diff --git a/0002-Audit-add-security-log.patch b/0002-Audit-add-security-log.patch new file mode 100644 index 0000000000000000000000000000000000000000..808d649c527d2b57b354098ce8efa9a4bd205014 --- /dev/null +++ b/0002-Audit-add-security-log.patch @@ -0,0 +1,1535 @@ +diff --git a/init.d/auditd.conf b/init.d/auditd.conf +index 26760cd..cbc621b 100644 +--- a/init.d/auditd.conf ++++ b/init.d/auditd.conf +@@ -6,7 +6,7 @@ local_events = yes + write_logs = yes + log_file = /var/log/audit/audit.log + log_group = root +-log_format = ENRICHED ++log_format = auditlog + flush = INCREMENTAL_ASYNC + freq = 50 + max_log_file = 8 +diff --git a/src/Makefile.am b/src/Makefile.am +index c4a38bd..2365839 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -26,9 +26,9 @@ SUBDIRS = test + AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common + sbin_PROGRAMS = auditd auditctl aureport ausearch autrace + AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign ${WFLAGS} +-noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h ++noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h auditd-removepasswd.h + +-auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c ++auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-syslog.c auditd-removepasswd.c + if ENABLE_LISTENER + auditd_SOURCES += auditd-listen.c + endif +diff --git a/src/auditd-config.c b/src/auditd-config.c +index 2d43e34..77e5431 100644 +--- a/src/auditd-config.c ++++ b/src/auditd-config.c +@@ -195,6 +195,7 @@ static const struct nv_list log_formats[] = + { + {"raw", LF_RAW }, + {"nolog", LF_NOLOG }, ++ {"auditlog", LF_AUDITLOG }, + {"enriched", LF_ENRICHED }, + { NULL, 0 } + }; +diff --git a/src/auditd-config.h b/src/auditd-config.h +index 0bd69d6..d1bab92 100644 +--- a/src/auditd-config.h ++++ b/src/auditd-config.h +@@ -32,7 +32,7 @@ + #define EOE_TIMEOUT 2L + + typedef enum { D_FOREGROUND, D_BACKGROUND } daemon_t; +-typedef enum { LF_RAW, LF_NOLOG, LF_ENRICHED } logging_formats; ++typedef enum { LF_RAW, LF_NOLOG, LF_AUDITLOG, LF_ENRICHED } logging_formats; + typedef enum { FT_NONE, FT_INCREMENTAL, FT_INCREMENTAL_ASYNC, FT_DATA, FT_SYNC } flush_technique; + typedef enum { FA_IGNORE, FA_SYSLOG, FA_ROTATE, FA_EMAIL, FA_EXEC, FA_SUSPEND, + FA_SINGLE, FA_HALT } failure_action_t; +diff --git a/src/auditd-event.c b/src/auditd-event.c +index c74b420..66c3345 100644 +--- a/src/auditd-event.c ++++ b/src/auditd-event.c +@@ -43,6 +43,11 @@ + #include "private.h" + #include "auparse.h" + #include "auparse-idata.h" ++#include "auditd-removepasswd.h" ++ ++#if defined(SECURITY_EVENT_SYSLOG) ++#include "auditd-syslog.h" ++#endif + + /* This is defined in auditd.c */ + extern volatile int stop; +@@ -499,6 +504,9 @@ void format_event(struct auditd_event *e) + case LF_RAW: + buf = format_raw(&e->reply); + break; ++ case LF_AUDITLOG: ++ buf = format_raw(&e->reply); ++ break; + case LF_ENRICHED: + buf = format_enrich(&e->reply); + break; +@@ -571,7 +579,22 @@ void handle_event(struct auditd_event *e) + } + if (!logging_suspended && (config->write_logs || + config->daemonize == D_FOREGROUND)) { +- write_to_log(e); ++ int is_syslog = 0; ++ ++ #if defined(SECURITY_EVENT_SYSLOG) ++ /*2024-08-23 modify for only cgel recored security log*/ ++ if( g_isCgel ){ ++ is_syslog = 1; ++ write_to_syslog(e->reply.message, e->reply.type); ++ ++ if(config->log_format == LF_AUDITLOG){ ++ write_to_log(e); ++ } ++ } ++ #endif ++ if(is_syslog == 0){ ++ write_to_log(e); ++ } + + /* See if we need to flush to disk manually */ + if (config->flush == FT_INCREMENTAL || +@@ -666,8 +689,18 @@ static void write_to_log(const struct auditd_event *e) + const char *msg = ""; + + /* write it to disk */ +- rc = fprintf(log_file, "%s\n", e->reply.message); +- ++ //Added for remove unencypte passwd from audit log messages start ++ char *msgDump = strdup(e->reply.message); ++ if (msgDump != NULL) { ++ removeAuditUnencryptPasswd(msgDump); ++ rc = fprintf(log_file, "%s\n", msgDump); ++ free(msgDump); ++ } else { ++ rc = fprintf(log_file, "%s\n", e->reply.message); ++ } ++ ++ //Added for remove unencypte passwd from audit log messages end ++ + /* error? Handle it */ + if (rc < 0) { + if (errno == ENOSPC) { +diff --git a/src/auditd-removepasswd.c b/src/auditd-removepasswd.c +new file mode 100644 +index 0000000..273c0b7 +--- /dev/null ++++ b/src/auditd-removepasswd.c +@@ -0,0 +1,327 @@ ++#include ++#include ++#include ++#include ++#include ++//Added for safety function transformation start. ++#include ++//Added for safety function transformation start. ++#include "libaudit.h" ++#include "auditd-removepasswd.h" ++ ++#define ADDUSER_STR "adduser" ++#define USERADD_STR "useradd" ++#define PASSWD_STR "passwd" ++#define FTPGET_STR "ftpget" ++#define FTPPUT_STR "ftpput" ++#define ADDGROUP_STR "addgroup" ++#define GROUPADD_STR "groupadd" ++#define USERMOD_STR "usermod" ++#define SENDMAIL_STR "sendmail" ++ ++#define PASSWD_OPT0 "-p" ++#define PASSWD_OPT1 "--password" ++#define PASSWD_OPT2 "-o" ++#define PASSWD_OPT3 "--oldpassword" ++#define SENDMAIL_OPT "-ap" ++ ++#define NETS_LENGTH 64 ++/* ++ * Replace unencrypt passwd char with char * ++ */ ++void memSet2Star(char* mem, char* end) { ++ if (NULL == mem) { ++ return; ++ } ++ ++ int index = 0; ++ char nests[NETS_LENGTH]; ++ int nest = 0; ++ ++ memset(nests, 0, NETS_LENGTH); ++ while (mem[index] && isspace(mem[index]) && mem + index < end) { ++ index++; ++ } ++ do { ++ if ('\'' == mem[index] || '\"' == mem[index]) { ++ int n = 0; ++ while (index - n >= 0 && mem[index - n] == '\\') ++ n++; ++ if (n % 2 == 0) { // really ++ if (nest > 0 && nest < NETS_LENGTH) { ++ if (nests[nest - 1] == mem[index]) { ++ nest--; ++ nests[nest] = 0; ++ } else { ++ nests[nest] = mem[index]; ++ nest++; ++ } ++ } else { ++ nests[0] = mem[index]; ++ nest = 1; ++ } ++ } ++ } else if (isspace(mem[index])) { ++ if (0 == nest) { ++ break; ++ } ++ } ++ index++; ++ } while (mem + index < end); ++ ++ index--; ++ do { ++ mem[index--] = '*'; ++ } while (index >= 0); ++ ++ return; ++} ++ ++/** ++ * Remove unencypt passwd by pointer ++ * ++ * @para cmdStr cmd pointer ++ * @para offset the start pointer offset ++ */ ++static void rmPasswd(char* cmdStr, size_t offset) { ++ if (cmdStr != NULL) { ++ char* rmStart = cmdStr + offset; ++ if (rmStart != NULL) { ++ char* rmEnd = strstr(rmStart, "\""); ++ if (rmEnd != NULL) { ++ memSet2Star(rmStart, rmEnd); ++ } ++ } ++ } ++} ++ ++/** ++ * Remove unencypt passwd by option ++ * ++ * @para cmdStart cmd start pointer ++ * @para argc array count ++ * @para optType cmd option ++ */ ++static int rmByOption(char* cmdStart, int argc, const char* optType) { ++ int result = -1; ++ //Added for kw bug: 273358 start ++ if (argc <= 0 || argc > 1024) { ++ return result; ++ } ++ //Added for kw bug: 273358 end ++ char* nextOption = NULL; ++ int i; ++ for (i = argc - 1; i > 0; i--) { ++ char ax[8]; ++ (void)zte_snprintf_s(ax, sizeof(ax), "%s%d%s", "a", i, "="); ++ char* nameStart = strstr(cmdStart, ax); ++ if (nameStart == NULL) { ++ continue; ++ } ++ ++ char hasSpcaceInPPw[32]; ++ (void)zte_snprintf_s(hasSpcaceInPPw, sizeof(hasSpcaceInPPw), "%s%s%s", "\"", optType, "\""); ++ char* option = strstr(nameStart, hasSpcaceInPPw); ++ if (option == NULL) { ++ // PASSWD_OPT1 PASSWD_OPT3 this kinds of option must add space,others cmd has no require, ++ // so here need reIndex has nospace option ++ char noSpcaceInPPw[32]; ++ (void)zte_snprintf_s(noSpcaceInPPw, sizeof(noSpcaceInPPw), "%s%s", "\"", optType); ++ option = strstr(nameStart, noSpcaceInPPw); ++ // 1.Cmd's option has space in passwd and option, such as -p 12457893 ++ // nextOption maybe the passwd. ++ if (option == NULL) { ++ nextOption = nameStart; ++ continue; ++ } else { ++ // 2.Cmd's option has no space in passwd and option, such as -p12457893 ++ // PASSWD_OPT1 PASSWD_OPT3 perhaps contains '=', such as --oldpasswd=124563 ++ // 1.calculate offset, such as '"-p' = 3, '"--oldpassword' = 14 ++ size_t offset = zte_strnlen_s(optType, MAX_AUDIT_MESSAGE_LENGTH ) + 1; ++ if (strcmp(PASSWD_OPT1, optType) == 0 || strcmp(PASSWD_OPT3, optType) == 0) { ++ // 1.if offset + 1 char is =, respect --option='', offset should + 1 ++ char offsetChar = *(option + offset); ++ if (offsetChar == '=') { ++ ++offset; ++ } ++ } ++ rmPasswd(option, offset); ++ result = 0; ++ break; ++ } ++ } ++ ++ // 1.1.Cmd's option has space in passwd and option, such as -p 12457893 ++ if (nextOption != NULL) { ++ rmPasswd(nextOption, 4); ++ result = 0; ++ break; ++ } ++ } ++ return result; ++} ++ ++#ifdef PLAIN_TEXT ++/** ++ * Remove passwd from cmd: passwd ++ * ++ * @para cmdStart cmd start pointer ++ * @para argc para count in cmdOrig ++ */ ++static void rmPwFromPasswd(char* cmdStart, int argc) { ++ if (cmdStart != NULL) { ++ rmByOption(cmdStart, argc, PASSWD_OPT0); ++ rmByOption(cmdStart, argc, PASSWD_OPT2); ++ rmByOption(cmdStart, argc, PASSWD_OPT1); ++ rmByOption(cmdStart, argc, PASSWD_OPT3); ++ } ++} ++#endif ++ ++/** ++ * Remove passwd from cmd: put get ftp ++ * ++ * @para cmdStart cmd start pointer ++ * @para argc para count in cmdOrig ++ */ ++static void rmPwFromFtp(char* cmdStart, int argc) { ++ if (cmdStart != NULL) { ++ rmByOption(cmdStart, argc, PASSWD_OPT0); ++ rmByOption(cmdStart, argc, PASSWD_OPT1); ++ } ++} ++ ++/** ++ * Remove passwd from cmd: sendmail ++ * ++ * @para cmdStart cmd start pointer ++ * @para argc para count in cmdOrig ++ */ ++static void rmPwFromSendMail(char* cmdStart, int argc) { ++ if (cmdStart != NULL) { ++ rmByOption(cmdStart, argc, SENDMAIL_OPT); ++ } ++} ++ ++#ifdef PLAIN_TEXT ++/** ++ * Remove passwd from cmd: useadd and adduser ++ * ++ * @para cmdStart cmd start pointer ++ * @para argc para count in cmdOrig ++ */ ++static void rmPwFromUseradd(char* cmdStart, int argc) { ++ if (cmdStart != NULL) { ++ rmByOption(cmdStart, argc, PASSWD_OPT0); ++ rmByOption(cmdStart, argc, PASSWD_OPT1); ++ } ++} ++#endif ++ ++/** ++ * Parse argc from auditLogMessage. ++ * ++ * @auditLogMessage orignal audit log message ++ */ ++static int parseArgc(char* auditLogMessage) { ++ int argc = 0; ++ char* strStart = strstr(auditLogMessage, "argc="); ++ if (strStart == NULL){ ++ return argc; ++ } ++ char* strEnd = strstr(strStart, " "); ++ if (strEnd == NULL){ ++ return argc; ++ } ++ size_t argcLen = strEnd - strStart - 5; ++ char* digitStart = strStart + 5; ++ char dest[8]; ++ //Added for safety function transformation start. ++ size_t destMax = sizeof(dest); ++ memset(dest, '\0', destMax); ++ if (argcLen > (destMax - 1)) { ++ argcLen = (destMax - 1); ++ } ++ //strncpy -> zte_strncpy_s ++ int result = zte_strncpy_s(dest, destMax, digitStart, argcLen); ++ if (result >= 0) { ++ argc = atoi(dest); ++ } ++ //Added for safety function transformation end. ++ return argc; ++} ++ ++/** ++ * Implements remove unencypt passwd. ++ * ++ * @para auditLogMessage audit log message ++ */ ++static void rmUnencryptInternal(char* auditLogMessage) { ++ if (auditLogMessage == NULL || *auditLogMessage == '\0') { ++ return; ++ } ++ char* cmdName = strstr(auditLogMessage, "type="); ++ // Ignore other type except EXECVE ++ if (NULL == cmdName || NULL == strstr(cmdName, "EXECVE")) { ++ return; ++ } ++ // Parse argc -argc is para count ++ int argc = parseArgc(auditLogMessage); ++ if (argc <= 0 || argc > 1024) { ++ return; ++ } ++ ++ // a0 is cmd name ++ char* arg0 = strstr(auditLogMessage, "a0="); ++ //Added for coverity CERT start ++ if (NULL == arg0) { ++ return; ++ } ++ //Added for coverity CERT end ++ char* cmdStart = strstr(auditLogMessage, "a1="); ++ // Ignore null cmd and no content cmd ++ if (NULL == cmdStart) { ++ return; ++ } ++#ifdef PLAIN_TEXT ++ // handle passwd ++ if (NULL != strstr(arg0, PASSWD_STR)) { ++ rmPwFromPasswd(cmdStart, argc); ++ return; ++ } ++ // handle adduser and useradd ++ if (NULL != strstr(arg0, ADDUSER_STR) || NULL != strstr(arg0, USERADD_STR)) { ++ rmPwFromUseradd(cmdStart, argc); ++ return; ++ } ++#endif ++ // handle ftpget and ftp put ++ if (NULL != strstr(arg0, FTPGET_STR) || NULL != strstr(arg0, FTPPUT_STR)) { ++ rmPwFromFtp(cmdStart, argc); ++ return; ++ } ++ // handle sendmail ++ if (NULL != strstr(arg0, SENDMAIL_STR)) { ++ rmPwFromSendMail(cmdStart, argc); ++ return; ++ } ++} ++ ++/** ++ * Remove unencrypt password from log. ++ */ ++void removeAuditUnencryptPasswd(char* const cmdOrig) { ++ rmUnencryptInternal(cmdOrig); ++} ++ ++#ifdef RMUP_MAIN ++int main(int argc, char** argv) { ++ if (argc != 2) { ++ printf("argc must be 2!\n"); ++ } ++ ++ removeAuditUnencryptPasswd(argv[1]); ++ printf("result is: %s\n", argv[1]); ++} ++ ++#endif +diff --git a/src/auditd-removepasswd.h b/src/auditd-removepasswd.h +new file mode 100644 +index 0000000..e72b9e6 +--- /dev/null ++++ b/src/auditd-removepasswd.h +@@ -0,0 +1,14 @@ ++#ifndef AUDITD_REMOVEPASSWD_H_ ++#define AUDITD_REMOVEPASSWD_H_ ++ ++/** ++ * Method will modify the content of pointer cmdOrig, ++ * but donnot modify the pointer addr. ++ * ++ * Remove unencrypt password from log. ++ */ ++extern void removeAuditUnencryptPasswd(char* const cmdOrig); ++ ++#endif ++ ++ +diff --git a/src/auditd-syslog.c b/src/auditd-syslog.c +new file mode 100644 +index 0000000..00443ec +--- /dev/null ++++ b/src/auditd-syslog.c +@@ -0,0 +1,714 @@ ++/* auditd-syslog.c -- ++ * Copyright 2004-08,2011,2013,2015-16 Red Hat Inc., Durham, North Carolina. ++ * All Rights Reserved. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Authors: ++ * Steve Grubb ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef SECURITY_EVENT_SYSLOG ++#include "security_event_log.h" ++#include "securitysyslog.h" ++#endif ++#include ++#include ++#include "libaudit.h" ++#include ++#include ++#include ++//Added for safety function transformation start. ++#include ++//Added for safety function transformation end. ++ ++//Added for coverity CERT start ++#include ++//Added for coverity CERT end ++ ++#define CHMOD 1 ++#define CHOWN 2 ++#define OPEN 7 ++#define PATH 1302 ++#define EXECUE 1309 ++#define SIZE sizeof(char) * 128 ++#define STRUCT_SIZE 32 ++#define MAX_LEN 512 ++#define PPID_LEN 16 ++#define ID_LEN 64 ++#define MAX_NODE_COUNT 100 ++ ++#if defined(SECURITY_EVENT_SYSLOG) ++#include "securitysyslog.c" ++ ++typedef struct LogInfo{ ++ char id[ID_LEN]; ++ char user[STRUCT_SIZE]; ++ char result[STRUCT_SIZE]; ++ char arg1[STRUCT_SIZE]; ++ char arg2[STRUCT_SIZE]; ++ char arg3[STRUCT_SIZE]; ++ char cmd[STRUCT_SIZE]; ++ char ppid[PPID_LEN]; ++ char pid[PPID_LEN]; ++ int cmdType; ++}LogInfo_t; ++ ++typedef struct LogList_Node_t{ ++ LogInfo_t *info; ++ struct LogList_Node_t *next; ++}LogList_Node_t; ++static LogList_Node_t *listHead = NULL; ++static char logContent[128] = ""; ++static char ip[UT_HOSTSIZE] ; ++ ++//Added for safety function transformation start. ++/** ++ * tranfer memcpy to zte_memcpy_s, if transfer failure, will write msg to audit log. ++ */ ++static void