2 * Copyright 2008,2010-2011 Red Hat Inc., Durham, North Carolina.
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Steve Grubb <sgrubb@redhat.com>
35 #include "prelude-config.h"
37 /* Local prototypes */
48 int (*parser)(struct nv_pair *, int, prelude_conf_t *);
/*
 * Keyword handlers.  load_config() dispatches each "name = value [option]"
 * line to one of these through the keywords[] table; by the convention
 * visible in load_config(), a handler logs its own error with syslog() and
 * returns non-zero to abort the load, 0 on success.
 */
58 static char *get_line(FILE *f, char *buf);
59 static int nv_split(char *buf, struct nv_pair *nv);
60 static const struct kw_pair *kw_lookup(const char *val);
61 static int profile_parser(struct nv_pair *nv, int line,
62 prelude_conf_t *config);
63 static int avc_parser(struct nv_pair *nv, int line,
64 prelude_conf_t *config);
65 static int avc_act_parser(struct nv_pair *nv, int line,
66 prelude_conf_t *config);
67 static int login_parser(struct nv_pair *nv, int line,
68 prelude_conf_t *config);
69 static int login_act_parser(struct nv_pair *nv, int line,
70 prelude_conf_t *config);
71 static int login_failure_parser(struct nv_pair *nv, int line,
72 prelude_conf_t *config);
73 static int login_failure_act_parser(struct nv_pair *nv, int line,
74 prelude_conf_t *config);
75 static int login_session_parser(struct nv_pair *nv, int line,
76 prelude_conf_t *config);
77 static int login_session_act_parser(struct nv_pair *nv, int line,
78 prelude_conf_t *config);
79 static int login_location_parser(struct nv_pair *nv, int line,
80 prelude_conf_t *config);
81 static int login_location_act_parser(struct nv_pair *nv, int line,
82 prelude_conf_t *config);
83 static int login_time_parser(struct nv_pair *nv, int line,
84 prelude_conf_t *config);
85 static int login_time_act_parser(struct nv_pair *nv, int line,
86 prelude_conf_t *config);
87 static int abends_parser(struct nv_pair *nv, int line,
88 prelude_conf_t *config);
89 static int abends_act_parser(struct nv_pair *nv, int line,
90 prelude_conf_t *config);
91 static int promiscuous_parser(struct nv_pair *nv, int line,
92 prelude_conf_t *config);
93 static int promiscuous_act_parser(struct nv_pair *nv, int line,
94 prelude_conf_t *config);
95 static int mac_status_parser(struct nv_pair *nv, int line,
96 prelude_conf_t *config);
97 static int mac_status_act_parser(struct nv_pair *nv, int line,
98 prelude_conf_t *config);
99 static int group_auth_parser(struct nv_pair *nv, int line,
100 prelude_conf_t *config);
101 static int group_auth_act_parser(struct nv_pair *nv, int line,
102 prelude_conf_t *config);
103 static int watched_acct_parser(struct nv_pair *nv, int line,
104 prelude_conf_t *config);
105 static int watched_acct_act_parser(struct nv_pair *nv, int line,
106 prelude_conf_t *config);
107 static int watched_accounts_parser(struct nv_pair *nv, int line,
108 prelude_conf_t *config);
109 static int watched_syscall_parser(struct nv_pair *nv, int line,
110 prelude_conf_t *config);
111 static int watched_syscall_act_parser(struct nv_pair *nv, int line,
112 prelude_conf_t *config);
113 static int watched_file_parser(struct nv_pair *nv, int line,
114 prelude_conf_t *config);
115 static int watched_file_act_parser(struct nv_pair *nv, int line,
116 prelude_conf_t *config);
117 static int watched_exec_parser(struct nv_pair *nv, int line,
118 prelude_conf_t *config);
119 static int watched_exec_act_parser(struct nv_pair *nv, int line,
120 prelude_conf_t *config);
121 static int watched_mk_exe_parser(struct nv_pair *nv, int line,
122 prelude_conf_t *config);
123 static int watched_mk_exe_act_parser(struct nv_pair *nv, int line,
124 prelude_conf_t *config);
125 static int tty_parser(struct nv_pair *nv, int line,
126 prelude_conf_t *config);
127 static int tty_act_parser(struct nv_pair *nv, int line,
128 prelude_conf_t *config);
129 static int sanity_check(prelude_conf_t *config, const char *file);
/*
 * Config keyword -> handler dispatch table.  Matching is case-insensitive
 * (kw_lookup() uses strcasecmp).  The third field is max_options, the
 * number of extra tokens allowed after the value: load_config() rejects any
 * option token for a keyword whose max_options is 0, so only
 * watched_accounts may carry one.  kw_lookup() and load_config() stop on an
 * entry whose name is NULL, so the table must end with a NULL sentinel
 * (the terminator is not shown in this view).
