alterator-audit-0.3.0/000075500000000000000000000000001230111162100145755ustar00rootroot00000000000000alterator-audit-0.3.0/Makefile000064400000000000000000000005541230111162100162410ustar00rootroot00000000000000NAME=audit DESCRIPTION="System Audit" INSTALL=/usr/bin/install all: clean: install: install-backend install-ui install-data install-data: install -d $(sysconfdir)/sysconfig/alterator-audit/templates cp -a template/* $(sysconfdir)/sysconfig/alterator-audit/templates include /usr/share/alterator/build/ui2.mak include /usr/share/alterator/build/backend.mak alterator-audit-0.3.0/applications/000075500000000000000000000000001230111162100172635ustar00rootroot00000000000000alterator-audit-0.3.0/applications/audit.desktop000064400000000000000000000003171230111162100217650ustar00rootroot00000000000000[Desktop Entry] Type=Application Categories=X-Alterator-System Terminal=false Name=Audit Icon=audit X-Alterator-URI=/audit X-Alterator-Weight=20 X-Alterator-Help=audit Name[ru]=Системный Аудит alterator-audit-0.3.0/backend3/000075500000000000000000000000001230111162100162475ustar00rootroot00000000000000alterator-audit-0.3.0/backend3/audit000075500000000000000000000517661230111162100173220ustar00rootroot00000000000000#!/bin/bash CONFIGDIR="/etc/sysconfig/alterator-audit" RULES_NAME="$CONFIGDIR/names" RULES="$CONFIGDIR/rules" FILTERS="$CONFIGDIR/filters" TEMPLATES="$CONFIGDIR/templates" alterator_api_version=1 . alterator-sh-functions . alterator-service-functions . 
shell-config daemon_status() { if service_control "auditd" is-enabled && service_control "auditd" is-active; then write_string_param auditd_status "Active" else write_string_param auditd_status "Inactive" fi } daemon_on() { if service_control "auditd" is-enabled && service_control "auditd" is-active; then service_control "auditd" condstop /etc/init.d/auditd stop service_control "auditd" off else auditctl "-D" service_control "auditd" on service_control "auditd" start || : fi daemon_status } list_report() { head= size=0 write_enum_item "auth" write_enum_item "avc" write_enum_item "config" write_enum_item "crypto" write_enum_item "event" write_enum_item "file" write_enum_item "host" # write_enum_item "input" #TODO write_enum_item "login" write_enum_item "mods" write_enum_item "mac" write_enum_item "pid" write_enum_item "response" write_enum_item "syscall" write_enum_item "terminal" write_enum_item "user" write_enum_item "executable" } list_size_page() { write_enum_item "20" "`_ "20 lines"`" write_enum_item "30" "`_ "30 lines"`" write_enum_item "50" "`_ "50 lines"`" write_enum_item "100" "`_ "100 lines"`" } list_time() { write_enum_item " " #all write_enum_item "now" #сейчас write_enum_item "recent" #10 мин назад write_enum_item "today" #сегодня write_enum_item "yesterday" write_enum_item "this-week" write_enum_item "this-month" write_enum_item "this-year" write_enum_item "another" } read_log() { aurep_data="$(aureport $parameters --input-logs | sed -n $(($1+1))','$2'p')" if [ "$(echo "$aurep_data" | sed -n '6p')" = '' ]; then aurep_data= return fi if [ "$(echo "$aurep_data" | sed -n '1p')" = 'usage: aureport [options]' ];then aurep_data= return fi } config_log() { snum=1 fnum=$(($snum + $in_size_page - 1)) nstr=1000 d_nstr=500 dn_str=0 parameters="--$in_report $(create_params)" all_lines="$(($(aureport $parameters --input-logs | wc -l) -5))" read_log 0 $(($nstr+5)) data_head="$(echo "$aurep_data" | sed -n '4p')" head= size=0 for name in $data_head do if [ -n "$head" 
]; then head="$head;$name" else head="$name" fi size=$(($size + 1)) done aurep_data="$(echo "$aurep_data" | sed '1,5d')" if [ -n "$(echo "$in_parameter" | tr -d ' ')" ];then advance_search all_lines="$(echo "$aurep_data" | wc -l)" nstr=$(($all_lines+$d_nstr)) fi write_string_param all_lines "$all_lines" write_string_param select_line "$snum" } advance_search() { aurep_data="$(aureport $parameters --input-logs | sed '1,5d')" for search in $in_parameter do aurep_data="$(echo "$aurep_data" | grep "$search")" done } title_logtable() { if [ -z "$head" ]; then head="Log Audit"; fi echo "$size $head" } list_table() { if [ -n "$aurep_data" ]; then if [ $fnum -gt $nstr ] || [ $snum -lt $dn_str ]; then nstr=$snum local low=$(($snum-$d_nstr+5)) local high=$(($snum+$d_nstr+5)) test $low -lt 5 && low=5 && high=$(($snum+$d_nstr+5)) read_log $low $high dn_str=$(($snum-$d_nstr)) test $dn_str -lt 5 && dn_str=0 fi local data_page="$(echo "$aurep_data" | sed -n $(($snum-$dn_str))','$(($fnum-$dn_str))'p' | tr '\n' ' ' | sed -e 's/ \{1,\}/;;/g')" write_enum_item "$data_page" else write_enum_item "Empty Log;;" fi } page_table() { local psize=$in_size if [ "$in_page" = 'back' ]; then snum=$(($snum - $psize)) fnum=$(($fnum - $psize)) if [ $snum -lt 1 ]; then snum=1 fnum=$psize fi elif [ "$in_page" = 'next' ]; then if [ $fnum -lt $all_lines ]; then snum=$(($fnum + 1)) fnum=$(($fnum + $psize)) fi elif [ "$in_page" = 'size' ]; then snum=$snum fnum=$(($snum + $psize -1)) else if [ $in_page -le $all_lines ]; then snum=$in_page fnum=$(($snum + $psize - 1)) fi fi write_string_param select_line "$snum" write_string_param prev_num "$snum" } create_params() { local params= if [ "$in_interplet" = '#t' ]; then params="-i"; fi if [ "$in_success" = '#t' ]; then params="$params --success"; fi if [ "$in_failed" = '#t' ]; then params="$params --failed"; fi if [ "$in_time" = '#t' ]; then if [ "$in_start_time" != ' ' ]; then if [ "$in_start_time" != 'another' ]; then params="$params -ts $in_start_time" else 
