add exclude_comm filter, and add filename to all of the filter function parameters

Author: arstercz

config.h.in

@@ -125,7 +125,8 @@
 /* Define to 1 if `vfork' works. */
 #undef HAVE_WORKING_VFORK
 
-/* Define to the sub-directory where libtool stores uninstalled libraries. */
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+   */
 #undef LT_OBJDIR
 
 /* Name of package */
@@ -260,6 +261,9 @@
 /* Filter chain to use */
 #undef SNOOPY_CONF_FILTER_CHAIN
 
+/* Is filter "exclude_comm" available? */
+#undef SNOOPY_CONF_FILTER_ENABLED_exclude_comm
+
 /* Is filter "exclude_spawns_of" available? */
 #undef SNOOPY_CONF_FILTER_ENABLED_exclude_spawns_of
 

configure.ac

@@ -500,6 +500,7 @@ AC_ARG_ENABLE(all-filters,
 # ==============================================================================
 SNOOPY_CONFIGURE_FILTER_ENABLE( [exclude_spawns_of], [This filter drops messages that originate for specified process trees.])
 SNOOPY_CONFIGURE_FILTER_ENABLE( [exclude_uid],       [This filter drops messages that match given UIDs.])
+SNOOPY_CONFIGURE_FILTER_ENABLE( [exclude_comm],      [This filter drops messages that match given command.])
 SNOOPY_CONFIGURE_FILTER_ENABLE( [only_root],         [This filter passes only messages generated by root.])
 SNOOPY_CONFIGURE_FILTER_ENABLE( [only_tty],          [This filter passes only messages that have a TTY != none.])
 SNOOPY_CONFIGURE_FILTER_ENABLE( [only_uid],          [This filter passes only messages that match given UIDs.])

etc/snoopy.ini.in

@@ -73,6 +73,7 @@
 ; List of available filters:
 ; - exclude_spawns_of   ; (available=@enable_filter_exclude_spawns_of@) Exclude log entries that occur in specified process trees
 ; - exclude_uid         ; (available=@enable_filter_exclude_uid@) Exclude these UIDs from logging
+; - exclude_comm        ; (available=@enable_filter_exclude_comm@) Exclude these in command from logging
 ; - only_root           ; (available=@enable_filter_only_root@) Only log root commands
 ; - only_tty            ; (available=@enable_filter_only_tty@) Only log commands associated with a TTY
 ; - only_uid            ; (available=@enable_filter_only_uid@) Only log commands executed by these UIDs
@@ -86,7 +87,8 @@
 ; - filter_chain = "exclude_uid:0"       # Log all commands, except the ones executed by root
 ; - filter_chain = "exclude_uid:1,2,3"   # Log all commands, except those executed by users with UIDs 1, 2 and 3
 ; - filter_chain = "only_uid:0"          # Log only root commands
-; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
+; - filter_chain = "exclude_spawns_of:cron,my_daemon"   # Do not log commands spawned by cron or my_daemon
+; - filter_chain = "exclude_comm:mysql,mongo,redis-cli" # Do not log mysql, mongo and redis-cli commands
 ; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
 ;
 ; Default value:
@@ -97,6 +99,7 @@
 ;filter_chain = "only_uid:0"
 ;filter_chain = "only_uid:10000"
 ;filter_chain = "exclude_uid:0"
+;filter_chain = "exclude_spawns_of:crond;exclude_comm:mysql,mongo"
 
 
 

src/filter/Makefile.am

@@ -42,6 +42,14 @@ libsnoopy_filters_all_la_SOURCES += \
 	exclude_uid.h
 endif
 
+### Filter: exclude_comm
+#
+if FILTER_ENABLED_exclude_comm
+libsnoopy_filters_all_la_SOURCES += \
+	exclude_comm.c \
+	exclude_comm.h
+endif
+
 ### Filter: only_root
 #
 if FILTER_ENABLED_only_root

