diff --git a/e4rat/src/listener.cc b/e4rat/src/listener.cc index f7f0fa1..3d367a0 100644 --- a/e4rat/src/listener.cc +++ b/e4rat/src/listener.cc @@ -149,32 +149,32 @@ void AuditListener::watchFileSystemType(long t) watch_fs_types.insert(t); } -void addSyscall(struct audit_rule_data* rule, const char* sc, int machine) +/* + * Apply audit rules to AUDIT_FILTER_EXIT filter. + * Monitor all syscalls initialize or perfrom file accesses. + */ +void AuditListener::insertAuditRules() { - int syscall_nr; - syscall_nr = audit_name_to_syscall(sc, machine); - if(syscall_nr == -1) - throw std::logic_error("Cannot convert syscall to number"); - - audit_rule_syscall_data(rule, syscall_nr); -} + if(audit_fd < 0) + { + audit_fd = audit_open(); + if (-1 == audit_fd) + throw std::logic_error("Cannot open audit socket"); + } -void AuditListener::activateRules(int machine) -{ char field[128]; struct audit_rule_data* rule = (struct audit_rule_data*) calloc(1, sizeof(audit_rule_data)); - addSyscall(rule, "execve", machine); - addSyscall(rule, "open", machine); - addSyscall(rule, "openat", machine); - addSyscall(rule, "truncate", machine); - if(machine == MACH_X86) - addSyscall(rule, "truncate64", machine); - addSyscall(rule, "creat", machine); - addSyscall(rule, "mknod", machine); - addSyscall(rule, "fork", machine); - addSyscall(rule, "vfork", machine); - addSyscall(rule, "clone", machine); + audit_rule_syscallbyname_data(rule, "execve"); + audit_rule_syscallbyname_data(rule, "open"); + audit_rule_syscallbyname_data(rule, "openat"); + audit_rule_syscallbyname_data(rule, "truncate"); + audit_rule_syscallbyname_data(rule, "truncate64"); + audit_rule_syscallbyname_data(rule, "creat"); + audit_rule_syscallbyname_data(rule, "mknod"); + audit_rule_syscallbyname_data(rule, "fork"); + audit_rule_syscallbyname_data(rule, "vfork"); + audit_rule_syscallbyname_data(rule, "clone"); #if 0 /* 
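Review bot: The ten `audit_rule_syscallbyname_data()` calls in the new `insertAuditRules()` drop their return value, whereas the removed `addSyscall()` threw when a name could not be resolved; "truncate64" in particular is unlikely to resolve on a 64-bit machine, so a failure there would now pass silently and the rule would be sent with one syscall fewer than intended. A second regression worth hedging: the old `insertAuditRules()` called `activateRules()` once per ABI (MACH_86_64 and MACH_X86, PPC64 and PPC), while the new code builds one rule resolved against the machine libaudit detects, so file accesses made by 32-bit compat processes on a 64-bit kernel appear to no longer be covered — please confirm against libaudit whether `audit_rule_syscallbyname_data()` adds both ABIs. I would at least check each call and keep the failure visible; `calloc()` on the line before is also unchecked. The function continues past the end of this hunk.
```cpp
    struct audit_rule_data* rule = (struct audit_rule_data*) calloc(1, sizeof(audit_rule_data));
    if(!rule)
        throw std::logic_error("Cannot allocate audit rule");

    /* Every syscall that creates, opens, truncates or spawns a file accessor. */
    static const char* const syscalls[] = {
        "execve", "open", "openat", "truncate", "truncate64",
        "creat", "mknod", "fork", "vfork", "clone"
    };
    for(size_t i = 0; i < sizeof(syscalls) / sizeof(syscalls[0]); ++i)
        if(0 > audit_rule_syscallbyname_data(rule, syscalls[i]))
            error("audit_rule_syscallbyname_data failed: %s", syscalls[i]);
    // … unchanged: #if 0 block and arch field …
```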
@@ -197,7 +197,7 @@ void AuditListener::activateRules(int machine) * Specify arch */ strcpy(field, "arch="); - strcat(field, audit_machine_to_name(machine)); + strcat(field, audit_machine_to_name(audit_detect_machine())); if(0 > audit_rule_fieldpair_data(&rule, field, AUDIT_FILTER_EXIT)) error("audit_rule_fieldpair_data failed: %s", field); @@ -211,42 +211,6 @@ void AuditListener::activateRules(int machine) rule_vec.push_back(rule); } -/* - * Apply audit rules to AUDIT_FILTER_EXIT filter. - * Monitor all syscalls initialize or perfrom file accesses. - */ -void AuditListener::insertAuditRules() -{ - if(audit_fd < 0) - { - audit_fd = audit_open(); - if (-1 == audit_fd) - throw std::logic_error("Cannot open audit socket"); - } - - struct utsname uts; - if(-1 == uname(&uts)) - throw std::logic_error(std::string("Cannot receive machine hardware name: ") + strerror(errno)); - - if(0 == strcmp(uts.machine, "x86_64")) - { - activateRules(MACH_86_64); - activateRules(MACH_X86); - } - else if(0 == strcmp(uts.machine, "ppc64")) - { - activateRules(MACH_PPC64); - activateRules(MACH_PPC); - } - else - { - int machine = audit_name_to_machine(uts.machine); - if(-1 == machine) - throw std::logic_error(std::string("Unknown machine hardware name ")+ uts.machine); - activateRules(machine); - } -} - void AuditListener::removeAuditRules() { if (audit_fd < 0) diff --git a/e4rat/src/listener.hh b/e4rat/src/listener.hh index 3426b70..91110ba 100644 --- a/e4rat/src/listener.hh +++ b/e4rat/src/listener.hh @@ -89,7 +89,6 @@ class AuditListener : public Interruptible std::string parseField(auparse_state_t*, const char*); std::string parsePathField(auparse_state_t*, const char*); private: - void activateRules(int machine); void waitForEvent(struct audit_reply* reply); auparse_state_t* initAuParse(struct audit_reply*); void parseCwdEvent(auparse_state_t*, boost::shared_ptr);
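Review bot: `strcat(field, audit_machine_to_name(audit_detect_machine()))` has no NULL check: if `audit_detect_machine()` fails (it returns -1 for a machine name it does not know), `audit_machine_to_name()` is expected to return NULL and `strcat` dereferences it, whereas the removed `insertAuditRules()` rejected an unknown `uts.machine` with a `logic_error` before this point was reached. Split the call and fail explicitly: `const char* arch = audit_machine_to_name(audit_detect_machine());`, `if(!arch) throw std::logic_error("Cannot detect audit machine type");`, `strcat(field, arch);`. Note this also pins the rule to the single detected ABI, whereas the old caller added a rule per ABI on x86_64 and ppc64; if that coverage is intended to stay, the arch selection should be a parameter again rather than detected here. The enclosing function starts before this hunk.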