
AuditEventPublisher: Syscall filtering was not working correctly.

The filtering logic was leaking unrequested syscalls to the
subscriber.
alessandrogario committed Jul 1, 2017
1 parent dbc774f commit ec57b079814692507d6dd67bebd38c9cc2c14940
Showing with 17 additions and 10 deletions.
  1. +17 −10 osquery/events/linux/audit.cpp
@@ -22,6 +22,8 @@
#include <osquery/flags.h>
#include <osquery/logger.h>
#include <iostream>
#include "osquery/core/conversions.h"
#include "osquery/events/linux/audit.h"
@@ -684,18 +686,23 @@ bool AuditEventPublisher::shouldFire(const AuditSubscriptionContextRef& sc,
return true;
}
// If this subscription (with set of rules) explicitly requested the audit
// reply type.
for (const auto& type : sc->types) {
if (type != 0 && ec->type == type) {
return true;
}
}
for (const auto& audit_event_type : sc->types) {
// Skip invalid audit event types
if (audit_event_type == 0)
continue;
// Skip audit events that do not match the requested type
if (audit_event_type != ec->type)
continue;
// Otherwise, if the set of rules included a syscall, match on that number.
for (const auto& rule : sc->rules) {
if (rule.syscall != 0 && ec->syscall == rule.syscall) {
// No further filtering needed for events that are not syscalls
if (audit_event_type != AUDIT_SYSCALL)
return true;
// We received a syscall event; we have to capture it only if the rule set contains it
for (const auto& rule : sc->rules) {
if (rule.syscall == ec->syscall)
return true;
}
}
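Review bot: The new inner match `if (rule.syscall == ec->syscall)` drops the `rule.syscall != 0` guard that the removed loop carried, so a rule whose syscall field is left at 0 would now match a syscall event whose number is 0 — if 0 is still the "no syscall requested" sentinel the old code treated it as, that reopens a narrow case of the leak this commit is fixing. Restoring the guard keeps the sentinel semantics: `if (rule.syscall != 0 && rule.syscall == ec->syscall) {` followed by `return true;` and the closing brace. The same hunk also mixes unbraced single-statement `if` bodies (`continue;`, `return true;`) with the braced style used elsewhere in the function, which is worth normalising. shouldFire starts before the hunk, and its final fall-through return appears to lie outside it as well.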
