
Add support to remove individual rules

Open jeffmahoney opened this issue 2 years ago • 3 comments

I'm working on a project that uses go-libaudit to maintain an expected state for audit rules so that the code monitoring it can be reasonably sure the data feed is intact. In the process of implementing it, I found that I needed the ability to prohibit certain rules from being loaded even by the underlying system (e.g. -a task,never). When I put together the rule and then tried to remove it, I found that it would just fail silently. The kernel audit report showed that the rule removal failed.

This PR implements the ability to remove single file watches and audit rules. The functionality to remove rules was already in place but only as much as required to implement DeleteAll. This worked because it was using the WireFormat rules that the kernel just gave it and so they would, of course, match what the kernel's version of the rules were. In order to delete individual rules, I ended up with a few things:

  1. Reporting missing rules during deletion. This was what got me started down this path. The deletion code doesn't check for errors and so the rule was not being removed and I was not being told. I added an exception for ErrNoSuchRule in DeleteAll so that it will continue even if there are races removing the rules.
  2. Don't assume that audit rules missing syscalls mean all syscalls. This may be true for rules on the exit list, but e.g. rules on the task list don't care about syscalls at all. This was why my deletion of -a task,never was failing -- it had a full bitmask for syscalls when the in-kernel rule did not.
  3. Add the ability to parse and handle deletion rules. This is mostly just flag handling and test cases.

The end result is that rule deletion works as expected in a few test cases removing rules.

jeffmahoney commented Jun 06 '22 23:06
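Items 1 and 2 of the description, worked as an added Go example that is not part of this PR or of go-libaudit: a constructed model of the kernel's exact-match rule deletion (the ruleData type, ruleTable and buildRule below are assumptions standing in for the library's wire format and client), showing why a task-list rule built with a full syscall mask can never be deleted, and a DeleteAll-style loop that surfaces ErrNoSuchRule yet tolerates races.

```go
package main

import "errors"

// Constants from linux/audit.h: filter lists, action, and mask size.
const (
	auditFilterTask, auditFilterExit = 1, 4
	auditNever, auditBitmaskSize     = 0, 64
)
// ruleData models the audit_rule_data fields the kernel compares on delete
// (a constructed cut-down type, not go-libaudit's own).
type ruleData struct {
	Flags, Action uint32
	Mask          [auditBitmaskSize]uint32 // syscall bitmask
}
var ErrNoSuchRule = errors.New("audit: no such rule")

// buildRule builds "-a <list>,<action>" with no -S. legacy=true reproduces the
// reported bug: a full mask on every list, although the kernel keeps an empty
// mask for task-list rules, so the delete request never matches.
func buildRule(list, action uint32, legacy bool) ruleData {
	r := ruleData{Flags: list, Action: action}
	if legacy || list == auditFilterExit {
		for i := range r.Mask {
			r.Mask[i] = ^uint32(0)
		}
	}
	return r
}
// ruleTable stands in for the kernel's rule list; deletion is an exact match.
type ruleTable map[ruleData]struct{}

func (t ruleTable) delete(r ruleData) error {
	if _, ok := t[r]; !ok {
		return ErrNoSuchRule // report it rather than failing silently
	}
	delete(t, r)
	return nil
}
// deleteAll ignores rules already gone (a race) but returns any other error.
func deleteAll(t ruleTable, rules []ruleData) (n int, err error) {
	for _, r := range rules {
		if err = t.delete(r); err == nil {
			n++
		} else if !errors.Is(err, ErrNoSuchRule) {
			return n, err
		}
	}
	return n, nil
}
```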

💚 CLA has been signed

💔 Build Failed

Build stats

  • Start Time: 2022-07-29T12:31:09.274+0000

  • Duration: 2 min 2 sec

Steps errors 1

test
  • Took 0 min 1 sec
  • Description: .ci/test.sh

elasticmachine commented Jun 06 '22 23:06

/test

andrewkroh commented Jul 29 '22 12:07