 */
131 static const struct kw_pair keywords[] =
133 {"profile", profile_parser, 0 },
134 {"detect_avc", avc_parser, 0 },
135 {"avc_action", avc_act_parser, 0 },
136 {"detect_logins", login_parser, 0 },
137 {"login_action", login_act_parser, 0 },
138 {"detect_login_fail_max", login_failure_parser, 0 },
139 {"login_fail_max_action", login_failure_act_parser, 0 },
140 {"detect_login_session_max", login_session_parser, 0 },
141 {"login_session_max_action", login_session_act_parser, 0 },
142 {"detect_login_location", login_location_parser, 0 },
143 {"login_location_action", login_location_act_parser, 0 },
144 {"detect_login_time", login_time_parser, 0 },
145 {"login_time_action", login_time_act_parser, 0 },
146 {"detect_abend", abends_parser, 0 },
147 {"abend_action", abends_act_parser, 0 },
148 {"detect_promiscuous", promiscuous_parser, 0 },
149 {"promiscuous_action", promiscuous_act_parser, 0 },
150 {"detect_mac_status", mac_status_parser, 0 },
151 {"mac_status_action", mac_status_act_parser, 0 },
152 {"detect_group_auth", group_auth_parser, 0 },
153 {"group_auth_action", group_auth_act_parser, 0 },
154 {"detect_watched_acct", watched_acct_parser, 0 },
155 {"watched_acct_action", watched_acct_act_parser, 0 },
/* the only keyword that accepts a second token after the value */
156 {"watched_accounts", watched_accounts_parser, 1 },
157 {"detect_watched_syscall", watched_syscall_parser, 0 },
158 {"watched_syscall_action", watched_syscall_act_parser, 0 },
159 {"detect_watched_file", watched_file_parser, 0 },
160 {"watched_file_action", watched_file_act_parser, 0 },
161 {"detect_watched_exec", watched_exec_parser, 0 },
162 {"watched_exec_action", watched_exec_act_parser, 0 },
163 {"detect_watched_mk_exe", watched_mk_exe_parser, 0 },
164 {"watched_mk_exe_action", watched_mk_exe_act_parser, 0 },
165 {"detect_tty", tty_parser, 0 },
166 {"tty_action", tty_act_parser, 0 },
170 static const struct nv_list enabler_words[] =
/*
 * Accepted "*_action" values, matched case-insensitively by lookup_action().
 * The destructive actions are commented out, so a config line asking for
 * kill/session/single/halt is rejected as "Option ... not found" rather
 * than acted on; re-enabling any of them widens what a root-writable config
 * can make the plugin do.  NOTE(review): the entry for A_IDMEF, which
 * clear_config() uses as the default, is not visible in this view --
 * confirm it is present.
 */
177 static const struct nv_list action_words[] =
179 {"ignore", A_IGNORE },
181 // {"kill", A_KILL },
182 // {"session", A_SESSION },
183 // {"single", A_SINGLE },
184 // {"halt", A_HALT },
189 * Set everything to its default value
/*
 * Reset `config` to the built-in defaults: every detector enabled (E_YES),
 * every action A_IDMEF, profile "auditd", and an empty watched-account list.
 * These are also the settings the plugin runs with when load_config() finds
 * no config file at all (ENOENT is logged as "skipping", not as an error).
