1 | /* SAMHAIN file system integrity testing */
|
---|
2 | /* Copyright (C) 2010 Rainer Wichmann */
|
---|
3 | /* */
|
---|
4 | /* This program is free software; you can redistribute it */
|
---|
5 | /* and/or modify */
|
---|
6 | /* it under the terms of the GNU General Public License as */
|
---|
7 | /* published by */
|
---|
8 | /* the Free Software Foundation; either version 2 of the License, or */
|
---|
9 | /* (at your option) any later version. */
|
---|
10 | /* */
|
---|
11 | /* This program is distributed in the hope that it will be useful, */
|
---|
12 | /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
|
---|
13 | /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
|
---|
14 | /* GNU General Public License for more details. */
|
---|
15 | /* */
|
---|
16 | /* You should have received a copy of the GNU General Public License */
|
---|
17 | /* along with this program; if not, write to the Free Software */
|
---|
18 | /* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
|
---|
19 |
|
---|
20 | #include "config_xor.h"
|
---|
21 |
|
---|
22 | #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
|
---|
23 |
|
---|
24 |
|
---|
25 | #include <stdio.h>
|
---|
26 | #include <stdlib.h>
|
---|
27 | #include <string.h>
|
---|
28 | #include <errno.h>
|
---|
29 | #include <unistd.h>
|
---|
30 | #include <fcntl.h>
|
---|
31 | #include <sys/stat.h>
|
---|
32 |
|
---|
33 | #include "samhain.h"
|
---|
34 | #include "sh_error.h"
|
---|
35 |
|
---|
36 | #undef FIL__
|
---|
37 | #define FIL__ _("sh_audit.c")
|
---|
38 |
|
---|
39 | #if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
|
---|
40 | #include <auparse.h>
|
---|
41 |
|
---|
42 | #include "sh_extern.h"
|
---|
43 | #include "sh_utils.h"
|
---|
44 |
|
---|
45 |
|
---|
46 | #define REC_SIZE_SYSCALL 32
|
---|
47 | #define REC_SIZE_EXE 64
|
---|
48 | #define REC_SIZE_SUCCESS 32
|
---|
49 |
|
---|
50 | struct recordState {
|
---|
51 | char syscall[REC_SIZE_SYSCALL];
|
---|
52 | char exe[REC_SIZE_EXE];
|
---|
53 | char success[REC_SIZE_SUCCESS];
|
---|
54 | unsigned int auid;
|
---|
55 | unsigned int uid;
|
---|
56 | unsigned int gid;
|
---|
57 | unsigned int euid;
|
---|
58 | unsigned int egid;
|
---|
59 | unsigned int fsuid;
|
---|
60 | unsigned int fsgid;
|
---|
61 | time_t time;
|
---|
62 | unsigned int milli;
|
---|
63 | };
|
---|
64 |
|
---|
65 | static int listRecords (auparse_state_t * au, struct recordState * state)
|
---|
66 | {
|
---|
67 | if (auparse_first_record(au) != 1)
|
---|
68 | return -1;
|
---|
69 |
|
---|
70 | state->time = auparse_get_time(au);
|
---|
71 | state->milli = auparse_get_milli(au);
|
---|
72 |
|
---|
73 | if (auparse_find_field(au, _("syscall")))
|
---|
74 | sl_strlcpy(state->syscall, auparse_interpret_field(au), REC_SIZE_SYSCALL);
|
---|
75 |
|
---|
76 | if (auparse_find_field(au, _("success")))
