microsoft
/
OMS-Auditd-Plugin
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Add setting of backlog_wait_time.

This commit is contained in:
Tad Glines 2020-03-03 12:46:54 -08:00
Родитель 9e3ae80214
Коммит 036a478738
8 изменённых файлов: 483 добавлений и 51 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

54
AuditRulesMonitor.cpp
Просмотреть файл

@ -1,15 +1,25 @@
//
// Created by tad on 3/18/19.
//
/*
microsoft-oms-auditd-plugin
Copyright (c) Microsoft Corporation
All rights reserved.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ""Software""), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include <sstream>
#include "AuditRulesMonitor.h"
#include "Logger.h"
#include "ExecUtil.h"
#define PREFERRED_BACKLOG_LIMIT 8192
#include "AuditStatus.h"
void AuditRulesMonitor::run() {
Logger::Info("AuditRulesMonitor: Starting");
@ -278,23 +288,33 @@ bool AuditRulesMonitor::check_kernel_rules() {
}
void AuditRulesMonitor::check_audit_status() {
audit_status status;
auto ret = NetlinkRetry([this,&status]() { return _netlink.AuditGet(status); } );
AuditStatus status;
auto ret = NetlinkRetry([this,&status]() { return status.GetStatus(_netlink); } );
if (ret != 0) {
Logger::Error("Failed to get audit status: %s", std::strerror(-ret));
return;
}
if (status.backlog_limit < PREFERRED_BACKLOG_LIMIT) {
Logger::Error("Increasing audit backlog limit from %u to %u", status.backlog_limit, PREFERRED_BACKLOG_LIMIT);
ret = NetlinkRetry([this]() {
audit_status status;
::memset(&status, 0, sizeof(status));
status.mask = AUDIT_STATUS_BACKLOG_LIMIT;
status.backlog_limit = PREFERRED_BACKLOG_LIMIT;
return _netlink.AuditSet(status);
if (status.GetBacklogLimit() < _backlog_limit) {
AuditStatus new_status;
Logger::Error("Increasing audit backlog limit from %u to %u", status.GetBacklogLimit(), _backlog_limit);
new_status.SetBacklogLimit(_backlog_limit);
ret = NetlinkRetry([this,&new_status]() {
return new_status.UpdateStatus(_netlink);
});
if (ret != 0) {
Logger::Error("Failed to set audit backlog limit to %d: %s", PREFERRED_BACKLOG_LIMIT, std::strerror(-ret));
Logger::Error("Failed to set audit backlog limit to %d: %s", _backlog_limit, std::strerror(-ret));
return;
}
}
if (status.HasFeature(AuditStatus::Feature::BacklogWaitTime) && status.GetBacklogWaitTime() < _backlog_wait_time) {
AuditStatus new_status;
Logger::Error("Increasing audit backlog wait time from %u to %u", status.GetBacklogWaitTime(), _backlog_wait_time);
new_status.SetBacklogWaitTime(_backlog_wait_time);
ret = NetlinkRetry([this,&new_status]() {
return new_status.UpdateStatus(_netlink);
});
if (ret != 0) {
Logger::Error("Failed to set audit backlog wait time to %d: %s", _backlog_wait_time, std::strerror(-ret));
return;
}
}

7
AuditRulesMonitor.h
Просмотреть файл

@ -25,8 +25,9 @@
class AuditRulesMonitor: public RunBase {
public:
AuditRulesMonitor(Netlink& netlink, const std::string& audit_rules_dir, std::shared_ptr<OperationalStatus> op_status):
_netlink(netlink), _audit_rules_dir(audit_rules_dir), _op_status(op_status), _last_audit_file_check(), _last_auoms_file_check(), _desired_rules(), _rules_immutable(false) {}
AuditRulesMonitor(Netlink& netlink, const std::string& audit_rules_dir, uint32_t backlog_limit, uint32_t backlog_wait_time, std::shared_ptr<OperationalStatus> op_status):
_netlink(netlink), _audit_rules_dir(audit_rules_dir), _backlog_limit(backlog_limit), _backlog_wait_time(_backlog_wait_time), _op_status(op_status),
_last_audit_file_check(), _last_auoms_file_check(), _desired_rules(), _rules_immutable(false) {}
protected:
void run() override;
@ -40,6 +41,8 @@ private:
Netlink& _netlink;
std::string _audit_rules_dir;
uint32_t _backlog_limit;
uint32_t _backlog_wait_time;
std::shared_ptr<OperationalStatus> _op_status;
std::chrono::steady_clock::time_point _last_audit_file_check;
std::chrono::steady_clock::time_point _last_auoms_file_check;