 *
 * NOTE(review): strdup() is unchecked -- on allocation failure profile is
 * left NULL for whatever later dereferences it.
 * NOTE(review): a profile string from an earlier load is overwritten here
 * without free(); a caller that reloads must call free_config() first or
 * the previous string leaks.
 * NOTE(review): config->tty is not initialised in the lines shown here,
 * although tty_act is -- confirm the enabler has a default elsewhere.
 */
191 void clear_config(prelude_conf_t *config)
193 config->profile = strdup("auditd");
194 config->avcs = E_YES;
195 config->avcs_act = A_IDMEF;
196 config->logins = E_YES;
197 config->logins_act = A_IDMEF;
198 config->login_failure_max = E_YES;
199 config->login_failure_max_act = A_IDMEF;
200 config->login_session_max = E_YES;
201 config->login_session_max_act = A_IDMEF;
202 config->login_location = E_YES;
203 config->login_location_act = A_IDMEF;
204 config->login_time = E_YES;
205 config->login_time_act = A_IDMEF;
206 config->abends = E_YES;
207 config->abends_act = A_IDMEF;
208 config->promiscuous = E_YES;
209 config->promiscuous_act = A_IDMEF;
210 config->mac_status = E_YES;
211 config->mac_status_act = A_IDMEF;
212 config->group_auth = E_YES;
213 config->group_auth_act = A_IDMEF;
214 config->watched_acct = E_YES;
215 config->watched_acct_act = A_IDMEF;
216 config->watched_syscall = E_YES;
217 config->watched_syscall_act = A_IDMEF;
218 config->watched_file = E_YES;
219 config->watched_file_act = A_IDMEF;
220 config->watched_exec = E_YES;
221 config->watched_exec_act = A_IDMEF;
222 config->watched_mk_exe = E_YES;
223 config->watched_mk_exe_act = A_IDMEF;
225 config->tty_act = A_IDMEF;
226 ilist_create(&config->watched_accounts);
/*
 * Load the plugin configuration from `file` into `config`.
 *
 * Starts from clear_config() defaults, so a missing file (ENOENT) yields a
 * fully-enabled default configuration rather than a failure; any other
 * open/validation error returns 1 after a syslog() message.  When every
 * line has been consumed the result of sanity_check() is returned.
 *
 * Trust boundary: the file is honoured only if it is a regular file, owned
 * by root and not world-writable.  The checks are made with fstat() on the
 * descriptor that is subsequently read -- not stat() on the path -- which
 * closes the check-then-open race.  NOTE(review): group-writability is not
 * checked; a root-owned file writable by some non-root group passes.  If
 * that matters here, widen the test to `st.st_mode & (S_IWGRP | S_IWOTH)`.
 * NOTE(review): the open flags in `mode` are set in lines not shown in
 * this view (O_NOFOLLOW would be the usual hardening); confirm.
 */
229 int load_config(prelude_conf_t *config, const char *file)
231 int fd, rc, mode, lineno = 1;
/* defaults first, so an absent file leaves a usable config */
236 clear_config(config);
240 rc = open(file, mode);
/* ENOENT is informational (run on defaults); any other open error is fatal */
243 if (errno != ENOENT) {
244 syslog(LOG_ERR, "Error opening %s (%s)", file,
249 "Config file %s doesn't exist, skipping", file);
/* permission checks are done on the open descriptor, not the path name */
254 /* check the file's permissions: owned by root, not world writable,
257 if (fstat(fd, &st) < 0) {
259 syslog(LOG_ERR, "Error fstat'ing config file (%s)",
264 if (st.st_uid != 0) {
266 syslog(LOG_ERR, "Error - %s isn't owned by root",
271 if ((st.st_mode & S_IWOTH) == S_IWOTH) {
273 syslog(LOG_ERR, "Error - %s is world writable",
278 if (!S_ISREG(st.st_mode)) {
280 syslog(LOG_ERR, "Error - %s is not a regular file",
282 /* it's ok, read line by line */
/* "rm": read-only; the "m" is presumably the glibc mmap hint -- confirm */
287 f = fdopen(fd, "rm");
290 syslog(LOG_ERR, "Error - fdopen failed (%s)",
/* get_line() reads into `buf`, whose size must match the 128 in get_line() */
296 while (get_line(f, buf)) {
297 // convert line into name-value pair
298 const struct kw_pair *kw;
/* nv_split() return codes: 0 ok, 1 bad token count, 2 missing '=' */
300 rc = nv_split(buf, &nv);
304 case 1: // not the right number of tokens.
