Rule deletion #128
Open
Rule deletion #128
+259
−35
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewkroh
added
the
Team:Security-External Integrations
jeffmahoney
force-pushed
the
rule-deletion
branch
3 times, most recently
from
5d08e23
to
feed65b
Compare
efd6
reviewed
Apr 16, 2023
Comment on lines
+156
to
+162
| deleteAll uint8 | ||
| fileWatchFlags uint8 | ||
| addFileWatch uint8 | ||
| deleteFileWatch uint8 | ||
| syscallFlags uint8 | ||
| addSyscall uint8 | ||
| deleteSyscall uint8 |
There was a problem hiding this comment.
It feels like this should be a bitset at this point. Maybe later.
jeffmahoney
force-pushed
the
rule-deletion
branch
2 times, most recently
from
8aac899
to
64b0760
Compare
Although the implementation for AuditClient.Delete is only used to back AuditClient.DeleteAll, we'd like to be able to delete individual rules. This commit adds checking of the netlink error field and reports when the deletion has failed. When DeleteAll is called, we ignore the ENOENT return since it could've raced somewhere and we don't actually care since we're deleting all of the rules.
Rule.Build assumes that if no syscalls are specified they all are set. This is really only the case when the exit list is used since the syscall numbers aren't available in the other lists. When we assume that all of the syscalls are enabled, we end up generating wireformat rules for e.g. 'task,never' that have all of the syscall bits set. That doesn't match what is already used when 'auditctl -a task,never' is used. It may be ignored by the kernel when such a rule is added, but it would cause problems when that rule is deleted.
jeffmahoney
force-pushed
the
rule-deletion
branch
from
64b0760
to
9b6cd62
Compare
|
Thanks for the review. I've implemented your suggestions and have rebased on the current HEAD. It should be good to go. |
jeffmahoney
force-pushed
the
rule-deletion
branch
from
9b6cd62
to
57b0496
Compare
We currently don't handle the '-d' or '-W' options that would remove list rules or file watches. This commit adds support to handle those properly. rule.ToCommandLine still returns the expected result, but I've added a rule.ToCommandLineAddRemove that takes a bool indicating whether the rule would be added or removed. This was required to do testing of deletion rules.
jeffmahoney
force-pushed
the
rule-deletion
branch
from
57b0496
to
b0c2227
Compare
|
@andrewkroh This doesn't appear to be triggering the buildkite build. How do we bump it? |
|
/test |
|
/test |
💔 Build Failed
Failed CI StepsHistory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the ability to delete rules from the running system.