48
AuditStatus.cpp Normal file
Просмотреть файл

@ -0,0 +1,48 @@
/*
microsoft-oms-auditd-plugin
Copyright (c) Microsoft Corporation
All rights reserved.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ""Software""), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include "AuditStatus.h"
#include <cstdint>
int AuditStatus::GetStatus(Netlink& netlink) {
::memset(this, 0, sizeof(AuditStatus));
bool received_response = false;
auto ret = netlink.Send(AUDIT_GET, nullptr, 0, [this,&received_response](uint16_t type, uint16_t flags, const void* data, size_t len) -> bool {
if (type == AUDIT_GET) {
std::memcpy(this, data, std::min(len, sizeof(AuditStatus)));
received_response = true;
}
return true;
});
if (ret != 0) {
return ret;
}
if (!received_response) {
return -ENOMSG;
}
return 0;
}
int AuditStatus::UpdateStatus(Netlink& netlink) {
size_t size = sizeof(AuditStatus);
if ((_mask & ~static_cast<uint32_t>(FieldMask::V1Status)) == 0) {
size = offsetof(AuditStatus, _feature_bitmap);
}
return netlink.Send(AUDIT_SET, this, size, nullptr);
}

120
AuditStatus.h Normal file
Просмотреть файл

@ -0,0 +1,120 @@
/*
microsoft-oms-auditd-plugin
Copyright (c) Microsoft Corporation
All rights reserved.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ""Software""), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifndef AUOMS_AUDITSTATUS_H
#define AUOMS_AUDITSTATUS_H
#include "Netlink.h"
class AuditStatus {
public:
enum class FieldMask: uint32_t {
Enabled = 0x0001, // AUDIT_STATUS_ENABLED
Failure = 0x0002, // AUDIT_STATUS_FAILURE
Pid = 0x0004, // AUDIT_STATUS_PID
RateLimit = 0x0008, // AUDIT_STATUS_RATE_LIMIT
BacklogLimit = 0x0010, // AUDIT_STATUS_BACKLOG_LIMIT
BacklogWaitTime = 0x0020, // AUDIT_STATUS_BACKLOG_WAIT_TIME
Lost = 0x0040, // AUDIT_STATUS_LOST
V1Status = 0x001F, // Only fields available in old kernels (e.g. < 3.12.0)
};
enum class Feature: uint32_t {
BacklogLimit = 0x00000001, // AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
BacklogWaitTime = 0x00000002, // AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
ExecutablePath = 0x00000004, // AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
ExcludeExtend = 0x00000008, // AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
SessionidFilter = 0x00000010, // AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
LostReset = 0x00000020, // AUDIT_FEATURE_BITMAP_LOST_RESET
FilterFs = 0x00000040, // AUDIT_FEATURE_BITMAP_FILTER_FS
};
AuditStatus() {
::memset(this, 0, sizeof(AuditStatus));
}
inline bool HasFeature(Feature feature) {
if (feature == Feature::BacklogLimit) {
return _feature_bitmap == 0 || (_feature_bitmap & static_cast<uint32_t>(Feature::BacklogLimit)) != 0;
} else {
return (_feature_bitmap & static_cast<uint32_t>(feature)) != 0;
}
}
uint32_t GetEnabled() { return _enabled; }
uint32_t GetFailure() { return _failure; }
uint32_t GetPid() { return _pid; }
uint32_t GetRateLimit() { return _rate_limit; }
uint32_t GetBacklogLimit() { return _backlog_limit; }
uint32_t GetLost() { return _lost; }
uint32_t GetBacklog() { return _backlog; }
uint32_t GetBacklogWaitTime() { return _backlog_wait_time; }
void SetEnabled(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::Enabled);
_enabled = value;
}
void SetFailure(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::Failure);
_failure = value;
}
void SetPid(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::Pid);
_pid = value;
}
void SetRateLimit(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::RateLimit);
_rate_limit = value;
}
void SetBacklogLimit(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::BacklogLimit);
_backlog_limit = value;
}
void SetBacklogWaitTime(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::BacklogWaitTime);
_backlog_wait_time = value;
}
void SetLost(uint32_t value) {
_mask |= static_cast<uint32_t>(FieldMask::Lost);
_lost = value;
}
int GetStatus(Netlink& netlink);
int UpdateStatus(Netlink& netlink);
private:
// These fields mirror the struct audit_status fields defined in /usr/include/linux/audit.h
// DO NOT ADD OR REMOVE ANY FIELDS IN THE CLASS (except to mirror struct audit_status fields defined in /usr/include/linux/audit.h)
uint32_t _mask;
uint32_t _enabled;
uint32_t _failure;
uint32_t _pid;
uint32_t _rate_limit;
uint32_t _backlog_limit;
uint32_t _lost;
uint32_t _backlog;
uint32_t _feature_bitmap;
uint32_t _backlog_wait_time;
};
#endif //AUOMS_AUDITSTATUS_H

