
 
     "    -s           Report status\n"
150
 
     "    -S syscall   Build rule: syscall name or number\n"
151
 
     "    -v           Version\n"
152
 
     "    -w <path>    Insert watch at <path>\n"
153
 
     "    -W <path>    Remove watch at <path>\n"
 
128
     "    -a <l,a>            Append rule to end of <l>ist with <a>ction\n"
 
129
     "    -A <l,a>            Add rule at beginning of <l>ist with <a>ction\n"
 
130
     "    -b <backlog>        Set max number of outstanding audit buffers\n"
 
131
     "                        allowed Default=64\n"
 
132
     "    -d <l,a>            Delete rule from <l>ist with <a>ction\n"
 
133
     "                        l=task,entry,exit,user,watch,exclude\n"
 
134
     "                        a=never,possible,always\n"
 
135
     "    -D                  Delete all rules and watches\n"
 
136
     "    -e [0..2]           Set enabled flag\n"
 
137
     "    -f [0..2]           Set failure flag\n"
 
138
     "                        0=silent 1=printk 2=panic\n"
 
139
     "    -F f=v              Build rule: field name, operator(=,!=,<,>,<=,\n"
 
140
     "                        >=,^,&) value\n"
 
141
     "    -h                  Help\n"
 
142
     "    -i                  Ignore errors when reading rules from file\n"
 
143
     "    -k <key>            Set filter key on audit rule\n"
 
144
     "    -l                  List rules\n"
 
145
     "    -m text             Send a user-space message\n"
 
146
     "    -p [r|w|x|a]        Set permissions filter on watch\n"
 
147
     "                        r=read, w=write, x=execute, a=attribute\n"
 
148
     "    -q <mount,subtree>  make subtree part of mount point's dir watches\n"
 
149
     "    -r <rate>           Set limit in messages/sec (0=none)\n"
 
150
     "    -R <file>           read rules from file\n"
 
151
     "    -s                  Report status\n"
 
152
     "    -S syscall          Build rule: syscall name or number\n"
 
153
     "    -t                  Trim directory watches\n"
 
154
     "    -v                  Version\n"
 
155
     "    -w <path>           Insert watch at <path>\n"
 
156
     "    -W <path>           Remove watch at <path>\n"
154
157
     );
155
158
}
156
159
 
226
229
 */
227
230
static int audit_setup_watch_name(struct audit_rule_data **rulep, char *path)
228
231
{
 
232
        int type = AUDIT_WATCH;
229
233
        size_t len;
 
234
        struct stat buf;
230
235
 
231
236
        if (check_path(path))
232
237
                return -1;
239
244
                        len--;
240
245
                }
241
246
        }
242
 
 
 
247
        if (stat(path, &buf) == 0) {
 
248
                if (S_ISDIR(buf.st_mode))
 
249
                        type = AUDIT_DIR;
 
250
        }
243
251
        /* FIXME: might want to check to see that rule is empty */
244
 
        if (audit_add_watch(rulep, path)) 
 
252
        if (audit_add_watch_dir(type, rulep, path)) 
245
253
                return -1;
246
254
 
247
255
        return 1;
286
294
        return -1;
287
295
}
288
296
 
 
297
static int equiv_parse(char *optarg, char **mp, char **sub)
 
298
{
 
299
        char *ptr = strchr(optarg, ',');
 
300
        if (ptr == NULL)
 
301
                return -1;      // no comma
 
302
        *ptr = 0;
 
303
        ptr++;
 
304
        if (*ptr == 0)
 
305
                return -1;      // ends with comma
 
306
        *mp = optarg;
 
307
        *sub = ptr;
 
308
        if (strchr(*sub, ','))
 
309
                return -1;      // too many commas
 
310
        return 0;
 
311
}
289
312
 
290
313
void audit_request_rule_list(int fd)
291
314
{
315
338
    optind = 0;
316
339
    opterr = 0;
317
340
    while ((retval >= 0) && (c = getopt(count, vars,
318
 
                        "hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
 
341
                        "hislDvte:f:r:b:a:A:d:S:F:m:R:w:W:k:p:q:")) != EOF) {
319
342
        int flags = AUDIT_FILTER_UNSET;
320
343
        rc = 10;        // Init to something impossible to see if unused.
321
344
        switch (c) {
746
769
                                retval = audit_setup_perms(rule_new, optarg);
747
770
                }
748
771
                break;
 
772
        case 'q':
 
773
                if (audit_syscalladded) {
 
774
                        fprintf(stderr, 
 
775
                           "Syscall auditing requested for make equivalent\n");
 
776
                        retval = -1;
 
777
                } else {
 
778
                        char *mp, *sub;
 
779
                        retval = equiv_parse(optarg, &mp, &sub);
 
780
                        if (retval < 0) {
 
781
                                fprintf(stderr, 
 
782
                           "Error parsing equivalent parts\n");
 
783
                                retval = -1;
 
784
                        } else {
 
785
                                retval = audit_make_equivalent(fd, mp, sub);
 
786
                                if (retval <= 0) {
 
787
                                        retval = -1;
 
788
                                } else
 
789
                                        return -2; // success - no reply needed
 
790
                        }
 
791
                }
 
792
                break;
 
793
        case 't':
 
794
                retval = audit_trim_subtrees(fd);
 
795
                if (retval <= 0)
 
796
                        retval = -1;
 
797
                else
 
798
                        return -2;  // success - no reply for this
 
799
                break;
749
800
        case 'v':
750
801
                printf("auditctl version %s\n", VERSION);
751
802
                retval = -2;