audit: Ignore operations on PF_NETLINK sockets

This commit is contained in:
Alessandro Gario 2017-12-11 12:55:40 -05:00 committed by Teddy Reed
parent 8829c9f0de
commit 4a478f1ea1
2 changed files with 9 additions and 3 deletions


@ -157,11 +157,16 @@ Status SocketEventSubscriber::ProcessEvents(
std::string saddr;
GetStringFieldFromMap(saddr, sockaddr_event_record->fields, "saddr");
if (saddr.size() < 4 || saddr[0] == '1') {
if (saddr.size() < 4) {
VLOG(1) << "Invalid saddr field in AUDIT_SOCKADDR: \"" << saddr << "\"";
continue;
}
// skip operations on NETLINK_ROUTE sockets
if (saddr[0] == '1' && saddr[1] == '0') {
continue;
}
CopyFieldFromMap(row, syscall_event_record->fields, "auid");
CopyFieldFromMap(row, syscall_event_record->fields, "pid");
GetStringFieldFromMap(row["fd"], syscall_event_record->fields, "a0");
@ -180,7 +185,8 @@ Status SocketEventSubscriber::ProcessEvents(
bool unix_socket;
if (!parseSockAddr(saddr, row, unix_socket)) {
VLOG(1) << "Malformed syscall event. The saddr field in the "
"AUDIT_SOCKADDR record could not be parsed";
"AUDIT_SOCKADDR record could not be parsed: \""
<< saddr << "\"";
continue;
}
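Review bot: The comment added above the new family check, `// skip operations on NETLINK_ROUTE sockets`, does not describe what the check does: `saddr[0] == '1' && saddr[1] == '0'` inspects only the first hex byte of the encoded sockaddr, i.e. the low byte of sa_family, so it drops every PF_NETLINK socket (family 16 = 0x10) regardless of netlink protocol, not just NETLINK_ROUTE. Suggest `// skip all PF_NETLINK sockets (sa_family 0x10 = first hex byte of saddr), whatever netlink protocol they use` so a reader knows netlink activity of any kind is deliberately absent from this table's output. If only NETLINK_ROUTE was intended, note that the protocol is not part of struct sockaddr_nl and would have to come from the socket() syscall arguments rather than the AUDIT_SOCKADDR record. ProcessEvents begins and ends outside these hunks.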


@ -16,7 +16,7 @@ namespace osquery {
FLAG(bool,
audit_allow_user_events,
false,
true,
"Allow the audit publisher to install user events-related rules");
// Depend on the external getUptime table method.
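Review bot: The default of `audit_allow_user_events` flips from `false` to `true` in this hunk, yet neither the commit title nor the commit record mentions it; this default decides whether the audit publisher installs user-event rules on the host, so the change needs its own sentence in the commit message or its own commit. Deployments that relied on the old default will now have those audit rules installed without opting in, which is a behaviour change worth stating in the flag's help text, e.g. `"Allow the audit publisher to install user events-related rules (enabled by default)"`. Only the FLAG() declaration is visible; the rest of the file is outside the hunk.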