params="$(echo $params -ts "$(echo $in_s_date | sed -e 's/^.\{2\}//' | awk -F'-' '{print $2,$3,$1}' | tr ' ' '/')" "$in_s_time")" fi fi if [ "$in_end_time" != ' ' ]; then if [ "$in_end_time" != 'another' ]; then params="$params -te $in_end_time" else params="$(echo $params -te "$(echo $in_e_date | sed -e 's/^.\{2\}//' | awk -F'-' '{print $2,$3,$1}' | tr ' ' '/')" "$in_e_time")" fi fi fi if [ "$in_summary" = '#t' ]; then params="$params --summary"; fi echo $params } save_log() { if [ -z "$in_path" ];then write_error "`_ "Empty path"`" return fi echo "$(echo "$head" | tr ';' ' ')" > "$in_path" if ! [ -f "$in_path" ];then write_error "`_ "Can't create file in $in_path"`" return fi if [ "$in_full" = "full" ];then if [ $nstr = $(($all_lines+$d_nstr)) ];then echo "$aurep_data" >> "$in_path" else read_log 5 $(($all_lines+5)) fi elif [ "$in_full" = "page" ];then echo "$(echo "$aurep_data" | sed -n $(($snum-$dn_str))','$(($fnum-$dn_str))'p')" >> "$in_path" fi } edit_config() { local number=$(grep -n $1'=' "$CONFIGDIR/config" | awk -F':' '{print $1}') sed -i $number"i $1=$2" "$CONFIGDIR/config" sed -i $(($number+1))'d' "$CONFIGDIR/config" } check_name_params() { local number=$(grep -n $in_name'::' $FILTERS | awk -F':' '{print $1}') if [ -z "$number" ]; then number=$(grep -n '::'"$(create_params)" $FILTERS | awk -F':' '{print $1}') fi echo "$number" } list_filter_log() { local name= value= cat $FILTERS | while read line do name="$(echo $line | awk -F'::' '{print $1}')" value="$(echo $line | awk -F'::' '{print $2}')" write_enum_item "$value" "$name" # write_table_item "$(echo $line | awk -F'::' '{print $1}')" "$(echo $line | awk -F'::' '{print $2}')" done } change_filter() { case "$in_mode" in "save") save_filter "add" ;; "del") delete_filter ;; "chan") save_filter "ch" ;; esac list_filter_log } save_filter() { local params="$(create_params)" params="$in_name::$in_report $params" # if [ "$in_fo_search" = '#t' ]; then # params="$params --options=" # while read fil # do # 
params="$params$in_fil_list" # done < <(echo $in_fil_list) if [ -n "$in_parameter" ];then params="$params --options=$in_parameter" fi if [ "$1" = "add" ];then echo "$params" >> $FILTERS else if [ $in_number != -1 ];then sed -i $(($in_number+1))"i $params" $FILTERS sed -i $(($in_number+2))'d' $FILTERS fi fi } delete_filter() { if [ -n "$in_number" ];then sed -i $(($in_number+1))'d' $FILTERS fi } init_filter() { local report="$(echo $in_params | awk -F' ' '{print $1}')" local start_time="$(echo $in_params | grep "ts " | sed -r 's/.*-ts ([^ ]+).*/\1/')" local end_time="$(echo $in_params | grep "te " | sed -r 's/.*-te ([^ ]+).*/\1/')" local s_date= s_time= e_date= e_time= if [ -n "$(echo $start_time | grep '/')" ]; then start_time="another" s_date="$(echo "$in_params" | grep "ts " | sed -r 's/.*-ts ([^-]+).*/\1/')" s_time="$(echo "$s_date" | awk -F' ' '{print $2}')" s_date="$(echo "$s_date" | awk -F' ' '{print $1}' | awk -F'/' '{print $3,$1,$2}' | tr ' ' '-')" if [ $(echo $s_date | cut -c 1) -eq 9 ];then s_date="19$s_date" else s_date="20$s_date" fi fi if [ -n "$(echo $end_time | grep '/')" ]; then end_time="another" e_date="$(echo "$in_params" | grep "te " | sed -r 's/.*-te ([^-]+).*/\1/')" e_time="$(echo "$e_date" | awk -F' ' '{print $2}')" e_date="$(echo "$e_date" | awk -F' ' '{print $1}' | awk -F'/' '{print $3,$1,$2}' | tr ' ' '-')" if [ $(echo $e_date | cut -c 1) -eq 9 ];then e_date="19$e_date" else e_date="20$e_date" fi fi local options="$(echo "$in_params" | grep "options" | sed -r 's/.*--options=([^-]+).*/\1/')" # if [ -n "$options" ]; then # write_string_param write_string_param report "$report" write_string_param start_time "$start_time" write_string_param end_time "$end_time" write_string_param s_date "$s_date" write_string_param e_date "$e_date" write_string_param s_time "$s_time" write_string_param e_time "$e_time" write_string_param search_param "$options" } #================================rules================ list_all_rules() { local list="$(cat 
$RULES)" # local list=$(/sbin/auditctl -l | awk -F: '{print $2}') if [ -z "$(echo $list|tr -d '/n')" ];then return;fi local stat_= i=1 name= j=1 while read rule do name="$(sed -n $i'p' $RULES_NAME)" test "$(echo "$rule"|cut -c1)" != '#' && stat_="on" || rule="$(echo "$rule"|cut -c2-)" if [ -z "$name" ]; then name="rule_$j" j=$(($j+1)) fi write_table_item name "$rule" rule "$name" check "$stat_" name= stat_= i=$(($i+1)) done < <(echo "$list") } delete_rule() { if [ "$in_option" = "del_all" ];then auditctl -D cat /dev/null > $RULES cat /dev/null > $RULES_NAME return fi test $in_num -lt 0 && return local rule="$(sed -n $(($in_num+1))'p' $RULES)" local active=true # local rule="$in_rule" test "$(echo "$rule"|cut -c1)" = '#' && active=false local param_rule="$(echo "$rule" | awk -F' ' '{print $1}')" rule="$(echo "$rule" |cut -d ' ' -f 2- )" test $param_rule = '-w' && rule="-W $rule" || rule="-d $rule" local err= if service_control "auditd" is-active; then err="$(auditctl $rule 2>&1)";fi if [ -n "$err" ] && $active;then write_error "`_ "Error deleting rules!"