|
---|
77 | strncpy(state->success, auparse_interpret_field(au), REC_SIZE_SUCCESS);
|
---|
78 |
|
---|
79 | if (auparse_find_field(au, "uid"))
|
---|
80 | state->uid = auparse_get_field_int(au);
|
---|
81 | if (auparse_find_field(au, "gid"))
|
---|
82 | state->gid = auparse_get_field_int(au);
|
---|
83 |
|
---|
84 | if (auparse_find_field(au, _("euid")))
|
---|
85 | state->euid = auparse_get_field_int(au);
|
---|
86 | if (auparse_find_field(au, _("fsuid")))
|
---|
87 | state->fsuid = auparse_get_field_int(au);
|
---|
88 |
|
---|
89 | auparse_first_field(au);
|
---|
90 |
|
---|
91 | if (auparse_find_field(au, _("auid")))
|
---|
92 | state->auid = auparse_get_field_int(au);
|
---|
93 |
|
---|
94 | auparse_first_field(au);
|
---|
95 |
|
---|
96 | if (auparse_find_field(au, _("egid")))
|
---|
97 | state->egid = auparse_get_field_int(au);
|
---|
98 | if (auparse_find_field(au, _("fsgid")))
|
---|
99 | state->fsgid = auparse_get_field_int(au);
|
---|
100 |
|
---|
101 | auparse_first_field(au);
|
---|
102 |
|
---|
103 | if (auparse_find_field(au, "exe"))
|
---|
104 | sl_strlcpy(state->exe, auparse_interpret_field(au), REC_SIZE_EXE);
|
---|
105 |
|
---|
106 | return 0;
|
---|
107 | }
|
---|
108 |
|
---|
109 | static char * doAuparse (const char * file, time_t time, int tol, char * result, size_t rsize, int redo_flag)
|
---|
110 | {
|
---|
111 | struct recordState state;
|
---|
112 | struct recordState stateFetched;
|
---|
113 | unsigned int found_flag = 0;
|
---|
114 |
|
---|
115 | auparse_state_t * au = auparse_init(AUSOURCE_LOGS, NULL);
|
---|
116 |
|
---|
117 | if (!au)
|
---|
118 | {
|
---|
119 | char ebuf[SH_ERRBUF_SIZE];
|
---|
120 | int errnum = errno;
|
---|
121 |
|
---|
122 | sl_snprintf(ebuf, sizeof(ebuf), _("Error in auparse_init() - %s\n"),
|
---|
123 | strerror(errnum));
|
---|
124 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, errnum, MSG_E_SUBGEN,
|
---|
125 | ebuf,
|
---|
126 | _("doAuparse") );
|
---|
127 | return NULL;
|
---|
128 | }
|
---|
129 |
|
---|
130 | if (ausearch_add_interpreted_item(au, _("name"), "=", file,
|
---|
131 | AUSEARCH_RULE_CLEAR) != 0)
|
---|
132 | {
|
---|
133 | goto err;
|
---|
134 | }
|
---|
135 |
|
---|
136 | if (time != 0)
|
---|
137 | {
|
---|
138 | ausearch_add_timestamp_item(au, ">=", time-tol, 0, AUSEARCH_RULE_AND);
|
---|
139 | ausearch_add_timestamp_item(au, "<=", time+tol, 0, AUSEARCH_RULE_AND);
|
---|
140 | }
|
---|
141 |
|
---|
142 | if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD) != 0)
|
---|
143 | {
|
---|
144 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
|
---|
145 | _("Error in ausearch_set_stop\n"),
|
---|
146 | _("doAuparse") );
|
---|
147 | goto err;
|
---|
148 | }
|
---|
149 |
|
---|
150 | memset(&state, '\0', sizeof(state));
|
---|
151 |
|
---|
152 | while (ausearch_next_event(au) == 1)
|
