Home Explore Help
Sign In
Troglodyne
/
audit-log-perl
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix #1 - expose comm/exe

George Baugh 3 years ago
parent
c7a057e347
commit
4de65d3d66
2 changed files with 20 additions and 2 deletions
Unified View Show Diff Stats
  1. 15 1
      lib/Audit/Log.pm
  2. 5 1
      t/Audit-Log.t

+ 15 - 1
lib/Audit/Log.pm
View File 

@@ -105,6 +105,14 @@ As such, you can build full paths like so:
 
     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
 
     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
 
     my @full_paths = map { "$_->{cwd}/$_->{name}" } @$rows;
 
     my @full_paths = map { "$_->{cwd}/$_->{name}" } @$rows;
 
 
 
+=head3 Filtering by command
 
+
 
+SYSCALL records store the command which executed the call.  This is exposed as part of the parse for each child record, such as PATH or DAEMON_* records.
 
+Example of getting all the commands run which triggered audit events:
 
+
 
+    my $parser = Audit::Log->new(undef, 'exe')
 
+    my $rows = $parser->search();
 
+
 
 =cut
 
 =cut
 
 
 
 sub search {
 
 sub search {
 
@@ -113,7 +121,7 @@ sub search {
 
     my $ret = [];
 
     my $ret = [];
 
     my $in_block = 1;
 
     my $in_block = 1;
 
     my $line = -1;
 
     my $line = -1;
 
-    my $cwd = '';
 
+    my ($cwd, $exe, $comm) = ('','','');
 
     open(my $fh, '<', $self->{path});
 
     open(my $fh, '<', $self->{path});
 
     LINE: while (<$fh>) {
 
     LINE: while (<$fh>) {
 
         next if index( $_, 'SYSCALL') < 0 && !$in_block;
 
         next if index( $_, 'SYSCALL') < 0 && !$in_block;
 
@@ -130,6 +138,8 @@ sub search {
 
             my $cwd_start = index($_, 'cwd="') + 5;
 
             my $cwd_start = index($_, 'cwd="') + 5;
 
             my $cwd_end   = index($_, "\n") - 1;
 
             my $cwd_end   = index($_, "\n") - 1;
 
             $cwd = substr($_, $cwd_start, $cwd_end - $cwd_start);
 
             $cwd = substr($_, $cwd_start, $cwd_end - $cwd_start);
 
+            $line++;
 
+            next;
 
         }
 
         }
 
 
 
         # Replace GROUP SEPARATOR usage with simple spaces
 
         # Replace GROUP SEPARATOR usage with simple spaces
 
@@ -149,9 +159,13 @@ sub search {
 
         $parsed{line}      = $line;
 
         $parsed{line}      = $line;
 
         $parsed{timestamp} = $timestamp;
 
         $parsed{timestamp} = $timestamp;
 
         $parsed{cwd}       = $cwd;
 
         $parsed{cwd}       = $cwd;
 
+        $parsed{exe}       //= $exe;
 
+        $parsed{comm}      //= $comm;
 
 
 
         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
 
         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
 
             $in_block = $parsed{key} =~ $options{key};
 
             $in_block = $parsed{key} =~ $options{key};
 
+            $exe = $parsed{exe};
 
+            $comm = $parsed{comm};
 
             $cwd = '';
 
             $cwd = '';
 
             next unless $in_block;
 
             next unless $in_block;
 
         }
 
         }

+ 5 - 1
t/Audit-Log.t
View File 

@@ -8,7 +8,7 @@ use Test::Deep;
 
 use Audit::Log;
 
 use Audit::Log;
 
 use List::Util 1.45 qw{uniq};
 
 use List::Util 1.45 qw{uniq};
 
 
 
-my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp', 'cwd');
 
+my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp', 'cwd', 'exe', 'comm');
 
 my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );
 
 my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );
 
 
 
 my $expected = [
 
 my $expected = [
 
@@ -19,6 +19,8 @@ my $expected = [
 
     'nametype' => 'CREATE',
 
     'nametype' => 'CREATE',
 
     'name' => 'backups/test.txt',
 
     'name' => 'backups/test.txt',
 
     'cwd'  => '/testpath',
 
     'cwd'  => '/testpath',
 
+    'exe'  => '/usr/bin/touch',
 
+    'comm' => 'touch',
 
   },
 
   },
 
   {
 
   {
 
     'type' => 'PATH',
 
     'type' => 'PATH',
 
@@ -27,6 +29,8 @@ my $expected = [
 
     'name' => 'backups/testme.txt',
 
     'name' => 'backups/testme.txt',
 
     'nametype' => 'DELETE',
 
     'nametype' => 'DELETE',
 
     'cwd'      => '/testpath',
 
     'cwd'      => '/testpath',
 
+    'exe'      => '/usr/bin/rm',
 
+    'comm'     => 'rm',
 
   }
 
   }
 
 ];
 
 ];