From: Richard Guy Briggs <[email protected]>
To: Linux-Audit Mailing List <[email protected]>
Cc: [email protected], Steve Grubb <[email protected]>,
Richard Guy Briggs <[email protected]>
Subject: [PATCH v3 6/7] add aureport --uringop option
Date: Thu, 28 Oct 2021 15:59:38 -0400 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
Signed-off-by: Richard Guy Briggs <[email protected]>
---
docs/aureport.8 | 3 +++
src/aureport-options.c | 19 ++++++++++++++++++-
src/aureport-options.h | 2 +-
src/aureport-output.c | 37 +++++++++++++++++++++++++++++++++++++
src/aureport-scan.c | 26 ++++++++++++++++++++++++++
src/aureport-scan.h | 2 ++
src/aureport.c | 3 ++-
7 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/docs/aureport.8 b/docs/aureport.8
index c4ceb09e2f7d..187fd495bea7 100644
--- a/docs/aureport.8
+++ b/docs/aureport.8
@@ -90,6 +90,9 @@ Report about responses to anomaly events
.BR \-s ,\ \-\-syscall
Report about syscalls
.TP
+.BR \-U ,\ \-\-uringop
+Report about uringops
+.TP
.B \-\-success
Only select successful events for processing in the reports. The default is both success and failed events.
.TP
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 93621e250630..b8ab55192d08 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -83,7 +83,7 @@ struct nv_pair {
enum { R_INFILE, R_TIME_END, R_TIME_START, R_VERSION, R_SUMMARY, R_LOG_TIMES,
R_CONFIGS, R_LOGINS, R_USERS, R_TERMINALS, R_HOSTS, R_EXES, R_FILES,
- R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
+ R_AVCS, R_SYSCALLS, R_URINGOPS, R_PIDS, R_EVENTS, R_ACCT_MODS,
R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
@@ -148,6 +148,8 @@ static struct nv_pair optiontab[] = {
{ R_TIME_START, "-ts" },
{ R_TTY, "--tty" },
{ R_TIME_START, "--start" },
+ { R_URINGOPS, "-U" },
+ { R_URINGOPS, "--uringop" },
{ R_USERS, "-u" },
{ R_USERS, "--user" },
{ R_VERSION, "-v" },
@@ -206,6 +208,7 @@ static void usage(void)
"\t-tm,--terminal\t\t\tTerMinal name report\n"
"\t-ts,--start [start date] [start time]\tstarting data & time for reports\n"
"\t--tty\t\t\t\tReport about tty keystrokes\n"
+ "\t-U,--uringop\t\t\tUring op report\n"
"\t-u,--user\t\t\tUser name report\n"
"\t-v,--version\t\t\tVersion\n"
"\t--virt\t\t\t\tVirtualization report\n"
@@ -485,6 +488,20 @@ int check_params(int count, char *vars[])
}
}
break;
+ case R_URINGOPS:
+ if (set_report(RPT_URINGOP))
+ retval = -1;
+ else {
+ if (!optarg) {
+ set_detail(D_DETAILED);
+ event_comm = dummy;
+ event_loginuid = 1;
+ event_tauid = dummy;
+ } else {
+ UNIMPLEMENTED;
+ }
+ }
+ break;
case R_USERS:
if (set_report(RPT_USER))
retval = -1;
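Review bot: The new R_URINGOPS case arms `event_comm = dummy;` together with the loginuid/tauid settings, yet the RPT_URINGOP branch added to print_per_event_item in aureport-output.c leaves the comm column commented out, so (if event_comm gates the comm field as it appears to) a field is selected that the report never prints; either drop the `event_comm = dummy;` line here or print comm in the output, not half of each. The `UNIMPLEMENTED` branch for optarg follows the other reports, but nothing in the man page or usage text says `-U` takes no argument; a one-line comment such as `// -U takes no argument; a specific uring-op report is not implemented yet` would make the intent explicit. check_params starts and ends outside the hunk.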
diff --git a/src/aureport-options.h b/src/aureport-options.h
index a559f64546be..5d9ac2ba5dbf 100644
--- a/src/aureport-options.h
+++ b/src/aureport-options.h
@@ -36,7 +36,7 @@ typedef enum { RPT_UNSET, RPT_TIME, RPT_SUMMARY, RPT_AVC, RPT_MAC,
RPT_ACCT_MOD, RPT_PID, RPT_SYSCALL, RPT_TERM, RPT_USER,
RPT_EXE, RPT_ANOMALY, RPT_RESPONSE, RPT_CRYPTO,
RPT_AUTH, RPT_KEY, RPT_TTY, RPT_COMM, RPT_VIRT,
- RPT_INTEG } report_type_t;
+ RPT_INTEG, RPT_URINGOP } report_type_t;
typedef enum { D_UNSET, D_SUM, D_DETAILED, D_SPECIFIC } report_det_t;
diff --git a/src/aureport-output.c b/src/aureport-output.c
index a635d536f8b3..7e92c5fab1a5 100644
--- a/src/aureport-output.c
+++ b/src/aureport-output.c
@@ -160,6 +160,12 @@ static void print_title_summary(void)
printf("total terminal\n");
printf("===============================\n");
break;
+ case RPT_URINGOP:
+ printf("IO URING ops Summary Report\n");
+ printf("==========================\n");
+ printf("total uringop\n");
+ printf("==========================\n");
+ break;
case RPT_USER:
printf("User Summary Report\n");
printf("===========================\n");
@@ -338,6 +344,21 @@ static void print_title_detailed(void)
printf("========================\n");
}
break;
+ case RPT_URINGOP:
+ if (report_detail == D_DETAILED) {
+ printf("URING op Report\n");
+ printf(
+ "=======================================\n");
+ printf(
+ //"# date time uringop pid comm auid event\n");
+ "# date time syscall pid auid event\n");
+ printf(
+ "=======================================\n");
+ } else {
+ printf("Specific Uring op Report\n");
+ printf("=======================\n");
+ }
+ break;
case RPT_USER:
if (report_detail == D_DETAILED) {
printf("User ID Report\n");
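Review bot: The column header for the detailed URING op report labels the third column `syscall`, but the matching RPT_URINGOP case in print_per_event_item prints the uring op name from aulookup_uringop in that position, so the header should read `"# date time uringop pid auid event\n"`. The commented-out alternative header left inside the printf argument list should be deleted rather than kept as dead text, since it also advertises a comm column that is not printed. print_title_detailed starts and ends outside the hunk.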
@@ -636,6 +657,17 @@ void print_per_event_item(llist *l)
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
+ case RPT_URINGOP: // report_detail == D_DETAILED
+ // uringop, pid, comm, who, event
+ // uringop, pid, who, event
+ printf("%s %u ", aulookup_uringop(l,buf,sizeof(buf)),
+ l->s.pid);
+ //safe_print_string(l->s.comm ? l->s.comm : "?", 0);
+ //putchar(' ');
+ safe_print_string(aulookup_uid(l->s.loginuid, name,
+ sizeof(name)), 0);
+ printf(" %lu\n", l->e.serial);
+ break;
case RPT_USER: // report_detail == D_DETAILED
// who, terminal, host, exe, event
safe_print_string(aulookup_uid(l->s.loginuid, name,
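Review bot: The RPT_URINGOP case keeps two commented-out statements (`//safe_print_string(l->s.comm ? l->s.comm : "?", 0);` and `//putchar(' ');`) and two contradicting layout comments, `// uringop, pid, comm, who, event` directly above `// uringop, pid, who, event`; either print comm or delete the dead lines, and keep only the layout comment that matches what is actually emitted. The `buf` and `name` buffers used here are declared outside the hunk, so their sizes cannot be checked from this view. print_per_event_item starts and ends outside the hunk.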
@@ -807,6 +839,10 @@ void print_wrap_up(void)
slist_sort_by_hits(&sd.terms);
do_string_summary_output(&sd.terms);
break;
+ case RPT_URINGOP:
+ slist_sort_by_hits(&sd.uringop_list);
+ do_syscall_summary_output(&sd.uringop_list);
+ break;
case RPT_USER:
slist_sort_by_hits(&sd.users);
do_user_summary_output(&sd.users);
@@ -918,6 +954,7 @@ static void do_summary_output(void)
printf("Number of AVC's: %lu\n", sd.avcs);
printf("Number of MAC events: %lu\n", sd.mac);
printf("Number of failed syscalls: %lu\n", sd.failed_syscalls);
+ printf("Number of failed uring ops: %lu\n", sd.failed_uringops);
printf("Number of anomaly events: %lu\n", sd.anomalies);
printf("Number of responses to anomaly events: %lu\n", sd.responses);
printf("Number of crypto events: %lu\n", sd.crypto);
diff --git a/src/aureport-scan.c b/src/aureport-scan.c
index 4095e8686a05..5b2d81047e1d 100644
--- a/src/aureport-scan.c
+++ b/src/aureport-scan.c
@@ -53,6 +53,7 @@ void reset_counters(void)
sd.avcs = 0UL;
sd.mac = 0UL;
sd.failed_syscalls = 0UL;
+ sd.failed_uringops = 0UL;
sd.anomalies = 0UL;
sd.responses = 0UL;
sd.virt = 0UL;
@@ -67,6 +68,7 @@ void reset_counters(void)
slist_create(&sd.keys);
ilist_create(&sd.pids);
slist_create(&sd.sys_list);
+ slist_create(&sd.uringop_list);
ilist_create(&sd.anom_list);
ilist_create(&sd.mac_list);
ilist_create(&sd.resp_list);
@@ -89,6 +91,7 @@ void destroy_counters(void)
sd.avcs = 0UL;
sd.mac = 0UL;
sd.failed_syscalls = 0UL;
+ sd.failed_uringops = 0UL;
sd.anomalies = 0UL;
sd.responses = 0UL;
sd.virt = 0UL;
@@ -103,6 +106,7 @@ void destroy_counters(void)
slist_clear(&sd.keys);
ilist_clear(&sd.pids);
slist_clear(&sd.sys_list);
+ slist_clear(&sd.uringop_list);
ilist_clear(&sd.anom_list);
ilist_create(&sd.mac_list);
ilist_clear(&sd.resp_list);
@@ -430,6 +434,13 @@ static int per_event_summary(llist *l)
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
break;
+ case RPT_URINGOP:
+ if (l->s.uringop > 0) {
+ char tmp[32];
+ aulookup_uringop(l, tmp, 32);
+ slist_add_if_uniq(&sd.uringop_list, tmp);
+ }
+ break;
case RPT_USER:
if (l->s.loginuid != -2) {
char tmp[32];
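Review bot: The RPT_URINGOP case in per_event_summary discards the return value of aulookup_uringop and adds `tmp` to the list directly, whereas print_per_event_item in aureport-output.c uses the returned pointer; if the lookup can return a name without writing into the caller's buffer, `tmp` is read uninitialised here. Passing the result through and using the array size removes both the risk and the magic number: `slist_add_if_uniq(&sd.uringop_list, aulookup_uringop(l, tmp, sizeof tmp));`. The same test is written `if (l->s.uringop > 0)` here and `if (l->s.uringop)` in per_event_detailed; one form should be used in both places. per_event_summary starts and ends outside the hunk.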
@@ -688,6 +699,17 @@ static int per_event_detailed(llist *l)
UNIMPLEMENTED;
}
break;
+ case RPT_URINGOP:
+ list_first(l);
+ if (report_detail == D_DETAILED) {
+ if (l->s.uringop) {
+ print_per_event_item(l);
+ rc = 1;
+ }
+ } else { // specific uring op report
+ UNIMPLEMENTED;
+ }
+ break;
case RPT_USER:
list_first(l);
if (report_detail == D_DETAILED) {
@@ -938,6 +960,10 @@ static void do_summary_total(llist *l)
if (l->s.success == S_FAILED && l->s.syscall > 0)
sd.failed_syscalls++;
+ // add failed uring ops
+ if (l->s.success == S_FAILED && l->s.uringop > 0)
+ sd.failed_uringops++;
+
// add pids
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
diff --git a/src/aureport-scan.h b/src/aureport-scan.h
index 76cc81874874..b974bc4d70ab 100644
--- a/src/aureport-scan.h
+++ b/src/aureport-scan.h
@@ -38,6 +38,7 @@ typedef struct sdata {
slist keys;
ilist pids;
slist sys_list;
+ slist uringop_list;
ilist anom_list;
ilist resp_list;
ilist mac_list;
@@ -55,6 +56,7 @@ typedef struct sdata {
unsigned long avcs;
unsigned long mac;
unsigned long failed_syscalls;
+ unsigned long failed_uringops;
unsigned long anomalies;
unsigned long responses;
unsigned long virt;
diff --git a/src/aureport.c b/src/aureport.c
index 22618f02346a..48d69b493f80 100644
--- a/src/aureport.c
+++ b/src/aureport.c
@@ -236,7 +236,8 @@ static void process_event(llist *entries)
if (scan(entries)) {
// If its a single event or SYSCALL load interpretations
if ((entries->cnt == 1) ||
- (entries->head->type == AUDIT_SYSCALL))
+ (entries->head->type == AUDIT_SYSCALL) ||
+ (entries->head->type == AUDIT_URINGOP))
_auparse_load_interpretations(entries->head->interp);
// This is the per entry action item
if (per_event_processing(entries))
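Review bot: The comment above the condition still reads `// If its a single event or SYSCALL load interpretations` while the condition now also matches AUDIT_URINGOP, so it no longer describes the code; update it to `// If it's a single event, a SYSCALL or a URINGOP, load interpretations`. process_event starts and ends outside the hunk.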
--
2.27.0