in AuditRules.cpp [1531:1810]
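// Renders field `idx` of this rule as auditctl command-line text and appends it to `out`.
//
// The rule data keeps the field id in fields[] (operator bits masked off), the comparison
// operator in fieldflags[] (masked with AUDIT_OPERATORS) and, in values[], either an
// immediate value or, for string-valued fields, the byte length of a string stored in
// buf[] at _value_offsets[idx].
//
// Parameters:
//   out      - string the rendered token is appended to. Tokens carry a leading space so
//              they can follow an earlier token; the "-w"/"-W" watch verb carries none.
//   idx      - index of the field within ruleptr()->fields.
//   is_watch - true when the rule is rendered with watch syntax (-w/-W, -p, -k) rather
//              than the generic " -F <name><op><value>" syntax.
//
// Unknown field ids and unknown -C comparison codes are rendered numerically so the
// output never silently drops a field.
void AuditRule::append_field(std::string& out, int idx, bool is_watch) const {
    const int field = ruleptr()->fields[idx] & ~AUDIT_OPERATORS;
    const int op = ruleptr()->fieldflags[idx] & AUDIT_OPERATORS;
    const auto value = ruleptr()->values[idx];

    // The " -F <name><op>" prefix shared by every non-watch rendering.
    auto emit_prefix = [&]() {
        out.append(" -F ");
        append_field_name(out, field);
        append_op(out, op);
    };

    // String-valued fields keep their bytes in buf[] with `value` as the byte length.
    // The length is clamped to buflen so a malformed length cannot make the copy read
    // past the end of the rule buffer; a well-formed rule is rendered unchanged.
    auto buf_string = [&]() -> std::string {
        const size_t offset = _value_offsets[idx];
        const size_t buflen = ruleptr()->buflen;
        if (offset >= buflen) {
            return std::string();
        }
        size_t len = value;
        if (len > buflen - offset) {
            len = buflen - offset;
        }
        return std::string(&ruleptr()->buf[offset], len);
    };

    // Path fields of a watch rule are the "-w"/"-W" verb itself; otherwise they are -F fields.
    auto emit_path_prefix = [&]() {
        if (!is_watch) {
            emit_prefix();
        } else if (is_delete_rule) {
            out.append("-W ");
        } else {
            out.append("-w ");
        }
    };

    switch (field) {
    case AUDIT_ARCH:
        emit_prefix();
        // Only the word size is rendered, not the specific architecture value.
        out.append((__AUDIT_ARCH_64BIT & value) ? "b64" : "b32");
        break;
    case AUDIT_MSGTYPE:
        emit_prefix();
        out.append(RecordTypeToName(static_cast<RecordType>(value)));
        break;
    case AUDIT_SUBJ_USER:
    case AUDIT_SUBJ_ROLE:
    case AUDIT_SUBJ_TYPE:
    case AUDIT_SUBJ_SEN:
    case AUDIT_SUBJ_CLR:
    case AUDIT_OBJ_USER:
    case AUDIT_OBJ_ROLE:
    case AUDIT_OBJ_TYPE:
    case AUDIT_OBJ_LEV_LOW:
    case AUDIT_OBJ_LEV_HIGH:
    case AUDIT_EXE:
        // Plain string fields: name, operator, then the string stored in buf[].
        emit_prefix();
        out.append(buf_string());
        break;
    case AUDIT_INODE:
        emit_prefix();
        out.append(std::to_string(value));
        break;
    case AUDIT_EXIT:
        emit_prefix();
        // Exit values are rendered as signed 32-bit numbers.
        out.append(std::to_string(static_cast<int32_t>(value)));
        break;
    case AUDIT_WATCH:
    case AUDIT_DIR:
        emit_path_prefix();
        out.append(buf_string());
        break;
    case AUDIT_PERM:
        if (is_watch) {
            out.append(" -p ");
        } else {
            emit_prefix();
        }
        // Permission bits are rendered in the fixed order r, w, x, a.
        if (value & AUDIT_PERM_READ) {
            out.append("r");
        }
        if (value & AUDIT_PERM_WRITE) {
            out.append("w");
        }
        if (value & AUDIT_PERM_EXEC) {
            out.append("x");
        }
        if (value & AUDIT_PERM_ATTR) {
            out.append("a");
        }
        break;
    case AUDIT_FIELD_COMPARE: {
        // -C compares two id fields of the same event; the code selects the pair of names.
        struct ComparePair {
            uint32_t code;
            const char* lhs;
            const char* rhs;
        };
        static constexpr ComparePair kComparePairs[] = {
            {AUDIT_COMPARE_UID_TO_OBJ_UID, "uid", "obj_uid"},
            {AUDIT_COMPARE_GID_TO_OBJ_GID, "gid", "obj_gid"},
            {AUDIT_COMPARE_EUID_TO_OBJ_UID, "euid", "obj_uid"},
            {AUDIT_COMPARE_EGID_TO_OBJ_GID, "egid", "obj_gid"},
            {AUDIT_COMPARE_AUID_TO_OBJ_UID, "auid", "obj_uid"},
            {AUDIT_COMPARE_SUID_TO_OBJ_UID, "suid", "obj_uid"},
            {AUDIT_COMPARE_SGID_TO_OBJ_GID, "sgid", "obj_gid"},
            {AUDIT_COMPARE_FSUID_TO_OBJ_UID, "fsuid", "obj_uid"},
            {AUDIT_COMPARE_FSGID_TO_OBJ_GID, "fsgid", "obj_gid"},
            {AUDIT_COMPARE_UID_TO_AUID, "uid", "auid"},
            {AUDIT_COMPARE_UID_TO_EUID, "uid", "euid"},
            {AUDIT_COMPARE_UID_TO_FSUID, "uid", "fsuid"},
            {AUDIT_COMPARE_UID_TO_SUID, "uid", "suid"},
            {AUDIT_COMPARE_AUID_TO_FSUID, "auid", "fsuid"},
            {AUDIT_COMPARE_AUID_TO_SUID, "auid", "suid"},
            {AUDIT_COMPARE_AUID_TO_EUID, "auid", "euid"},
            {AUDIT_COMPARE_EUID_TO_SUID, "euid", "suid"},
            {AUDIT_COMPARE_EUID_TO_FSUID, "euid", "fsuid"},
            {AUDIT_COMPARE_SUID_TO_FSUID, "suid", "fsuid"},
            {AUDIT_COMPARE_GID_TO_EGID, "gid", "egid"},
            {AUDIT_COMPARE_GID_TO_FSGID, "gid", "fsgid"},
            {AUDIT_COMPARE_GID_TO_SGID, "gid", "sgid"},
            {AUDIT_COMPARE_EGID_TO_FSGID, "egid", "fsgid"},
            {AUDIT_COMPARE_EGID_TO_SGID, "egid", "sgid"},
            {AUDIT_COMPARE_SGID_TO_FSGID, "sgid", "fsgid"},
        };
        out.append(" -C ");
        const ComparePair* match = nullptr;
        for (const auto& pair : kComparePairs) {
            if (pair.code == value) {
                match = &pair;
                break;
            }
        }
        if (match != nullptr) {
            out.append(match->lhs);
            append_op(out, op);
            out.append(match->rhs);
        } else {
            // An unrecognised comparison code used to leave a bare " -C "; render the
            // code numerically instead so the field is visibly present in the text.
            out.append(std::to_string(value));
        }
        break;
    }
    case AUDIT_ARG0:
    case AUDIT_ARG1:
    case AUDIT_ARG2:
    case AUDIT_ARG3: {
        // Syscall arguments are rendered as upper-case hex with a "0x" prefix.
        char hex[32];
        snprintf(hex, sizeof(hex), "%X", value);
        emit_prefix();
        out.append("0x");
        out.append(hex);
        break;
    }
    case AUDIT_FILTERKEY: {
        // Several keys may be packed into one buffer separated by KEY_SEP; each key
        // becomes its own " -k " (watch) or " -F key=" (syscall) token.
        std::string keys_str = buf_string();
        auto keys = split(keys_str, KEY_SEP);
        const char* key_prefix = is_watch ? " -k " : " -F key=";
        for (const auto& key : keys) {
            out.append(key_prefix);
            out.append(key);
        }
        break;
    }
    default:
        // Any other field is rendered generically with its value as a signed number.
        emit_prefix();
        out.append(std::to_string(static_cast<int32_t>(value)));
        break;
    }
}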