process_file_events: Add fields euid and egid and cleanup logs

2024-11-07 01:55:20 +00:00 · 2017-12-12 17:52:27 +01:00 · 2017-12-12 17:52:27 +01:00 · 44e03bada9
commit 44e03bada9
parent 02caa95774
10 changed files with 50 additions and 22 deletions
--- a/osquery/events/linux/auditdnetlink.cpp
+++ b/osquery/events/linux/auditdnetlink.cpp
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include <linux/audit.h>
@ -162,7 +161,7 @@ void AuditdNetlinkReader::start() {
      if (audit_request_status(audit_netlink_handle_) <= 0) {
        if (errno == ENOBUFS) {
          VLOG(1) << "Warning: Failed to request audit status (ENOBUFS). "
-                     "Retrying again later...";
+                     "Retrying again later";

        } else {
          VLOG(1) << "Error: Failed to request audit status. Requesting a "
@ -283,7 +282,7 @@ bool AuditdNetlinkReader::acquireMessages() noexcept {
 }

 bool AuditdNetlinkReader::configureAuditService() noexcept {
-  VLOG(1) << "Attempting to configure the audit service...";
+  VLOG(1) << "Attempting to configure the audit service";

  // Want to set a min sane buffer and maximum number of events/second min.
  // This is normally controlled through the audit config, but we must
@ -528,7 +527,7 @@ bool AuditdNetlinkReader::deleteAuditRule(

 void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
  if (FLAGS_audit_debug) {
-    std::cout << "Uninstalling audit rules..." << std::endl;
+    std::cout << "Uninstalling audit rules" << std::endl;
  }

  // Remove the rules we have added
@ -543,7 +542,7 @@ void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {

  // Restore audit configuration defaults.
  if (FLAGS_audit_debug) {
-    std::cout << "Restoring default settings and disabling the service..."
+    std::cout << "Restoring default settings and disabling the service"
              << std::endl;
  }

--- a/osquery/events/linux/auditdnetlink.h
+++ b/osquery/events/linux/auditdnetlink.h
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #pragma once
--- a/osquery/events/linux/auditeventpublisher.cpp
+++ b/osquery/events/linux/auditeventpublisher.cpp
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include <array>
@ -191,6 +190,14 @@ void AuditEventPublisher::ProcessEvents(
        continue;
      }

+      std::uint64_t process_euid;
+      if (!GetIntegerFieldFromMap(
+              process_euid, audit_event_record.fields, "euid")) {
+        VLOG(1) << "Missing or invalid euid field in AUDIT_SYSCALL";
+
+        continue;
+      }
+
      std::uint64_t process_gid;
      if (!GetIntegerFieldFromMap(
              process_gid, audit_event_record.fields, "gid")) {
@ -199,8 +206,18 @@ void AuditEventPublisher::ProcessEvents(
        continue;
      }

+      std::uint64_t process_egid;
+      if (!GetIntegerFieldFromMap(
+              process_egid, audit_event_record.fields, "egid")) {
+        VLOG(1) << "Missing or invalid egid field in AUDIT_SYSCALL";
+
+        continue;
+      }
+
      data.process_uid = static_cast<uid_t>(process_uid);
+      data.process_euid = static_cast<uid_t>(process_euid);
      data.process_gid = static_cast<gid_t>(process_gid);
+      data.process_egid = static_cast<gid_t>(process_egid);

      audit_event.record_list.push_back(audit_event_record);
      trace_context[audit_event_record.audit_id] = std::move(audit_event);
--- a/osquery/events/linux/auditeventpublisher.h
+++ b/osquery/events/linux/auditeventpublisher.h
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #pragma once
@ -34,7 +33,10 @@ struct SyscallAuditEventData final {
  pid_t parent_process_id;

  uid_t process_uid;
+  uid_t process_euid;
+
  gid_t process_gid;
+  gid_t process_egid;

  std::string executable_path;
 };
--- a/osquery/events/linux/tests/process_file_events_tests.cpp
+++ b/osquery/events/linux/tests/process_file_events_tests.cpp
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include <gtest/gtest.h>
--- a/osquery/tables/events/linux/process_events.h
+++ b/osquery/tables/events/linux/process_events.h
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include "osquery/events/linux/auditeventpublisher.h"
--- a/osquery/tables/events/linux/process_file_events.cpp
+++ b/osquery/tables/events/linux/process_file_events.cpp
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include <asm/unistd_64.h>
@ -349,9 +348,15 @@ bool EmitRowFromSyscallContext(
  row["uid"] =
      std::to_string(static_cast<std::uint64_t>(syscall_context.process_uid));

+  row["euid"] =
+      std::to_string(static_cast<std::uint64_t>(syscall_context.process_euid));
+
  row["gid"] =
      std::to_string(static_cast<std::uint64_t>(syscall_context.process_gid));

+  row["egid"] =
+      std::to_string(static_cast<std::uint64_t>(syscall_context.process_egid));
+
  row["executable"] = syscall_context.executable_path;
  row["partial"] = (syscall_context.partial ? "true" : "false");
  row["cwd"] = syscall_context.cwd;
@ -1198,6 +1203,8 @@ Status ProcessFileEventSubscriber::ProcessEvents(
    syscall_context.parent_process_id = event_data.parent_process_id;
    syscall_context.process_uid = event_data.process_uid;
    syscall_context.process_gid = event_data.process_gid;
+    syscall_context.process_euid = event_data.process_euid;
+    syscall_context.process_egid = event_data.process_egid;
    syscall_context.executable_path = event_data.executable_path;

    const AuditEventRecord* syscall_record = nullptr;
--- a/osquery/tables/events/linux/process_file_events.h
+++ b/osquery/tables/events/linux/process_file_events.h
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #pragma once
@ -236,6 +235,12 @@ struct AuditdFimSyscallContext final {
  /// The process gid
  gid_t process_gid;

+  /// The process euid
+  uid_t process_euid;
+
+  /// The process egid
+  gid_t process_egid;
+
  // Path of the executable that generated the event
  std::string executable_path;

--- a/osquery/tables/events/linux/socket_events.h
+++ b/osquery/tables/events/linux/socket_events.h
@ -1,4 +1,4 @@
-/*
+/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
@ -6,7 +6,6 @@
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
- *
 */

 #include "osquery/events/linux/auditeventpublisher.h"
--- a/specs/linux/process_file_events.table
+++ b/specs/linux/process_file_events.table
@ -13,6 +13,8 @@ schema([
    Column("dest_path", TEXT, "The canonical path associated with the event"),
    Column("uid", TEXT, "The uid of the process performing the action"),
    Column("gid", TEXT, "The gid of the process performing the action"),
+    Column("euid", TEXT, "Effective user ID of the process using the file"),
+    Column("egid", TEXT, "Effective group ID of the process using the file"),
    Column("uptime", BIGINT, "Time of execution in system uptime"),
    Column("eid", TEXT, "Event ID", hidden=True),
 ])