`"" $err" echo "err" return fi sed -i $(($in_num+1))'d' $RULES_NAME sed -i $(($in_num+1))'d' $RULES } new_rule_simple() { local err="$(auditctl -w "$1" -p $2 2>&1)" test -n "$err" && write_error "`_ "Error creating rule!"`"" $err" && return local rule="$in_path -p $2" if [ -z "$err" ];then if [ "$in_add_rule" = 'add' ];then echo "-w $rule" >> $RULES echo "$in_name" >> $RULES_NAME else test -n delete_rule && return rule="-w $rule" sed -i $(($in_num+1))"i $rule" $RULES sed -i $(($in_num+1))"i $in_name" $RULES_NAME fi else write_error "`_ "Error creating rule: Path not found!"`" return fi # new_rule_name } new_rule() { test -z "$in_name" && write_error "`_ "Empty name"`" && return # test -n "$(grep -x $in_name $RULES_NAME)" && write_error "`_ "This name is already exists"`" && return local perm=$(echo "$in_perm" | grep -o "[rwxa]" | tr -d '\n') test -z "$perm" && perm="rwxa" test "$in_expert" = '#t' && new_rule_expert 
|| new_rule_simple "$in_path" $perm } config_rule() { local rule="$(echo "$in_rule" | cut -c2-)" local i=1 param= value= permiss="rwxa" syscall= local string="$(echo "$rule" | awk -F'-' -F' -' '{print $1}')" while [ -n "$string" ] do param="$(echo "$string" | awk -F' ' '{print $1}')" value="$(echo "$string" | cut -c3-)" check_param "$param" "$value" i=$(($i+1)) string="$(echo "$rule" | awk -F'-' -F' -' '{print $'$i'}')" done write_string_param rule_syscall "$syscall" test_permiss "$permiss" } activate_rule() { if [ $in_num != -1 ];then local rule="$(sed -n $(($in_num+1))'p' $RULES)" test "$in_stat" = '#f' && rule="#$rule" || rule="$(echo "$rule"|cut -c2-)" sed -i $(($in_num+1))"i $rule" $RULES sed -i $(($in_num+2))'d' $RULES fi } reload_rules() { auditctl -D auditctl -R $RULES } test_path() { write_string_param path_file "$1" if [ -d "$1" ];then write_bool_param check_file false return elif [ -f "$1" ];then write_bool_param check_file true else write_error "`_ "Error rule: Path not found!"`" fi syscall="all" } test_permiss() { test -n "$(echo "$1" | grep 'r')" && write_bool_param perm_r true || write_bool_param perm_r false test -n "$(echo "$1" | grep 'w')" && write_bool_param perm_w true || write_bool_param perm_w false test -n "$(echo "$1" | grep 'x')" && write_bool_param perm_x true || write_bool_param perm_x false test -n "$(echo "$1" | grep 'a')" && write_bool_param perm_a true || write_bool_param perm_a false } check_param() { case "$1" in w) test_path "$2" write_string_param rule_list 'exit' write_string_param rule_action 'always' ;; p) permiss="$2" ;; a) write_string_param rule_list "$(echo "$2" | awk -F, '{print $1}')" write_string_param rule_action "$(echo "$2" | awk -F, '{print $2}')" ;; F) local cond="$(echo $2 | grep -o "[!=<>&]")" local fil="$(echo $2 | awk -F$cond '{print $1}')" local val="$(echo $2 | awk -F$cond '{print $2}')" case $fil in perm) permiss="$val" ;; dir|path) test_path "$val" ;; esac ;; S) test $2 = 'all' || syscall="$syscall $2" ;; 
esac } #==============expert rules============== list_rules() { write_enum_item "task" write_enum_item "entry" write_enum_item "exit" write_enum_item "user" write_enum_item "exclude" } list_filters() { local rule="$(echo "$in_rule" | cut -c2-)" test -z $rule && return local string="$(echo "$rule" | awk -F'-' -F' -' '{print $1}')" local i=1 param= value= local fil= val= cond= while [ -n "$string" ] do param="$(echo "$string" | awk -F' ' '{print $1}')" value="$(echo "$string" | cut -c3-)" case "$param" in F) cond="$(echo "$value" | grep -o "[!=<>&]")" fil="$(echo "$value" | awk -F$cond '{print $1}')" val="$(echo "$value" | awk -F$cond '{print $2}')" write_table_item name "$value" label "$fil" check "$cond" summary "$val" ;; w) test -d "$value" && write_table_item name "dir=$value" label "dir" check "=" summary "$value" || write_table_item name "path=$value" label "path" check "=" summary "$value" ;; p) write_table_item name "perm=$value" label "perm" check "=" summary "$value" ;; esac i=$(($i+1)) string="$(echo "$rule" | awk -F'-' -F' -' '{print $'$i'}')" done } list_all_filters() { write_enum_item "dir" write_enum_item "path" write_enum_item "perm" write_enum_item "arch" write_enum_item "auid" write_enum_item "devmajor" write_enum_item "devminor" write_enum_item "egid" write_enum_item "euid" write_enum_item "exit" write_enum_item "fsgid" write_enum_item "fsuid" write_enum_item "gid" write_enum_item "inode" write_enum_item "key" write_enum_item "msgtype" write_enum_item "obj_user" write_enum_item "obj_role" write_enum_item "obj_type" write_enum_item "obj_lev_low" write_enum_item "obj_lev_high" write_enum_item "path" write_enum_item "perm" write_enum_item "pers" write_enum_item "pid" write_enum_item "ppid" write_enum_item "subj_user" write_enum_item "subj_role" write_enum_item "subj_type" write_enum_item "subj_sen" write_enum_item "subj_clr" write_enum_item "sgid" write_enum_item "success" write_enum_item "suid" write_enum_item "uid" write_enum_item "a0" 