---|
153 | {
|
---|
154 | memset(&stateFetched, '\0', sizeof(state));
|
---|
155 | listRecords(au, &stateFetched);
|
---|
156 | if (0 == strcmp(stateFetched.success, "yes"))
|
---|
157 | {
|
---|
158 | memcpy(&state, &stateFetched, sizeof(state));
|
---|
159 | ++found_flag;
|
---|
160 | }
|
---|
161 | auparse_next_event(au);
|
---|
162 | }
|
---|
163 |
|
---|
164 | if (found_flag == 0 && redo_flag == S_FALSE)
|
---|
165 | {
|
---|
166 | size_t len = strlen(file);
|
---|
167 | char * path = SH_ALLOC(len + 2);
|
---|
168 | char * altres;
|
---|
169 |
|
---|
170 | sl_strlcpy(path, file, len+2);
|
---|
171 | path[len] = '/'; path[len+1] = '\0';
|
---|
172 | auparse_destroy(au);
|
---|
173 |
|
---|
174 | altres = doAuparse(path, time, tol, result, rsize, S_TRUE);
|
---|
175 |
|
---|
176 | SH_FREE(path);
|
---|
177 | return altres;
|
---|
178 | }
|
---|
179 |
|
---|
180 | if (0 == strcmp(state.success, "yes"))
|
---|
181 | {
|
---|
182 | char time_str[81];
|
---|
183 | char * tmp_exe = sh_util_safe_name(state.exe);
|
---|
184 |
|
---|
185 | (void) sh_unix_gmttime (state.time, time_str, sizeof(time_str));
|
---|
186 | sl_snprintf(result, rsize,
|
---|
187 | _("time=%lu.%u, timestamp=%s, syscall=%s, auid=%u, uid=%u, gid=%u, euid=%u, egid=%u, fsuid=%u, fsgid=%u, exe=%s"),
|
---|
188 | (unsigned long) state.time, state.milli, time_str,
|
---|
189 | state.syscall,
|
---|
190 | state.auid, state.uid, state.gid, state.euid, state.egid,
|
---|
191 | state.fsuid, state.fsgid, tmp_exe);
|
---|
192 | SH_FREE(tmp_exe);
|
---|
193 | auparse_destroy(au);
|
---|
194 | return result;
|
---|
195 | }
|
---|
196 |
|
---|
197 | err:
|
---|
198 | auparse_destroy(au);
|
---|
199 | return NULL;
|
---|
200 | }
|
---|
201 |
|
---|
202 | #define SH_AUDIT_DEF "wa"
|
---|
203 | static char sh_audit_flags[32] = SH_AUDIT_DEF;
|
---|
204 |
|
---|
205 | int sh_audit_set_flags(const char * str)
|
---|
206 | {
|
---|
207 | if (!str || strlen(str) >= sizeof(sh_audit_flags))
|
---|
208 | return -1;
|
---|
209 | sl_strlcpy(sh_audit_flags, str, sizeof(sh_audit_flags));
|
---|
210 | return 0;
|
---|
211 | }
|
---|
212 | static void reset_audit_flags()
|
---|
213 | {
|
---|
214 | sl_strlcpy(sh_audit_flags, SH_AUDIT_DEF, sizeof(sh_audit_flags));
|
---|
215 | return;
|
---|
216 | }
|
---|
217 |
|
---|
218 |
|
---|
219 | static int sh_audit_checkdaemon();
|
---|
220 | static int actl_pnum = -1;
|
---|
221 | static char * actl_paths[4] =
|
---|
222 | {
|
---|
223 | N_("/sbin/auditctl"),
|
---|
224 | N_("/usr/sbin/auditctl"),
|
---|
225 | N_("/bin/auditctl"),
|
---|
226 | N_("/usr/bin/auditctl")
|
---|
227 | };
|
---|
228 |
|
---|
229 | static char * getflags (char * file);
|
---|
230 |
|
---|
231 | /* Public function to fetch an audit record for path 'file', time 'time'
|
---|
232 | * The 'result' array should be sized ~256 char.
