${COMMON_PATH}/containers/BinaryQueue.cpp
${COMMON_PATH}/error/api.cpp
${COMMON_PATH}/lock/FileLock.cpp
+ ${COMMON_PATH}/log/AuditLog.cpp
${COMMON_PATH}/log/log.cpp
${COMMON_PATH}/plugin/PluginManager.cpp
${COMMON_PATH}/protocol/ProtocolAdmin.cpp
--- /dev/null
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file src/common/log/AuditLog.cpp
+ * @author Adam Malinowski <a.malinowsk2@partner.samsung.com>
+ * @version 1.0
+ * @brief This file implements privilege check logging utility.
+ */
+
+#include <systemd/sd-journal.h>
+
+#include "AuditLog.h"
+
+namespace Cynara {
+
+AuditLog::AuditLog() : m_logLevel(AL_DENY) {
+ init();
+}
+
+void AuditLog::init(void) {
+ char *env_val = getenv("CYNARA_AUDIT_LEVEL");
+ if (env_val) {
+ m_logLevel = stringToLevel(env_val);
+ }
+}
+
+AuditLog::AuditLevel AuditLog::stringToLevel(const std::string &name) {
+ if (name == "NONE")
+ return AL_NONE;
+
+ if (name == "DENY")
+ return AL_DENY;
+
+ if (name == "ALLOW")
+ return AL_ALLOW;
+
+ if (name == "OTHER")
+ return AL_OTHER;
+
+ if (name == "ALL")
+ return AL_ALL;
+
+ return AL_NONE;
+}
+
+const char *AuditLog::policyResultToString(const PolicyResult &policyResult) {
+ if (policyResult.policyType() == PredefinedPolicyType::DENY)
+ return "DENY";
+
+ if (policyResult.policyType() == PredefinedPolicyType::ALLOW)
+ return "ALLOW";
+
+ return "OTHER";
+}
+
+void AuditLog::log(const PolicyKey &policyKey, const PolicyResult &policyResult) {
+ if (m_logLevel == AL_NONE)
+ return;
+
+ PolicyType policyType = policyResult.policyType();
+ namespace PPT = PredefinedPolicyType;
+
+ if (m_logLevel == AL_ALL || (m_logLevel == AL_DENY && policyType == PPT::DENY) ||
+ (m_logLevel == AL_ALLOW && policyType == PPT::ALLOW) ||
+ (m_logLevel == AL_OTHER && policyType != PPT::ALLOW && policyType != PPT::DENY)) {
+ sd_journal_send("MESSAGE=%s;%s;%s => %s", policyKey.client().toString().c_str(),
+ policyKey.user().toString().c_str(),
+ policyKey.privilege().toString().c_str(),
+ policyResultToString(policyResult), "PRIORITY=%i", LOG_INFO,
+ "CYNARA_LOG_TYPE=AUDIT", NULL);
+ }
+}
+
+} /* namespace Cynara */
--- /dev/null
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file src/common/log/AuditLog.h
+ * @author Adam Malinowski <a.malinowsk2@partner.samsung.com>
+ * @version 1.0
+ * @brief This file defines privilege check logging utility.
+ */
+
+#ifndef SRC_COMMON_LOG_AUDITLOG_H
+#define SRC_COMMON_LOG_AUDITLOG_H
+
+#include <string>
+
+#include <types/Policy.h>
+
+namespace Cynara {
+
+class AuditLog {
+public:
+ AuditLog();
+
+ void log(const PolicyKey &policyKey, const PolicyResult &policyResult);
+
+private:
+ typedef enum {
+ AL_NONE,
+ AL_DENY,
+ AL_ALLOW,
+ AL_OTHER,
+ AL_ALL
+ } AuditLevel;
+
+ int m_logLevel;
+
+ void init(void);
+ static AuditLevel stringToLevel(const std::string &name);
+ static const char *policyResultToString(const PolicyResult &policyResult);
+};
+
+#endif /* SRC_COMMON_LOG_AUDITLOG_H */
+
+} // namespace Cynara
void Logic::execute(RequestContextPtr context, CheckRequestPtr request) {
PolicyResult result(PredefinedPolicyType::DENY);
if (check(context, request->key(), request->sequenceNumber(), result)) {
+ m_auditLog.log(request->key(), result);
context->returnResponse(context, std::make_shared<CheckResponse>(result,
request->sequenceNumber()));
}
}
if (answerReady && context->responseQueue()) {
+ m_auditLog.log(key, result);
context->returnResponse(context, std::make_shared<CheckResponse>(result, checkId));
return true;
}
}
}
}
+ m_auditLog.log(request->key(), result);
context->returnResponse(context, std::make_shared<SimpleCheckResponse>(retValue, result,
request->sequenceNumber()));
}
if (!checkContextPtr->cancelled() && checkContextPtr->m_requestContext->responseQueue()) {
PolicyResult result(PredefinedPolicyType::DENY);
+ m_auditLog.log(checkContextPtr->m_key, result);
checkContextPtr->m_requestContext->returnResponse(checkContextPtr->m_requestContext,
std::make_shared<CheckResponse>(result, checkContextPtr->m_checkId));
}
#include <map>
#include <vector>
+#include <log/AuditLog.h>
#include <types/Policy.h>
#include <types/PolicyBucketId.h>
#include <types/PolicyKey.h>
PluginManagerPtr m_pluginManager;
StoragePtr m_storage;
SocketManagerPtr m_socketManager;
+ AuditLog m_auditLog;
bool check(const RequestContextPtr &context, const PolicyKey &key,
ProtocolFrameSequenceNumber checkId, PolicyResult &result);
NoNewPrivileges=true
#Environment="CYNARA_LOG_LEVEL=LOG_DEBUG"
+#Environment="CYNARA_AUDIT_LEVEL=ALL"
[Install]
WantedBy=multi-user.target
projects / platform / core / security / cynara.git / commitdiff