write_enum_item "a1" write_enum_item "a2" write_enum_item "a3" } list_all_conditions() { write_enum_item "=" write_enum_item "!=" write_enum_item "<" write_enum_item ">" write_enum_item "<=" write_enum_item ">=" write_enum_item "&" write_enum_item "&=" } new_rule_name() { local number=1 local size_rules=$(wc -l $RULES_NAME | awk -F' ' '{print $1}') if [ $in_count > $size_rules ]; then for ((i=$size_rules;i<$in_count+1;i++)) do echo >> $RULES_NAME done fi # echo >> $CONFIGDIR/Rules local num=$(echo $(grep -nx $in_name $RULES_NAME) | awk -F':' '{print $1}') if [ -z "$num" ];then if [ "$in_option" = "first" ];then sed -i '1i' "$in_name" $RULES_NAME else number=$(($in_count + 1)) if [ "$size_rules" = "0" ];then number=$in_count;fi sed -i $number"i $in_name" $RULES_NAME sed -i $(($number+1))',$d' $RULES_NAME fi fi #"$in_name" "$CONFIGDIR/Rules" # echo "$in_name" >> $CONFIGDIR/Rules } new_rule_expert() { local err= local fil_list=$(echo "$in_filter_name" | tr ';' '\n') local fil_cond=$(echo "$in_filter_cond" | tr ';' '\n') local fil_val=$(echo "$in_filter_val" | tr ';' '\n') local rule= if [ -z "$in_rule" ]; then write_error "`_ "Empty type of rule!"`" return;fi if [ -n "$in_action" ];then rule="$in_rule,$in_action" else rule="$in_rule,always" fi if [ "$in_option" = "syscall_all" ];then rule="$rule -S all" elif [ -n "$in_syscall" ];then rule="${rule}$(echo " $in_syscall" | sed 's/ \{1,\}/ /g' | sed 's/[ \t]*$//' | sed 's/ / -S /g')" elif [ -z "$in_filter_name"]; then write_error "`_ "Empty filters list!"`" return fi local value= cond= i=1 while read filter do value=$(echo "$fil_val" | sed -n $i'p') cond=$(echo "$fil_cond" | sed -n $i'p') test -n "$filter" && rule="$rule -F $filter$cond$value" i=$(($i+1)) done < <(echo "$fil_list") if [ -n "$in_name" ]; then err="$(auditctl -a $rule 2>&1)" local info="$(echo "$err" | tr -d '\n' | cut -c1)" if [ -z "$info" ];then if [ "$in_add_rule" = 'add' ];then echo "-a $rule" >> $RULES echo "$in_name" >> $RULES_NAME else test -n 
delete_rule && return rule="-a $rule" sed -i $(($in_num+1))"i $rule" $RULES sed -i $(($in_num+1))"i $in_name" $RULES_NAME fi else case "$info" in W) rule="$(echo $(auditctl -l) | awk -F',| ' '{print $2}'),$(echo "$rule" | cut -d ',' -f 2-)" if [ "$in_add_rule" = 'add' ];then echo "-a $rule" >> $RULES echo "$in_name" >> $RULES_NAME else test -n delete_rule && return rule="-a $rule" sed -i $(($in_num+1))"i $rule" $RULES sed -i $(($in_num+1))"i $in_name" $RULES_NAME fi ;; *) write_error "$err" return ;; esac fi fi } clean_all() { write_string_param rule_action "#f" write_string_param filters "" write_string_param condition "" write_string_param rule_list "" write_string_param filter_val "" write_string_param name "" } on_message() { case "$in_action" in list) case "$in__objects" in title_table) title_logtable | write_enum ;; # filters_list) # list_filters | write_enum # ;; esac ;; read) ;; esac } #-----------------------------templates------------------------------------- list_templates() { ls -1 "$TEMPLATES" | while read line do if [ "$line" != "system" ] && [ -z "$(echo "$line"|grep '.names')" ];then write_enum_item "$line";fi done ls -1 "$TEMPLATES/system" | while read line do write_enum_item "system/$line" done } templates() { if [ "$in_what" = 'load' ];then template_load elif [ "$in_what" = 'save' ]; then template_save elif [ "$in_what" = 'remove' ]; then template_remove fi } template_load() { if [ "$in_addend" != '#f' ];then write_error "`_ "rule: $in_template!"`" # auditctl -D # cat /dev/null > "$TEMPLATES/$in_template" # cat /dev/null > "$TEMPLATES/$in_template"".names" return fi # local list=$(/sbin/auditctl -l | awk -F: '{print $2}') local list="$(cat $TEMPLATES/$in_template)" # local all_names="$(cat "$TEMPLATES/$in_template"".names")" local i=1 name= err= while read rule do err="$(auditctl $rule 2>&1)" # if [ -z "$all_name" ];then name="$(echo "$in_template"|tr '/' '_')_$i" # else # name="$(sed -n $i'p' $all_names)" # fi if [ -z "$err" ];then # echo 
"-a$(echo $(auditctl -l | tail -n 1)| awk -F: '{print $2}')" >> $RULES echo "$rule" >> $RULES echo "$name" >> $RULES_NAME else write_error "`_ "Error creating rules!"`"" ERR: $err" return fi name= i=$(($i+1)) done < <(echo "$list") } template_save() { local file="$TEMPLATES/$in_name" if [ "$in_addend" != '#f' ];then if [ -n "$(echo "$in_template"|grep "^system/")" ];then write_error "`_ "Impossible to change. This is a systemic template!"`" return fi if [ -z "$in_name" ];then write_error "`_ "Empty name"`" return fi file="$TEMPLATES/$in_template" cat /dev/null > "$file" cat /dev/null > "$file"".names" fi echo "$(cat $RULES)" >> "$file" echo "$(cat $RULES_NAME)" >> "$file"".names" } template_remove() { if [ -n "$(echo "$in_template"|grep "^system/")" ];then write_error "`_ "Impossible to remove. This is a systemic template!"`" return fi rm -f "$TEMPLATES/$in_template" rm -f "$TEMPLATES/$in_template"".names" } alterator_export_proc list_templates alterator_export_proc templates alterator_export_proc daemon_status alterator_export_proc daemon_on alterator_export_proc list_table alterator_export_proc list_report alterator_export_proc list_time alterator_export_proc config_log alterator_export_proc save_log #alterator_export_proc init_config alterator_export_proc page_table alterator_export_proc list_size_page alterator_export_proc list_search alterator_export_proc change_filter alterator_export_proc list_filter_log alterator_export_proc init_filter alterator_export_proc list_filters alterator_export_proc new_rule alterator_export_proc delete_rule alterator_export_proc list_rules alterator_export_proc activate_rule alterator_export_proc reload_rules alterator_export_proc list_all_rules alterator_export_proc list_all_filters alterator_export_proc list_all_conditions alterator_export_proc config_rule alterator_export_proc clean_all message_loop 
