file(GLOB COMM_SRC src/*.cpp)
-pkg_check_modules(pkgs REQUIRED curl capi-system-info)
+pkg_check_modules(pkgs REQUIRED libcurl capi-system-info)
FOREACH(flag ${pkgs_CFLAGS})
SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${flag}")
*/
#include <stdexcept>
#include <cassert>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
#include "audit_trail_client.h"
#include "logging.h"
#include "samonitor_tag.h"
#include "base64.h"
+enum {
+ OBJECT_TYPE_NOOBJECT,
+ OBJECT_TYPE_PROCESS,
+ OBJECT_TYPE_FILE,
+ OBJECT_TYPE_SOCKET,
+};
namespace NMD
{
unsigned int syscall;
unsigned int syscall_args[4];
int syscall_exitcode;
- const char* subj_name;
- const char* subj_label;
- const char* obj_name;
- const char* obj_label;
- int obj_type;
- uid_t subj_uid, subj_euid, obj_uid, obj_euid;
- gid_t subj_gid, subj_egid, obj_gid, obj_egid;
+ char* str_val = nullptr;
+ std::string obj_name;
+ std::string obj_label;
+ int obj_type = OBJECT_TYPE_NOOBJECT;
+ std::string obj_stype;
+ uid_t subj_uid, subj_euid, obj_uid;
+ gid_t subj_gid, subj_egid, obj_gid;
mode_t obj_perm;
ino_t obj_inode;
+ int sock_family;
+ struct sockaddr_un addr_un;
+ struct sockaddr_in addr_in;
Json::Value root;
if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_time(handle, &time, &ms))) {
LOG_E(TAG, "audit_system_log_get_time error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_subject_name(handle, &subj_name))) {
- root["subj"] = std::string{subj_name};
+ if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_subject_name(handle, &str_val))) {
+ if (nullptr != str_val) {
+ root["subj"] = std::string{str_val};
+ free(str_val);
+ str_val = nullptr;
+ }
} else {
LOG_E(TAG, "audit_system_log_get_subject_name error %d", result);
}
LOG_E(TAG, "audit_system_log_get_subject_pid error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_subject_smack_label(handle, &subj_label))) {
- root["subj_label"] = std::string{subj_label};
+ if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_subject_smack_label(handle, &str_val))) {
+ if (nullptr != str_val) {
+ root["subj_label"] = std::string{str_val};
+ free(str_val);
+ str_val = nullptr;
+ }
} else {
LOG_E(TAG, "audit_system_log_get_subject_smack_label error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_type(handle, &obj_type))) {
- root["obj_type"] = obj_type;
- } else {
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_type(handle, &obj_type))) {
LOG_E(TAG, "audit_system_log_get_object_type error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_owner(handle, &obj_uid, &obj_gid))) {
- root["obj_owner_uid"] = obj_uid;
- root["obj_owner_gid"] = obj_gid;
- } else {
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_owner(handle, &obj_uid, &obj_gid))) {
LOG_E(TAG, "audit_system_log_get_object_owner error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_effective_owner(handle, &obj_euid, &obj_egid))) {
- root["obj_owner_euid"] = obj_euid;
- root["obj_owner_egid"] = obj_egid;
- } else {
- LOG_E(TAG, "audit_system_log_get_object_effective_owner error %d", result);
- }
-
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_permission(handle, &obj_perm))) {
- root["obj_perm"] = obj_perm;
- } else {
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_permission(handle, &obj_perm))) {
LOG_E(TAG, "audit_system_log_get_object_permission error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_smack_label(handle, &obj_label))) {
- root["obj_label"] = std::string{obj_label};
