Please sign in to comment.
AuditNetlink: Added common rules, fixed audit id parsing (see details).
Moved the audit_reply pre-processing inside the getEvents() callback. This means that the AuditNetlink class (the one that receives messages from the kernel) is now only reading from the netlink, leaving all processing to the consumer (the AuditEventPublisher, and our future class named AuditFileEventsPublisher). Those event publisher are executed in the context of an additional thread. The --audit_debug=true switch has been improved, and will now show more meaningful output. I've also converted the audit id field from unsigned int to string (see the issue list section), and we are now using audit_id + timestamp as primary key. Issues found in the original implementation: 1. The rules being added to the audit service were still being removed even if they already existed before launching osquery. 2. The audit id alone is being used as primary key and the implementation is handling subsequent records with the same id value as duplicated. This is wrong (see the attached links). This means I will probably have to add an additional field to keep supporting the "broken" implementation until we can fix it*. * We are not going to use the AuditAssembler for our new table anymore because it is too limited (so it's not an issue for us), but the existing process_events and socket_events tables are probably tossing away valid events. Links: 1. https://people.redhat.com/sgrubb/audit/audit-rt-events.txt 2. https://www.redhat.com/archives/linux-audit/2008-August/msg00115.html 3. https://github.com/torvalds/linux/blob/master/kernel/audit.c (see audit_serial) 4. https://www.redhat.com/archives/linux-audit/2006-April/msg00028.html
- Loading branch information...
Showing with 419 additions and 157 deletions.
Oops, something went wrong.