alterator-audit-0.3.0/template/000075500000000000000000000000001230111162100164105ustar00rootroot00000000000000alterator-audit-0.3.0/template/system/000075500000000000000000000000001230111162100177345ustar00rootroot00000000000000alterator-audit-0.3.0/template/system/at_configure000064400000000000000000000000641230111162100223240ustar00rootroot00000000000000-w /var/spool/at -w /etc/at.allow -w /etc/at.deny alterator-audit-0.3.0/template/system/audit_configure000064400000000000000000000001711230111162100230250ustar00rootroot00000000000000-w /etc/audit/auditd.conf -p wa -w /etc/audit/audit.rules -p wa -w /etc/libaudit.conf -p wa -w /etc/default/auditd -p wa alterator-audit-0.3.0/template/system/audit_log000064400000000000000000000000601230111162100216220ustar00rootroot00000000000000-w /var/log/audit/ -w /var/log/audit/audit.log alterator-audit-0.3.0/template/system/cron_tasks000064400000000000000000000003501230111162100220230ustar00rootroot00000000000000-w /etc/cron.allow -p wa -w /etc/cron.deny -p wa -w /etc/cron.d/ -p wa -w /etc/cron.daily/ -p wa -w /etc/cron.hourly/ -p wa -w /etc/cron.monthly/ -p wa -w /etc/cron.weekly/ -p wa -w /etc/crontab -p wa -w /var/spool/cron/root alterator-audit-0.3.0/template/system/hostnames000064400000000000000000000000241230111162100216540ustar00rootroot00000000000000-w /etc/hosts -p wa alterator-audit-0.3.0/template/system/init.d000064400000000000000000000000541230111162100210430ustar00rootroot00000000000000-w /etc/init.d/ -w /etc/init.d/auditd -p wa alterator-audit-0.3.0/template/system/ld.conf000064400000000000000000000000561230111162100212030ustar00rootroot00000000000000-w /etc/ld.so.conf.d -w /etc/ld.so.conf -p wa alterator-audit-0.3.0/template/system/localtime000064400000000000000000000000301230111162100216210ustar00rootroot00000000000000-w /etc/localtime -p wa alterator-audit-0.3.0/template/system/modprobe000064400000000000000000000000241230111162100214620ustar00rootroot00000000000000-w /etc/modprobe.d/ 
alterator-audit-0.3.0/template/system/pam.d000064400000000000000000000000171230111162100206540ustar00rootroot00000000000000-w /etc/pam.d/ alterator-audit-0.3.0/template/system/ssh_server000064400000000000000000000000301230111162100220330ustar00rootroot00000000000000-w /etc/ssh/sshd_config alterator-audit-0.3.0/template/system/sysctl000064400000000000000000000000321230111162100211730ustar00rootroot00000000000000-w /etc/sysctl.conf -p wa alterator-audit-0.3.0/template/system/system_login000064400000000000000000000001261230111162100223720ustar00rootroot00000000000000-w /etc/login.defs -p wa -w /etc/securetty -w /var/log/faillog -w /var/log/lastlog alterator-audit-0.3.0/template/system/system_users000064400000000000000000000000721230111162100224230ustar00rootroot00000000000000-w /etc/group -p wa -w /etc/passwd -p wa -w /etc/shadow alterator-audit-0.3.0/ui/000075500000000000000000000000001230111162100152125ustar00rootroot00000000000000alterator-audit-0.3.0/ui/audit/000075500000000000000000000000001230111162100163205ustar00rootroot00000000000000alterator-audit-0.3.0/ui/audit/index.scm000064400000000000000000000226641230111162100201450ustar00rootroot00000000000000(document:surround "/std/frame") (define (ui-init) (form-update-enum "report" (woo-list "/audit/list_report")) (form-update-enum "size_page" (woo-list "/audit/list_size_page")) (form-update-enum "filters" (woo-list "/audit/list_filter_log")) (form-update-enum "start_time" (woo-list "/audit/list_time")) (form-update-enum "end_time" (woo-list "/audit/list_time")) (let ((data (woo-read-first "/audit/daemon_status"))) (daemon text (woo-get-option data 'auditd_status))) (update-header_log) ) (define (daemon_turn_off) (let ((data (woo-read-first "/audit/daemon_on"))) (daemon text (woo-get-option data 'auditd_status)))) (define (update-header_log) (tabels rows-clear) (form-update-visibility "tabel" #f) (map (lambda(data) (simple-notify tabels 'action "new" 'parent group_tab 'columns (woo-get-option data 'name) 'type 
"listbox" )) (woo-list "/audit/title_table")) (map (lambda(data) (tabels columns (woo-get-option data 'name) header (woo-get-option data 'label) )) (woo-list "/audit/title_table")) ) (define (update-table) (let ((data (woo-read-first "/audit/config_log" 'report (form-value "report") 'size_page (form-value "size_page") 'summary (form-value "fo_summary") 'success (form-value "fo_success") 'failed (form-value "fo_failed") 'interplet (form-value "fo_interplet") 'time (form-value "fo_time") 'start_time (form-value "start_time") 's_time (form-value "s_time") 's_date (form-value "s_date") 'end_time (form-value "end_time") 'e_time (form-value "e_time") 'e_date (form-value "e_date") 'parameter (form-value "search_param") ))) (form-update-value-list '("all_lines" "select_line") data)) (update-header_log) (tabels enumref "/audit/list_table") (simple-notify tabels 'action "create-event" 'value "clicked") (form-update-value "prev_num" 1) ) (define (setting_rules) (frame:replace "/audit/rules") ) (define (visible_start_time) (if (and (equal? (form-value "start_time") "another") (form-value "fo_time")) (begin (form-update-visibility "s_date" #t) (form-update-visibility "s_time" #t)) (begin (form-update-visibility "s_date" #f) (form-update-visibility "s_time" #f))) ) (define (visible_end_time) (if (and (equal? 