306 "Wrong number of arguments for line %d in %s",
309 case 2: // no '=' sign
311 "Missing equal sign for line %d in %s",
314 default: // something else went wrong...
316 "Unknown error for line %d in %s",
/* blank / comment lines come back with no name and are skipped */
320 if (nv.name == NULL) {
324 if (nv.value == NULL) {
330 /* identify keyword or error */
/* kw_lookup() hands back the NULL-named sentinel entry when nothing matches */
331 kw = kw_lookup(nv.name);
332 if (kw->name == NULL) {
335 "Unknown keyword \"%s\" in line %d of %s",
336 nv.name, lineno, file);
341 /* Check number of options */
/* trailing tokens are only legal for keywords with max_options != 0 */
342 if (kw->max_options == 0 && nv.option != NULL) {
345 "Keyword \"%s\" has invalid option "
346 "\"%s\" in line %d of %s",
347 nv.name, nv.option, lineno, file);
352 /* dispatch to keyword's local parser */
353 rc = kw->parser(&nv, lineno, config);
357 return 1; // local parser puts message out
/* cross-field validation once every line has been applied */
365 return sanity_check(config, file);
/*
 * Read one line of `f` into `buf` and strip the trailing newline.
 *
 * NOTE(review): the hard-coded 128 is the size of the caller's buffer,
 * declared in load_config() outside this view -- keep the two in sync (a
 * shared constant would be safer than a literal in each place).  fgets()
 * stops after 127 bytes, so a longer line comes back in pieces and the
 * remainder is parsed as if it were a fresh line: error messages then carry
 * the wrong line number and an over-long directive can be misread.
 * Only '\n' (0x0a) is looked for; a CRLF file leaves '\r' on the last
 * token, which would then fail the case-insensitive lookups.
 */
369 static char *get_line(FILE *f, char *buf)
371 if (fgets_unlocked(buf, 128, f)) {
373 char *ptr = strchr(buf, 0x0a);
/*
 * Split a config line in place into name / "=" / value [option].
 *
 * Tokens are separated by the single space character only (strtok_r on
 * " "), so tabs are not separators and the '=' must stand alone: "a=b" is
 * reported as a missing equal sign.  The nv fields point into `buf`, so
 * they are valid only while the caller's line buffer is.  Return codes are
 * the ones load_config() switches on: 0 for a good line (and, presumably,
 * for a blank or comment line with the name left unset), 1 for a wrong
 * number of tokens, 2 when the second token is not "=".
 */
381 static int nv_split(char *buf, struct nv_pair *nv)
383 /* Get the name part */
384 char *ptr, *saved = NULL;
389 ptr = strtok_r(buf, " ", &saved);
391 return 0; /* If there's nothing, go to next line */
393 return 0; /* If there's a comment, go to next line */
396 /* Check for a '=' */
397 ptr = strtok_r(NULL, " ", &saved);
400 if (strcmp(ptr, "=") != 0)
/* the value token; any option token(s) are handled in lines not shown here */
404 ptr = strtok_r(NULL, " ", &saved);
409 /* Everything is OK */
/*
 * Find the keywords[] entry for `val`, matching case-insensitively.
 * Relies on the NULL-named sentinel terminating the table: when nothing
 * matches the loop stops on the sentinel and (presumably) that entry is
 * returned, which is why load_config() tests kw->name == NULL instead of
 * testing for a NULL pointer.
 */
413 static const struct kw_pair *kw_lookup(const char *val)
416 while (keywords[i].name != NULL) {
417 if (strcasecmp(keywords[i].name, val) == 0)
/*
 * profile = <name>: replace the prelude profile string.