2
CMakeLists.txt
Просмотреть файл

@ -138,6 +138,7 @@ add_executable(auoms
TranslateErrno.cpp
AuditRules.cpp
AuditRulesMonitor.cpp
AuditStatus.cpp AuditStatus.h
KernelInfo.cpp
Version.cpp
UnixDomainListener.cpp
@ -175,6 +176,7 @@ add_executable(auomsctl
auoms_version.h
Netlink.cpp
NetlinkAudit.cpp
AuditStatus.cpp AuditStatus.h
RunBase.cpp
Signals.cpp
Logger.cpp

2
SyscallMetrics.cpp
Просмотреть файл

@ -81,7 +81,7 @@ bool SyscallMetrics::init() {
}
if (!PathExists(FTRACE_SYS_ENTER_TRIGGER) || !PathExists(FTRACE_SYS_ENTER_HIST)) {
Logger::Warn("SyscallMetrics: ftrace doesn't support hist trigger on this system, syscall metrics will not be collected", FTRACE_INSTANCE_DIR);
Logger::Warn("SyscallMetrics: ftrace doesn't support hist trigger on this system, syscall metrics will not be collected");
return false;
}

14
auoms.cpp
Просмотреть файл

@ -128,6 +128,9 @@ int main(int argc, char**argv) {
std::string data_dir = AUOMS_DATA_DIR;
std::string run_dir = AUOMS_RUN_DIR;
uint32_t backlog_limit = 10240;
uint32_t backlog_wait_time = 1;
if (config.HasKey("outconf_dir")) {
outconf_dir = config.GetString("outconf_dir");
}
@ -170,6 +173,14 @@ int main(int argc, char**argv) {
}
}
if (config.HasKey("backlog_limit")) {
backlog_limit = static_cast<uint32_t>(config.GetUint64("backlog_limit"));
}
if (config.HasKey("backlog_wait_time")) {
backlog_limit = static_cast<uint32_t>(config.GetUint64("backlog_wait_time"));
}
std::string input_socket_path = run_dir + "/input.socket";
std::string status_socket_path = run_dir + "/status.socket";
std::string queue_file = data_dir + "/queue.dat";
@ -257,11 +268,10 @@ int main(int argc, char**argv) {
Netlink netlink;
netlink.Open(nullptr);
CollectionMonitor collection_monitor(netlink, queue, auditd_path, collector_path, collector_config_path);
collection_monitor.Start();
AuditRulesMonitor rules_monitor(netlink, rules_dir, operational_status);
AuditRulesMonitor rules_monitor(netlink, rules_dir, backlog_limit, backlog_wait_time, operational_status);
rules_monitor.Start();
auto user_db = std::make_shared<UserDB>();