(form-value "end_time") "another") (form-value "fo_time")) (begin (form-update-visibility "e_date" #t) (form-update-visibility "e_time" #t)) (begin (form-update-visibility "e_date" #f) (form-update-visibility "e_time" #f))) ) (define (show_time) (form-update-visibility "start_time" (form-value "fo_time")) (form-update-visibility "end_time" (form-value "fo_time")) (form-update-visibility "label_start_time" (form-value "fo_time")) (form-update-visibility "label_end_time" (form-value "fo_time")) (visible_start_time) (visible_end_time)) ;---------------------------list all filters--------------- (define (select_filter) (form-update-value "name" (filters text)) (if (string-contains (form-value "filters") "--failed") (form-update-value "fo_failed" #t) (form-update-value "fo_failed" #f)) (if (string-contains (form-value "filters") "--success") (form-update-value "fo_success" #t) (form-update-value "fo_success" #f)) (if (string-contains (form-value "filters") "--summary") (form-update-value "fo_summary" #t) (form-update-value "fo_summary" #f)) (if (string-contains (form-value "filters") "-i") (form-update-value "fo_interplet" #t) (form-update-value "fo_interplet" #f)) (if (string-contains (form-value "filters") (or "-ts" "-te")) (form-update-value "fo_time" #t) (form-update-value "fo_time" #f)) ; (if (string-contains (form-value "filters") "--options") ; (form-update-value "fo_search" #t) ; (form-update-value "fo_search" #f)) (let ((data (woo-read "/audit/init_filter" 'params (filters value)))) (form-update-value-list '("report" "start_time" "end_time" "s_date" "s_time" "e_date" "e_time" "search_param" ) data)) (show_time) ; (form-update-visibility "advance_search" (form-value "fo_search")) ) (define (change_filter mode) (form-update-enum "filters" (woo-list "/audit/change_filter" 'mode mode 'number (filters current) 'name (form-value "name") 'report (form-value "report") 'summary (form-value "fo_summary") 'success (form-value "fo_success") 'failed (form-value "fo_failed") 
'interplet (form-value "fo_interplet") 'time (form-value "fo_time") 'start_time (form-value "start_time") 's_time (form-value "s_time") 's_date (form-value "s_date") 'end_time (form-value "end_time") 'e_time (form-value "e_time") 'e_date (form-value "e_date") 'parameter (form-value "search_param") ) ) ) (define (f_change_page data) (form-update-value-list '("select_line" "prev_num") (woo-read "/audit/page_table" 'page data 'size (form-value "size_page"))) (tabels enumref "/audit/list_table") ) (define (save_log data) (catch/message (lambda() (woo-write "/audit/save_log" 'full data 'path (form-value "path_log") )) ) ) ;---------------------------addvance search------------ ;(define (config_filter) ; (fil value (list_fo_search text)) ; (fil_check value (car(list_fo_search row-item (list (list_fo_search current) 1)))) ; (fil_val value (car(list_fo_search row-item (list (list_fo_search current) 2)))) ; (form-update-visibility "change_fo_search" #t) ; (form-update-visibility "delete_fo_search" #t) ; (form-update-visibility "clean_list_search" #t) ;) ; ;(define (change_search) ; (list_fo_search row-item (list_fo_search current) (list (fil value))) ; (list_fo_search row-item (list (list_fo_search current) 1) (list (fil_check value))) ; (list_fo_search row-item (list (list_fo_search current) 2) (fil_val value)) ;) ; ;(define (add_search) ; (if (and (not (equal? (fil value) "")) ; (not (equal? (fil_check value) "")) ; (not (equal? 
(fil_val value)"")) ) ; (list_fo_search append-row (vector (fil value) (fil_check value) (fil_val text)) )) ;) ; ; ;--------------------UI-------------- (define (line) (form-update-value "select_line" (+ (string->number (form-value "prev_num")) (tabels current)) ) ) (edit name "prev_num" value 1 visibility #f) (gridbox columns "4;100;4" align "top" (spacer) (vbox (hbox align "left;top" ; (button (_ "Log Settings") name "log_setting") ; ) ; (hbox align "left" (label (_ "Status: ")) (document:id daemon (button (when clicked (daemon_turn_off)))) (label " ") (button (_ "Setting Rules") name "rules_setting")) (document:id group_tab (groupbox (_ "Log audit") height 380 (document:id tabels (listbox name "tabel" (when clicked (line)) )) )) (hbox (hbox align "left" (button (_ "Back") (when clicked (f_change_page "back"))) (button (_ "Next") (when clicked (f_change_page "next"))) (combobox name "size_page" (when changed (f_change_page "size"))) (spinbox name "select_line" minimum "1" step "1" (when changed (f_change_page (form-value "select_line")))) (label "/") (label name "all_lines" value "1") ) (hbox align "right" ; (button (_ "Copy in buffer") (when clicked (woo-write "/audit/copy_buffer"))) (label "path:") (edit name "path_log") (button (_ "Save Page") (when clicked (save_log "page"))) (button (_ "Save Log") (when clicked (save_log "full"))) ) ) (separator) (gridbox columns "70;50;5;100;5;60" align "top" (document:id filters (listbox name "filters" (when selected (select_filter)) )) (vbox align "top" (groupbox (_ "Filter options") align "top" (vbox (checkbox (_ "Success") name "fo_success" (when changed (form-update-value "fo_failed" #f))) (checkbox (_ "Failed") name "fo_failed" (when changed (form-update-value "fo_success" #f))) (checkbox (_ "Summary") name "fo_summary") (checkbox (_ "Interplet") name "fo_interplet" value #t)) (checkbox (_ "time") name "fo_time" (when changed (show_time))) ) ) (spacer) (gridbox columns "0;100" align "top" (label (_ "Name")) (edit name 
"name") (label (_ "Report")) (combobox name "report") (label (_ "Search")) (edit name "search_param") (label (_ "Start Time") visibility (form-value "fo_time") name "label_start_time" ) (combobox name "start_time" visibility (form-value "fo_time") (when changed (visible_start_time))) (dateedit name "s_date" visibility #f) (timeedit name "s_time" visibility #f stop #t) (label (_ "End Time") visibility (form-value "fo_time") name "label_end_time") (combobox name "end_time" visibility (form-value "fo_time") (when changed (visible_end_time))) (dateedit name "e_date" visibility #f) (timeedit name "e_time" visibility #f stop #t) ) (spacer) (spacer) (hbox (button (_"Add") (when clicked (change_filter "save"))) (button (_"Delete") (when clicked (change_filter "del"))) (button (_"Change") (when clicked (change_filter "chan")))) (spacer) (spacer) (button (_"Update") align "right" (when clicked (update-table) )) ) ) ) (document:root (when loaded (ui-init) (form-bind "rules_setting" "click" setting_rules) ) ) alterator-audit-0.3.0/ui/audit/rules/000075500000000000000000000000001230111162100174525ustar00rootroot00000000000000alterator-audit-0.3.0/ui/audit/rules/index.scm000064400000000000000000000221021230111162100212620ustar00rootroot00000000000000(document:surround "/std/frame") (define (ui-init) (catch/message (lambda() (form-update-enum "all_rules" (woo-list "/audit/list_all_rules")) (form-update-enum "rule_list" (woo-list "/audit/list_rules")) (form-update-enum "condition" (woo-list "/audit/list_all_conditions")) (form-update-enum "filters" (woo-list "/audit/list_all_filters" )) ) ) (clean) ) (define (config_rule) (clean) (if (not (equal? (rule_all current) -1)) (configure_rule))) (define (configure_rule) (let ((data (woo-read-first "/audit/config_rule" 'rule (form-value "all_rules")))) (rule_name value ( if (equal? (rule_all text) (form-value "all_rules")) "" (rule_all text) )) (form-update-value "active" (equal? 