+ if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_smack_label(handle, &str_val))) {
+ if (nullptr != str_val) {
+ obj_label = str_val;
+ free(str_val);
+ str_val = nullptr;
+ }
} else {
LOG_E(TAG, "audit_system_log_get_object_smack_label error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_name(handle, &obj_name))) {
- root["obj"] = std::string{obj_name};
+ if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_name(handle, &str_val))) {
+ if (nullptr != str_val) {
+ obj_name = str_val;
+ free(str_val);
+ }
} else {
LOG_E(TAG, "audit_system_log_get_object_name error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_pid(handle, &obj_pid))) {
- root["obj_pid"] = obj_pid;
- } else {
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_pid(handle, &obj_pid))) {
LOG_E(TAG, "audit_system_log_get_object_pid error %d", result);
}
- if (AUDIT_TRAIL_ERROR_NONE == (result = audit_system_log_get_object_inode(handle, &obj_inode))) {
- root["obj_inode"] = Json::UInt64(obj_inode);
- } else {
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_inode(handle, &obj_inode))) {
LOG_E(TAG, "audit_system_log_get_object_inode error %d", result);
}
LOG_E(TAG, "audit_system_log_get_action_exitcode error %d", result);
}
+ switch(obj_type) {
+ case OBJECT_TYPE_NOOBJECT:
+ obj_stype = std::string{"no_object"};
+ break;
+ case OBJECT_TYPE_PROCESS:
+ obj_stype = std::string{"process"};
+ root["obj"] = obj_name;
+ root["obj_label"] = obj_label;
+ root["obj_pid"] = obj_pid;
+ root["obj_uid"] = obj_uid;
+ root["obj_gid"] = obj_gid;
+ break;
+ case OBJECT_TYPE_FILE:
+ obj_stype = std::string{"file"};
+ root["obj"] = obj_name;
+ root["obj_label"] = obj_label;
+ root["obj_inode"] = Json::UInt64(obj_inode);
+ root["obj_mode"] = obj_perm;
+ root["obj_uid"] = obj_uid;
+ root["obj_gid"] = obj_gid;
+ break;
+ case OBJECT_TYPE_SOCKET:
+ {
+ obj_stype = std::string{"socket"};
+ root["obj"] = obj_name;
+ root["obj_label"] = obj_label;
+ root["obj_inode"] = Json::UInt64(obj_inode);
+ root["obj_mode"] = obj_perm;
+ root["obj_uid"] = obj_uid;
+ root["obj_gid"] = obj_gid;
+
+ if (AUDIT_TRAIL_ERROR_NONE != (result = audit_system_log_get_object_sockaddr(handle, nullptr, &sock_family))) {
+ LOG_E(TAG, "audit_system_log_get_object_sockaddr error %d", result);
+ break;
+ }
+
+ if (sock_family == AF_UNIX) {
+ audit_system_log_get_object_sockaddr(handle, reinterpret_cast<struct sockaddr *>(&addr_un), &sock_family);
+ root["obj_sock_family"] = std::string{"unix"};
+ root["obj_sockpath"] = std::string{addr_un.sun_path};
+ } else if (sock_family == AF_INET) {
+ audit_system_log_get_object_sockaddr(handle, reinterpret_cast<struct sockaddr *>(&addr_in), &sock_family);
+ root["obj_sock_family"] = std::string{"inet"};
+ root["obj_sockaddr"] = std::string{inet_ntoa(addr_in.sin_addr)} + ":" + std::to_string(ntohs(addr_in.sin_port));
+ }
+ }
+ default:
+ break;
+ }
+
if (!root.empty()) {
+ root["obj_type"] = obj_stype;
client->m_reporter->sendReport(std::string{"syscall"}, root);
} else {
LOG_E(TAG, "Failed to collect system log info. Log is empty.");
unsigned short ms;
pid_t pid;
int type;
- const char* text = "";
+ char* text = nullptr;
int result;
Json::Value root;
}
if (AUDIT_TRAIL_ERROR_NONE == (result = audit_user_log_get_text(handle, &text))) {
- root["text"] = base64_encode(text);
+ if (nullptr != text) {
+ root["text"] = base64_encode(text);
+ free(text);
+ }
} else {
LOG_E(TAG, "audit_trail_get_user_log_text error %d", result);
}
{
public:
