|
1 | 1 | /* |
2 | 2 | * aureport-scan.c - Extract interesting fields and check for match |
3 | | -* Copyright (c) 2005-06,2008,2011,2014-15 Red Hat Inc., Durham, North Carolina. |
| 3 | +* Copyright (c) 2005-06,2008,2011,2014-15 Red Hat Inc. |
4 | 4 | * All Rights Reserved. |
5 | 5 | * |
6 | 6 | * This software may be freely redistributed and/or modified under the |
|
36 | 36 | static void do_summary_total(llist *l); |
37 | 37 | static int per_event_summary(llist *l); |
38 | 38 | static int per_event_detailed(llist *l); |
| 39 | +static void aggregate_anom_item(llist *l); |
| 40 | +static void aggregate_resp_item(llist *l); |
| 41 | +static void aggregate_crypto_item(llist *l); |
39 | 42 |
|
40 | 43 | summary_data sd; |
41 | 44 |
|
@@ -108,7 +111,65 @@ void destroy_counters(void) |
108 | 111 | ilist_clear(&sd.resp_list); |
109 | 112 | ilist_create(&sd.crypto_list); |
110 | 113 | ilist_create(&sd.virt_list); |
111 | | - ilist_create(&sd.integ_list); |
| 114 | + ilist_create(&sd.integ_list); |
| 115 | +} |
| 116 | + |
| 117 | +/* Aggregate counts and key fields for anomaly events. |
| 118 | + * l - pointer to event list |
| 119 | + */ |
| 120 | +static void aggregate_anom_item(llist *l) |
| 121 | +{ |
| 122 | + if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, |
| 123 | + AUDIT_LAST_ANOM_MSG)) { |
| 124 | + ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); |
| 125 | + } else if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, |
| 126 | + AUDIT_LAST_KERN_ANOM_MSG) || |
| 127 | + list_find_msg(l, AUDIT_SECCOMP)) { |
| 128 | + ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); |
| 129 | + } |
| 130 | + if (l->s.exe) |
| 131 | + slist_add_if_uniq(&sd.exes, l->s.exe); |
| 132 | + else if (l->s.comm) |
| 133 | + slist_add_if_uniq(&sd.comms, l->s.comm); |
| 134 | + if (l->s.terminal) |
| 135 | + slist_add_if_uniq(&sd.terms, l->s.terminal); |
| 136 | + if (l->s.hostname) |
| 137 | + slist_add_if_uniq(&sd.hosts, l->s.hostname); |
| 138 | + if (l->s.loginuid != -2) { |
| 139 | + char tmp[32]; |
| 140 | + |
| 141 | + aulookup_uid(l->s.loginuid, tmp, sizeof(tmp)); |
| 142 | + slist_add_if_uniq(&sd.users, tmp); |
| 143 | + } |
| 144 | +} |
| 145 | + |
| 146 | +/* Aggregate counts and key fields for anomaly response events. |
| 147 | + * l - pointer to event list |
| 148 | + */ |
| 149 | +static void aggregate_resp_item(llist *l) |
| 150 | +{ |
| 151 | + if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, |
| 152 | + AUDIT_LAST_ANOM_RESP)) |
| 153 | + ilist_add_if_uniq(&sd.resp_list, l->head->type, 0); |
| 154 | +} |
| 155 | + |
| 156 | +/* Aggregate counts and key fields for crypto events. |
| 157 | + * l - pointer to event list |
| 158 | + */ |
| 159 | +static void aggregate_crypto_item(llist *l) |
| 160 | +{ |
| 161 | + if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG, |
| 162 | + AUDIT_LAST_KERN_CRYPTO_MSG) || |
| 163 | + list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG, |
| 164 | + AUDIT_LAST_CRYPTO_MSG)) |
| 165 | + ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0); |
| 166 | + |
| 167 | + if (l->s.loginuid != -2) { |
| 168 | + char tmp[32]; |
| 169 | + |
| 170 | + aulookup_uid(l->s.loginuid, tmp, sizeof(tmp)); |
| 171 | + slist_add_if_uniq(&sd.users, tmp); |
| 172 | + } |
112 | 173 | } |
113 | 174 |
|
114 | 175 | /* This function will return 0 on no match and 1 on match */ |
@@ -723,53 +784,56 @@ static int per_event_detailed(llist *l) |
723 | 784 | break; |
724 | 785 | case RPT_ANOMALY: |
725 | 786 | if (report_detail == D_DETAILED) { |
726 | | - if (list_find_msg_range(l, |
| 787 | + if (list_find_msg_range(l, |
727 | 788 | AUDIT_FIRST_ANOM_MSG, |
728 | 789 | AUDIT_LAST_ANOM_MSG)) { |
729 | 790 | print_per_event_item(l); |
730 | 791 | rc = 1; |
731 | 792 | } else { |
732 | | - if (list_find_msg_range(l, |
| 793 | + if (list_find_msg_range(l, |
733 | 794 | AUDIT_FIRST_KERN_ANOM_MSG, |
734 | 795 | AUDIT_LAST_KERN_ANOM_MSG) || |
735 | 796 | list_find_msg(l, AUDIT_SECCOMP) ) { |
736 | 797 | print_per_event_item(l); |
737 | 798 | rc = 1; |
738 | 799 | } |
739 | 800 | } |
740 | | - } else { // FIXME: specific anom report |
741 | | - UNIMPLEMENTED; |
| 801 | + } else { |
| 802 | + aggregate_anom_item(l); |
| 803 | + rc = 1; |
742 | 804 | } |
743 | 805 | break; |
744 | 806 | case RPT_RESPONSE: |
745 | 807 | if (report_detail == D_DETAILED) { |
746 | | - if (list_find_msg_range(l, |
| 808 | + if (list_find_msg_range(l, |
747 | 809 | AUDIT_FIRST_ANOM_RESP, |
748 | 810 | AUDIT_LAST_ANOM_RESP)) { |
749 | 811 | print_per_event_item(l); |
750 | 812 | rc = 1; |
751 | 813 | } |
752 | | - } else { // FIXME: specific resp report |
753 | | - UNIMPLEMENTED; |
| 814 | + } else { |
| 815 | + aggregate_resp_item(l); |
| 816 | + rc = 1; |
754 | 817 | } |
755 | 818 | break; |
756 | 819 | case RPT_CRYPTO: |
757 | 820 | if (report_detail == D_DETAILED) { |
758 | | - if (list_find_msg_range(l, |
| 821 | + if (list_find_msg_range(l, |
759 | 822 | AUDIT_FIRST_KERN_CRYPTO_MSG, |
760 | 823 | AUDIT_LAST_KERN_CRYPTO_MSG)) { |
761 | 824 | print_per_event_item(l); |
762 | 825 | rc = 1; |
763 | 826 | } else { |
764 | | - if (list_find_msg_range(l, |
| 827 | + if (list_find_msg_range(l, |
765 | 828 | AUDIT_FIRST_CRYPTO_MSG, |
766 | 829 | AUDIT_LAST_CRYPTO_MSG)) { |
767 | 830 | print_per_event_item(l); |
768 | 831 | rc = 1; |
769 | 832 | } |
770 | 833 | } |
771 | | - } else { // FIXME: specific crypto report |
772 | | - UNIMPLEMENTED; |
| 834 | + } else { |
| 835 | + aggregate_crypto_item(l); |
| 836 | + rc = 1; |
773 | 837 | } |
774 | 838 | break; |
775 | 839 | case RPT_KEY: |
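Review bot: The new summary helpers key every event on `l->head->type` (both `ilist_add_if_uniq(&sd.anom_list, ...)` calls in aggregate_anom_item, and the resp_list and crypto_list adds), which is the type of the event's first record rather than the record that `list_find_msg_range`/`list_find_msg` just matched, so an anomaly, response or crypto record that is not first in a multi-record event is tallied under the wrong type in the summary. If the find helpers leave the match in `l->cur` (the llist implementation is outside this page, so please confirm), the fix is `l->cur->type` in all four calls. Separately, the two branches of aggregate_anom_item do the same thing and collapse into one condition, `if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG) || list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG) || list_find_msg(l, AUDIT_SECCOMP))`. The summary branches also set `rc = 1` unconditionally while the detailed branches set it only on a match; unless the scan stage already filters events by report type, the helpers should return whether they matched and rc should follow that, otherwise exe/user fields of unrelated events leak into sd.exes/sd.users. per_event_detailed starts and ends outside this hunk.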
|