(car(rule_all row-item (list (rule_all current) 1))) "on") ) (form-update-value-list '("rule_action") data) (form-update-value-list '("rule_list" "rule_syscall") data) (form-update-enum "filter_list" (woo-list "/audit/list_filters" 'rule (form-value "all_rules"))) (form-update-value-list '("perm_r" "perm_w" "perm_x" "perm_a" "check_file") data) (path_dir_file value (woo-get-option data 'path_file)) ) (dir_or_file) ) (define (clean) (let ((data (woo-read "/audit/clean_all"))) (form-update-value-list '("rule_action" "filters" "condition" "filter_val" "rule_list" "name") data) ) (fil_list rows-clear) (form-update-visibility "change_filter" #f) (form-update-visibility "delete_filter" #f) (form-update-visibility "clean_filter_list" #f) (dir_or_file) ) (define (config_filter) (form-update-value "filters" (fil_list text)) (form-update-value "condition" (car(fil_list row-item (list (fil_list current) 1)))) (fil_val value (car(fil_list row-item (list (fil_list current) 2)))) (form-update-visibility "change_filter" #t) (form-update-visibility "delete_filter" #t) (form-update-visibility "clean_filter_list" #t) ) (define (change_filter) (fil_list row-item (fil_list current) (list (fil text))) (fil_list row-item (list (fil_list current) 1) (list (fil_check text))) (fil_list row-item (list (fil_list current) 2) (fil_val text)) ) (define (add_filter) (if (and (not (equal? (fil value) "")) (not (equal? (fil_check value) "")) (not (equal? (fil_val value)"")) ) (fil_list append-row (vector (fil text) (fil_check text) (fil_val text)) )) ) (define (activate) (rule_all row-item (list (rule_all current) 1) ( if (form-value "active") (list "on") (list "") )) (woo-call "/audit/activate_rule" 'stat (form-value "active") 'num (rule_all current)) (if (not (equal? 
(rule_all current) -1)) (form-update-visibility "reload" #t)) ) (define (permission) (vector (if (form-value "perm_r") "r" "") (if (form-value "perm_w") "w" "") (if (form-value "perm_x") "x" "") (if (form-value "perm_a") "a" "") ) ) (define (new_rule mode) (define (extract-text0 x) (car (vector-ref x 0))) (define (extract-text1 x) (car (vector-ref x 1))) (define (extract-text2 x) (car (vector-ref x 2))) (catch/message (lambda() (woo-write "/audit/new_rule" 'syscall (form-value "rule_syscall") 'rule (form-value "rule_list") 'action (form-value "rule_action") 'all_rules (form-value "all_rules") 'add_rule mode 'name (form-value "name") 'num (rule_all current) 'count (rule_all count) 'expert (form-value "expert_mode") 'path (path_dir_file value) 'perm (permission) 'filter_name (map extract-text0 (fil_list rows)) 'filter_val (map extract-text2 (fil_list rows)) 'filter_cond (map extract-text1 (fil_list rows)) ) ) ; (document:popup-warning (_ "msg") #t) ; (lambda(msg) (document:popup-critical (_ "msg") 'ok) #t) ) (form-update-enum "all_rules" (woo-list "/audit/list_all_rules")) ; (clean) ) (define (delete_rule) (catch/message (lambda() (woo-call "/audit/delete_rule" 'num (rule_all current) 'rule (form-value "all_rules") ) (form-update-enum "all_rules" (woo-list "/audit/list_all_rules")) (clean))) ) (define (turn_rule) (list (list (rule_all row-item (rule_all current)) (list (rule_all row-item (+(rule_all current) 1))) )) ) (define (template) (form-popup "/audit/rules/templates") (ui-init) ) (define (expert) (define mode (form-value "expert_mode")) (form-update-visibility "rule_syscall" mode) (form-update-visibility "label_syscall" mode) (form-update-visibility "label_rule" mode) (form-update-visibility "rule_list" mode) (form-update-visibility "group_filters" mode) (form-update-visibility "actions" mode) ; (form-update-visibility "move_rule" mode) (path_dir_file visibility (not mode)) (form-update-visibility "label_path" (not mode)) (form-update-visibility "group_perm" 
(not mode)) (form-update-visibility "check_file" (not mode)) ) (define fileselect (make-widget 'fileselect)) (define url (make-attribute 'url)) (define value (make-attribute 'value)) (define filter (make-attribute 'filter)) (define hints (make-attribute 'hints)) (define (ui-exit) (document:end)) (define (dir_or_file) (if (form-value "check_file") (path_dir_file hints "existing_file" title (_"Select file") filter "*") (path_dir_file hints "existing_file;directory;show_dirs_only" title (_"Select directory") filter "*.directory")) ) ;;; UI width 800 height 600 (gridbox columns "10;100;10" align "top" (spacer) (gridbox columns "70;5;100" align "top" (vbox (label) (checkbox (_ "Expert mode") name "expert_mode" align "left")) (spacer) (spacer) (groupbox (_ "Rules") (document:id rule_all (listbox name "all_rules" columns 2 header (vector (_ "Rule") (_ "Status")) row '#((rule . "") (check . "") ) )) (hbox align "left" (button (_ "Templates") (when clicked (template)))) ) (spacer) (vbox (gridbox columns "10;100" (label (_ "Name")) (document:id rule_name (edit name "name")) ;;///basic (checkbox (_ "(File) Path") name "check_file") (document:id path_dir_file (fileselect url "/")) ;;/// (label (_ "Rule") name "label_rule") (combobox name "rule_list") (groupbox (_ "Action") orientation "horizontal" colspan 2 name "actions" (radio text "always" name "rule_action" value "always") (radio text "newer" name "rule_action" value "newer")) (label (_ "Syscall") name "label_syscall") (edit name "rule_syscall")) ;;///basic (groupbox (_ "Permissive") name "group_perm" colspan 2 (hbox (checkbox (_ "read") name "perm_r") (checkbox (_ "execute") name "perm_x")) (hbox (checkbox (_ "write") name "perm_w") (checkbox (_ "change attribute") name "perm_a"))) ;;/// (groupbox (_ "Filters") name "group_filters" (document:id fil_list (listbox columns 3 name "filter_list" header (vector (_ "filter") (_ "check") (_ "value")) row '#((label . "") (check . "") (summary . 
