diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c
--- audit-3.0.orig/src/aureport-options.c	2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/aureport-options.c	2018-12-06 19:31:26.945634371 -0500
@@ -85,7 +85,8 @@
 	R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,  
 	R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
 	R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
-	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE };
+	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
+	R_DEBUG };
 
 static struct nv_pair optiontab[] = {
 	{ R_AUTH, "-au" },
@@ -98,6 +99,7 @@
 	{ R_CONFIGS, "--config" },
 	{ R_CRYPTO, "-cr" },
 	{ R_CRYPTO, "--crypto" },
+	{ R_DEBUG, "--debug" },
 	{ R_DEL, "--delete" },
 	{ R_EVENTS, "-e" },
 	{ R_EVENTS, "--event" },
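Review bot: `--debug` is added to `optiontab` without a short form, and none of the three hunks shown for aureport-options.c changes any help text, so the option is undocumented as far as this diff shows. If the usage output is printed from this file, add one line there that names `--debug` and says what setting `event_debug` changes in the report output. The declaration of `event_debug` is also outside the visible hunks.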
@@ -731,6 +733,9 @@
 		case R_DEL:
 			event_conf_act = C_DEL;
 			break;
+		case R_DEBUG:
+			event_debug = 1;
+			break;
 		case R_IN_LOGS:
 			force_logs = 1;
 			break;
diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
--- audit-3.0.orig/src/ausearch-parse.c	2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/ausearch-parse.c	2018-12-06 19:31:26.945634371 -0500
@@ -102,7 +102,8 @@
 				ret = parse_path(n, s);
 				break;
 			case AUDIT_USER:
-			case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+			case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
+			case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
 			case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
 				ret = parse_user(n, s);
 				break;
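Review bot: The split into `AUDIT_FIRST_USER_MSG...AUDIT_USER_END` and `AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG` only works if AUDIT_USER_AVC is the single value between those two constants, and nothing in the code says so. A comment above the two ranges would make the intent clear, for example `// AUDIT_USER_AVC is deliberately left out of these ranges; it is handled by parse_avc() below`. Without it, a later edit that merges the ranges back produces a duplicate case label with the `case AUDIT_USER_AVC:` added in the next hunk, and a record type added to that gap in future would silently fall out of parse_user(). The switch itself starts and ends outside this hunk.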
@@ -136,6 +137,7 @@
 				avc_parse_path(n, s);
 				break;
 			case AUDIT_AVC:
+			case AUDIT_USER_AVC:
 				ret = parse_avc(n, s);
 				break;
 			case AUDIT_NETFILTER_PKT:
@@ -1867,6 +1869,20 @@
 		*term = ' ';
 	}
 
+	// User AVC's are not formatted like a kernel AVC
+	if (n->type == AUDIT_USER_AVC) {
+		rc = parse_user(n, s);
+		if (rc > 20)
+			rc = 0;
+		if (audit_avc_init(s) == 0) {
+			alist_append(s->avc, &an);
+		} else {
+			rc = 10;
+			goto err;
+		}
+		return rc;
+	}
+
 	// get pid
 	if (event_pid != -1) {
 		str = strstr(term, "pid=");
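Review bot: `if (rc > 20) rc = 0;` in the new AUDIT_USER_AVC branch turns every parse_user() result above 20 into success without saying what those codes mean, so a user-space AVC record that parse_user() rejected may be reported as cleanly parsed. If the intent is to tolerate fields that a user AVC legitimately lacks, state that in a comment next to the threshold or replace the literal with a named constant; the meaning of the codes has to be confirmed against parse_user(), which is outside this hunk. Separately, when rc is nonzero but 20 or less, `an` is still appended to `s->avc` before the error is returned. Testing first, `if (rc) goto err;`, would avoid leaving an entry attached to a record that failed to parse. `an` and the `err` label are defined outside the hunk.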
diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
--- audit-3.0.orig/src/ausearch-parse.c	2018-10-03 19:46:52.000000000 -0400
+++ audit-3.0/src/ausearch-parse.c	2018-12-08 15:48:54.350009208 -0500
@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea
 	if (str) {
 		str += 5;
 		term = strchr(str, '{');
-		if (term == NULL)
-			return 1;
+		if (term == NULL) {
+			term = n->message;
+			goto other_avc;
+		}
 		if (event_success != S_UNSET) {
 			*term = 0;
 			// FIXME. Do not override syscall success if already
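Review bot: The new `goto other_avc` is taken for every record that has no `{`, not only for AUDIT_USER_AVC, so a kernel AVC without `{` that used to be rejected with `return 1` now falls through the `n->type == AUDIT_USER_AVC` test and continues into the pid and later field lookups with `term` reset to `n->message`. If only user AVCs are meant to take this path, keep the old rejection for the rest with `if (n->type != AUDIT_USER_AVC) return 1;` ahead of the `term = n->message;` line. The jump also skips the `event_success` block, so records taking this path are never compared against the success filter here; whether parse_user() covers that is not visible. The `other_avc:` label is added in the following hunk, and the body of parse_avc() continues outside both.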
@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea
 		*term = ' ';
 	}
 
+other_avc:
 	// User AVC's are not formatted like a kernel AVC
 	if (n->type == AUDIT_USER_AVC) {
 		rc = parse_user(n, s);