|
---|
233 | */
|
---|
234 | char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize)
|
---|
235 | {
|
---|
236 | char * res = NULL;
|
---|
237 | char * flags = getflags(file);
|
---|
238 |
|
---|
239 | if (sh_audit_checkdaemon() >= 0)
|
---|
240 | {
|
---|
241 | time_t new;
|
---|
242 |
|
---|
243 | if (flags && (strchr(flags, 'r') || strchr(flags, 'x')) && atime >= ctime && atime >= mtime) { new = atime; }
|
---|
244 | else if (mtime >= ctime) { new = mtime; }
|
---|
245 | else { new = ctime; }
|
---|
246 |
|
---|
247 | res = doAuparse (file, new, 1, result, rsize, S_FALSE);
|
---|
248 |
|
---|
249 | if (!res)
|
---|
250 | {
|
---|
251 | res = doAuparse (file, new, 3, result, rsize, S_FALSE);
|
---|
252 | }
|
---|
253 |
|
---|
254 | }
|
---|
255 | return res;
|
---|
256 | }
|
---|
257 |
|
---|
258 | void sh_audit_delete_all ()
|
---|
259 | {
|
---|
260 | int p = sh_audit_checkdaemon();
|
---|
261 |
|
---|
262 | if (p >= 0)
|
---|
263 | {
|
---|
264 | char ctl[64];
|
---|
265 |
|
---|
266 | sl_snprintf(ctl, sizeof(ctl), _("%s -D -k samhain"),
|
---|
267 | _(actl_paths[p]));
|
---|
268 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
269 | 0, MSG_E_SUBGEN,
|
---|
270 | _("Deleting audit daemon rules with key samhain"),
|
---|
271 | _("sh_audit_delete_all") );
|
---|
272 |
|
---|
273 | sl_strlcpy(ctl, _(actl_paths[p]), sizeof(ctl));
|
---|
274 | sh_ext_system(ctl, ctl, "-D", "-k", _("samhain"), NULL);
|
---|
275 | }
|
---|
276 | reset_audit_flags();
|
---|
277 | return;
|
---|
278 | }
|
---|
279 |
|
---|
280 | static int sh_audit_isdir(const char * file)
|
---|
281 | {
|
---|
282 | struct stat buf;
|
---|
283 |
|
---|
284 | if ( (0 == lstat (file, &buf)) && S_ISDIR(buf.st_mode))
|
---|
285 | return S_TRUE;
|
---|
286 | return S_FALSE;
|
---|
287 | }
|
---|
288 |
|
---|
289 | static void sh_audit_mark_int (const char * file, const char * flags)
|
---|
290 | {
|
---|
291 | static int flushRules = 0;
|
---|
292 |
|
---|
293 | int p = sh_audit_checkdaemon();
|
---|
294 |
|
---|
295 | /* Flush all rules at startup.
|
---|
296 | */
|
---|
297 | if (flushRules == 0)
|
---|
298 | {
|
---|
299 | sh_audit_delete_all ();
|
---|
300 | flushRules = 1;
|
---|
301 | }
|
---|
302 |
|
---|
303 | if (p >= 0)
|
---|
304 | {
|
---|
305 | size_t len = strlen(file) + 64;
|
---|
306 | char * command = SH_ALLOC(len);
|
---|
307 | char * safe;
|
---|
308 | char ctl[64];
|
---|
309 | char a1[32];
|
---|
310 | char a2[32];
|
---|
311 | char a3[32];
|
---|
312 | char a4[32];
|
---|
313 |
|
---|
314 | sl_snprintf(command, len, _("%s -w %s -p %s -k samhain"),
|
---|
315 | _(actl_paths[p]), file, flags);
|
---|
316 |
|
---|
317 | safe = sh_util_safe_name_keepspace(command);
|
---|
318 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
319 | 0, MSG_E_SUBGEN,
|
---|
320 | safe,
|
---|
321 | _("sh_audit_mark") );
|
---|
322 |
|
---|
323 | SH_FREE(safe);
|
---|
324 |
|
---|
325 | sl_strlcpy(ctl, _(actl_paths[p]), sizeof(ctl));
|
---|
326 | sl_strlcpy(command, file, len);
|
---|
327 |
|
---|
328 | sl_strlcpy(a3, _("samhain"), sizeof(a3));
|
---|
329 | sl_strlcpy(a4, flags, sizeof(a4));
|
---|
330 | sh_ext_system(ctl, ctl, "-w", command, "-p", a4, "-k", a3, NULL);
|
---|
331 |
|
---|
332 | /* Placing a watch on a directory will not place a watch on the
|
---|
333 | * directory inode, so we do this explicitely.