"")) ) ) (hbox (document:id fil (combobox name "filters" align "left")) (document:id fil_check (combobox name "condition" align "left")) (document:id fil_val (edit name "filter_val" (when return-pressed (change_filter)))) ) (gridbox columns "10;3;10" (hbox align "left" (button (_ "Add filter") name "add_filter") (button (_ "Change") name "change_filter" visibility #f)) (spacer) (hbox align "right" (button (_ "Clean list") name "clean_filter_list" align "left" visibility #f (when clicked (fil_list rows-clear))) (button (_ "Delete") name "delete_filter" visibility #f (when clicked (fil_list row-remove (fil_list current)))))) ) (spacer) (checkbox (_ "Activate rule") name "active") (spacer) (hbox ; (hbox align "left" name "move_rule" visibility #f ; (label (_ "move rule in the list:")) ; (button (_ "Up") (when clicked (move_rule "up"))) ; (button (_ "Down") (when clicked (move_rule "down")))) (spacer) (hbox align "right;bottom" (button (_ "Add Rule") name "add_rule" (when clicked (new_rule "add"))) (button (_ "Change Rule") name "save_rule" (when clicked (new_rule "change") (form-update-visibility "reload" #t) )) (button (_ "Delete") name "del_rule" (when clicked (delete_rule)) )) )) (vbox (spacer) (hbox (button (_ "Back") align "left;bottom" name "cancel" (when clicked (frame:replace "/audit"))) (hbox align "center" name "reload" visibility #f (label (_ "Please reload configuration of rules ")) (button (_ "Reload") (when clicked (woo-call "/audit/reload_rules") (form-update-visibility "reload" #f)))))) ) ) ;; (document:root (when loaded (ui-init) (expert) (form-bind "all_rules" "change" config_rule) (form-bind "expert_mode" "change" config_rule) (form-bind "filter_list" "change" config_filter) (form-bind "change_filter" "click" change_filter) (form-bind "add_filter" "click" add_filter) (form-bind "expert_mode" "change" expert) (form-bind "active" "change" activate) (form-bind "check_file" "change" dir_or_file) )) 
alterator-audit-0.3.0/ui/audit/rules/templates/000075500000000000000000000000001230111162100214505ustar00rootroot00000000000000alterator-audit-0.3.0/ui/audit/rules/templates/index.scm000064400000000000000000000025771230111162100232740ustar00rootroot00000000000000
;; Popup for the audit rule templates: load, save or remove a named
;; template through the /audit/templates backend call.
(document:surround "/std/frame")

;; Refresh the "Templates" combobox from the backend's template list.
;; Wrapped in catch/message so a backend error is reported to the user
;; instead of aborting the page.
(define (ui-read)
  (catch/message
    (lambda()
      (form-update-enum "all_templates" (woo-list "/audit/list_templates"))
    )
  )
)

;; Close this popup document (bound to the "Cancel" button below).
(define (ui-exit)
  (document:end)
)

;; Send one template operation to the backend and re-read the list.
;; data: the operation requested by the button that was clicked —
;;       "remove", "load" or "save" (see the buttons in the layout).
;; 'template is the currently selected template, 'name the free-text
;; value of the "Name template" edit field.
;; NOTE(review): 'name is user-typed text passed to the backend as-is;
;; validation (presumably it becomes a file name in the templates
;; directory — confirm) has to happen on the backend side.
;; 'addend is hard-wired to "#f" because the "Add to end of list"
;; checkbox is commented out in the layout below.
(define (templates data)
  (catch/message
    (lambda()
      (woo-write "/audit/templates"
        'template (form-value "all_templates")
        'name (form-value "name")
        'what data
        'addend "#f"
        ; 'addend (form-value "add")
      )
    )
  )
  (ui-read)
)

;; Layout: name edit + template combobox, then Remove / Load / Save
;; buttons, each calling (templates <op>) with its operation string.
(gridbox columns "5;100;5"
  ; (spacer)
  ; (vbox
  ;   (label align "center" text (_ "Rules"))
  ;   (listbox name "rules")
  ; )
  (spacer)
  (vbox
    (gridbox align "top" columns "10;90"
      (label) (label)
      (label (_ "Name template")) (edit name "name")
      (label (_ "Templates")) (combobox name "all_templates")
      ; (label (_ "Add to end of list")) (checkbox name "add")
    )
    (vbox align "middle"
      (hbox
        (button (_ "Remove") align "left" (when clicked (templates "remove")))
        (hbox align "right"
          (button (_ "Load") (when clicked (templates "load")))
          (button (_ "Save") (when clicked (templates "save")))
        )
      )
    )
    (button align "bottom;right" text (_ "Cancel") name "cancel")
  )
)

;; On load: populate the template list and wire the Cancel button.
(document:root
  (when loaded
    (ui-read)
    ; (form-bind "bridge" "change" bridge-changed)
    ; (form-bind "ok" "click" ui-write)
    (form-bind "cancel" "click" ui-exit)))