 * NOTE(review): strdup() is unchecked, so an allocation failure leaves
 * config->profile NULL after the old string has already been freed.  Take
 * the copy first, and on NULL log and `return 1;` the way the other
 * parsers do for bad input, before freeing the old value.
 */
424 static int profile_parser(struct nv_pair *nv, int line,
425 prelude_conf_t *config)
428 free((char*)config->profile);
429 config->profile = strdup(nv->value);
/*
 * Map a "detect_*" value onto an enable_t via enabler_words[],
 * case-insensitively.  Writes *enabled only on a match; callers treat a
 * zero return as "unknown value".  Relies on a NULL-named terminator in
 * enabler_words[] (the table body is not shown in this view).
 */
434 static int lookup_enabler(const char *value, enable_t *enabled)
437 for (i=0; enabler_words[i].name != NULL; i++) {
438 if (strcasecmp(value, enabler_words[i].name) == 0) {
439 *enabled = enabler_words[i].option;
/*
 * Map a "*_action" value onto an action_t via action_words[],
 * case-insensitively.  Writes *action only on a match; callers treat a
 * zero return as "unknown value".  Because kill/session/single/halt are
 * commented out of action_words[], they fall into the unknown case.
 */
446 static int lookup_action(const char *value, action_t *action)
449 for (i=0; action_words[i].name != NULL; i++) {
450 if (strcasecmp(value, action_words[i].name) == 0) {
451 *action = action_words[i].option;
/* detect_avc: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
458 static int avc_parser(struct nv_pair *nv, int line, prelude_conf_t *config)
460 if (lookup_enabler(nv->value, &config->avcs) == 0)
462 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* avc_action: value resolved through action_words (case-insensitive); the commented-out destructive actions are rejected here. */
466 static int avc_act_parser(struct nv_pair *nv, int line, prelude_conf_t *config)
468 if (lookup_action(nv->value, &config->avcs_act) == 0)
470 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_logins: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
474 static int login_parser(struct nv_pair *nv, int line, prelude_conf_t *config)
476 if (lookup_enabler(nv->value, &config->logins) == 0)
478 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* login_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
482 static int login_act_parser(struct nv_pair *nv, int line,
483 prelude_conf_t *config)
485 if (lookup_action(nv->value, &config->logins_act) == 0)
487 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_login_fail_max: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
491 static int login_failure_parser(struct nv_pair *nv, int line,
492 prelude_conf_t *config)
494 if (lookup_enabler(nv->value, &config->login_failure_max) == 0)
496 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* login_fail_max_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
500 static int login_failure_act_parser(struct nv_pair *nv, int line,
501 prelude_conf_t *config)
503 if (lookup_action(nv->value, &config->login_failure_max_act) == 0)
505 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_login_session_max: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
509 static int login_session_parser(struct nv_pair *nv, int line,
510 prelude_conf_t *config)
512 if (lookup_enabler(nv->value, &config->login_session_max) == 0)
514 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* login_session_max_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
518 static int login_session_act_parser(struct nv_pair *nv, int line,
519 prelude_conf_t *config)
521 if (lookup_action(nv->value, &config->login_session_max_act) == 0)
523 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_login_location: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
527 static int login_location_parser(struct nv_pair *nv, int line,
528 prelude_conf_t *config)
530 if (lookup_enabler(nv->value, &config->login_location) == 0)
532 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* login_location_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
536 static int login_location_act_parser(struct nv_pair *nv, int line,
537 prelude_conf_t *config)
539 if (lookup_action(nv->value, &config->login_location_act) == 0)
541 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_login_time: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
545 static int login_time_parser(struct nv_pair *nv, int line,
546 prelude_conf_t *config)
548 if (lookup_enabler(nv->value, &config->login_time) == 0)