287
auomsctl.cpp
Просмотреть файл

@ -29,6 +29,7 @@
#include "Translate.h"
#include "UnixDomainListener.h"
#include "Event.h"
#include "AuditStatus.h"
#include <iostream>
@ -68,9 +69,19 @@ void usage()
;
}
int show_audit_status() {
bool check_permissions() {
if (geteuid() != 0) {
std::cerr << "Must be root to request audit status" << std::endl;
std::cerr << "Must be root to perform this operation" << std::endl;
return false;
}
return true;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int show_audit_status() {
if (!check_permissions()) {
return 1;
}
@ -83,8 +94,8 @@ int show_audit_status() {
return 1;
}
audit_status status;
ret = NetlinkRetry([&netlink,&status]() { return netlink.AuditGet(status); });
AuditStatus status;
ret = NetlinkRetry([&netlink,&status]() { return status.GetStatus(netlink); });
netlink.Close();
@ -93,20 +104,119 @@ int show_audit_status() {
return 1;
}
std::cout << "enabled " << status.enabled << std::endl;
std::cout << "failure " << status.failure << std::endl;
std::cout << "pid " << status.pid << std::endl;
std::cout << "rate_limit " << status.rate_limit << std::endl;
std::cout << "backlog_limit " << status.backlog_limit << std::endl;
std::cout << "lost " << status.lost << std::endl;
std::cout << "backlog " << status.backlog << std::endl;
std::cout << "enabled " << status.GetEnabled() << std::endl;
std::cout << "failure " << status.GetFailure() << std::endl;
std::cout << "pid " << status.GetPid() << std::endl;
std::cout << "rate_limit " << status.GetRateLimit() << std::endl;
std::cout << "backlog_limit " << status.GetBacklogLimit() << std::endl;
std::cout << "lost " << status.GetLost() << std::endl;
std::cout << "backlog " << status.GetBacklog() << std::endl;
if (status.HasFeature(AuditStatus::Feature::BacklogWaitTime)) {
std::cout << "backlog_wait_time " << status.GetBacklogWaitTime() << std::endl;
}
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int set_backlog_limit(const std::string& str) {
if (!check_permissions()) {
return 1;
}
uint32_t backlog_limit = 0;
try {
backlog_limit = std::stoul(str);
} catch(std::exception&) {
std::cerr << "Invalid backlog limit (" << str << ")" << std::endl;
}
Netlink netlink;
netlink.SetQuite();
Defer([&netlink]() {netlink.Close();});
auto ret = netlink.Open(nullptr);
if (ret != 0) {
Logger::Error("Failed to open Netlink socket");
return 1;
}
AuditStatus status;
ret = NetlinkRetry([&netlink,&status]() { return status.GetStatus(netlink); });
if (ret != 0) {
Logger::Error("Failed to retrieve audit status: %s\n", strerror(-ret));
return 1;
}
if (status.GetBacklogLimit() != backlog_limit) {
AuditStatus new_status;
new_status.SetBacklogLimit(backlog_limit);
ret = NetlinkRetry([&netlink,&new_status]() { return new_status.UpdateStatus(netlink); });
if (ret != 0) {
Logger::Error("Failed to set backlog limit: %s\n", strerror(-ret));
return 1;
}
} else {
std::cerr << "The backlog limit is already set to (" << str << ")" << std::endl;
}
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int set_backlog_wait_time(const std::string& str) {
if (!check_permissions()) {
return 1;
}
uint32_t backlog_wait_time = 0;
try {
backlog_wait_time = std::stoul(str);
} catch(std::exception&) {
std::cerr << "Invalid backlog limit (" << str << ")" << std::endl;
}
Netlink netlink;
netlink.SetQuite();
Defer([&netlink]() {netlink.Close();});
auto ret = netlink.Open(nullptr);
if (ret != 0) {
Logger::Error("Failed to open Netlink socket");
return 1;
}
AuditStatus status;
ret = NetlinkRetry([&netlink,&status]() { return status.GetStatus(netlink); });
if (ret != 0) {
Logger::Error("Failed to retrieve audit status: %s\n", strerror(-ret));
return 1;
}
if (status.GetBacklogWaitTime() != backlog_wait_time) {
AuditStatus new_status;
new_status.SetBacklogWaitTime(backlog_wait_time);
ret = NetlinkRetry([&netlink,&new_status]() { return new_status.UpdateStatus(netlink); });
if (ret != 0) {
Logger::Error("Failed to set backlog wait time: %s\n", strerror(-ret));
return 1;
}
} else {
std::cerr << "The backlog wait time is already set to (" << str << ")" << std::endl;
}
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int list_rules(bool raw_fmt, const std::string& key) {
if (geteuid() != 0) {
std::cerr << "Must be root to request audit rules" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -148,9 +258,11 @@ int list_rules(bool raw_fmt, const std::string& key) {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int delete_rules(const std::string& key) {
