[PATCH 5/5] Add support for loginuid_set option for event filtering and searches.

Richard Guy Briggs rgb at redhat.com
Tue Aug 2 09:39:01 UTC 2016


Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 trunk/src/aureport-options.c |    1 +
 trunk/src/ausearch-common.h  |    1 +
 trunk/src/ausearch-options.c |   43 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-parse.c   |   16 +++++++-------
 4 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index b15cbb5..a0c78ea 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -44,6 +44,7 @@ int no_config = 0;
 /* These are for compatibility with parser */
 unsigned int event_id = -1;
 uid_t event_uid = -1, event_loginuid = -2, event_euid = -1;
+int event_loginuid_set = -1;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
 gid_t event_gid = -1, event_egid = -1;
 slist *event_node_list = NULL;
diff --git a/trunk/src/ausearch-common.h b/trunk/src/ausearch-common.h
index d60ea5f..cdb51e9 100644
--- a/trunk/src/ausearch-common.h
+++ b/trunk/src/ausearch-common.h
@@ -48,6 +48,7 @@ extern gid_t event_gid, event_egid;
 extern pid_t event_pid;
 extern int event_exact_match;
 extern uid_t event_uid, event_euid, event_loginuid;
+extern int event_loginuid_set;
 extern const char *event_tuid, *event_teuid, *event_tauid;
 slist *event_node_list;
 extern const char *event_comm;
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index f970c76..143a26f 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -50,6 +50,7 @@ success_t event_success = S_UNSET;
 int event_exact_match = 0;
 uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
+int event_loginuid_set = -1;
 int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
@@ -84,7 +85,7 @@ struct nv_pair {
 
 enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
-S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
+S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_LOGINUID_SET,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
@@ -159,6 +160,7 @@ static struct nv_pair optiontab[] = {
 	{ S_UUID, "--uuid" },
 	{ S_LOGINID, "-ul" },
 	{ S_LOGINID, "--loginuid" },
+	{ S_LOGINUID_SET, "--loginuid_set" },
 	{ S_VERSION, "-v" },
 	{ S_VERSION, "--version" },
 	{ S_VMNAME, "-vm" },
@@ -221,6 +223,7 @@ static void usage(void)
 	"\t-ue,--uid-effective <effective User id>  search based on Effective\n\t\t\t\t\tuser id\n"
 	"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
 	"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+	"\t--loginuid_set <0/1>\tsearch based on the User's Login id set or unset\n"
 	"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
 	"\t\t\t\t\tmachine with the given UUID.\n"
 	"\t-v,--version\t\t\tversion\n"
@@ -1107,6 +1110,44 @@ int check_params(int count, char *vars[])
 			}
 			c++;
 			break;
+		case S_LOGINUID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{
+			size_t len = strlen(optarg);
+                        if (isdigit(optarg[0])) {
+				errno = 0;
+                        	event_loginuid = strtoul(optarg,NULL,10);
+				if (errno) {
+                        		fprintf(stderr, 
+						"Error (%s) converting %s\n",
+						strerror(errno), optarg);
+                                        retval = -1;
+				}
+				if (event_loginuid_set > 1) {
+					fprintf(stderr, 
+					"Loginuid_set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+                        } else {
+				fprintf(stderr, 
+				"Loginuid_set must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+                        }
+			}
+			c++;
+			break;
 		case S_UUID:
 			if (!optarg) {
 				fprintf(stderr,
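Review bot: The converted value lands in the wrong variable — `event_loginuid = strtoul(optarg,NULL,10);` should assign `event_loginuid_set`, so the new option never sets `event_loginuid_set` (it stays at -1 and the following `event_loginuid_set > 1` check can never fire), while `event_loginuid` is overwritten with 0 or 1; because the parser treats any value other than -2 as an active loginuid filter, `--loginuid_set 1` silently behaves like `--loginuid 1` and the search result no longer reflects what was asked for. The NULL end pointer also accepts trailing characters such as `1x`, `size_t len` is assigned but never used, and this case mixes space and tab indentation unlike the surrounding tab-indented switch. The rewrite below stores into the right variable, rejects anything but a bare `0` or `1` via the end pointer, and drops the unused local. check_params continues outside the hunk.
```c
		case S_LOGINUID_SET:
			// … unchanged: missing-argument handling …
			{
				char *end = NULL;
				errno = 0;
				unsigned long v = strtoul(optarg, &end, 10);
				/* only a bare "0" or "1" is a valid boolean; reject
				 * range errors and trailing characters as well */
				if (!isdigit((unsigned char)optarg[0]) || errno ||
				    *end != '\0' || v > 1) {
					fprintf(stderr,
					"Loginuid_set must be a boolean value, was %s\n",
						optarg);
					retval = -1;
				} else
					event_loginuid_set = (int)v;
			}
			c++;
			break;
```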
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index c45d54e..a489d25 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -251,7 +251,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		*term = ' ';
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL) {
 			str = strstr(term, "loginuid=");
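Review bot: These eight hunks (parse_task_info here, and the identical condition in parse_user, parse_login, parse_daemon1, parse_integrity, parse_kernel_anom, parse_simple_message and parse_tty) now extract the auid whenever `event_loginuid_set != -1`, but nothing in this patch reads `event_loginuid_set` afterwards and the diffstat lists no change to the matching code, so unless an earlier patch in the series added that comparison the option has no effect on which events are reported; the match step belongs with this patch or should be referenced in the commit message. Several of the guarded blocks also return early when no auid field is present (parse_daemon1, parse_kernel_anom, parse_simple_message, parse_tty), so `--loginuid_set 0` cannot match records that carry no auid at all; if that is intended, a comment such as `// records without an auid field are skipped even for --loginuid_set 0` on the condition would make it explicit. parse_task_info starts and ends outside the hunk.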
@@ -823,7 +823,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tuid = lookup_uid("uid", s->uid);
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		*term = ' ';
 		str = strstr(term, "auid=");
 		if (str == NULL) { // Try the older one
@@ -1271,7 +1271,7 @@ static int parse_login(const lnode *n, search_items *s)
 		}
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "new auid=");
 		if (str == NULL) {
 			// 3.14 kernel changed it to the next line
@@ -1354,7 +1354,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
 	term = mptr;
 
 	// optionally get auid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(mptr, "auid=");
 		if (str == NULL)
 			return 1;
@@ -1613,7 +1613,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(n->message, "auid=");
 		if (str) {
 			ptr = str + 5;
@@ -1890,7 +1890,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 1;
@@ -2078,7 +2078,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid - old kernels skip auid for CONFIG_CHANGE
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL && n->type != AUDIT_CONFIG_CHANGE)
 			return 1;
@@ -2257,7 +2257,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 5;
-- 
1.7.1