memcpy_s(void * dest, size_t destMax, const void * src, size_t n) { ++ int result = zte_memcpy_s(dest, destMax, src, n); ++ if (result < 0) { ++ const char *err_str = zte_strerror_s(zte_errno); ++ if (err_str != NULL) { ++ syslog(LOG_WARNING, "Error zte_memcpy_s result (%s)\n", err_str); ++ } else { ++ syslog(LOG_WARNING, "Error zte_memcpy_s result (NULL)\n"); ++ } ++ } ++} ++ ++/** ++ * If strlen(src) > maxLength,return maxLength, else return strlen(src). ++ */ ++static size_t getMaxLength(const char * src, size_t maxLength) { ++ int srcLen = zte_strnlen_s(src, MAX_AUDIT_MESSAGE_LENGTH ); ++ if (srcLen < 0) { ++ const char *err_str = zte_strerror_s(zte_errno); ++ if (err_str != NULL) { ++ syslog(LOG_WARNING, "Error zte_strnlen_s result (%s)\n", err_str); ++ } else { ++ syslog(LOG_WARNING, "Error zte_strnlen_s result (NULL)\n"); ++ } ++ srcLen = 0; ++ } ++ return srcLen > maxLength ? maxLength : srcLen; ++} ++//Added for safety function transformation end. ++ ++static int logListAdd_node(LogList_Node_t *a_node) ++{ ++ ++ if(NULL == a_node){ ++ return -1; ++ } ++ LogList_Node_t *c_node=NULL,*p=NULL; ++ ++ if(NULL == listHead){ ++ return -1; ++ } ++ p = listHead; ++ c_node = p->next; ++ int count = 0; ++ while(c_node!=NULL){ ++ if(strcmp(c_node->info->id, a_node->info->id) == 0) ++ return -1; ++ p = c_node; ++ c_node = p->next; ++ count ++; ++ } ++ p->next = a_node; ++ a_node->next = NULL; ++ if(count > MAX_NODE_COUNT){ ++ LogList_Node_t *tmp = listHead; ++ listHead = listHead->next; ++ free(tmp->info); ++ free(tmp); ++ } ++ return 0; ++} ++ ++static LogList_Node_t * logListFind_node_byID(char *id) ++{ ++ if(NULL == id){ ++ return NULL; ++ } ++ if(NULL == listHead){ ++ return NULL; ++ } ++ LogList_Node_t *c_node; ++ LogList_Node_t *p=NULL; ++ ++ p = listHead; ++ c_node=p->next; ++ while (c_node!=NULL) { ++ if(strcmp(c_node->info->id, id) == 0) ++ break; ++ p = c_node; ++ c_node = p->next; ++ } ++ ++ return c_node; ++} ++ ++static int delLogList_node(LogList_Node_t *d_node) ++{ ++ if(NULL == d_node || NULL == d_node->info){ ++ return -1; ++ } ++ LogList_Node_t *c_node=NULL; ++ LogList_Node_t *p=NULL; ++ p = listHead; ++ c_node=p->next; ++ while(c_node!=NULL){ ++ if(strcmp(c_node->info->id, d_node->info->id) == 0){ ++ p->next=c_node->next; ++ free(c_node->info); ++ free(c_node); ++ c_node=NULL; ++ return 0; ++ } ++ p = c_node; ++ c_node = p->next; ++ } ++ return -1; ++ ++} ++ ++static int spiltByStr(char *auditLogMessage,const char *str, char **str_data, size_t str_data_len) { ++ if (NULL == auditLogMessage || NULL == str) { ++ return -1; ++ } ++ ++ if (NULL == str_data || NULL == *str_data) { ++ return -1; ++ } ++ ++ char *str_start = strstr(auditLogMessage, str); ++ if (NULL == str_start) { ++ return -1; ++ } ++ char *str_end = strstr(str_start, " "); ++ if (NULL == str_end) { ++ return -1; ++ } ++ int str_len = str_end - str_start; ++ str_len = (str_len >= (str_data_len - 1)) ? (str_data_len - 1) : str_len; ++ memset(*str_data, 0, str_len + 1); ++ //Added for safety function transformation start. ++ memcpy_s(*str_data, str_len, str_start, str_len); ++ //Added for safety function transformation end. ++ return 0; ++} ++ ++static void getIpAddress(char *id) { ++ pid_t ppid = 0; ++ //Added for safety function transformation start. ++#ifdef __riscv ++ sscanf(id, "%d", &ppid); ++#else ++ rsize_t size_array[] = {0}; ++ zte_sscanf_s(id, "%d", size_array, &ppid); ++#endif ++ //Added for safety function transformation end. ++ getIpByPid(ppid, ip, UT_HOSTSIZE); ++} ++ ++/*set info into struct LogInfo_t*/ ++static void setInfo(char *auditLogMessage,LogInfo_t **info) ++{ ++ ++ char *success_data ,*ppid_data,*pid_data,*cmd_data=NULL,*syscall_data=NULL, *arg1_data=NULL, *arg2_data=NULL, *arg3_data=NULL; ++ char *uid_data=NULL, *ppid_data_org = NULL, *pid_data_org = NULL, *arg1=NULL, *arg2=NULL, *arg3=NULL, *str_uid=NULL, *sep=NULL, *uidStr=NULL; ++ int syscall = -1; ++ success_data = (char*)malloc(SIZE); ++ if(success_data != NULL){ ++ memset(success_data,0,SIZE); ++ spiltByStr(auditLogMessage, "success=", &success_data, SIZE); ++ }else{ ++ goto free_data; ++ } ++ ++ ppid_data = (char*)malloc(SIZE); ++ if(ppid_data != NULL){ ++ memset(ppid_data,0,SIZE); ++ spiltByStr(auditLogMessage, "ppid=", &ppid_data, SIZE); ++ }else{ ++ goto free_data; ++ } ++ pid_data = (char*)malloc(SIZE); ++ if(pid_data != NULL){ ++ memset(pid_data,0,SIZE); ++ char *str_start = strstr(auditLogMessage," pid="); ++ str_start = str_start + 1; ++ char *str_end = strstr(str_start," "); ++ //Added for safety function transformation start. ++ memcpy_s(pid_data, SIZE, str_start, (str_end - str_start) < SIZE ? str_end - str_start : (SIZE-1)); ++ //Added for safety function transformation end. ++ }else{ ++ goto free_data; ++ } ++ cmd_data = (char*)malloc(SIZE); ++ if(cmd_data != NULL){ ++ memset(cmd_data,0,SIZE); ++ spiltByStr(auditLogMessage, "comm=", &cmd_data, SIZE); ++ }else{ ++ goto