if (geteuid() != 0) {
std::cerr << "Must be root to delete audit rules" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -201,9 +313,11 @@ int delete_rules(const std::string& key) {
return exit_code;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int load_rules(const std::string& path) {
if (geteuid() != 0) {
std::cerr << "Must be root to load audit rules" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -250,6 +364,9 @@ int load_rules(const std::string& path) {
return exit_code;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int print_rules(const std::string& path) {
try {
auto lines = ReadFile(path);
@ -272,6 +389,9 @@ int print_rules(const std::string& path) {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int merge_rules(const std::string& file1, const std::string& file2) {
try {
auto rules1 = ParseRules(ReadFile(file1), nullptr);
@ -288,6 +408,9 @@ int merge_rules(const std::string& file1, const std::string& file2) {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int diff_rules(const std::string& file1, const std::string& file2) {
try {
auto rules1 = MergeRules(ParseRules(ReadFile(file1), nullptr));
@ -304,9 +427,11 @@ int diff_rules(const std::string& file1, const std::string& file2) {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int show_auoms_status() {
if (geteuid() != 0) {
std::cerr << "Must be root to request auoms status" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -327,6 +452,9 @@ int show_auoms_status() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
std::string get_service_util_path() {
std::string path = "/sbin/service";
if (!PathExists(path)) {
@ -338,6 +466,9 @@ std::string get_service_util_path() {
return path;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool is_auditd_plugin_enabled() {
if (!PathExists(AUOMS_PLUGIN_FILE)) {
return false;
@ -353,6 +484,10 @@ bool is_auditd_plugin_enabled() {
}
return false;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void set_auditd_plugin_status(bool enabled) {
std::vector<std::string> lines;
lines.emplace_back("# This file controls the auoms plugin.");
@ -372,6 +507,9 @@ void set_auditd_plugin_status(bool enabled) {
chmod(AUOMS_PLUGIN_FILE, 0640);
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool is_service_sysv_enabled() {
std::string service_name(AUOMS_SERVICE_NAME);
int count = 0;
@ -387,6 +525,9 @@ bool is_service_sysv_enabled() {
return count > 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool is_service_enabled() {
std::string service_name(AUOMS_SERVICE_NAME);
std::string path = SYSTEMCTL_PATH;
@ -409,6 +550,9 @@ bool is_service_enabled() {
return true;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void enable_service() {
std::string path;
std::vector<std::string> args;
@ -445,6 +589,9 @@ void enable_service() {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void disable_service() {
std::string path;
std::vector<std::string> args;
@ -482,6 +629,9 @@ void disable_service() {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool is_service_proc_running(const std::string& comm) {
std::string path = "/usr/bin/pgrep";
std::vector<std::string> args;
@ -507,6 +657,9 @@ bool is_service_proc_running(const std::string& comm) {
return true;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void kill_service_proc(const std::string& comm) {
std::string path = "/usr/bin/pkill";
std::vector<std::string> args;
@ -530,6 +683,9 @@ void kill_service_proc(const std::string& comm) {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void service_cmd(const std::string& svc_cmd, const std::string& name) {
std::string path = get_service_util_path();
std::vector<std::string> args;
@ -552,6 +708,9 @@ void service_cmd(const std::string& svc_cmd, const std::string& name) {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool start_service() {
if (is_service_proc_running(AUOMS_COMM)) {
return true;
@ -568,6 +727,9 @@ bool start_service() {
return false;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void stop_service() {
if (is_service_proc_running(AUOMS_COMM)) {
try {
@ -604,12 +766,18 @@ void stop_service() {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool restart_service() {
stop_service();
return start_service();
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool start_auditd_service() {
