From e983e130535a4b4ff4e3ce4041015a180649a2ae Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 23 Feb 2012 18:06:38 +0100 Subject: mmaudit: added skeleton (copy of mmjsonparse) --- plugins/mmaudit/Makefile.am | 8 ++ plugins/mmaudit/mmaudit.c | 255 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 263 insertions(+) create mode 100644 plugins/mmaudit/Makefile.am create mode 100644 plugins/mmaudit/mmaudit.c (limited to 'plugins/mmaudit') diff --git a/plugins/mmaudit/Makefile.am b/plugins/mmaudit/Makefile.am new file mode 100644 index 00000000..c64d0822 --- /dev/null +++ b/plugins/mmaudit/Makefile.am @@ -0,0 +1,8 @@ +pkglib_LTLIBRARIES = mmaudit.la + +mmaudit_la_SOURCES = mmaudit.c +mmaudit_la_CPPFLAGS = $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) $(LIBLOGNORM_CFLAGS) $(LIBEE_CFLAGS) +mmaudit_la_LDFLAGS = -module -avoid-version $(LIBLOGNORM_LIBS) $(LIBEE_LIBS) +mmaudit_la_LIBADD = + +EXTRA_DIST = diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c new file mode 100644 index 00000000..18606230 --- /dev/null +++ b/plugins/mmaudit/mmaudit.c @@ -0,0 +1,255 @@ +/* mmaudit.c + * This is a message modification module supporting Linux audit format + * in various settings. The module tries to identify the provided + * message as being a Linux audit record and, if so, converts it into + * cee-enhanced syslog format. + * + * NOTE WELL: + * Right now, we do not do any trust checks. So it is possible that a + * malicous user emits something that looks like an audit record and + * tries to fool the system with that. Solving this trust issue is NOT + * an easy thing to do. This will be worked on, as the lumberjack effort + * continues. Please consider the module in its current state as a proof + * of concept. + * + * File begun on 2012-02-23 by RGerhards + * + * Copyright 2012 Adiscon GmbH. + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "config.h" +#include "rsyslog.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "conf.h" +#include "syslogd-types.h" +#include "template.h" +#include "module-template.h" +#include "errmsg.h" +#include "cfsysline.h" +#include "dirty.h" + +MODULE_TYPE_OUTPUT +MODULE_TYPE_NOKEEP +MODULE_CNFNAME("mmaudit") + +static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal); + +/* static data */ +DEFobjCurrIf(errmsg); + +/* internal structures + */ +DEF_OMOD_STATIC_DATA + +typedef struct _instanceData { + ee_ctx ctxee; /**< context to be used for libee */ +} instanceData; + +typedef struct configSettings_s { + int dummy; /* remove when the first real parameter is needed */ +} configSettings_t; +static configSettings_t cs; + +BEGINinitConfVars /* (re)set config variables to default values */ +CODESTARTinitConfVars + resetConfigVariables(NULL, NULL); +ENDinitConfVars + + +BEGINcreateInstance +CODESTARTcreateInstance +ENDcreateInstance + + +BEGINisCompatibleWithFeature +CODESTARTisCompatibleWithFeature +ENDisCompatibleWithFeature + + +BEGINfreeInstance +CODESTARTfreeInstance + ee_exitCtx(pData->ctxee); +ENDfreeInstance + + +BEGINdbgPrintInstInfo +CODESTARTdbgPrintInstInfo + dbgprintf("mmaudit\n"); +ENDdbgPrintInstInfo + + +BEGINtryResume +CODESTARTtryResume +ENDtryResume + +#define COOKIE "@cee: " +#define LEN_COOKIE (sizeof(COOKIE)-1) +BEGINdoAction + msg_t *pMsg; + uchar *buf; + struct ee_event *event; +CODESTARTdoAction + pMsg = (msg_t*) ppString[0]; + /* note that we can performance-optimize the interface, but this also + * requires changes to the libraries. For now, we accept message + * duplication. -- rgerhards, 2010-12-01 + */ + buf = getMSG(pMsg); + +dbgprintf("mmaudit: msg is '%s'\n", buf); + while(*buf && isspace(*buf)) { + ++buf; + } + + if(*buf == '\0' || strncmp((char*)buf, COOKIE, LEN_COOKIE)) { + DBGPRINTF("mmaudit: no JSON cookie: '%s'\n", buf); + FINALIZE; + } + buf += LEN_COOKIE; +dbgprintf("mmaudit: cookie found, rest of message: '%s'\n", buf); + event = ee_newEventFromJSON(pData->ctxee, (char*)buf); + if(event == NULL) { + DBGPRINTF("mmaudit: JSON parse error, assuming no " + "JSON-enhanced message: '%s'\n", buf); + FINALIZE; + } + /* TODO: in the long term, we need to think about merging & different + name spaces (probably best to add the newly-obtained event as a child to + the existing event...) + */ + if(pMsg->event != NULL) { + ee_deleteEvent(pMsg->event); + } + pMsg->event = event; + +#if 1 + /***DEBUG***/ // TODO: remove after initial testing - 2010-12-01 + { + char *cstr; + es_str_t *str; + ee_fmtEventToJSON(pMsg->event, &str); + cstr = es_str2cstr(str, NULL); + dbgprintf("mmaudit generated: %s\n", cstr); + free(cstr); + es_deleteStr(str); + } + /***END DEBUG***/ +#endif +finalize_it: +ENDdoAction + + +BEGINparseSelectorAct +CODESTARTparseSelectorAct +CODE_STD_STRING_REQUESTparseSelectorAct(1) + /* first check if this config line is actually for us */ + if(strncmp((char*) p, ":mmaudit:", sizeof(":mmaudit:") - 1)) { + ABORT_FINALIZE(RS_RET_CONFLINE_UNPROCESSED); + } + + /* ok, if we reach this point, we have something for us */ + p += sizeof(":mmaudit:") - 1; /* eat indicator sequence (-1 because of '\0'!) */ + CHKiRet(createInstance(&pData)); + + /* check if a non-standard template is to be applied */ + if(*(p-1) == ';') + --p; + /* we call the function below because we need to call it via our interface definition. However, + * the format specified (if any) is always ignored. + */ + CHKiRet(cflineParseTemplateName(&p, *ppOMSR, 0, OMSR_TPL_AS_MSG, (uchar*) "RSYSLOG_FileFormat")); + + /* finally build the instance */ + if((pData->ctxee = ee_initCtx()) == NULL) { + errmsg.LogError(0, RS_RET_NO_RULESET, "error: could not initialize libee ctx, cannot " + "activate action"); + ABORT_FINALIZE(RS_RET_ERR_LIBEE_INIT); + } +CODE_STD_FINALIZERparseSelectorAct +ENDparseSelectorAct + + +BEGINmodExit +CODESTARTmodExit + objRelease(errmsg, CORE_COMPONENT); +ENDmodExit + + +BEGINqueryEtryPt +CODESTARTqueryEtryPt +CODEqueryEtryPt_STD_OMOD_QUERIES +ENDqueryEtryPt + + + +/* Reset config variables for this module to default values. + */ +static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal) +{ + DEFiRet; + RETiRet; +} + + +BEGINmodInit() + rsRetVal localRet; + rsRetVal (*pomsrGetSupportedTplOpts)(unsigned long *pOpts); + unsigned long opts; + int bMsgPassingSupported; +CODESTARTmodInit +INITLegCnfVars + *ipIFVersProvided = CURR_MOD_IF_VERSION; + /* we only support the current interface specification */ +CODEmodInit_QueryRegCFSLineHdlr + /* check if the rsyslog core supports parameter passing code */ + bMsgPassingSupported = 0; + localRet = pHostQueryEtryPt((uchar*)"OMSRgetSupportedTplOpts", + &pomsrGetSupportedTplOpts); + if(localRet == RS_RET_OK) { + /* found entry point, so let's see if core supports msg passing */ + CHKiRet((*pomsrGetSupportedTplOpts)(&opts)); + if(opts & OMSR_TPL_AS_MSG) + bMsgPassingSupported = 1; + } else if(localRet != RS_RET_ENTRY_POINT_NOT_FOUND) { + ABORT_FINALIZE(localRet); /* Something else went wrong, not acceptable */ + } + + if(!bMsgPassingSupported) { + DBGPRINTF("mmaudit: msg-passing is not supported by rsyslog core, " + "can not continue.\n"); + ABORT_FINALIZE(RS_RET_NO_MSG_PASSING); + } + + CHKiRet(objUse(errmsg, CORE_COMPONENT)); + + CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, + resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); +ENDmodInit + +/* vi:set ai: + */ -- cgit From 25e8b15383668a09b136cd97c3ed07ca246bf099 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 24 Feb 2012 19:00:53 +0100 Subject: milestone: parsing audit message almost correct --- plugins/mmaudit/mmaudit.c | 142 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 133 insertions(+), 9 deletions(-) (limited to 'plugins/mmaudit') diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c index 18606230..5c0c152e 100644 --- a/plugins/mmaudit/mmaudit.c +++ b/plugins/mmaudit/mmaudit.c @@ -107,12 +107,113 @@ BEGINtryResume CODESTARTtryResume ENDtryResume -#define COOKIE "@cee: " -#define LEN_COOKIE (sizeof(COOKIE)-1) + +static inline void +skipWhitespace(uchar **buf) +{ + while(**buf && isspace(**buf)) + ++(*buf); +} + + +static inline rsRetVal +parseName(uchar **buf, char *name, unsigned lenName) +{ + unsigned i; + skipWhitespace(buf); + --lenName; /* reserve space for '\0' */ + i = 0; + while(**buf && **buf != '=' && lenName) { +//dbgprintf("parseNAme, buf: %s\n", *buf); + name[i++] = **buf; + ++(*buf), --lenName; + } + name[i] = '\0'; + return RS_RET_OK; +} + + +static inline rsRetVal +parseValue(uchar **buf, char *val, unsigned lenval) +{ + char termc; + unsigned i; + DEFiRet; + + --lenval; /* reserve space for '\0' */ + i = 0; + if(**buf == '\0') { + FINALIZE; + } else if(**buf == '\'') { + termc = '\''; + ++(*buf); + } else if(**buf == '"') { + termc = '"'; + ++(*buf); + } else { + termc = ' '; + } + + while(**buf && **buf != termc && lenval) { +//dbgprintf("parseValue, termc '%c', buf: %s\n", termc, *buf); + val[i++] = **buf; + ++(*buf), --lenval; + } + val[i] = '\0'; + +finalize_it: + RETiRet; +} + + +/* parse the audit record and create libee structure + */ +static rsRetVal +audit_parse(instanceData *pData, uchar *buf, struct ee_event **event) +{ + struct ee_field *f; + struct ee_value *eeval; + es_str_t *estr; + char name[1024]; + char val[1024]; + DEFiRet; + + *event = ee_newEvent(pData->ctxee); + if(event == NULL) { + ABORT_FINALIZE(RS_RET_ERR); + } + (*event)->fields = ee_newFieldbucket(pData->ctxee); + + while(*buf) { +//dbgprintf("audit_parse, buf: '%s'\n", buf); + CHKiRet(parseName(&buf, name, sizeof(name))); + if(*buf != '=') { + ABORT_FINALIZE(RS_RET_ERR); + } + ++buf; + CHKiRet(parseValue(&buf, val, sizeof(val))); + + estr = es_newStrFromCStr(val, strlen(val)); + eeval = ee_newValue((*event)->ctx); + ee_setStrValue(eeval, estr); + f = ee_newFieldFromNV((*event)->ctx, name, eeval); + ee_addFieldToBucket((*event)->fields, f); +dbgprintf("mmaudit: parsed %s=%s\n", name, val); + } + + +finalize_it: + RETiRet; +} + + BEGINdoAction msg_t *pMsg; uchar *buf; + int typeID; struct ee_event *event; + int i; + char auditID[1024]; CODESTARTdoAction pMsg = (msg_t*) ppString[0]; /* note that we can performance-optimize the interface, but this also @@ -126,16 +227,39 @@ dbgprintf("mmaudit: msg is '%s'\n", buf); ++buf; } - if(*buf == '\0' || strncmp((char*)buf, COOKIE, LEN_COOKIE)) { - DBGPRINTF("mmaudit: no JSON cookie: '%s'\n", buf); + if(*buf == '\0' || strncmp((char*)buf, "type=", 5)) { + DBGPRINTF("mmaudit: type= undetected: '%s'\n", buf); + FINALIZE; + } + buf += 5; + + typeID = 0; + while(*buf && isdigit(*buf)) { + typeID = typeID * 10 + *buf - '0'; + ++buf; + } + + if(*buf == '\0' || strncmp((char*)buf, " audit(", sizeof(" audit(")-1)) { + DBGPRINTF("mmaudit: audit( header not found: %s'\n", buf); + FINALIZE; + } + buf += sizeof(" audit("); + + for(i = 0 ; i < (sizeof(auditID)-2) && *buf && *buf != ')' ; ++i) { + auditID[i] = *buf++; + } + auditID[i] = '\0'; + if(*buf != ')' || *(buf+1) != ':') { + DBGPRINTF("mmaudit: trailer '):' not found, no audit record: %s'\n", buf); FINALIZE; } - buf += LEN_COOKIE; -dbgprintf("mmaudit: cookie found, rest of message: '%s'\n", buf); - event = ee_newEventFromJSON(pData->ctxee, (char*)buf); + buf += 2; + +dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n", typeID, auditID, buf); + audit_parse(pData, buf, &event); if(event == NULL) { - DBGPRINTF("mmaudit: JSON parse error, assuming no " - "JSON-enhanced message: '%s'\n", buf); + DBGPRINTF("mmaudit: audit parse error, assuming no " + "audit message: '%s'\n", buf); FINALIZE; } /* TODO: in the long term, we need to think about merging & different -- cgit From ce8121e0c491a773cfcf9997ae55711f6f519078 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 2 Mar 2012 12:45:49 +0100 Subject: mmauditd: moved to changed libee 0.4.2 API --- plugins/mmaudit/mmaudit.