# Lists of possible ID values. # # Copyright (C) 2007 Red Hat, Inc. All rights reserved. # This copyrighted material is made available to anyone wishing to use, modify, # copy, or redistribute it subject to the terms and conditions of the GNU # General Public License v.2. This program is distributed in the hope that it # will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the # implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the GNU General Public License for more details. You should have # received a copy of the GNU General Public License along with this program; if # not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth # Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are # incorporated in the source code or documentation are not subject to the GNU # General Public License and may only be used or replicated with the express # permission of Red Hat, Inc. # # Red Hat Author: Miloslav Trmac <mitr@redhat.com> import stat import audit __all__ = ('field_vars', 'ids_to_names', 'ids_severities', 'ids_types', 'machines', 'machine_names', 'event_types', 'event_type_names', 'sorted_machine_names', 'sorted_event_type_names', 'sorted_file_type_names', 'syscalls') def N_(s): return s # FIXME: these lists should be available from libaudit # sed -n '/AUDIT_NEGATE/d; /Rule fields/,/These are the supported operators/s/^#define[ \t]*\([^ \t]*\)[ \t].*$/audit.\1,/p' < /usr/include/linux/audit.h field_vars = ( audit.AUDIT_PID, audit.AUDIT_UID, audit.AUDIT_EUID, audit.AUDIT_SUID, audit.AUDIT_FSUID, audit.AUDIT_GID, audit.AUDIT_EGID, audit.AUDIT_SGID, audit.AUDIT_FSGID, audit.AUDIT_LOGINUID, audit.AUDIT_PERS, audit.AUDIT_ARCH, audit.AUDIT_MSGTYPE, audit.AUDIT_SUBJ_USER, audit.AUDIT_SUBJ_ROLE, audit.AUDIT_SUBJ_TYPE, audit.AUDIT_SUBJ_SEN, audit.AUDIT_SUBJ_CLR, audit.AUDIT_PPID, audit.AUDIT_OBJ_USER, audit.AUDIT_OBJ_ROLE, audit.AUDIT_OBJ_TYPE, audit.AUDIT_OBJ_LEV_LOW, audit.AUDIT_OBJ_LEV_HIGH, audit.AUDIT_DEVMAJOR, audit.AUDIT_DEVMINOR, audit.AUDIT_INODE, audit.AUDIT_EXIT, audit.AUDIT_SUCCESS, audit.AUDIT_WATCH, audit.AUDIT_PERM, audit.AUDIT_DIR, audit.AUDIT_FILETYPE, audit.AUDIT_ARG0, audit.AUDIT_ARG1, audit.AUDIT_ARG2, audit.AUDIT_ARG3, audit.AUDIT_FILTERKEY, ) # sed -n '/S_IFMT/d; s/^# *define[ \t]*\(S_IF[^ \t]*\)[ \t].*$/stat.\1,/p' /usr/include/sys/stat.h file_types = ( stat.S_IFDIR, stat.S_IFCHR, stat.S_IFBLK, stat.S_IFREG, stat.S_IFIFO, stat.S_IFLNK, stat.S_IFSOCK, ) # sed -n '/machine type list/,/machine_t/s/^[ \t]*\(MACH_[^,=]*\)\([,=].*\)\?$/audit.\1,/p' /usr/include/libaudit.h machines = ( audit.MACH_X86, audit.MACH_86_64, audit.MACH_IA64, audit.MACH_PPC64, audit.MACH_PPC, audit.MACH_S390X, audit.MACH_S390, audit.MACH_ALPHA, ) # sed -n '/AUDIT_USER/,/AUDIT_KERNEL[^_]/s/^#define[ \t]*\([^ \t]*\)[ \t].