Patch: e4rat-0.2.3-alt-audit-3.0.7-compat.patch
diff --git a/e4rat/src/listener.cc b/e4rat/src/listener.cc
index f7f0fa1..3d367a0 100644
--- a/e4rat/src/listener.cc
+++ b/e4rat/src/listener.cc
@@ -149,32 +149,32 @@ void AuditListener::watchFileSystemType(long t)
watch_fs_types.insert(t);
}
-void addSyscall(struct audit_rule_data* rule, const char* sc, int machine)
+/*
+ * Apply audit rules to AUDIT_FILTER_EXIT filter.
+ * Monitor all syscalls initialize or perfrom file accesses.
+ */
+void AuditListener::insertAuditRules()
{
- int syscall_nr;
- syscall_nr = audit_name_to_syscall(sc, machine);
- if(syscall_nr == -1)
- throw std::logic_error("Cannot convert syscall to number");
-
- audit_rule_syscall_data(rule, syscall_nr);
-}
+ if(audit_fd < 0)
+ {
+ audit_fd = audit_open();
+ if (-1 == audit_fd)
+ throw std::logic_error("Cannot open audit socket");
+ }
-void AuditListener::activateRules(int machine)
-{
char field[128];
struct audit_rule_data* rule = (struct audit_rule_data*) calloc(1, sizeof(audit_rule_data));
- addSyscall(rule, "execve", machine);
- addSyscall(rule, "open", machine);
- addSyscall(rule, "openat", machine);
- addSyscall(rule, "truncate", machine);
- if(machine == MACH_X86)
- addSyscall(rule, "truncate64", machine);
- addSyscall(rule, "creat", machine);
- addSyscall(rule, "mknod", machine);
- addSyscall(rule, "fork", machine);
- addSyscall(rule, "vfork", machine);
- addSyscall(rule, "clone", machine);
+ audit_rule_syscallbyname_data(rule, "execve");
+ audit_rule_syscallbyname_data(rule, "open");
+ audit_rule_syscallbyname_data(rule, "openat");
+ audit_rule_syscallbyname_data(rule, "truncate");
+ audit_rule_syscallbyname_data(rule, "truncate64");
+ audit_rule_syscallbyname_data(rule, "creat");
+ audit_rule_syscallbyname_data(rule, "mknod");
+ audit_rule_syscallbyname_data(rule, "fork");
+ audit_rule_syscallbyname_data(rule, "vfork");
+ audit_rule_syscallbyname_data(rule, "clone");
#if 0
/*
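Review bot: The ten `audit_rule_syscallbyname_data()` calls ignore their return value, whereas the removed `addSyscall` threw when a name could not be resolved, so a syscall libaudit does not know on this machine is now dropped from the rule silently. One call fails by design on 64-bit hosts (`truncate64` exists only on 32-bit ABIs), but legacy names absent on newer architectures would fail the same way and the monitor would quietly stop seeing those accesses. I would route the calls through a small helper that at least reports the failure with the same `error()` the arch-field code below already uses, as sketched here; whether a miss should be fatal is a policy call for the author. The comment moved in at the top also still reads `perfrom`. `insertAuditRules` continues past the end of this hunk.
```cpp
/*
 * Add one syscall to the rule by name (libaudit resolves it against the
 * native machine). A name that cannot be resolved is reported instead of
 * being dropped silently; truncate64 is expected to be missing on 64-bit ABIs.
 */
static void addSyscall(struct audit_rule_data* rule, const char* sc)
{
    if(audit_rule_syscallbyname_data(rule, sc) < 0)
        error("audit_rule_syscallbyname_data failed: %s", sc);
}

void AuditListener::insertAuditRules()
{
    // … unchanged: audit_open() and calloc of rule …
    addSyscall(rule, "execve");
    addSyscall(rule, "open");
    addSyscall(rule, "openat");
    addSyscall(rule, "truncate");
    addSyscall(rule, "truncate64");   // 32-bit ABIs only: reported, not fatal
    addSyscall(rule, "creat");
    addSyscall(rule, "mknod");
    addSyscall(rule, "fork");
    addSyscall(rule, "vfork");
    addSyscall(rule, "clone");
    // … unchanged: arch/field setup, #if 0 block, rule_vec.push_back …
```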
@@ -197,7 +197,7 @@ void AuditListener::activateRules(int machine)
* Specify arch
*/
strcpy(field, "arch=");
- strcat(field, audit_machine_to_name(machine));
+ strcat(field, audit_machine_to_name(audit_detect_machine()));
if(0 > audit_rule_fieldpair_data(&rule, field, AUDIT_FILTER_EXIT))
error("audit_rule_fieldpair_data failed: %s", field);
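Review bot: `audit_machine_to_name(audit_detect_machine())` on the `strcat` line has no NULL check: `audit_detect_machine()` returns -1 when uname fails or the machine is unrecognised, and `audit_machine_to_name()` then returns NULL, so `strcat(field, NULL)` is undefined behaviour. The removed `insertAuditRules` caught exactly this case by throwing "Unknown machine hardware name", so the patch drops an existing check rather than preserving it. Resolve the name first: `const char* arch = audit_machine_to_name(audit_detect_machine()); if(arch == NULL) throw std::logic_error("Cannot determine audit machine type"); strcat(field, arch);`. Separately, with only the native arch in the rule, 32-bit processes on x86_64 or ppc64, which the old code covered with a second rule set, no longer match the filter at all; if that narrowing is intended it deserves a comment here. The function this hunk belongs to starts and ends outside it.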
@@ -211,42 +211,6 @@ void AuditListener::activateRules(int machine)
rule_vec.push_back(rule);
}
-/*
- * Apply audit rules to AUDIT_FILTER_EXIT filter.
- * Monitor all syscalls initialize or perfrom file accesses.
- */
-void AuditListener::insertAuditRules()
-{
- if(audit_fd < 0)
- {
- audit_fd = audit_open();
- if (-1 == audit_fd)
- throw std::logic_error("Cannot open audit socket");
- }
-
- struct utsname uts;
- if(-1 == uname(&uts))
- throw std::logic_error(std::string("Cannot receive machine hardware name: ") + strerror(errno));
-
- if(0 == strcmp(uts.machine, "x86_64"))
- {
- activateRules(MACH_86_64);
- activateRules(MACH_X86);
- }
- else if(0 == strcmp(uts.machine, "ppc64"))
- {
- activateRules(MACH_PPC64);
- activateRules(MACH_PPC);
- }
- else
- {
- int machine = audit_name_to_machine(uts.machine);
- if(-1 == machine)
- throw std::logic_error(std::string("Unknown machine hardware name ")+ uts.machine);
- activateRules(machine);
- }
-}
-
void AuditListener::removeAuditRules()
{
if (audit_fd < 0)
diff --git a/e4rat/src/listener.hh b/e4rat/src/listener.hh
index 3426b70..91110ba 100644
--- a/e4rat/src/listener.hh
+++ b/e4rat/src/listener.hh
@@ -89,7 +89,6 @@ class AuditListener : public Interruptible
std::string parseField(auparse_state_t*, const char*);
std::string parsePathField(auparse_state_t*, const char*);
private:
- void activateRules(int machine);
void waitForEvent(struct audit_reply* reply);
auparse_state_t* initAuParse(struct audit_reply*);
void parseCwdEvent(auparse_state_t*, boost::shared_ptr<AuditEvent>);