|
---|
334 | */
|
---|
335 | if (S_TRUE == sh_audit_isdir(file))
|
---|
336 | {
|
---|
337 | safe = sh_util_safe_name(file);
|
---|
338 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
339 | 0, MSG_E_SUBGPATH,
|
---|
340 | _("Add path watch for directory"),
|
---|
341 | _("sh_audit_mark_int"), safe );
|
---|
342 | SH_FREE(safe);
|
---|
343 | sl_strlcpy(command, _("path="), len);
|
---|
344 | sl_strlcat(command, file, len);
|
---|
345 | sl_strlcpy(a1, _("always,exit"), sizeof(a1));
|
---|
346 | sl_strlcpy(a2, _("perm="), sizeof(a2));
|
---|
347 | sl_strlcat(a2, flags, sizeof(a2));
|
---|
348 | sh_ext_system(ctl, ctl, "-a", a1, "-F", command, "-F", a2, "-k", a3, NULL);
|
---|
349 | }
|
---|
350 | SH_FREE(command);
|
---|
351 | }
|
---|
352 | return;
|
---|
353 | }
|
---|
354 |
|
---|
355 | #define SH_AU_FLAGS_SIZ 32
|
---|
356 | struct aud_list {
|
---|
357 | char * file;
|
---|
358 | char flags[SH_AU_FLAGS_SIZ];
|
---|
359 | struct aud_list * next;
|
---|
360 | };
|
---|
361 |
|
---|
362 | struct aud_list * mark_these = NULL;
|
---|
363 | static int marked_committed = 0;
|
---|
364 |
|
---|
365 | static void delete_listofmarked()
|
---|
366 | {
|
---|
367 | struct aud_list * tmp;
|
---|
368 | struct aud_list * this = mark_these;
|
---|
369 |
|
---|
370 | mark_these = NULL;
|
---|
371 |
|
---|
372 | while (this)
|
---|
373 | {
|
---|
374 | tmp = this;
|
---|
375 | this = this->next;
|
---|
376 |
|
---|
377 | SH_FREE(tmp->file);
|
---|
378 | SH_FREE(tmp);
|
---|
379 | }
|
---|
380 | marked_committed = 0;
|
---|
381 | }
|
---|
382 |
|
---|
383 | static char * getflags (char * file)
|
---|
384 | {
|
---|
385 | struct aud_list * this = mark_these;
|
---|
386 |
|
---|
387 | while (this)
|
---|
388 | {
|
---|
389 | if (0 == strcmp(file, this->file))
|
---|
390 | return this->flags;
|
---|
391 | this = this->next;
|
---|
392 | }
|
---|
393 | /* no explicit rule for this file */
|
---|
394 | return NULL;
|
---|
395 | }
|
---|
396 |
|
---|
397 | static void add_this (char * file)
|
---|
398 | {
|
---|
399 | struct aud_list * this = SH_ALLOC(sizeof(struct aud_list));
|
---|
400 | size_t len = strlen(file);
|
---|
401 |
|
---|
402 | this->file = sh_util_strdup(file);
|
---|
403 |
|
---|
404 | /* strip trailing '/' */
|
---|
405 | if ((len > 1) && (file[len-1] == '/'))
|
---|
406 | this->file[len-1] = '\0';
|
---|
407 |
|
---|
408 | sl_strlcpy(this->flags, sh_audit_flags, SH_AU_FLAGS_SIZ);
|
---|
409 |
|
---|
410 | this->next = mark_these;
|
---|
411 | mark_these = this;
|
---|
412 | return;
|
---|
413 | }
|
---|
414 |
|
---|
415 | /* Check whether it is already covered by a higher directory
|
---|
416 | */
|
---|
417 | static int test_exchange (struct aud_list * this, char * file)
|
---|
418 | {
|
---|
419 | size_t len0 = sl_strlen(this->file);
|
---|
420 | size_t len1 = sl_strlen(file);
|
---|
421 | int ret = -1;
|
---|
422 |
|
---|
423 | if (len0 == len1)
|
---|
424 | {
|
---|
425 | return strcmp(this->file, file);
|
---|
426 | }
|
---|
427 | else
|
---|
428 | {
|
---|
429 | if (0 == strcmp(this->flags, sh_audit_flags))
|
---|
430 | {
|
---|