550 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* login_time_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
554 static int login_time_act_parser(struct nv_pair *nv, int line,
555 prelude_conf_t *config)
557 if (lookup_action(nv->value, &config->login_time_act) == 0)
559 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_abend: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
563 static int abends_parser(struct nv_pair *nv, int line, prelude_conf_t *config)
565 if (lookup_enabler(nv->value, &config->abends) == 0)
567 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* abend_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
571 static int abends_act_parser(struct nv_pair *nv, int line,
572 prelude_conf_t *config)
574 if (lookup_action(nv->value, &config->abends_act) == 0)
576 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_promiscuous: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
580 static int promiscuous_parser(struct nv_pair *nv, int line,
581 prelude_conf_t *config)
583 if (lookup_enabler(nv->value, &config->promiscuous) == 0)
585 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* promiscuous_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
589 static int promiscuous_act_parser(struct nv_pair *nv, int line,
590 prelude_conf_t *config)
592 if (lookup_action(nv->value, &config->promiscuous_act) == 0)
594 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_mac_status: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
598 static int mac_status_parser(struct nv_pair *nv, int line,
599 prelude_conf_t *config)
601 if (lookup_enabler(nv->value, &config->mac_status) == 0)
603 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* mac_status_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
607 static int mac_status_act_parser(struct nv_pair *nv, int line,
608 prelude_conf_t *config)
610 if (lookup_action(nv->value, &config->mac_status_act) == 0)
612 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_group_auth: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
616 static int group_auth_parser(struct nv_pair *nv, int line,
617 prelude_conf_t *config)
619 if (lookup_enabler(nv->value, &config->group_auth) == 0)
621 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* group_auth_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
625 static int group_auth_act_parser(struct nv_pair *nv, int line,
626 prelude_conf_t *config)
628 if (lookup_action(nv->value, &config->group_auth_act) == 0)
630 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_watched_acct: enables the watched-account detector (the account list itself comes from watched_accounts). */
634 static int watched_acct_parser(struct nv_pair *nv, int line,
635 prelude_conf_t *config)
637 if (lookup_enabler(nv->value, &config->watched_acct) == 0)
639 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* watched_acct_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
643 static int watched_acct_act_parser(struct nv_pair *nv, int line,
644 prelude_conf_t *config)
646 if (lookup_action(nv->value, &config->watched_acct_act) == 0)
648 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
652 static int string_is_numeric(const char *s)
/*
 * watched_accounts = <acct>[, <acct>...] where each <acct> is a numeric
 * uid, a user name, or an inclusive range <lo>-<hi> of either.  Names are
 * resolved with getpwnam() at load time (in a daemon that may mean a
 * synchronous NSS/LDAP lookup -- worth knowing when reload stalls); ids are
 * added to config->watched_accounts through ilist_add_if_uniq().  Invalid
 * entries are logged and skipped rather than failing the load, so a
 * misspelled account is simply not watched -- check the log after edits.
 *
 * NOTE(review): string_is_numeric() only vets the characters.  strtoul() is
 * then called with no ERANGE or upper-bound check, so an over-long digit
 * string saturates at ULONG_MAX and is stored in whatever narrower type
 * start/end/acct have (their declarations are not shown here).  Validate
 * with `errno = 0;` before the call, reject `errno == ERANGE`, and bound
 * the result against the uid type.
 * NOTE(review): the range loop has no size cap; a mistyped range such as
 * 1000-4000000000 passes the lo<hi test and then spends a very long time
 * growing the list one id at a time.  A sane maximum span would stop that.
 * NOTE(review): the trailing strtok() is the non-reentrant variant while
 * nv_split() uses strtok_r(); harmless for a single-threaded load but worth
 * aligning.  The const cast on nv->value exists because strtok writes into
 * the string -- it points into load_config()'s own line buffer.
