author | Phil Sutter <phil@nwl.cc> | 2018-06-01 17:15:07 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-03 11:53:06 +0200 |
commit | a24552c165346f087e82a52807d134e3910387a8 (patch) | |
tree | 378f69e8fe6c10ac6fd0d111313c3b0ed14371d5 /src | |
parent | efc8a83e943d54e0ca88548a0eaff056ad2a650d (diff) |
log: Add support for audit logging
This is implemented via a pseudo log level. The kernel ignores any other
parameter when this level is used, so those are rejected at evaluation
stage. Audit logging is therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 4 | ||||
-rw-r--r-- | src/parser_bison.y | 2 | ||||
-rw-r--r-- | src/statement.c | 7 |
3 files changed, 10 insertions, 3 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 4eb36e2d..33733c0e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2562,6 +2562,10 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
 		return stmt_error(ctx, stmt, "flags and group are mutually exclusive");
 	}
+	if (stmt->log.level == LOGLEVEL_AUDIT &&
+	    (stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags))
+		return stmt_error(ctx, stmt,
+				  "log level audit doesn't support any further options");
 	return 0;
 }
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b67dc69d..d13eaa66 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2227,6 +2227,8 @@ level_type : string
 					$$ = LOG_INFO;
 				else if (!strcmp("debug", $1))
 					$$ = LOG_DEBUG;
+				else if (!strcmp("audit", $1))
+					$$ = LOGLEVEL_AUDIT;
 				else {
 					erec_queue(error(&@1, "invalid log level"), state->msgs);
diff --git a/src/statement.c b/src/statement.c
index ff4c8eb6..4a646e06 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -220,7 +220,7 @@ struct stmt *objref_stmt_alloc(const struct location *loc)
 	return stmt;
 }
-static const char *syslog_level[LOG_DEBUG + 1] = {
+static const char *syslog_level[LOGLEVEL_AUDIT + 1] = {
 	[LOG_EMERG]	= "emerg",
 	[LOG_ALERT]	= "alert",
 	[LOG_CRIT]	= "crit",
@@ -229,11 +229,12 @@ static const char *syslog_level[LOG_DEBUG + 1] = {
 	[LOG_NOTICE]	= "notice",
 	[LOG_INFO]	= "info",
 	[LOG_DEBUG]	= "debug",
+	[LOGLEVEL_AUDIT] = "audit"
 };
 const char *log_level(uint32_t level)
 {
-	if (level > LOG_DEBUG)
+	if (level > LOGLEVEL_AUDIT)
 		return "unknown";
 	return syslog_level[level];
@@ -243,7 +244,7 @@ int log_level_parse(const char *level)
 {
 	int i;
-	for (i = 0; i <= LOG_DEBUG; i++) {
+	for (i = 0; i <= LOGLEVEL_AUDIT; i++) {
 		if (syslog_level[i] && !strcmp(level, syslog_level[i]))
 			return i; |
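Review bot: The new condition in stmt_evaluate_log() mixes `&` and `||` without grouping, `stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags`; precedence makes it correct, but a reader has to stop and verify that, so write `(stmt->log.flags & ~STMT_LOG_LEVEL) || stmt->log.logflags`. A why-comment above the `if` would also help, because the rejection exists to stop a rule author from believing options are in effect that the kernel silently drops for this level: `/* audit is a pseudo level: the kernel ignores every other log option, so reject them instead of silently dropping them */`. stmt_evaluate_log() begins before this hunk, so whether `stmt->log.level` is guaranteed to be set when `STMT_LOG_LEVEL` is absent from `flags` is not visible here.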
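Review bot: The string `"audit"` is now spelled in two places that must stay in sync: this `strcmp` chain in the `level_type` rule and the `syslog_level` table in src/statement.c that `log_level_parse()` already walks, and this commit has to touch both. Consider having the rule call `log_level_parse($1)` and emit the existing `"invalid log level"` error only on its failure return, so a level added to the table is accepted by the parser without a second edit; whether that helper's failure value fits the rule's `$$` type is not visible in this diff. The `level_type` rule starts outside the hunk.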
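Review bot: `log_level()` now indexes `syslog_level[]` for every value up to `LOGLEVEL_AUDIT` and returns the raw entry, so unless `LOGLEVEL_AUDIT` is exactly `LOG_DEBUG + 1` (its definition is not part of this diff) each value in the gap yields a NULL pointer that a caller will hand to a `%s` format. `log_level_parse()` in the following hunk already tolerates gaps with its `syslog_level[i] &&` test; mirror that here with `if (level > LOGLEVEL_AUDIT || !syslog_level[level]) return "unknown";`, which also makes the enlarged array in the first statement.c hunk safe regardless of the constant's value. If `level` can originate from a decoded ruleset rather than from the parser, this bound check is the only thing protecting the caller, which is worth a one-line comment on the `if`. The last hunk of this file is cut off at the end of the page.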