2 * aureport-scan.c - Extract interesting fields and check for match
3 * Copyright (c) 2005-06,2008,2011,2014-15 Red Hat Inc., Durham, North Carolina.
6 * This software may be freely redistributed and/or modified under the
7 * terms of the GNU General Public License as published by the Free
8 * Software Foundation; either version 2, or (at your option) any
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to the
18 * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 * Steve Grubb <sgrubb@redhat.com>
29 #include "aureport-options.h"
30 #include "ausearch-parse.h"
31 #include "ausearch-string.h"
32 #include "ausearch-lookup.h"
33 #include "aureport-scan.h"
35 static void do_summary_total(llist *l);
36 static int per_event_summary(llist *l);
37 static int per_event_detailed(llist *l);
41 /* Zero the summary counters in sd and (re)initialise every list it owns */
42 void reset_counters(void)
46 sd.acct_changes = 0UL;
54 sd.failed_syscalls = 0UL;
// String-valued summaries (users, terminals, files, ...)
59 slist_create(&sd.users);
60 slist_create(&sd.terms);
61 slist_create(&sd.files);
62 slist_create(&sd.hosts);
63 slist_create(&sd.exes);
64 slist_create(&sd.comms);
65 slist_create(&sd.avc_objs);
66 slist_create(&sd.keys);
// Integer-valued summaries (pids, syscall numbers, record types, ...)
67 ilist_create(&sd.pids);
68 ilist_create(&sd.sys_list);
69 ilist_create(&sd.anom_list);
70 ilist_create(&sd.mac_list);
71 ilist_create(&sd.resp_list);
72 ilist_create(&sd.crypto_list);
73 ilist_create(&sd.virt_list);
74 ilist_create(&sd.integ_list);
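77 /* Zero the summary counters and release the storage held by every list in sd */
78 void destroy_counters(void)
82 sd.acct_changes = 0UL;
90 sd.failed_syscalls = 0UL;
95 slist_clear(&sd.users);
96 slist_clear(&sd.terms);
97 slist_clear(&sd.files);
98 slist_clear(&sd.hosts);
99 slist_clear(&sd.exes);
100 slist_clear(&sd.comms);
101 slist_clear(&sd.avc_objs);
102 slist_clear(&sd.keys);
// Every int list is cleared, mirroring the slist_clear calls above.
// Re-initialising a head with ilist_create instead of clearing it would
// presumably abandon the nodes reset_counters/per_event_summary added.
103 ilist_clear(&sd.pids);
104 ilist_clear(&sd.sys_list);
105 ilist_clear(&sd.anom_list);
106 ilist_clear(&sd.mac_list);
107 ilist_clear(&sd.resp_list);
108 ilist_clear(&sd.crypto_list);
109 ilist_clear(&sd.virt_list);
110 ilist_clear(&sd.integ_list);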
113 /* Apply the success/failed filter (event_failed) to an event: returns 1 when
 * the event's success state matches what was requested, or when neither
 * F_FAILED nor F_SUCCESS was requested; returns 0 otherwise */
114 int classify_success(const llist *l)
116 //printf("%d,succ=%d:%d\n", l->head->type, event_failed, l->s.success);
117 // If match only failed...
118 if (event_failed == F_FAILED)
119 return l->s.success == S_FAILED ? 1 : 0;
120 // If match only success...
121 if (event_failed == F_SUCCESS)
122 return l->s.success == S_SUCCESS ? 1 : 0;
123 // Otherwise...we don't care so pretend it matched
127 /* Apply the event_conf_act (C_ADD / C_DEL) filter to a configuration-change
 * record, keyed on the record type of the first record in the event.
 * Returns 1 on match and 0 on no match */
128 int classify_conf(const llist *l)
// Consulted in the AUDIT_CONFIG_CHANGE case.
// NOTE(review): presumably the flag behind the no-config option — confirm in aureport-options
131 extern int no_config;
133 switch (l->head->type)
135 case AUDIT_CONFIG_CHANGE:
139 case AUDIT_USYS_CONFIG:
// Each *_ADD style record type appears to be filtered out when only deletions
// (C_DEL) were requested, and each *_DEL type when only additions (C_ADD) were.
142 if (event_conf_act == C_DEL)
146 if (event_conf_act == C_ADD)
149 case AUDIT_ADD_GROUP:
150 if (event_conf_act == C_DEL)
153 case AUDIT_DEL_GROUP:
154 if (event_conf_act == C_ADD)
157 case AUDIT_MAC_CIPSOV4_ADD:
158 if (event_conf_act == C_DEL)
161 case AUDIT_MAC_CIPSOV4_DEL:
162 if (event_conf_act == C_ADD)
165 case AUDIT_MAC_MAP_ADD:
166 if (event_conf_act == C_DEL)
169 case AUDIT_MAC_MAP_DEL:
170 if (event_conf_act == C_ADD)
173 case AUDIT_MAC_IPSEC_ADDSA:
174 if (event_conf_act == C_DEL)
177 case AUDIT_MAC_IPSEC_DELSA:
178 if (event_conf_act == C_ADD)
181 case AUDIT_MAC_IPSEC_ADDSPD:
182 if (event_conf_act == C_DEL)
185 case AUDIT_MAC_IPSEC_DELSPD:
186 if (event_conf_act == C_ADD)
189 case AUDIT_MAC_UNLBL_STCADD:
190 if (event_conf_act == C_DEL)
193 case AUDIT_MAC_UNLBL_STCDEL:
194 if (event_conf_act == C_ADD)
200 //printf("conf=%d:%d\n", l->head->type, rc);
205 * This function performs the matching of search params with the record.
206 * It returns 1 on a match, and 0 if no match.
210 // Are we within time range? (a zero bound means "no bound")
211 if (start_time == 0 || l->e.sec >= start_time) {
212 if (end_time == 0 || l->e.sec <= end_time) {
213 // OK - do the heavier checking
214 int rc = extract_search_items(l);
// Node filter: when a node list was given, the event must carry a node
// name that compares equal (strcmp) to one of the listed names.
216 if (event_node_list) {
219 slist *sptr = event_node_list;
// An event with no node name cannot satisfy the node filter
221 if (l->e.node == NULL)
225 sn=slist_get_cur(sptr);
226 while (sn && !found) {
227 if (sn->str && (!strcmp(sn->str, l->e.node)))
// Both the success/failed filter and the config-action filter must agree
236 if (classify_success(l) && classify_conf(l))
/* Dispatch one matched event to the summary or detailed handler according
 * to report_detail; returns that handler's result */
245 int per_event_processing(llist *l)
249 switch (report_detail)
252 rc = per_event_summary(l);
255 rc = per_event_detailed(l);
/* Summary mode: fold one matched event into the global counters/lists in sd,
 * selecting what to record by the report type being produced */
265 static int per_event_summary(llist *l)
// Kernel AVC records: collect each denied target context once
276 if (list_find_msg(l, AUDIT_AVC)) {
277 if (alist_find_avc(l->s.avc)) {
279 slist_add_if_uniq(&sd.avc_objs,
280 l->s.avc->cur->tcontext);
281 } while (alist_next_avc(l->s.avc));
// Userspace AVC records, same treatment
284 if (list_find_msg(l, AUDIT_USER_AVC)) {
285 if (alist_find_avc(l->s.avc)) {
289 l->s.avc->cur->tcontext);
290 } while (alist_next_avc(
297 if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
298 AUDIT_MAC_MAP_DEL)) {
299 ilist_add_if_uniq(&sd.mac_list,
302 if (list_find_msg_range(l,
303 AUDIT_FIRST_USER_LSPP_MSG,
304 AUDIT_LAST_USER_LSPP_MSG)) {
305 ilist_add_if_uniq(&sd.mac_list,
311 if (list_find_msg_range(l,
312 AUDIT_INTEGRITY_FIRST_MSG,
313 AUDIT_INTEGRITY_LAST_MSG)) {
314 ilist_add_if_uniq(&sd.integ_list,
319 if (list_find_msg_range(l,
320 AUDIT_FIRST_VIRT_MSG,
321 AUDIT_LAST_VIRT_MSG)) {
322 ilist_add_if_uniq(&sd.virt_list,
326 case RPT_CONFIG: /* We will borrow the pid list */
// The pid list is reused to count distinct config-change record types
327 if (list_find_msg(l, AUDIT_CONFIG_CHANGE) ||
328 list_find_msg(l, AUDIT_DAEMON_CONFIG) ||
329 list_find_msg(l, AUDIT_USYS_CONFIG) ||
330 list_find_msg(l, AUDIT_NETFILTER_CFG) ||
331 list_find_msg(l, AUDIT_FEATURE_CHANGE) ||
332 list_find_msg(l, AUDIT_USER_MAC_CONFIG_CHANGE)||
333 list_find_msg_range(l,
334 AUDIT_MAC_POLICY_LOAD,
335 AUDIT_MAC_UNLBL_STCDEL)) {
336 ilist_add_if_uniq(&sd.pids, l->head->type, 0);
340 if (list_find_msg(l, AUDIT_USER_AUTH)) {
// NOTE(review): this and the USER_MGMT branch treat only -2 as "no loginuid",
// while the USER_LOGIN branch below uses (int)loginuid < 0; if -1 can also
// mean unset, these two branches miss it — confirm against ausearch-parse
341 if (l->s.loginuid == -2 && l->s.acct)
342 slist_add_if_uniq(&sd.users, l->s.acct);
346 slist_add_if_uniq(&sd.users,
347 aulookup_uid(l->s.loginuid,
352 } else if (list_find_msg(l, AUDIT_USER_MGMT)) {
353 // Only count the failures
354 if (l->s.success == S_FAILED) {
355 if (l->s.loginuid == -2 &&
357 slist_add_if_uniq(&sd.users, l->s.acct);
361 slist_add_if_uniq(&sd.users,
372 if (list_find_msg(l, AUDIT_USER_LOGIN)) {
// Fall back to the account name when no usable loginuid was recorded
373 if ((int)l->s.loginuid < 0 && l->s.acct)
374 slist_add_if_uniq(&sd.users, l->s.acct);
378 slist_add_if_uniq(&sd.users,
379 aulookup_uid(l->s.loginuid,
386 case RPT_ACCT_MOD: /* We will borrow the pid list */
387 if (list_find_msg(l, AUDIT_USER_CHAUTHTOK) ||
388 list_find_msg_range(l,
389 AUDIT_ADD_USER, AUDIT_DEL_GROUP) ||
390 list_find_msg(l, AUDIT_USER_MGMT) ||
391 list_find_msg(l, AUDIT_GRP_MGMT) ||
392 list_find_msg_range(l,
394 AUDIT_ROLE_REMOVE)) {
395 ilist_add_if_uniq(&sd.pids, l->head->type, 0);
398 case RPT_EVENT: /* We will borrow the pid list */
399 if (l->head->type != -1) {
400 ilist_add_if_uniq(&sd.pids, l->head->type, 0);
// One event may name several files; record each distinct one
406 slist *sptr = l->s.filename;
409 sn=slist_get_cur(sptr);
412 slist_add_if_uniq(&sd.files,
420 slist_add_if_uniq(&sd.hosts, l->s.hostname);
423 if (l->s.pid != -1) {
424 ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
// Syscall numbers are only meaningful together with the arch they were made on
428 if (l->s.syscall > 0) {
429 ilist_add_if_uniq(&sd.sys_list,
430 l->s.syscall, l->s.arch);
435 slist_add_if_uniq(&sd.terms, l->s.terminal);
438 if (l->s.loginuid != -2) {
// NOTE(review): the (int) cast in the USER_LOGIN case above suggests loginuid
// is unsigned; if so, "%d" mismatches the argument type (use "%u" or cast) — confirm
440 snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
441 slist_add_if_uniq(&sd.users, tmp);
446 slist_add_if_uniq(&sd.exes, l->s.exe);
450 slist_add_if_uniq(&sd.comms, l->s.comm);
453 if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
454 AUDIT_LAST_ANOM_MSG)) {
455 ilist_add_if_uniq(&sd.anom_list,
458 if (list_find_msg_range(l,
459 AUDIT_FIRST_KERN_ANOM_MSG,
460 AUDIT_LAST_KERN_ANOM_MSG)) {
461 ilist_add_if_uniq(&sd.anom_list,
467 if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
468 AUDIT_LAST_ANOM_RESP)) {
469 ilist_add_if_uniq(&sd.resp_list,
474 if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
475 AUDIT_LAST_KERN_CRYPTO_MSG)) {
476 ilist_add_if_uniq(&sd.crypto_list,
479 if (list_find_msg_range(l,
480 AUDIT_FIRST_CRYPTO_MSG,
481 AUDIT_LAST_CRYPTO_MSG)) {
482 ilist_add_if_uniq(&sd.crypto_list,
// Keys: skip the literal "(null)" placeholder the parser may leave behind
490 slist *sptr = l->s.key;
493 sn=slist_get_cur(sptr);
496 strcmp(sn->str, "(null)"))
497 slist_add_if_uniq(&sd.keys,
/* Detailed mode: print one line per matched event via print_per_event_item(),
 * choosing whether the event qualifies by the report type and record types */
512 static int per_event_detailed(llist *l)
519 if (list_find_msg(l, AUDIT_AVC)) {
520 print_per_event_item(l);
522 } else if (list_find_msg(l, AUDIT_USER_AVC)) {
523 print_per_event_item(l);
// MAC report: D_DETAILED prints everything in the MAC / user-LSPP ranges
528 if (report_detail == D_DETAILED) {
529 if (list_find_msg_range(l,
530 AUDIT_MAC_POLICY_LOAD,
531 AUDIT_MAC_UNLBL_STCDEL)) {
532 print_per_event_item(l);
535 if (list_find_msg_range(l,
536 AUDIT_FIRST_USER_LSPP_MSG,
537 AUDIT_LAST_USER_LSPP_MSG)) {
538 print_per_event_item(l);
545 if (report_detail == D_DETAILED) {
546 if (list_find_msg_range(l,
547 AUDIT_INTEGRITY_FIRST_MSG,
548 AUDIT_INTEGRITY_LAST_MSG)) {
549 print_per_event_item(l);
555 if (report_detail == D_DETAILED) {
556 if (list_find_msg_range(l,
557 AUDIT_FIRST_VIRT_MSG,
558 AUDIT_LAST_VIRT_MSG)) {
559 print_per_event_item(l);
// Config report: the same set of record types per_event_summary counts
565 if (list_find_msg(l, AUDIT_CONFIG_CHANGE)) {
566 print_per_event_item(l);
568 } else if (list_find_msg(l, AUDIT_DAEMON_CONFIG)) {
569 print_per_event_item(l);
571 } else if (list_find_msg(l, AUDIT_USYS_CONFIG)) {
572 print_per_event_item(l);
574 } else if (list_find_msg(l, AUDIT_NETFILTER_CFG)) {
575 print_per_event_item(l);
577 } else if (list_find_msg(l, AUDIT_FEATURE_CHANGE)) {
578 print_per_event_item(l);
580 } else if (list_find_msg(l,
581 AUDIT_USER_MAC_CONFIG_CHANGE)) {
582 print_per_event_item(l);
584 } else if (list_find_msg_range(l,
585 AUDIT_MAC_POLICY_LOAD,
586 AUDIT_MAC_UNLBL_STCDEL)) {
587 print_per_event_item(l);
592 if (list_find_msg(l, AUDIT_USER_AUTH)) {
593 print_per_event_item(l);
595 } else if (list_find_msg(l, AUDIT_USER_MGMT)) {
596 // Only count the failed acct
597 if (l->s.success == S_FAILED) {
598 print_per_event_item(l);
604 if (list_find_msg(l, AUDIT_USER_LOGIN)) {
605 print_per_event_item(l);
610 if (list_find_msg(l, AUDIT_USER_CHAUTHTOK)) {
611 print_per_event_item(l);
613 } else if (list_find_msg_range(l,
614 AUDIT_ADD_USER, AUDIT_DEL_GROUP)) {
615 print_per_event_item(l);
617 } else if (list_find_msg(l, AUDIT_USER_MGMT)) {
618 print_per_event_item(l);
620 } else if (list_find_msg(l, AUDIT_GRP_MGMT)) {
621 print_per_event_item(l);
623 } else if (list_find_msg_range(l,
625 AUDIT_ROLE_REMOVE)) {
626 print_per_event_item(l);
// For the remaining report types, D_DETAILED prints every matched event;
// the else branches handle a report restricted to one specific value
632 if (report_detail == D_DETAILED) {
633 print_per_event_item(l);
635 } else { // specific event report
641 if (report_detail == D_DETAILED) {
643 print_per_event_item(l);
646 } else { // specific file report
652 if (report_detail == D_DETAILED) {
654 print_per_event_item(l);
657 } else { // specific host report
663 if (report_detail == D_DETAILED) {
665 print_per_event_item(l);
668 } else { // specific pid report
674 if (report_detail == D_DETAILED) {
676 print_per_event_item(l);
679 } else { // specific syscall report
685 if (report_detail == D_DETAILED) {
687 print_per_event_item(l);
690 } else { // specific terminal report
696 if (report_detail == D_DETAILED) {
697 if (l->s.uid != -1) {
698 print_per_event_item(l);
701 } else { // specific user report
707 if (report_detail == D_DETAILED) {
709 print_per_event_item(l);
712 } else { // specific exe report
718 if (report_detail == D_DETAILED) {
720 print_per_event_item(l);
723 } else { // specific comm report
728 if (report_detail == D_DETAILED) {
729 if (list_find_msg_range(l,
730 AUDIT_FIRST_ANOM_MSG,
731 AUDIT_LAST_ANOM_MSG)) {
732 print_per_event_item(l);
735 if (list_find_msg_range(l,
736 AUDIT_FIRST_KERN_ANOM_MSG,
737 AUDIT_LAST_KERN_ANOM_MSG)) {
738 print_per_event_item(l);
742 } else { // FIXME: specific anom report
747 if (report_detail == D_DETAILED) {
748 if (list_find_msg_range(l,
749 AUDIT_FIRST_ANOM_RESP,
750 AUDIT_LAST_ANOM_RESP)) {
751 print_per_event_item(l);
754 } else { // FIXME: specific resp report
759 if (report_detail == D_DETAILED) {
760 if (list_find_msg_range(l,
761 AUDIT_FIRST_KERN_CRYPTO_MSG,
762 AUDIT_LAST_KERN_CRYPTO_MSG)) {
763 print_per_event_item(l);
766 if (list_find_msg_range(l,
767 AUDIT_FIRST_CRYPTO_MSG,
768 AUDIT_LAST_CRYPTO_MSG)) {
769 print_per_event_item(l);
773 } else { // FIXME: specific crypto report
779 if (report_detail == D_DETAILED) {
781 slist_first(l->s.key);
// NOTE(review): cur is dereferenced right after slist_first(); if the key
// list can be non-NULL but empty, cur would be NULL here — confirm the
// parser never leaves an empty key list
782 if (strcmp(l->s.key->cur->str,
784 print_per_event_item(l);
788 } else { // specific key report
// TTY report: only the two tty record types qualify
793 if (l->head->type == AUDIT_TTY ||
794 l->head->type == AUDIT_USER_TTY) {
795 print_per_event_item(l);
805 static void do_summary_total(llist *l)
810 // add config changes
811 if (list_find_msg(l, AUDIT_CONFIG_CHANGE))
813 if (list_find_msg(l, AUDIT_DAEMON_CONFIG))
815 if (list_find_msg(l, AUDIT_USYS_CONFIG))
817 if (list_find_msg(l, AUDIT_NETFILTER_CFG))
819 if (list_find_msg(l, AUDIT_FEATURE_CHANGE))
821 if (list_find_msg(l, AUDIT_USER_MAC_CONFIG_CHANGE))
824 if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
825 AUDIT_MAC_UNLBL_STCDEL))
829 if (list_find_msg(l, AUDIT_USER_CHAUTHTOK))
831 if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP))
833 if (list_find_msg(l, AUDIT_USER_MGMT))
835 if (list_find_msg(l, AUDIT_GRP_MGMT))
838 if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE))
843 if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
844 AUDIT_LAST_KERN_CRYPTO_MSG))
846 if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
847 AUDIT_LAST_CRYPTO_MSG))
851 if (list_find_msg(l, AUDIT_USER_LOGIN)) {
852 if (l->s.success == S_SUCCESS)
854 else if (l->s.success == S_FAILED)
859 if (list_find_msg(l, AUDIT_USER_AUTH)) {
860 if (l->s.success == S_SUCCESS)
862 else if (l->s.success == S_FAILED)
864 } else if (list_find_msg(l, AUDIT_USER_MGMT)) {
865 // Only count the failures
866 if (l->s.success == S_FAILED)
868 } else if (list_find_msg(l, AUDIT_GRP_AUTH)) {
869 if (l->s.success == S_SUCCESS)
871 else if (l->s.success == S_FAILED)
876 if (l->s.loginuid != -2) {
878 snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
879 slist_add_if_uniq(&sd.users, tmp);
884 slist_add_if_uniq(&sd.terms, l->s.terminal);
888 slist_add_if_uniq(&sd.hosts, l->s.hostname);
892 slist_add_if_uniq(&sd.exes, l->s.exe);
896 slist_add_if_uniq(&sd.comms, l->s.comm);
901 slist *sptr = l->s.filename;
904 sn=slist_get_cur(sptr);
907 slist_add_if_uniq(&sd.files, sn->str);
913 if (list_find_msg(l, AUDIT_AVC))
915 else if (list_find_msg(l, AUDIT_USER_AVC))
920 if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
921 AUDIT_MAC_UNLBL_STCDEL))
923 if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
924 AUDIT_LAST_USER_LSPP_MSG))
929 if (list_find_msg_range(l, AUDIT_FIRST_VIRT_MSG,
930 AUDIT_LAST_VIRT_MSG))
935 if (list_find_msg_range(l, AUDIT_INTEGRITY_FIRST_MSG,
936 AUDIT_INTEGRITY_LAST_MSG))
939 // add failed syscalls
940 if (l->s.success == S_FAILED && l->s.syscall > 0)
941 sd.failed_syscalls++;
944 if (l->s.pid != -1) {
945 ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
949 if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG))
951 if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
952 AUDIT_LAST_KERN_ANOM_MSG))
955 // add response to anomalies
956 if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP))
962 slist *sptr = l->s.key;
965 sn=slist_get_cur(sptr);
967 if (sn->str && strcmp(sn->str, "(null)")) {
968 slist_add_if_uniq(&sd.keys, sn->str);