MOCK_METHOD2(audit_system_log_get_time, int(time_t *time, unsigned short *ms));
- MOCK_METHOD1(audit_system_log_get_subject_name, int(const char **name));
+ MOCK_METHOD1(audit_system_log_get_subject_name, int(char **name));
MOCK_METHOD2(audit_system_log_get_subject_owner, int(uid_t *uid, gid_t *gid));
MOCK_METHOD2(audit_system_log_get_subject_effective_owner, int(uid_t *euid, gid_t *egid));
MOCK_METHOD1(audit_system_log_get_subject_pid, int(pid_t *pid));
- MOCK_METHOD1(audit_system_log_get_subject_smack_label, int(const char **label));
+ MOCK_METHOD1(audit_system_log_get_subject_smack_label, int(char **label));
MOCK_METHOD1(audit_system_log_get_object_type, int(int *type));
MOCK_METHOD2(audit_system_log_get_object_owner, int(uid_t *uid, gid_t *gid));
- MOCK_METHOD2(audit_system_log_get_object_effective_owner, int(uid_t *euid, gid_t *egid));
MOCK_METHOD1(audit_system_log_get_object_permission, int(mode_t *mode));
- MOCK_METHOD1(audit_system_log_get_object_smack_label, int(const char **label));
- MOCK_METHOD1(audit_system_log_get_object_name, int(const char **name));
+ MOCK_METHOD1(audit_system_log_get_object_smack_label, int(char **label));
+ MOCK_METHOD1(audit_system_log_get_object_name, int(char **name));
MOCK_METHOD1(audit_system_log_get_object_pid, int(pid_t *pid));
MOCK_METHOD1(audit_system_log_get_object_inode, int(ino_t *inode));
- MOCK_METHOD1(audit_system_log_object_sockaddr, int(const char **socketaddr));
+ MOCK_METHOD2(audit_system_log_get_object_sockaddr, int(struct sockaddr *addr, int *family));
MOCK_METHOD1(audit_system_log_get_action_systemcall, int(unsigned int *systemcall));
MOCK_METHOD1(audit_system_log_get_action_arguments, int(unsigned int (*args)[4]));
MOCK_METHOD1(audit_system_log_get_action_exitcode, int(int *exitcode));
MOCK_METHOD2(audit_user_log_get_time, int(time_t *time, unsigned short *ms));
MOCK_METHOD1(audit_user_log_get_pid, int(pid_t *pid));
MOCK_METHOD1(audit_user_log_get_type, int(int *type));
- MOCK_METHOD1(audit_user_log_get_text, int(const char **text));
+ MOCK_METHOD1(audit_user_log_get_text, int(char **text));
};
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_time(time, ms);
}
-int audit_system_log_get_subject_name(audit_system_log_h handle,
- const char **name)
+int audit_system_log_get_subject_name(audit_system_log_h handle, char **name)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_subject_name(name);
return p->audit_system_log_get_subject_pid(pid);
}
int audit_system_log_get_subject_smack_label(audit_system_log_h handle,
- const char **label)
+ char **label)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_subject_smack_label(label);
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_object_owner(uid, gid);
}
-int audit_system_log_get_object_effective_owner(audit_system_log_h handle,
- uid_t *euid, gid_t *egid)
-{
- IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
- return p->audit_system_log_get_object_effective_owner(euid, egid);
-}
int audit_system_log_get_object_permission(audit_system_log_h handle, mode_t *mode)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_object_permission(mode);
}
-int audit_system_log_get_object_smack_label(audit_system_log_h handle, const char **label)
+int audit_system_log_get_object_smack_label(audit_system_log_h handle, char **label)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_object_smack_label(label);
}
-int audit_system_log_get_object_name(audit_system_log_h handle, const char **name)