*$/audit.\1,/p' /usr/include/linux/audit.h event_types = ( audit.AUDIT_USER, audit.AUDIT_LOGIN, audit.AUDIT_WATCH_INS, audit.AUDIT_WATCH_REM, audit.AUDIT_WATCH_LIST, audit.AUDIT_SIGNAL_INFO, audit.AUDIT_ADD_RULE, audit.AUDIT_DEL_RULE, audit.AUDIT_LIST_RULES, audit.AUDIT_TRIM, audit.AUDIT_MAKE_EQUIV, audit.AUDIT_TTY_GET, audit.AUDIT_TTY_SET, audit.AUDIT_FIRST_USER_MSG, audit.AUDIT_USER_AVC, audit.AUDIT_USER_TTY, audit.AUDIT_LAST_USER_MSG, audit.AUDIT_FIRST_USER_MSG2, audit.AUDIT_LAST_USER_MSG2, audit.AUDIT_DAEMON_START, audit.AUDIT_DAEMON_END, audit.AUDIT_DAEMON_ABORT, audit.AUDIT_DAEMON_CONFIG, audit.AUDIT_SYSCALL, audit.AUDIT_PATH, audit.AUDIT_IPC, audit.AUDIT_SOCKETCALL, audit.AUDIT_CONFIG_CHANGE, audit.AUDIT_SOCKADDR, audit.AUDIT_CWD, audit.AUDIT_EXECVE, audit.AUDIT_IPC_SET_PERM, audit.AUDIT_MQ_OPEN, audit.AUDIT_MQ_SENDRECV, audit.AUDIT_MQ_NOTIFY, audit.AUDIT_MQ_GETSETATTR, audit.AUDIT_KERNEL_OTHER, audit.AUDIT_FD_PAIR, audit.AUDIT_OBJ_PID, audit.AUDIT_TTY, audit.AUDIT_EOE, audit.AUDIT_AVC, audit.AUDIT_SELINUX_ERR, audit.AUDIT_AVC_PATH, audit.AUDIT_MAC_POLICY_LOAD, audit.AUDIT_MAC_STATUS, audit.AUDIT_MAC_CONFIG_CHANGE, audit.AUDIT_MAC_UNLBL_ALLOW, audit.AUDIT_MAC_CIPSOV4_ADD, audit.AUDIT_MAC_CIPSOV4_DEL, audit.AUDIT_MAC_MAP_ADD, audit.AUDIT_MAC_MAP_DEL, audit.AUDIT_MAC_IPSEC_ADDSA, audit.AUDIT_MAC_IPSEC_DELSA, audit.AUDIT_MAC_IPSEC_ADDSPD, audit.AUDIT_MAC_IPSEC_DELSPD, audit.AUDIT_MAC_IPSEC_EVENT, audit.AUDIT_MAC_UNLBL_STCADD, audit.AUDIT_MAC_UNLBL_STCDEL, audit.AUDIT_FIRST_KERN_ANOM_MSG, audit.AUDIT_LAST_KERN_ANOM_MSG, audit.AUDIT_ANOM_PROMISCUOUS, audit.AUDIT_ANOM_ABEND, audit.AUDIT_KERNEL, ) # From code in src/auditctl.c ids_severities = (('inf', N_('Information only')), ('low', N_('Low')), ('med', N_('Medium')), ('hi', N_('High'))) # From code in src/auditctl.c ids_types = (('file', N_('File watch')), ('exec', N_('Execution watch')), ('mkexe', N_('Executable created'))) # Just a wildest possible guess. This is flexible enough to handle all machine # types. syscalls = range(audit.AUDIT_BITMASK_SIZE * 32) def ids_to_names(ids, fn): '''Convert a list of IDs to their string representations using fn. fn may return None, ignore the ID in that case. ''' possible_names = (fn(i) for i in ids) return [name for name in possible_names if name is not None] file_type_names = ids_to_names(file_types, audit.audit_ftype_to_name) event_type_names = ids_to_names(event_types, audit.audit_msg_type_to_name) machine_names = ids_to_names(machines, audit.audit_machine_to_name) sorted_event_type_names = sorted(event_type_names) sorted_file_type_names = sorted(file_type_names) sorted_machine_names = sorted(machine_names)