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'plugins/mmaudit') diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c index 5c0c152e..6406024a 100644 --- a/plugins/mmaudit/mmaudit.c +++ b/plugins/mmaudit/mmaudit.c @@ -182,7 +182,6 @@ audit_parse(instanceData *pData, uchar *buf, struct ee_event **event) if(event == NULL) { ABORT_FINALIZE(RS_RET_ERR); } - (*event)->fields = ee_newFieldbucket(pData->ctxee); while(*buf) { //dbgprintf("audit_parse, buf: '%s'\n", buf); @@ -194,10 +193,8 @@ audit_parse(instanceData *pData, uchar *buf, struct ee_event **event) CHKiRet(parseValue(&buf, val, sizeof(val))); estr = es_newStrFromCStr(val, strlen(val)); - eeval = ee_newValue((*event)->ctx); - ee_setStrValue(eeval, estr); - f = ee_newFieldFromNV((*event)->ctx, name, eeval); - ee_addFieldToBucket((*event)->fields, f); + ee_addStrFieldToEvent(*event, name, estr); + es_deleteStr(estr); dbgprintf("mmaudit: parsed %s=%s\n", name, val); } @@ -245,7 +242,7 @@ dbgprintf("mmaudit: msg is '%s'\n", buf); } buf += sizeof(" audit("); - for(i = 0 ; i < (sizeof(auditID)-2) && *buf && *buf != ')' ; ++i) { + for(i = 0 ; i < (int) (sizeof(auditID)-2) && *buf && *buf != ')' ; ++i) { auditID[i] = *buf++; } auditID[i] = '\0'; -- cgit From 5d44a37a4bce467ce8d504ff11470570cdaa5134 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 2 Mar 2012 13:06:49 +0100 Subject: milestone: properly parsing raw audit logs --- plugins/mmaudit/mmaudit.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'plugins/mmaudit') diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c index 6406024a..8f2a3f71 100644 --- a/plugins/mmaudit/mmaudit.c +++ b/plugins/mmaudit/mmaudit.c @@ -171,8 +171,6 @@ finalize_it: static rsRetVal audit_parse(instanceData *pData, uchar *buf, struct ee_event **event) { - struct ee_field *f; - struct ee_value *eeval; es_str_t *estr; char name[1024]; char val[1024]; @@ -210,6 +208,7 @@ BEGINdoAction int typeID; struct ee_event *event; int i; + es_str_t *estr; char auditID[1024]; CODESTARTdoAction pMsg = (msg_t*) ppString[0]; @@ -259,6 +258,18 @@ dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n "audit message: '%s'\n", buf); FINALIZE; } + + /* we now need to shuffle the "outer" properties into that stream */ + estr = es_newStrFromCStr(auditID, strlen(auditID)); + ee_addStrFieldToEvent(event, "audithdr.auditid", estr); + es_deleteStr(estr); + + /* we abuse auditID a bit to save space... (TODO: change!) */ + snprintf(auditID, sizeof(auditID), "%d", typeID); + estr = es_newStrFromCStr(auditID, strlen(auditID)); + ee_addStrFieldToEvent(event, "audithdr.type", estr); + es_deleteStr(estr); + /* TODO: in the long term, we need to think about merging & different name spaces (probably best to add the newly-obtained event as a child to the existing event...) -- cgit From 66ab2a70e5bcc9637dfec89c6134abe10b96dde8 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 15 Mar 2012 17:25:26 +0100 Subject: added message property parsesuccess to indicate status of higher level parser run added message property parsesuccess to indicate if the last run higher-level parser could successfully parse the message or not (see property replacer html doc for details) --- plugins/mmaudit/mmaudit.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'plugins/mmaudit') diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c index 8f2a3f71..fcefd013 100644 --- a/plugins/mmaudit/mmaudit.c +++ b/plugins/mmaudit/mmaudit.c @@ -210,6 +210,7 @@ BEGINdoAction int i; es_str_t *estr; char auditID[1024]; + int bSuccess = 0; CODESTARTdoAction pMsg = (msg_t*) ppString[0]; /* note that we can performance-optimize the interface, but this also @@ -278,6 +279,7 @@ dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n ee_deleteEvent(pMsg->event); } pMsg->event = event; + bSuccess = 1; #if 1 /***DEBUG***/ // TODO: remove after initial testing - 2010-12-01 @@ -293,6 +295,7 @@ dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n /***END DEBUG***/ #endif finalize_it: + MsgSetParseSuccess(pMsg, bSuccess); ENDdoAction -- cgit