free_data; ++ } ++ ++ syscall_data = (char*)malloc(SIZE); ++ if(syscall_data != NULL){ ++ spiltByStr(auditLogMessage, "syscall=", &syscall_data, SIZE); ++ }else{ ++ goto free_data; ++ } ++ syscall = (int)strtoul(syscall_data+8, NULL, 10); ++ ++ arg1_data = (char*)malloc(SIZE); ++ if(arg1_data != NULL){ ++ memset(arg1_data,0,SIZE); ++ spiltByStr(auditLogMessage, "a1=", &arg1_data, SIZE); ++ }else{ ++ goto free_data; ++ } ++ ++ arg2_data = (char*)malloc(SIZE); ++ if(arg2_data == NULL){ ++ goto free_data; ++ } ++ memset(arg2_data,0,SIZE); ++ spiltByStr(auditLogMessage, "a2=", &arg2_data, SIZE); ++ ++ arg3_data = (char*)malloc(SIZE); ++ if(arg3_data == NULL){ ++ goto free_data; ++ } ++ memset(arg3_data,0,SIZE); ++ spiltByStr(auditLogMessage, "a3=", &arg3_data, SIZE); ++ ++ uid_data = (char*)malloc(SIZE); ++ if(uid_data == NULL){ ++ goto free_data; ++ } ++ memset(uid_data,0,SIZE); ++ ++ //Added for coverity CERT start ++ uidStr = strstr(auditLogMessage, " uid="); ++ if(uidStr == NULL){ ++ goto free_data; ++ } ++ spiltByStr(uidStr, "=", &uid_data, SIZE); ++ if(strtok(arg1_data,"=") == NULL){ ++ goto free_data; ++ } ++ //Added for coverity CERT end ++ arg1 = strtok(NULL,"="); ++ if(arg1 == NULL){ ++ goto free_data; ++ } ++ //Added for safety function transformation start. ++ memcpy_s((*info)->arg1, STRUCT_SIZE, arg1, getMaxLength(arg1, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ ++ //Added for coverity CERT start ++ if(strtok(arg2_data,"=") == NULL){ ++ goto free_data; ++ } ++ //Added for coverity CERT end ++ arg2 = strtok(NULL,"="); ++ if(arg2 == NULL){ ++ goto free_data; ++ } ++ //Added for safety function transformation start. ++ memcpy_s((*info)->arg2, STRUCT_SIZE, arg2, getMaxLength(arg2, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ //Added for coverity CERT start ++ if(strtok(arg3_data,"=") == NULL){ ++ goto free_data; ++ } ++ //Added for coverity CERT end ++ arg3 = strtok(NULL,"="); ++ if(arg3 == NULL){ ++ goto free_data; ++ } ++ ++ //Added for safety function transformation start. ++ memcpy_s((*info)->arg3, STRUCT_SIZE, arg3, getMaxLength(arg3, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ struct passwd *pwd; ++ str_uid = strtok(uid_data,"="); ++ if(str_uid == NULL){ ++ goto free_data; ++ } ++ pwd = getpwuid(atoi(str_uid)); ++ ++ //Added for safety function transformation start. ++ memcpy_s((*info)->result, STRUCT_SIZE, success_data, getMaxLength(success_data, STRUCT_SIZE)); ++ memcpy_s((*info)->cmd, STRUCT_SIZE, cmd_data, getMaxLength(cmd_data, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ ppid_data_org = ppid_data; ++ strsep(&ppid_data,"="); ++ sep = strsep(&ppid_data," "); ++ if (sep != NULL) { ++ //Added for safety function transformation start. ++ memcpy_s((*info)->ppid, PPID_LEN, sep, getMaxLength(sep, PPID_LEN-1)); ++ //Added for safety function transformation end. ++ } else { ++ goto free_data; ++ } ++ pid_data_org = pid_data; ++ if(NULL != strsep(&pid_data,"=")){ ++ //Added for safety function transformation start. ++ memcpy_s((*info)->pid, PPID_LEN, pid_data, getMaxLength(pid_data, PPID_LEN-1)); ++ //Added for safety function transformation end. ++ } ++ //memcpy((*info)->user,pwd->pw_name,strlen(pwd->pw_name)>STRUCT_SIZE?STRUCT_SIZE:strlen(pwd->pw_name)); ++ if(pwd!=NULL){ ++ //Added for safety function transformation start. ++ memcpy_s((*info)->user, STRUCT_SIZE, pwd->pw_name, getMaxLength(pwd->pw_name, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ }else{ ++ //Added for safety function transformation start. ++ memcpy_s((*info)->user, STRUCT_SIZE, str_uid, getMaxLength(str_uid, STRUCT_SIZE)); ++ //Added for safety function transformation end. ++ } ++ ++#ifdef SYS_chmod ++ if(syscall == SYS_chmod){//8 is length for syscall= ++ (*info)->cmdType = CHMOD; ++ } ++#else ++ ++#ifdef SYS_fchmodat ++ if(syscall == SYS_fchmodat){ ++ (*info)->cmdType = CHMOD; ++ } ++#endif ++#endif ++#ifdef SYS_chown ++ if(syscall == SYS_chown){ ++ (*info)->cmdType = CHOWN; ++ } ++#else ++#ifdef SYS_fchownat ++ if(syscall == SYS_fchownat){ ++ (*info)->cmdType = CHOWN; ++ } ++#endif ++#endif ++#ifdef SYS_open ++ if(syscall == SYS_open){ ++ (*info)->cmdType = OPEN; ++ } ++#endif ++#ifdef SYS_openat ++ if(syscall == SYS_openat){ ++ (*info)->cmdType = OPEN; ++ } ++#endif ++#ifdef SYS_rename ++ if(syscall == SYS_rename){ ++ (*info)->cmdType = OPEN; ++ } ++#endif ++#ifdef SYS_renameat ++ if(syscall == SYS_renameat){ ++ (*info)->cmdType = OPEN; ++ } ++#endif ++ ++ ++free_data: ++ if(success_data != NULL){ ++ free(success_data); ++ success_data = NULL; ++ } ++ if(cmd_data != NULL){ ++ free(cmd_data); ++ cmd_data = NULL; ++ } ++ if(syscall_data != NULL){ ++ free(syscall_data); ++ syscall_data = NULL; ++ } ++ if(arg1_data != NULL){ ++ free(arg1_data); ++ arg1_data = NULL; ++ } ++ if(arg2_data != NULL){ ++ free(arg2_data); ++ arg2_data = NULL; ++ } ++ ++ if(arg3_data != NULL){ ++ free(arg3_data); ++ arg3_data = NULL; ++ } ++ ++ if(uid_data != NULL){ ++ free(uid_data); ++ uid_data = NULL; ++ } ++ if(ppid_data_org != NULL){ ++ free(ppid_data_org); ++ ppid_data_org = NULL; ++ } ++ if(pid_data_org != NULL){ ++ free(pid_data_org); ++ pid_data_org = NULL; ++ } ++ ++} ++ ++static int changeHexToDec(char *hexNum) ++{ ++ int i,t; ++ int decNum=0; ++ for(i=0;hexNum[i];i++) ++ { ++ if(hexNum[i]<='9') ++ t=hexNum[i]-'0'; ++ else ++ t=hexNum[i]-'a'+10; ++ decNum=decNum*16+t; ++ } ++ return decNum; ++} ++ ++static void syslogForChmod(char *auditLogMessage,int auditLogType,LogList_Node_t *node) ++{ ++ //audit是用16进制表示8进制的权限,如chmod 750,在日志中就是1e8,权限的最大值是7777,16进制为FFF,其长度小于等于3.