Add option to drop translated UID/GID values if theyy are translated
Close #157
hillu committed Nov 7, 2023
1 parent 8cb97ac commit d1fd83b
Showing 4 changed files with 44 additions and 0 deletions.
2 changes: 2 additions & 0 deletions etc/laurel/config.toml
Expand Up @@ -71,6 +71,8 @@ execve-argv = [ "array" ]
universal = false
# UID, GID values
user-db = false
# Drop raw (numeric) UID, GID values if they are translated
drop-raw = false

[enrich]

2 changes: 2 additions & 0 deletions man/laurel.8.md
Expand Up @@ -118,6 +118,8 @@ does when configured with `log_format=ENRICHED`.
- `userdb`: Add translations for `uid` and `gid` fields. Default: false
- `universal`: Add translations for everything else: `SYSCALL.arch`,
`SYSCALL.syscall`, `SOCKADDR.saddr`
- `drop-raw`: Drop raw (numeric) UID, GID values if they are
translated. Default: false

## `[enrich]` section

37 changes: 37 additions & 0 deletions src/coalesce.rs
Expand Up @@ -34,6 +34,7 @@ pub struct Settings<'a> {

pub translate_universal: bool,
pub translate_userdb: bool,
pub drop_translated: bool,

pub label_exe: Option<&'a LabelMatcher>,
pub unlabel_exe: Option<&'a LabelMatcher>,
Expand All @@ -60,6 +61,7 @@ impl Default for Settings<'_> {
proc_propagate_labels: HashSet::new(),
translate_universal: false,
translate_userdb: false,
drop_translated: false,
label_exe: None,
unlabel_exe: None,
label_script: None,
Expand Down Expand Up @@ -521,6 +523,9 @@ impl<'a> Coalesce<'a> {
_ => {
if let Some((k, v)) = self.translate_userdb(&mut nrv, k, v) {
nrv.elems.push((k, v));
if self.settings.drop_translated {
continue;
}
}
}
};
Expand Down Expand Up @@ -820,6 +825,9 @@ impl<'a> Coalesce<'a> {
for (k, v) in &rv.elems {
if let Some((k, v)) = self.translate_userdb(&mut nrv, k, v) {
nrv.elems.push((k, v));
if self.settings.drop_translated {
continue;
}
} else if let Some((k, v)) = self.enrich_generic_pid(&mut nrv, k, v) {
nrv.elems.push((k, v));
}
Expand All @@ -832,6 +840,9 @@ impl<'a> Coalesce<'a> {
for (k, v) in &rv.elems {
if let Some((k, v)) = self.translate_userdb(&mut nrv, k, v) {
nrv.elems.push((k, v));
if self.settings.drop_translated {
continue;
}
} else if let Some((k, v)) = self.enrich_generic_pid(&mut nrv, k, v) {
nrv.elems.push((k, v));
}
Expand Down Expand Up @@ -1175,6 +1186,32 @@ mod test {
process_record(&mut c, include_bytes!("testdata/record-adjntpval.txt"))?;
process_record(&mut c, include_bytes!("testdata/record-avc-apparmor.txt"))?;

let mut c = Coalesce::new(mk_emit_vec(&ec));
c.settings.translate_userdb = true;
c.settings.drop_translated = true;
process_record(
&mut c,
strip_enriched(include_bytes!("testdata/record-execve.txt")),
)?;
let output = event_to_json(ec.borrow().last().unwrap());
println!("{}", output);
assert!(
output.contains(r#""UID":"root","#),
"output contains translated UID"
);
assert!(
output.contains(r#""EGID":"root","#),
"output contains translated EGID"
);
assert!(
!output.contains(r#""uid":"0,"#),
"output does not contain raw uid"
);
assert!(
!output.contains(r#""egid":0,"#),
"output does not contain raw egid"
);

Ok(())
}

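Review bot: The negative assertion on the raw uid in the new test is vacuous: `!output.contains(r#""uid":"0,"#)` looks for a quoted zero, which a numeric field would not produce (compare the egid assertion two lines below, which correctly uses `"egid":0,`), so it passes even if drop_translated leaves the raw uid in place; it should read `!output.contains(r#""uid":0,"#)`. The same push-then-`continue` sequence is now repeated in three places (the `_ =>` arm at @@ -521 and the two loops at @@ -820 and @@ -832); the enclosing functions start and end outside these hunks, so the raw push that the `continue` skips is not visible here, and a one-line comment at each `continue` such as `// translation emitted above; skip the raw numeric field` would make the intent explicit. The `println!("{}", output)` left in the test is debugging output and can be removed.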
3 changes: 3 additions & 0 deletions src/config.rs
Expand Up @@ -67,6 +67,8 @@ pub struct Translate {
pub universal: bool,
#[serde(default, rename = "user-db")]
pub userdb: bool,
#[serde(default, rename = "drop-raw")]
pub drop_raw: bool,
}

fn execve_env_default() -> HashSet<String> {
Expand Down Expand Up @@ -306,6 +308,7 @@ impl Config {
.collect(),
translate_universal: self.translate.universal,
translate_userdb: self.translate.userdb,
drop_translated: self.translate.drop_raw,
label_exe: self.label_process.label_exe.as_ref(),
unlabel_exe: self.label_process.unlabel_exe.as_ref(),
label_script: self.label_process.label_script.as_ref(),
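Review bot: The mapping `drop_translated: self.translate.drop_raw` joins two names that read as opposites — the option drops the raw numeric value, not the translation — so a reader of `Settings` alone is likely to read the flag inverted. If the field name stays, it needs a doc comment at its declaration in src/coalesce.rs, e.g. `/// Drop the raw numeric UID/GID field from the output once a user-db translation has been added for it.` Since the translated name presumably reflects the user database present when the record is processed, that comment should also say that the numeric identifier is then no longer available in the log for correlation when name/ID mappings differ between hosts or change over time.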