431 | char * s0 = SH_ALLOC(len0 + 2);
|
---|
432 | char * s1 = SH_ALLOC(len1 + 2);
|
---|
433 |
|
---|
434 | sl_strlcpy(s0, this->file, len0 + 2);
|
---|
435 | sl_strlcpy(s1, file, len1 + 2);
|
---|
436 |
|
---|
437 | if (s0 < s1)
|
---|
438 | {
|
---|
439 | sl_strlcat(s0, "/", len0 + 2);
|
---|
440 | ret = strncmp(s0, s1, len0 + 1);
|
---|
441 | }
|
---|
442 | else
|
---|
443 | {
|
---|
444 | sl_strlcat(s1, "/", len1 + 2);
|
---|
445 | if (0 == strncmp(s0, s1, len1 + 1))
|
---|
446 | {
|
---|
447 | size_t len = strlen(file);
|
---|
448 | SH_FREE(this->file);
|
---|
449 | this->file = sh_util_strdup(file);
|
---|
450 | if ((len > 1) && (file[len-1] == '/'))
|
---|
451 | this->file[len-1] = '\0';
|
---|
452 | ret = 0;
|
---|
453 | }
|
---|
454 | }
|
---|
455 | SH_FREE(s0);
|
---|
456 | SH_FREE(s1);
|
---|
457 | }
|
---|
458 | }
|
---|
459 |
|
---|
460 | return ret;
|
---|
461 | }
|
---|
462 |
|
---|
463 | /* Place a path on the list of of paths to be watched
|
---|
464 | */
|
---|
465 | void sh_audit_mark (char * file)
|
---|
466 | {
|
---|
467 | struct aud_list * this;
|
---|
468 |
|
---|
469 | if (marked_committed != 0)
|
---|
470 | delete_listofmarked();
|
---|
471 |
|
---|
472 | if (!mark_these) {
|
---|
473 | add_this (file);
|
---|
474 | return;
|
---|
475 | }
|
---|
476 |
|
---|
477 | this = mark_these;
|
---|
478 |
|
---|
479 | while (this)
|
---|
480 | {
|
---|
481 | /* Check whether it is already covered by a higher
|
---|
482 | * directory
|
---|
483 | */
|
---|
484 | if (0 == test_exchange(this, file))
|
---|
485 | return;
|
---|
486 |
|
---|
487 | this = this->next;
|
---|
488 | }
|
---|
489 |
|
---|
490 | add_this (file);
|
---|
491 | return;
|
---|
492 | }
|
---|
493 |
|
---|
494 | void sh_audit_commit ()
|
---|
495 | {
|
---|
496 | struct aud_list * this = mark_these;
|
---|
497 |
|
---|
498 | while (this)
|
---|
499 | {
|
---|
500 | sh_audit_mark_int (this->file, this->flags);
|
---|
501 | this = this->next;
|
---|
502 | }
|
---|
503 | marked_committed = 1;
|
---|
504 | }
|
---|
505 |
|
---|
506 | static int sh_audit_checkdaemon()
|
---|
507 | {
|
---|
508 | int i;
|
---|
509 | static int flag = 0;
|
---|
510 | char command[64];
|
---|
511 | char * p;
|
---|
512 |
|
---|
513 | if (flag != 0)
|
---|
514 | return -1;
|
---|
515 |
|
---|
516 | if (actl_pnum >= 0)
|
---|
517 | return actl_pnum;
|
---|
518 |
|
---|
519 | for (i = 0; i < 4; ++i)
|
---|
520 | {
|
---|
521 | if (0 == access(_(actl_paths[i]), F_OK))/* flawfinder: ignore */
|
---|
522 | {
|
---|
523 | if (0 == access(_(actl_paths[i]), X_OK))/* flawfinder: ignore */
|
---|
524 | {
|
---|
525 | actl_pnum = i;
|
---|
526 | break;
|
---|
527 | }
|
---|
528 | else
|
---|
529 | {
|
---|
530 | char ebuf[SH_ERRBUF_SIZE];
|
---|
531 | int errnum = errno;
|
---|
532 |
|
---|
533 | sl_snprintf(ebuf, sizeof(ebuf),
|
---|
534 | _("Cannot execute auditctl - %s\n"),
|
---|
535 | strerror(errnum));
|
---|
536 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
537 | errnum, MSG_E_SUBGEN,
|
---|
538 | ebuf,
|
---|
539 | _("sh_audit_checkdaemon") );
|
---|
540 | flag = 1;
|
---|