当arg1长度大于3时,认为arg2才是权限值。 ++ bool normalMode = (zte_strnlen_s(node->info->arg1, STRUCT_SIZE - 1) <= 3); ++ if(auditLogType == PATH){ ++ char *name_data = (char*)malloc(SIZE); ++ if(NULL == name_data){ ++ return; ++ } ++ memset(name_data,0,SIZE); ++ spiltByStr(auditLogMessage, "name=", &name_data, SIZE); /*get chmod file or directory name*/ ++ getIpAddress(node->info->ppid); ++ //Added for coverity CERT start ++ errno = 0; ++ long permissionValues = strtol(normalMode ? node->info->arg1 : node->info->arg2, NULL, 16); ++ if (errno == ERANGE){ ++ //TODO ++ } ++ char* name = NULL; ++ if(NULL != strtok(name_data,"=")){ ++ name = strtok(NULL,"\""); ++ } ++ (void)snprintf(logContent, sizeof(logContent), "chmod %lo %s",permissionValues,name != NULL ? name : "NULL"); ++ //Added for coverity CERT end ++ logEvent(CHMOD_EVENT_ID, logContent, node->info->user,ip,EVENT_RESULT_SUCCESS); ++ ++ delLogList_node(node); ++ ++ free(name_data); ++ name_data = NULL; ++ } ++} ++ ++static void syslogForChown(char *auditLogMessage,int auditLogType,LogList_Node_t *node) ++{ ++ //当arg1的长度小于65565(ffff),粗略计算其长度小于等于4,则认为arg1,arg2为uid,gid;否则认为arg2,arg3为uid,gid ++ bool normalMode = (zte_strnlen_s(node->info->arg1, STRUCT_SIZE - 1) <= 4); ++ if(auditLogType == PATH){ ++ char *name_data = (char*)malloc(SIZE); ++ if(NULL == name_data){ ++ return; ++ } ++ memset(name_data,0,SIZE); ++ spiltByStr(auditLogMessage, "name=", &name_data, SIZE); /*get Chown file or directory name*/ ++ //Added for coverity CERT strtok start ++ char* name = NULL; ++ if(NULL != strtok(name_data,"=")){ ++ name = strtok(NULL,"\""); ++ } ++ //Added for coverity CERT strtok end ++ //struct passwd* pwd = getpwuid(changeHexToDec(node->info->arg1)); ++ struct group* grp = getgrgid(changeHexToDec(normalMode ? node->info->arg2 : node->info->arg3)); ++ getIpAddress(node->info->ppid); ++ struct passwd *pwd = getpwuid(changeHexToDec(normalMode ? node->info->arg1 : node->info->arg2)); ++ char userid[10] = {0}; ++ (void)snprintf(userid,sizeof(userid), "%d",changeHexToDec(normalMode ? node->info->arg1 : node->info->arg2)); ++ char grpid[10] = {0}; ++ (void)snprintf(grpid,sizeof(userid), "%d",changeHexToDec(normalMode ? node->info->arg2 : node->info->arg3)); ++ (void)snprintf(logContent, sizeof(logContent), "chown %s:%s %s", pwd != NULL ? pwd->pw_name : userid ,grp != NULL ? grp->gr_name : grpid,name != NULL ? name : "NULL"); ++ logEvent(CHOWN_EVENT_ID,logContent,node->info->user,ip, EVENT_RESULT_SUCCESS); ++ ++ delLogList_node(node); ++ ++ free(name_data); ++ name_data = NULL; ++ } ++} ++ ++ ++//luoxg modify 2019-06-04 by filename ,记录修改日志 ++static void syslogForModifyPasswdPolicy(LogList_Node_t *node) ++{ ++ getIpAddress(node->info->ppid); ++ struct passwd *pwd = getpwuid(0); ++ logEvent(MODIFY_PASSWD_POLICY_EVENT_ID, "modify passwd policy", pwd != NULL ? pwd->pw_name : "NULL",ip, EVENT_RESULT_SUCCESS); ++} ++ ++void write_to_syslog(char *auditLogMessage,int auditLogType) ++{ ++ char *msg_data = (char*)malloc(SIZE); ++ if(msg_data == NULL){ ++ return; ++ } ++ memset(msg_data,0,SIZE); ++ spiltByStr(auditLogMessage, "msg=", &msg_data, SIZE); ++ LogList_Node_t *find_node = logListFind_node_byID(msg_data); ++ if(find_node == NULL){ ++ char *success_start = strstr(auditLogMessage, "success="); ++ if(success_start == NULL){ ++ free(msg_data); ++ msg_data = NULL; ++ return; ++ } ++ else{ ++ LogInfo_t *info = (LogInfo_t*)malloc(sizeof(LogInfo_t)); ++ if(NULL != info){ ++ memset(info,0,sizeof(LogInfo_t)); ++ size_t tmp_msgLen = zte_strnlen_s(msg_data, SIZE - 1); ++ size_t msgLen = tmp_msgLen > (ID_LEN - 1) ? (ID_LEN - 1) : tmp_msgLen; ++ //Added for safety function transformation start. ++ memcpy_s(info->id, ID_LEN, msg_data, msgLen); ++ //Added for safety function transformation end. ++ free(msg_data); ++ msg_data = NULL; ++ LogList_Node_t *node = (LogList_Node_t*)malloc(sizeof(LogList_Node_t)); ++ if(NULL != node){ ++ node->info = info; ++ setInfo(auditLogMessage,&(node->info)); ++ if( node->info->cmdType == CHMOD || ++ node->info->cmdType == CHOWN || node->info->cmdType == OPEN){ ++ logListAdd_node(node); ++ } ++ else{ ++ free(node->info); ++ free(node); ++ } ++ }else{ ++ free(info); ++ } ++ } ++ } ++ } ++ else{ ++ if(find_node->info == NULL || find_node->info->cmd[0] == '\0'){ ++ char *success_start = strstr(auditLogMessage, "success="); ++ if(success_start == NULL){ ++ free(msg_data); ++ msg_data = NULL; ++ return; ++ } ++ else{ ++ setInfo(auditLogMessage,&(find_node->info)); ++ } ++ } ++ else{ ++ if(auditLogType == PATH ){ ++ if ( NULL != strstr( auditLogMessage, "system-auth-ac") || NULL != strstr( auditLogMessage, "login.defs" )) { ++ syslogForModifyPasswdPolicy(find_node); ++ ++ } ++ if(NULL == strstr( auditLogMessage, "nametype=PARENT") && find_node->info->cmdType == OPEN ){ ++ delLogList_node(find_node); ++ free(msg_data); ++ msg_data = NULL; ++ return; ++ } ++ } ++ switch (find_node->info->cmdType){ ++ case CHMOD: ++ syslogForChmod(auditLogMessage,auditLogType,find_node); ++ break; ++ ++ case CHOWN: ++ syslogForChown(auditLogMessage,auditLogType,find_node); ++ break; ++ } ++ } ++ } ++ if(msg_data != NULL){ ++ free(msg_data); ++ msg_data = NULL; ++ } ++} ++ ++ ++int logListInit() ++{ ++ LogInfo_t *info = (LogInfo_t *)malloc(sizeof(LogInfo_t)); ++ if(NULL == info){ ++ return -1; ++ } ++ memset(info,0,sizeof(LogInfo_t)); ++ ++ listHead = (LogList_Node_t*)malloc(sizeof(LogList_Node_t)); ++ if( listHead == NULL ){ ++ free(info); ++ return -1; ++ } ++ memset(listHead,0,sizeof(LogList_Node_t)); ++ listHead->info = info; ++ listHead->next = NULL; ++ return 0; ++} ++ ++ ++ ++/*free all node*/ ++void LogList_free() ++{ ++ LogList_Node_t *p= NULL; ++ LogList_Node_t *c_node=listHead->next; ++ while(c_node!=NULL){ ++ if(c_node->info != NULL){ ++ free(c_node->info); ++ c_node->info=NULL; ++ } ++ p = c_node; ++ c_node = p->next; ++ free(p); ++ ++ } ++ free(listHead->info); ++ ++} ++ ++void logEvent(int eventID, char *content, char *user, char *ip, int eventResult){ ++ syslog(LOG_INFO, "eventID=%d, user=%s, IP=%s, result=%s, content=%s\n", eventID, user, ip, eventResult == EVENT_RESULT_SUCCESS ? "success" : "failed", content); ++} ++ ++#endif ++ ++ ++ ++ ++ ++ ++ +diff --git a/src/auditd-syslog.h b/src/auditd-syslog.h +new file mode 100644 +index 0000000..e8c9b99 +--- /dev/null ++++ b/src/auditd-syslog.h +@@ -0,0 +1,36 @@ ++ ++#ifndef AUDITD_SYSLOG_H ++#define AUDITD_SYSLOG_H ++ ++/*2019-12-12 xuwei add for security syslog */ ++#include ++ ++ ++#define EVENT_RESULT_SUCCESS 1 ++#define EVENT_RESULT_FAIL 0 ++ ++ ++int logListInit(); ++ ++void LogList_free(); ++ ++void write_to_syslog(char *auditLogMessage,int auditLogType); ++ ++ ++void logEvent(int eventID, char *content, char *user, char *ip, int eventResult); ++ ++/*2024-08-23 add for cgsl for security syslog*/ ++extern int g_isCgel; ++ ++#endif ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/src/auditd.c b/src/auditd.c +index 2dedf35..9ea1785 100644 +--- a/src/auditd.c ++++ b/src/auditd.c +@@ -49,6 +49,10 @@ + + #include "ev.h" + ++#if defined(SECURITY_EVENT_SYSLOG) ++#include "auditd-syslog.h" ++#endif ++ + #if EV_CHILD_ENABLE + #error "LIBEV must not have EV_CHILD_ENABLE set" + #endif +@@ -591,6 +595,48 @@ static void close_pipes(void) + close(pipefds[0]); + close(pipefds[1]); + } ++/*2024-08-23 add for cgsl security log */ ++ ++#if defined(SECURITY_EVENT_SYSLOG) ++#include ++#include ++#include ++#include ++ ++#define BUF_LEN 1024 ++ ++int g_isCgel = 0; ++ ++static int isCgel(void) ++{ ++ char *command = "uname -a"; ++ char buffer[BUF_LEN]; ++ FILE *pipe; ++ char *token; ++ int isCgel=1; ++ ++ // 执行命令 ++ pipe = popen(command, "r"); ++ if (pipe == NULL) { ++ perror("popen failed"); ++ return 0; ++ } ++ ++ // 读取命令输出 ++ if(fgets(buffer, sizeof(buffer), pipe) != NULL){ ++ if(strcasestr(buffer,"cgsl") != NULL){ ++ isCgel = 0; ++ } ++ } ++ ++ // 关闭管道 ++ pclose(pipe); ++ ++ return isCgel; ++} ++ ++#endif ++/*end*/ + + struct ev_loop *loop; + int main(int argc, char *argv[]) +@@ -688,6 +734,11 @@ int main(int argc, char *argv[]) + } + #endif + ++ #if defined(SECURITY_EVENT_SYSLOG) ++ g_isCgel = isCgel(); ++ logListInit(); ++ #endif ++ + /* Register sighandlers */ + sa.sa_flags = 0 ; + sigemptyset( &sa.sa_mask ) ; +@@ -1029,6 +1080,10 @@ int main(int argc, char *argv[]) + free_config(&config); + ev_default_destroy(); + ++ #if defined(SECURITY_EVENT_SYSLOG) ++ LogList_free(); ++ #endif ++ + return 0; + } + +diff --git a/src/security_event_log.h b/src/security_event_log.h +new file mode 100644 +index 0000000..0536572 +--- /dev/null ++++ b/src/security_event_log.h +@@ -0,0 +1,39 @@ ++/* security_event_log.h */ ++ ++#ifndef _SECURITY_EVENT_LOG_H_ ++#define _SECURITY_EVENT_LOG_H_ ++ ++#define USER_OPER_ID 1004 ++ ++#define USER_LOGIN_ID "1001" ++ ++#define USER_LOGFAIL_ID "1002" ++ ++#define USER_LOGOUT_ID "1003" ++ ++#define CHMOD_EVENT_ID 1005 ++ ++#define CHOWN_EVENT_ID 1005 ++ ++#define PASSWD_L_EVENT_ID 1006 ++ ++#define PASSWD_U_EVENT_ID 1007 ++ ++#define PAM_LOCK_EVENT_ID 1006 ++ ++#define PAM_UNLOCK_EVENT_ID 1007 ++ ++#define USER_ADD_EVENT_ID 1008 ++ ++#define USER_DEL_EVENT_ID 1009 ++ ++#define MODIFY_PASSWD_POLICY_EVENT_ID 1010 ++ ++#define PASSWD_EVENT_ID 1011 ++ ++#define SU_EVENT_ID 1022 ++ ++extern int pattern_match(char *pattern,char *buf, char **match); ++ ++#endif /* !