audit-trail user auditing added
authorHQ DSM & Phishing site <hq>
Thu, 19 Oct 2017 12:37:00 +0000 (21:37 +0900)
committerLomtev Dmytro <d.lomtev@samsung.com>
Wed, 1 Nov 2017 09:52:29 +0000 (11:52 +0200)
device_core/nmdaemon/audit_trail_client.cpp
device_core/nmdaemon/audit_trail_client.h

index 275a5f9..d0073ec 100644 (file)
@@ -150,10 +150,47 @@ void sysCallLogCallback(audit_trail_syscall_h handle, void* user_data)
 //    client->m_proxy_thread->addDefferedTask(&AuditTrailClient::sendReport, client, std::string{"syscall"}, std::string{log});
 }
 
+void userLogCallback(audit_trail_user_h handle, void* user_data)
+{
+    assert(user_data);
+
+    AuditTrailClient* client = reinterpret_cast<AuditTrailClient*>(user_data);
+    assert(client);
+
+    time_t time;
+    unsigned short ms;
+    int type;
+    const char* text;
+    int result;
+
+    if (AUDIT_TRAIL_ERROR_NONE != (result = audit_trail_get_user_time(handle, &time, &ms))) {
+        LOG_E(TAG, "audit_trail_get_user_time error %d", result);
+        return;
+    }
+
+    if (AUDIT_TRAIL_ERROR_NONE != (result = audit_trail_get_user_log_type(handle, &type))) {
+        LOG_E(TAG, "audit_trail_get_user_log_type error %d", result);
+        return;
+    }
+
+    if (AUDIT_TRAIL_ERROR_NONE != (result = audit_trail_get_user_log_text(handle, &text))) {
+        LOG_E(TAG, "audit_trail_get_user_log_text error %d", result);
+        return;
+    }
+
+
+    std::ostringstream os;
+    os << "[DLP] audit(" << time << '.' << ms << ":0) type=" << type << " text=" << text;
+
+    LOG_D(TAG, "DLP log callback: %s", os.str().c_str());
+
+    client->m_proxy_thread->addDefferedTask(&AuditTrailClient::sendReport, client, std::string{"dlp"}, os.str());
+}
+
 AuditTrailClient::AuditTrailClient(const std::string& device_id, ProxyThread* proxy_thread,
                                    std::shared_ptr<ReportHandler> report_handler, WorkingMode mode)
     : m_device_id(device_id), m_proxy_thread(proxy_thread), m_report_handler(report_handler), m_mode(mode),
-      m_audit_trail(nullptr), m_dac_cb_id(-1), m_mac_cb_id(-1), m_syscall_cb_id(-1)
+      m_audit_trail(nullptr), m_dac_cb_id(-1), m_mac_cb_id(-1), m_syscall_cb_id(-1), m_user_cb_id(-1)
 {
     assert(m_device_id != "");
     assert(m_proxy_thread != nullptr);
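Review bot: `text` returned by `audit_trail_get_user_log_text` is streamed into the ostringstream at line 44 with no null check; if the library can hand back a null pointer for an empty or malformed record, `os << text` is undefined behaviour, so guard it with `os << " text=" << (text ? text : "")` or return early as the other error paths do. The casts are also worth tightening: converting `void*` back to the object pointer is `static_cast<AuditTrailClient*>(user_data)`, not `reinterpret_cast`, and `os.str()` is evaluated twice (lines 46 and 48) where a single `const std::string msg = os.str();` would do. The local `time_t time` shadows `::time`; a name like `ts` avoids the confusion. The callback is named for user auditing but tags its output `[DLP]` and reports under `"dlp"`; a one-line comment stating that user-type audit records carry DLP events (if that is the intent) would save the next reader the guess.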
@@ -202,11 +239,23 @@ void AuditTrailClient::stop_syscall_auditing()
     audit_trail_remove_syscall_cb(m_audit_trail, m_syscall_cb_id);
 }
 
+bool AuditTrailClient::start_user_auditing()
+{
+    return ((audit_trail_enable_user(m_audit_trail, true) == AUDIT_TRAIL_ERROR_NONE) &&
+           (audit_trail_add_user_cb(m_audit_trail, userLogCallback, (void*)this, &m_user_cb_id) == AUDIT_TRAIL_ERROR_NONE));
+}
+
+void AuditTrailClient::stop_user_auditing()
+{
+    audit_trail_remove_user_cb(m_audit_trail, m_user_cb_id);
+}
+
 bool AuditTrailClient::start_auditing()
 {
     bool result = start_dac_auditing();
     result &= start_mac_auditing();
 //    result &= start_syscall_auditing();
+    result &= start_user_auditing();
     return result;
 }
 
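Review bot: start_user_auditing returns false when `audit_trail_add_user_cb` fails after `audit_trail_enable_user(m_audit_trail, true)` has already succeeded, leaving user auditing enabled with no callback attached and nothing that turns it off, since stop_user_auditing only removes the callback. If the enable flag is meant to be symmetric, consider `audit_trail_enable_user(m_audit_trail, false)` on that failure path and in stop_user_auditing; this is hedged because the library's semantics are not visible here. The `(void*)this` at line 66 should be the named cast `static_cast<void*>(this)`. stop_user_auditing is also reached from stop_auditing (the hunk at line 83) when start failed and m_user_cb_id is still -1, which mirrors the existing dac/mac stops, so any guard on the id should be decided for all of them together.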
@@ -215,6 +264,7 @@ void AuditTrailClient::stop_auditing()
     stop_dac_auditing();
     stop_mac_auditing();
 //    stop_syscall_auditing();
+    stop_user_auditing();
 }
 
 void AuditTrailClient::sendReport(std::string report_name, std::string report)
index 715c8cd..926f87f 100644 (file)
@@ -23,6 +23,7 @@
 #include <audit-trail/mac.h>
 #include <audit-trail/syscall.h>
 #include <audit-trail/audit-trail.h>
+#include <audit-trail/user.h>
 #endif
 #include "proxythread.h"
 #include "reporthandler.h"
@@ -60,6 +61,14 @@ class AuditTrailClient
      */
     friend void sysCallLogCallback(audit_trail_syscall_h handle, void* user_data);
 
+    /**
+     * @brief User log callback
+     * @details Called when a new user occurs
+     * @param[in] log
+     * @param[in] user_data
+     */
+    friend void userLogCallback(audit_trail_user_h handle, void* user_data);
+
 public:
     /**
      * @brief CTOR
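Review bot: The doxygen block for userLogCallback at lines 105-108 documents a parameter `log` that the declaration does not have and says the callback runs "when a new user occurs"; the parameter is `handle`, and the event is a new user audit record. Suggested text: `@details Called when a new user audit log record is available`, `@param[in] handle Handle to the user log record`, `@param[in] user_data Pointer to the AuditTrailClient registered with the callback`.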
@@ -120,6 +129,18 @@ public:
     void stop_syscall_auditing();
 
     /**
+     * @brief Start User(Data Protection Leak) auditing
+     * @details This API can be used to start to collect User logs
+     */
+    bool start_user_auditing();
+
+    /**
+     * @brief Stop User(Data Protection Leak) auditing
+     * @details This API can be used to stop to collect User logs
+     */
+    void stop_user_auditing();
+
+    /**
      * @brief Start DAC, MAC and system calls auditing
      * @details This API can be used to start to collect logs
      */
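Review bot: start_user_auditing returns bool but its doxygen at lines 119-121 has no `@return`, even though start_auditing ANDs that value into its own result; add `@return true if user auditing was enabled and the callback registered, false otherwise`. The phrase "User(Data Protection Leak) auditing" at lines 119 and 125 does not match the `[DLP]` prefix and `"dlp"` report name used in the .cpp; pick one expansion and use it in both places. The `@brief Start DAC, MAC and system calls auditing` for start_auditing just below (line 131, context) now also covers user auditing and should say so.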
@@ -142,6 +163,7 @@ private:
     int m_dac_cb_id;
     int m_mac_cb_id;
     int m_syscall_cb_id;
+    int m_user_cb_id;
 };
 
 } // namespace NMD