541 | actl_pnum = -1;
|
---|
542 | return -1;
|
---|
543 | }
|
---|
544 | }
|
---|
545 | }
|
---|
546 |
|
---|
547 | if (actl_pnum == -1 && flag == 0)
|
---|
548 | {
|
---|
549 | char ebuf[SH_ERRBUF_SIZE];
|
---|
550 | int errnum = errno;
|
---|
551 |
|
---|
552 | sl_snprintf(ebuf, sizeof(ebuf),
|
---|
553 | _("Cannot find auditctl - %s\n"),
|
---|
554 | strerror(errnum));
|
---|
555 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
556 | errnum, MSG_E_SUBGEN,
|
---|
557 | ebuf,
|
---|
558 | _("sh_audit_checkdaemon") );
|
---|
559 | flag = 1;
|
---|
560 | actl_pnum = -1;
|
---|
561 | return -1;
|
---|
562 | }
|
---|
563 |
|
---|
564 | /* We found an executable auditctl */
|
---|
565 |
|
---|
566 | sl_snprintf(command, sizeof(command), _("%s -s"), _(actl_paths[actl_pnum]));
|
---|
567 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
568 | 0, MSG_E_SUBGEN,
|
---|
569 | command,
|
---|
570 | _("sh_audit_checkdaemon") );
|
---|
571 | p = sh_ext_popen_str (command);
|
---|
572 |
|
---|
573 | if (p)
|
---|
574 | {
|
---|
575 | int retval = -1;
|
---|
576 | if (strstr(p, _(" pid=0 ")))
|
---|
577 | {
|
---|
578 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
579 | 0, MSG_E_SUBGEN,
|
---|
580 | _("Audit daemon for Linux kernel audit system is not running"),
|
---|
581 | _("sh_audit_checkdaemon") );
|
---|
582 | flag = 1;
|
---|
583 | actl_pnum = -1;
|
---|
584 | }
|
---|
585 | else
|
---|
586 | {
|
---|
587 | retval = actl_pnum;
|
---|
588 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
589 | retval, MSG_E_SUBGEN,
|
---|
590 | _("Audit daemon is running"),
|
---|
591 | _("sh_audit_checkdaemon") );
|
---|
592 | }
|
---|
593 | SH_FREE(p);
|
---|
594 | return retval;
|
---|
595 | }
|
---|
596 |
|
---|
597 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
598 | errno, MSG_E_SUBGEN,
|
---|
599 | _("No output from auditctl -s"),
|
---|
600 | _("sh_audit_checkdaemon") );
|
---|
601 | flag = 1;
|
---|
602 | actl_pnum = -1;
|
---|
603 | return -1;
|
---|
604 | }
|
---|
605 |
|
---|
606 | /* HAVE_AUPARSE_H */
|
---|
607 | #else
|
---|
608 | char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize)
|
---|
609 | {
|
---|
610 | (void) file;
|
---|
611 | (void) mtime;
|
---|
612 | (void) ctime;
|
---|
613 | (void) atime;
|
---|
614 | (void) result;
|
---|
615 | (void) rsize;
|
---|
616 |
|
---|
617 | return 0;
|
---|
618 | }
|
---|
619 | void sh_audit_mark (const char * file)
|
---|
620 | {
|
---|
621 | (void) file;
|
---|
622 | sh_error_handle(SH_ERR_WARN, FIL__, __LINE__, 0, MSG_E_SUBGEN,
|
---|
623 | _("Setting audit watch not supported"),
|
---|
624 | _("sh_audit_mark"));
|
---|
625 | return;
|
---|
626 | }
|
---|
627 | void sh_audit_delete_all ()
|
---|
628 | {
|
---|
629 | return;
|
---|
630 | }
|
---|
631 | void sh_audit_commit ()
|
---|
632 | {
|
---|
633 | return;
|
---|
634 | }
|
---|
635 | int sh_audit_set_flags(const char * str)
|
---|
636 | {
|
---|
637 | (void) str;
|
---|
638 | return -1;
|
---|
639 | }
|
---|
640 | #endif
|
---|
641 |
|
---|
642 | /* client || standalone */
|
---|
643 | #endif
|
---|
644 |
|
---|