+int audit_system_log_get_object_name(audit_system_log_h handle, char **name)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_object_name(name);
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
return p->audit_system_log_get_object_inode(inode);
}
-int audit_system_log_object_sockaddr(audit_system_log_h handle, const char **socketaddr)
+int audit_system_log_get_object_sockaddr(audit_system_log_h handle, struct sockaddr *addr, int *family)
{
IAuditSystemLogStub* p = reinterpret_cast<IAuditSystemLogStub*>(handle);
- return p->audit_system_log_object_sockaddr(socketaddr);
+ return p->audit_system_log_get_object_sockaddr(addr, family);
}
int audit_system_log_get_action_systemcall(audit_system_log_h handle, unsigned int *systemcall)
{
IAuditUserLogStub* p = reinterpret_cast<IAuditUserLogStub*>(handle);
return p->audit_user_log_get_type(type);
}
-int audit_user_log_get_text(audit_user_log_h handle, const char **text)
+int audit_user_log_get_text(audit_user_log_h handle, char **text)
{
IAuditUserLogStub* p = reinterpret_cast<IAuditUserLogStub*>(handle);
return p->audit_user_log_get_text(text);
public:
virtual ~IAuditSystemLogStub() = default;
virtual int audit_system_log_get_time(time_t *time, unsigned short *ms) = 0;
- virtual int audit_system_log_get_subject_name(const char **name) = 0;
+ virtual int audit_system_log_get_subject_name(char **name) = 0;
virtual int audit_system_log_get_subject_owner(uid_t *uid, gid_t *gid) = 0;
virtual int audit_system_log_get_subject_effective_owner(uid_t *euid, gid_t *egid) = 0;
virtual int audit_system_log_get_subject_pid(pid_t *pid) = 0;
- virtual int audit_system_log_get_subject_smack_label(const char **label) = 0;
+ virtual int audit_system_log_get_subject_smack_label(char **label) = 0;
virtual int audit_system_log_get_object_type(int *type) = 0;
virtual int audit_system_log_get_object_owner(uid_t *uid, gid_t *gid) = 0;
- virtual int audit_system_log_get_object_effective_owner(uid_t *euid, gid_t *egid) = 0;
virtual int audit_system_log_get_object_permission(mode_t *mode) = 0;
- virtual int audit_system_log_get_object_smack_label(const char **label) = 0;
- virtual int audit_system_log_get_object_name(const char **name) = 0;
+ virtual int audit_system_log_get_object_smack_label(char **label) = 0;
+ virtual int audit_system_log_get_object_name(char **name) = 0;
virtual int audit_system_log_get_object_pid(pid_t *pid) = 0;
virtual int audit_system_log_get_object_inode(ino_t *inode) = 0;
- virtual int audit_system_log_object_sockaddr(const char **socketaddr) = 0;
+ virtual int audit_system_log_get_object_sockaddr(struct sockaddr *addr, int *family) = 0;
virtual int audit_system_log_get_action_systemcall(unsigned int *systemcall) = 0;
virtual int audit_system_log_get_action_arguments(unsigned int (*args)[4]) = 0;
virtual int audit_system_log_get_action_exitcode(int *exitcode) = 0;
virtual int audit_user_log_get_time(time_t *time, unsigned short *ms) = 0;
virtual int audit_user_log_get_pid(pid_t *pid) = 0;
virtual int audit_user_log_get_type(int *type) = 0;
- virtual int audit_user_log_get_text(const char **text) = 0;
+ virtual int audit_user_log_get_text(char **text) = 0;
};
#endif // AUDITTRAILSTUB_H
#include "audit_trail_client.h"
#include "audit_trail_mock.h"
#include "ireportermock.h"
-#include <iostream>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <cstring>
using namespace NMD;
using ::testing::Return;
namespace
{
+
+enum {
+ OBJECT_TYPE_NOOBJECT,
+ OBJECT_TYPE_PROCESS,
+ OBJECT_TYPE_FILE,
+ OBJECT_TYPE_SOCKET,
+};
+