 */
664 static int watched_accounts_parser(struct nv_pair *nv, int line,
665 prelude_conf_t *config)
667 char *str = (char *)nv->value;
/* a '-' marks a range: user1 is the text before it, user2 after */
669 char *ptr = strchr(str, '-');
677 if (string_is_numeric(user1)) {
678 start = strtoul(user1, NULL, 10);
681 pw = getpwnam(user1);
684 "user %s is invalid - line %d, skipping",
/* a trailing ',' on the high end ("1000-1005,") is trimmed before lookup */
691 if (i>0 && user2[i-1] == ',')
693 if (string_is_numeric(user2)) {
694 end = strtoul(user2, NULL, 10);
697 pw = getpwnam(user2);
700 "user %s is invalid - line %d, skipping",
/* ranges must be strictly increasing */
708 "%s is larger or equal to %s, please fix, skipping",
/* every id in [start, end] becomes a separate list entry */
712 for (i=start; i<=end; i++) {
714 &config->watched_accounts, i);
/* single account: numeric uid as-is, otherwise resolved via getpwnam() */
718 if (string_is_numeric(str))
719 acct = strtoul(str, NULL, 10);
725 "user %s is invalid - line %d, skipping",
731 ilist_add_if_uniq(&config->watched_accounts, acct);
/* next comma/space separated entry; the initial strtok() call is outside this view */
733 str = strtok(NULL, ", ");
/* detect_watched_syscall: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
739 static int watched_syscall_parser(struct nv_pair *nv, int line,
740 prelude_conf_t *config)
742 if (lookup_enabler(nv->value, &config->watched_syscall) == 0)
744 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* watched_syscall_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
748 static int watched_syscall_act_parser(struct nv_pair *nv, int line,
749 prelude_conf_t *config)
751 if (lookup_action(nv->value, &config->watched_syscall_act) == 0)
753 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_watched_file: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
757 static int watched_file_parser(struct nv_pair *nv, int line,
758 prelude_conf_t *config)
760 if (lookup_enabler(nv->value, &config->watched_file) == 0)
762 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* watched_file_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
766 static int watched_file_act_parser(struct nv_pair *nv, int line,
767 prelude_conf_t *config)
769 if (lookup_action(nv->value, &config->watched_file_act) == 0)
771 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_watched_exec: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
775 static int watched_exec_parser(struct nv_pair *nv, int line,
776 prelude_conf_t *config)
778 if (lookup_enabler(nv->value, &config->watched_exec) == 0)
780 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* watched_exec_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
784 static int watched_exec_act_parser(struct nv_pair *nv, int line,
785 prelude_conf_t *config)
787 if (lookup_action(nv->value, &config->watched_exec_act) == 0)
789 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_watched_mk_exe: value resolved through enabler_words (case-insensitive); anything else is logged as an error. */
793 static int watched_mk_exe_parser(struct nv_pair *nv, int line,
794 prelude_conf_t *config)
796 if (lookup_enabler(nv->value, &config->watched_mk_exe) == 0)
798 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* watched_mk_exe_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
802 static int watched_mk_exe_act_parser(struct nv_pair *nv, int line,
803 prelude_conf_t *config)
805 if (lookup_action(nv->value, &config->watched_mk_exe_act) == 0)
807 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* detect_tty: value resolved through enabler_words (case-insensitive); anything else is logged as an error.  Note config->tty is not given a default in the clear_config() lines shown in this view. */
811 static int tty_parser(struct nv_pair *nv, int line,
812 prelude_conf_t *config)
814 if (lookup_enabler(nv->value, &config->tty) == 0)
816 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
/* tty_action: value resolved through action_words (case-insensitive); unknown values are logged as an error. */
820 static int tty_act_parser(struct nv_pair *nv, int line,
821 prelude_conf_t *config)
823 if (lookup_action(nv->value, &config->tty_act) == 0)
825 syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
829 * This function is where we do the integrated check of the audispd config
830 * options. At this point, all fields have been read. Returns 0 if no
831 * problems and 1 if problems detected.
 * NOTE(review): "audispd config" reads like a carry-over from audispd's own
 * parser; what is checked here is the prelude plugin's prelude_conf_t.
 * load_config() returns this value directly, so a 1 here fails the whole
 * load.  The body of the check is not shown in this view.
833 static int sanity_check(prelude_conf_t *config, const char *file)
/*
 * Release what clear_config()/load_config() allocated: the profile string
 * and the watched-account list.
 * NOTE(review): config->profile is not reset to NULL after free(), so
 * calling free_config() twice on the same struct is a double free; pair
 * every load with exactly one free, and clear_config() before reuse.
 */
839 void free_config(prelude_conf_t *config)
841 free((void *)config->profile);
842 ilist_clear(&config->watched_accounts);