if (is_service_proc_running(AUDITD_COMM)) {
return true;
@ -625,6 +793,9 @@ bool start_auditd_service() {
return false;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void stop_auditd_service() {
service_cmd("stop", AUDITD_SERVICE_NAME);
@ -648,6 +819,9 @@ void stop_auditd_service() {
kill_service_proc(AUOMSCOLLECT_COMM);
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool restart_auditd_service() {
stop_auditd_service();
@ -659,9 +833,11 @@ bool restart_auditd_service() {
return is_service_proc_running(AUDITD_COMM);
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int enable_auoms() {
if (geteuid() != 0) {
std::cerr << "Must be root to enable auoms" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -704,6 +880,9 @@ int enable_auoms() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int remove_rules_from_audit_files() {
if (RemoveAuomsRulesAuditdFiles()) {
Cmd cmd(AUGENRULES_BIN, {}, Cmd::NULL_STDIN|Cmd::COMBINE_OUTPUT);
@ -718,9 +897,11 @@ int remove_rules_from_audit_files() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int disable_auoms() {
if (geteuid() != 0) {
std::cerr << "Must be root to disable auoms" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -754,6 +935,9 @@ int disable_auoms() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int start_auoms(bool all) {
int ret = 0;
try {
@ -776,6 +960,9 @@ int start_auoms(bool all) {
return ret;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int stop_auoms(bool all) {
try {
if (all && PathExists(AUDITD_BIN)) {
@ -791,6 +978,9 @@ int stop_auoms(bool all) {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int restart_auoms(bool all) {
int ret = 0;
try {
@ -811,6 +1001,9 @@ int restart_auoms(bool all) {
return ret;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
/*
* Return:
* 0 = running
@ -849,9 +1042,11 @@ int show_auoms_state() {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int tap_audit() {
if (geteuid() != 0) {
std::cerr << "Must be root to collect audit events" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -953,6 +1148,9 @@ int tap_audit() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
void handle_raw_connection(int fd) {
std::array<uint8_t, 1024*256> data;
@ -1011,6 +1209,9 @@ void handle_raw_connection(int fd) {
}
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
bool reload_auoms() {
std::string path = "/usr/bin/pkill";
std::vector<std::string> args;
@ -1037,9 +1238,11 @@ bool reload_auoms() {
return true;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int monitor_auoms_events() {
if (geteuid() != 0) {
std::cerr << "Must be root to collect audit events" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -1080,6 +1283,9 @@ int monitor_auoms_events() {
return retcode;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int set_rules() {
auto rules = ReadAuditRulesFromDir(AUOMS_RULES_DIR, nullptr);
std::vector<AuditRule> desired_rules;
@ -1141,6 +1347,9 @@ int set_rules() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
template<typename T>
bool is_set_intersect(T a, T b) {
for (auto& e: b) {
@ -1151,6 +1360,9 @@ bool is_set_intersect(T a, T b) {
return true;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int load_rules() {
auto rules = ReadAuditRulesFromDir(AUOMS_RULES_DIR, nullptr);
std::vector<AuditRule> desired_rules;
@ -1272,9 +1484,11 @@ int load_rules() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int upgrade() {
if (geteuid() != 0) {
std::cerr << "Must be root to enable auoms" << std::endl;
if (!check_permissions()) {
return 1;
}
@ -1337,6 +1551,9 @@ int upgrade() {
return 0;
}
/**********************************************************************************************************************
**
*********************************************************************************************************************/
int main(int argc, char**argv) {
if (argc < 2 || strlen(argv[1]) < 2) {
usage();
@ -1352,6 +1569,18 @@ int main(int argc, char**argv) {
return 0;
} else if (strcmp(argv[1], "-s") == 0) {
return show_audit_status();
} else if (strcmp(argv[1], "-bl") == 0) {
if (argc < 3) {
usage();
exit(1);
}
return set_backlog_limit(argv[2]);
} else if (strcmp(argv[1], "-bwt") == 0) {
if (argc < 3) {
usage();
exit(1);
}
return set_backlog_wait_time(argv[2]);
} else if (strcmp(argv[1], "-l") == 0) {
std::string key;
if (argc > 2) {