const int SYSCALL_CB_ID = 1;
const int USER_CB_ID = 2;
const gid_t TEST_SYS_SUBJ_EGID = 4;
const pid_t TEST_SYS_SUBJ_PID = 5;
const char* TEST_SYS_SUBJ_LABEL = "subj_label";
-const int TEST_SYS_OBJ_TYPE = 6;
+const int TEST_SYS_OBJ_TYPE = OBJECT_TYPE_SOCKET;
const uid_t TEST_SYS_OBJ_UID = 7;
const gid_t TEST_SYS_OBJ_GID = 8;
const uid_t TEST_SYS_OBJ_EUID = 9;
const pid_t TEST_USER_PID = 21;
const int TEST_USER_TYPE = 22;
const char* TEST_USER_TEXT = "user-text";
-
+const char* TEST_SOCKADDR = "11.22.33.44";
}
ACTION_P(invokeCallbackWith, h) { arg0(h, arg1); }
}
}
+ACTION_P2(saddrAssign, p1, p2) { \
+ if (nullptr != arg0) memcpy(arg0, p1, sizeof(struct sockaddr)); \
+ *arg1 = p2;\
+}
+
/**
* @brief TEST for auditing usecase
* 1. Create objects and mocks
AuditTrailUserLogMock userLog;
NetworkManager::IReporterMock reporter;
+ struct sockaddr_in saddr;
+ saddr.sin_family = AF_INET;
+ saddr.sin_port = 80;
+ inet_aton(TEST_SOCKADDR, &saddr.sin_addr);
EXPECT_CALL(reporter, sendReport(Eq(std::string{"syscall"}), _)).Times(1);
EXPECT_CALL(reporter, sendReport(Eq(std::string{"user"}), _)).Times(1);
EXPECT_CALL(sysLog, audit_system_log_get_subject_name(_))
.WillOnce(
DoAll(
- SetArgPointee<0>(TEST_SYS_SUBJ_NAME),
+ SetArgPointee<0>(strdup(TEST_SYS_SUBJ_NAME)),
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
EXPECT_CALL(sysLog, audit_system_log_get_subject_smack_label(_))
.WillOnce(
DoAll(
- SetArgPointee<0>(TEST_SYS_SUBJ_LABEL),
+ SetArgPointee<0>(strdup(TEST_SYS_SUBJ_LABEL)),
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
- EXPECT_CALL(sysLog, audit_system_log_get_object_effective_owner(_, _))
- .WillOnce(
- DoAll(
- SetArgPointee<0>(TEST_SYS_OBJ_EUID),
- SetArgPointee<1>(TEST_SYS_OBJ_EGID),
- Return(AUDIT_TRAIL_ERROR_NONE)
- )
- );
EXPECT_CALL(sysLog, audit_system_log_get_object_permission(_))
.WillOnce(
DoAll(
EXPECT_CALL(sysLog, audit_system_log_get_object_smack_label(_))
.WillOnce(
DoAll(
- SetArgPointee<0>(TEST_SYS_OBJ_LABEL),
+ SetArgPointee<0>(strdup(TEST_SYS_OBJ_LABEL)),
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
EXPECT_CALL(sysLog, audit_system_log_get_object_name(_))
.WillOnce(
DoAll(
- SetArgPointee<0>(TEST_SYS_OBJ_NAME),
+ SetArgPointee<0>(strdup(TEST_SYS_OBJ_NAME)),
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
+ EXPECT_CALL(sysLog, audit_system_log_get_object_sockaddr(_,_))
+ .WillRepeatedly(
+ DoAll(
+ saddrAssign(&saddr, AF_INET),
+ Return(AUDIT_TRAIL_ERROR_NONE)
+ )
+ );
EXPECT_CALL(sysLog, audit_system_log_get_action_exitcode(_))
.WillOnce(
DoAll(
EXPECT_CALL(userLog, audit_user_log_get_text(_))
.WillOnce(
DoAll(
- SetArgPointee<0>(TEST_USER_TEXT),
+ SetArgPointee<0>(strdup(TEST_USER_TEXT)),
Return(AUDIT_TRAIL_ERROR_NONE)
)
);
.WillOnce(Return(AUDIT_TRAIL_ERROR_NO_DATA));
EXPECT_CALL(sysLog, audit_system_log_get_object_owner(_, _))
.WillOnce(Return(AUDIT_TRAIL_ERROR_NO_DATA));
- EXPECT_CALL(sysLog, audit_system_log_get_object_effective_owner(_, _))
- .WillOnce(Return(AUDIT_TRAIL_ERROR_NO_DATA));
EXPECT_CALL(sysLog, audit_system_log_get_object_permission(_))
.WillOnce(Return(AUDIT_TRAIL_ERROR_NO_DATA));
EXPECT_CALL(sysLog, audit_system_log_get_object_smack_label(_))
* 3. Search for owned devices
* 4. Iterate thoughout the list and print devices info
*/
-TEST(Test_REST, test_get)
+TEST(Test_REST, DISABLED_test_get)
{
try {
RestRequest request("http://106.125.46.139:11000/swagger-ui.html#/rest-device");
projects / platform / core / security / suspicious-activity-monitor.git / commitdiff