_SECURITY_EVENT_LOG_H_ */ ++/* security_event_log.h */ +diff --git a/src/securitysyslog.c b/src/securitysyslog.c +new file mode 100644 +index 0000000..4baa588 +--- /dev/null ++++ b/src/securitysyslog.c +@@ -0,0 +1,133 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "securitysyslog.h" ++ ++#ifdef SECURITY_EVENT_SYSLOG ++#define MAX_LEN 512 ++#define PID_KTHREADD 2/*linux下线程调度的进程,如果有进程的parent为它,则表示异常,找不到其parent*/ ++ ++static pid_t get_parent_pid(pid_t pid) ++{ ++ char path[MAX_LEN] = {0}; ++ char buf[MAX_LEN] = {0}; ++ pid_t ppid=0; ++ char fpth[MAX_LEN]={0}; ++ ++ FILE * fp = NULL; ++ int read; ++ zte_snprintf_s(path,sizeof(path),"/proc/%d/stat",pid); ++ ++ fp = fopen(path,"r"); ++ if( NULL==fp ) { ++ return -1; ++ } ++ read = fread(buf,1,MAX_LEN,fp); ++ if ( read <=0 ) { ++ (void)fclose(fp); ++ return -1; ++ } ++ (void)fclose(fp); ++ ++#ifdef __riscv ++ sscanf(buf,"%*d %*c%s %*c %d %*s",fpth,&ppid); ++#else ++ rsize_t size_array[2] = {MAX_LEN,0}; ++ zte_sscanf_s(buf,"%*d %*c%s %*c %d %*s",size_array, fpth,&ppid); ++#endif ++ ++ if( PID_KTHREADD == ppid ) { ++ return -1; ++ }else{ ++ return ppid; ++ } ++} ++ ++static struct utmp * get_session_utmp(pid_t pid ) ++{ ++ struct utmp *ut = NULL; ++ struct utmp *ret = NULL; ++ setutent (); ++ /* First, try to find a valid utmp entry for su parent process. */ ++ while ((ut = getutent ()) != NULL) { ++ if ( ut->ut_pid == pid ){ ++ break; ++ } ++ } ++ ++ if (NULL != ut) { ++ ret = (struct utmp *) malloc (sizeof (*ret)); ++ if(NULL != ret){ ++ //memcpy (ret, ut, sizeof (*ret)); ++ zte_memcpy_s (ret,sizeof (*ret), ut, sizeof (*ret)); ++ } ++ } ++ ++ endutent (); ++ ++ return ret; ++} ++ ++static struct utmp * get_pid_session_internal(pid_t ppid){ ++ struct utmp *ut = NULL; ++ ut = get_session_utmp(ppid); ++ if(ut==NULL){ ++ while(NULL==ut || ut->ut_host[0] == '\0'){ ++ ppid = get_parent_pid(ppid); ++ if(ppid <= 1){ ++ break; ++ } ++ ut = get_session_utmp(ppid); ++ ++ } ++ } ++ return ut; ++} ++ ++struct utmp * get_pid_session(pid_t ppid) ++{ ++ struct utmp *ut = NULL; ++ ut = get_pid_session_internal(ppid); ++ return ut; ++} ++ ++ ++void getIpByPid(pid_t ppid, char *ip, size_t destMaxLen){ ++ struct utmp *ut = NULL; ++ memset(ip,0,destMaxLen); ++ ut = get_pid_session(ppid); ++ if(NULL != ut && ut->ut_host[0] != '\0'){ ++ size_t len = zte_strnlen_s(ut->ut_host, UT_HOSTSIZE - 1); ++ zte_memcpy_s(ip,destMaxLen,ut->ut_host,len); ++ }else{ ++ zte_memcpy_s(ip,destMaxLen,LOCALHOST,zte_strnlen_s(LOCALHOST, UT_HOSTSIZE - 1)); ++ } ++ if(NULL != ut){ ++ free(ut); ++ ut = NULL; ++ } ++} ++ ++/** ++ * @由命令调用,根据命令的ppid,获取登录的IP,并记录安全日志 ++ * ++ * @param event_id ++ * @param msg ++ * @param result ++ */ ++void logSecurityEvent(int event_id, char *msg, int result){ ++ char ip[UT_HOSTSIZE] =""; ++ struct passwd *pwent = getpwuid(getuid()); ++ const char* my_name = pwent!= NULL ? pwent->pw_name : ""; ++ getIpByPid(getppid(), ip, UT_HOSTSIZE); ++ syslog(LOG_INFO, "eventID=%d, user=%s, IP=%s, result=%s, content=%s\n", event_id, my_name, ip, result == SECURITY_EVENT_FAIL ? "failed" : "success", msg); ++} ++ ++#endif ++ +diff --git a/src/securitysyslog.h b/src/securitysyslog.h +new file mode 100644 +index 0000000..bbd71d3 +--- /dev/null ++++ b/src/securitysyslog.h +@@ -0,0 +1,18 @@ ++#ifndef SECURITYSYSLOG_H_ ++#define SECURITYSYSLOG_H_ ++ ++/** ++ * Method will modify the content of pointer cmd_orig, ++ * but donnot modify the pointer addr. ++ */ ++#ifdef SECURITY_EVENT_SYSLOG ++#define SECURITY_EVENT_SUCCESS 1 ++#define SECURITY_EVENT_FAIL 0 ++#define LOCALHOST "127.0.0.1" ++ ++extern struct utmp * get_pid_session(pid_t pid ); ++extern void getIpByPid(pid_t ppid, char *ip, size_t destMaxLen); ++extern void logSecurityEvent(int event_id, char *msg, int result); ++#endif ++ ++#endif /* SECURITYSYSLOG_H_*/ diff --git a/audit.spec b/audit.spec index 407311796761e209575dd2e268b5d281e0858856..48515d6f916e081f516e7fafaa357a8a38cc4caf 100644 --- a/audit.spec +++ b/audit.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 Summary: User space tools for kernel auditing Name: audit @@ -10,6 +10,7 @@ Source0: https://github.com/linux-audit/audit-userspace/archive/v%{version}/%{na Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Patch0: 0001-Add-loongarch-support-for-audit-userspace.patch +Patch1: 0002-Audit-add-security-log.patch BuildRequires: make gcc BuildRequires: krb5-devel @@ -99,10 +100,10 @@ The %{name}-doc package contains documentation files for %{name}. %setup -q -n %{name}-userspace-%{version} cp %{SOURCE1} . %ifarch loongarch64 -%patch -P 0 -p 1 +%patch0 -p1 %endif +%patch1 -p1 - %build autoreconf -fv --install # Remove the ids code, its not ready @@ -282,6 +283,9 @@ fi %doc README ChangeLog %changelog +* Mon Oct 13 2025 Zaiqiang Su - 3.1.2-5 +- Audit add security log + * Tue Jun 17 2025 mgb01105731 - 3.1.2-4 - Upstream url changed