Remove Audit rules on Linux when the agent gets stopped
albertomn86 committed Jun 25, 2018
1 parent 9921148 commit 6f32911
Showing 4 changed files with 10 additions and 8 deletions.
2 changes: 1 addition & 1 deletion src/syscheckd/run_check.c
Expand Up @@ -130,7 +130,7 @@ void start_daemon()
if (audit_socket > 0) {
mdebug1("Starting Auditd events reader thread...");
audit_added_rules = W_Vector_init(10);
atexit(StopAuditThread);
atexit(clean_rules);
w_create_thread(audit_main, &audit_socket);
} else {
merror("Cannot start Audit events reader thread.");
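Review bot: Registering clean_rules with atexit while audit_main also calls clean_rules on its own shutdown path lets the rule list be freed twice: clean_rules calls W_Vector_free(audit_added_rules) but never resets the pointer, so the `if (audit_added_rules)` guard in the second invocation still passes and frees a dangling pointer. The smallest fix lives in clean_rules itself, `audit_added_rules = NULL;` immediately after the `W_Vector_free(audit_added_rules);` line, so the guard actually does its job. If this line replaces the earlier atexit(StopAuditThread) registration, nothing at exit now clears audit_thread_active, so the reader thread may still be running while its rules are deleted from under it; keeping both registrations preserves the stop signal. start_daemon's body continues outside the hunk.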
2 changes: 2 additions & 0 deletions src/syscheckd/run_realtime.c
Expand Up @@ -234,7 +234,9 @@ int realtime_adddir(const char *dir, __attribute__((unused)) int whodata)
merror("Error adding Audit rule for %s : %i", dir, retval);
} else {
// Save dir into saved rules list
w_mutex_lock(&syscheck_mutex);
W_Vector_insert(audit_added_rules, dir);
w_mutex_unlock(&syscheck_mutex);
}

} else {
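Review bot: The insert under the new lock writes through audit_added_rules without checking it, yet clean_rules frees that vector (and leaves the pointer as is) once shutdown begins, so a directory added late goes into freed memory. Mirror the guard clean_rules uses, `if (audit_added_rules) { W_Vector_insert(audit_added_rules, dir); }`, inside the locked region. Separately, audit_main's shutdown loop calls realtime_adddir while already holding syscheck_mutex; if the branch that reaches this insert can be taken from that call (its condition is outside the hunk), the lock here becomes a self-deadlock on a default-initialized mutex. realtime_adddir begins and ends outside the hunk.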
3 changes: 2 additions & 1 deletion src/syscheckd/syscheck.h
Expand Up @@ -77,6 +77,7 @@ const char* get_group(int gid);
int realtime_checksumfile(const char *file_name, whodata_evt *evt) __attribute__((nonnull(1)));

#ifndef WIN32

#define AUDIT_KEY "wazuh_fim"
int audit_init(void);
int check_auditd_enabled(void);
Expand All @@ -87,8 +88,8 @@ int audit_delete_rule(const char *path, const char *key);
void *audit_main(int *audit_sock);
extern W_Vector *audit_added_rules;
extern volatile int audit_thread_active;
extern pthread_mutex_t syscheck_mutex;
void clean_rules(void);
void StopAuditThread(void);
#endif

#endif
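Review bot: The new `extern pthread_mutex_t syscheck_mutex;` says nothing about what it protects, and the name suggests a wider scope than the three call sites in this commit (the insert in realtime_adddir, the shutdown loop in audit_main, and clean_rules) actually cover. A comment on the declaration such as `/* Guards audit_added_rules; hold it around every W_Vector_* call on that list. */` makes the locking discipline checkable at each call site. If the header does not already include <pthread.h> above this point (not visible in the hunk), the declaration needs it.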
11 changes: 5 additions & 6 deletions src/syscheckd/syscheck_audit.c
Expand Up @@ -37,6 +37,7 @@ static regex_t regexCompiled_cwd;
static regex_t regexCompiled_pname;
static regex_t regexCompiled_path0;
static regex_t regexCompiled_path1;
pthread_mutex_t syscheck_mutex = PTHREAD_MUTEX_INITIALIZER;


// Convert audit relative paths into absolute paths
Expand Down Expand Up @@ -665,31 +666,29 @@ void * audit_main(int * audit_sock) {
regfree(&regexCompiled_pname);
// Change Audit monitored folders to Inotify.
int i;
w_mutex_lock(&syscheck_mutex);
if (audit_added_rules) {
for (i = 0; i < W_Vector_length(audit_added_rules); i++) {
realtime_adddir(W_Vector_get(audit_added_rules, i), 0);
}
}
// Clean Audit added rules.
clean_rules();
w_mutex_unlock(&syscheck_mutex);

return NULL;
}


void StopAuditThread(void) {
audit_thread_active = 0;
}


void clean_rules(void) {
int i;

w_mutex_lock(&syscheck_mutex);
if (audit_added_rules) {
mdebug2("Deleting Audit rules...");
for (i = 0; i < W_Vector_length(audit_added_rules); i++) {
audit_delete_rule(W_Vector_get(audit_added_rules, i), AUDIT_KEY);
}
W_Vector_free(audit_added_rules);
}
w_mutex_unlock(&syscheck_mutex);
}
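Review bot: audit_main locks syscheck_mutex before the shutdown loop and, still holding it, calls clean_rules, which locks the same mutex again; syscheck_mutex is created with PTHREAD_MUTEX_INITIALIZER, a default-type non-recursive mutex, for which relocking from the owning thread is undefined and in practice deadlocks on Linux, so the daemon hangs on its way out. Move `w_mutex_unlock(&syscheck_mutex);` above the `clean_rules();` call (clean_rules takes the lock itself), or split clean_rules into a locked public wrapper and an unlocked static worker that audit_main calls. The realtime_adddir call inside the same locked loop has the same exposure if the path through realtime_adddir that locks syscheck_mutex is reachable with whodata set to 0; that condition is not in the hunk. audit_main begins outside the hunk.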