src/filter/exclude_comm.c

@@ -0,0 +1,105 @@
+/*
+ * SNOOPY LOGGER
+ *
+ * File: snoopy/filter/exclude_comm.c
+ *
+ * Copyright (c) 2015 Datto, Inc. All rights reserved.
+ * Author: Fred Mora - [email protected]
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ *
+ * changelog:
+ *   add exclude_comm filter;
+ * arstercz
+ * 2020-10-26
+ *
+ */
+
+
+/*
+ * Includes order: from local to global
+ */
+#include "exclude_comm.h"
+#include "exclude_spawns_of.h"
+#include "snoopy.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+char* extract_comm(const char *str, const char *needle);
+
+/*
+ * SNOOPY FILTER: exclude_comm
+ *
+ * Description:
+ *     Excludes all log messages for executables that have the specified program name in their ancestors.
+ *     Strategy: We parse arg to create the "list of specified programs" (LoSP).
+ *     Then, we filter by filename from LoSP
+ *
+ * Params:
+ *     filename:   command full path filename.
+ *     logMessage: Pointer to string that contains formatted log message (may be manipulated)
+ *     arg:        Comma-separated list of program comm names for the spawns of which log messages are dropped.
+ *
+ * Return:
+ *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
+ */
+int snoopy_filter_exclude_comm(const char *filename, char *msg, char const * const arg)
+{
+    char  *argDup;   // Must not alter arg
+    char **losp; // List of specified programs derived from arg
+    int is_comm_in_list = 0;
+    char *comm;
+
+    // Turn comma-separated arg into array of program name strings
+    argDup = strdup(arg);
+    losp = string_to_token_array(argDup);
+    if (losp == NULL) {
+        // If failure, we cannot filter anything, just pass the message
+        return SNOOPY_FILTER_PASS;
+    }
+
+    const char* delimiter = "/"; // path delimiter in Unix/Linux
+    comm = extract_comm(filename, delimiter); // get command name
+
+    // Check if one of the program names in losp is an ancestor
+    is_comm_in_list = find_string_in_array(comm, losp);
+    free(losp);
+    free(argDup);
+    return (is_comm_in_list == 1) ? SNOOPY_FILTER_DROP : SNOOPY_FILTER_PASS; // Error means pass
+}
+
+// get comm name from filename
+char* extract_comm(const char *str, const char *needle)
+{
+    if (*needle == '\0')
+         return (char *)str;
+
+    char *result = NULL;
+    for (;;)
+    {
+        char *p = strstr(str, needle);
+        if (p == NULL)
+            break;
+
+        result = p + 1;
+        str = p + 1;
+    }
+    return result;
+}

src/filter/exclude_comm.h

@@ -0,0 +1,34 @@
+/*
+ * SNOOPY LOGGER
+ *
+ * File: snoopy/filter/exclude_comm.h
+ *
+ * Copyright (c) 2015 Datto, Inc. All rights reserved.
+ * Author: Fred Mora - [email protected]
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * changelog:
+ *   add exclude_comm filter
+ * arstercz
+ * 2020-10-26
+ */
+
+
+
+/*
+ * SNOOPY FILTER: exclude_comm
+ */
+int snoopy_filter_exclude_comm (const char *filename, char *msg, char const * const arg);

src/filter/exclude_spawns_of.c

@@ -52,8 +52,6 @@
  * Non-public function prototypes
  */
 int find_ancestor_in_list(char **name_list);
-int find_string_in_array(char *str, char **str_array);
-char **string_to_token_array(char *str);
 
 
 
@@ -67,13 +65,14 @@ char **string_to_token_array(char *str);
  *     of the LoSP.
  *
  * Params:
+ *     filename:   command full path filename.
  *     logMessage: Pointer to string that contains formatted log message (may be manipulated)
  *     arg:        Comma-separated list of program names for the spawns of which log messages are dropped.
  *
  * Return:
  *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
  */
-int snoopy_filter_exclude_spawns_of(char *msg, char const * const arg)
+int snoopy_filter_exclude_spawns_of(const char *filename, char *msg, char const * const arg)
 {
     char  *argDup;   // Must not alter arg
     char **losp; // List of specified programs derived from arg

src/filter/exclude_spawns_of.h

@@ -26,4 +26,6 @@
 /*
  * SNOOPY FILTER: exclude_spawns_of
  */
-int snoopy_filter_exclude_spawns_of (char *msg, char const * const arg);
+int snoopy_filter_exclude_spawns_of (const char *filename, char *msg, char const * const arg);
+int find_string_in_array(char *str, char **str_array);
+char **string_to_token_array(char *str);

src/filter/exclude_uid.c

@@ -45,13 +45,14 @@
  *     Excludes all log messages comming from specified UIDs
  *
  * Params:
+ *     filename:   command full path filename.
  *     logMessage: pointer to string that contains formatted log message (may be manipulated)
  *     arg:        Comma-separated list of UIDs for which log messages are dropped, passed for others
  *
  * Return:
  *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
  */
-int snoopy_filter_exclude_uid (char *msg, char const * const arg)
+int snoopy_filter_exclude_uid (const char *filename, char *msg, char const * const arg)
 {
     uid_t  curUid;     // Actual UID of running process
     char  *argDup    = NULL;

src/filter/exclude_uid.h

@@ -25,4 +25,4 @@
 /*
  * SNOOPY FILTER: exclude_uid
  */
-int snoopy_filter_exclude_uid (char *msg, char const * const arg);
+int snoopy_filter_exclude_uid (const char *filename, char *msg, char const * const arg);

src/filter/noop.c

@@ -38,13 +38,14 @@
  *     Does nothing (just passes).
  *
  * Params:
- *     result: pointer to string, to write result into
- *     arg:    (ignored)
+ *     filename: command full path filename.
+ *     result:   pointer to string, to write result into
+ *     arg:      (ignored)
  *
  * Return:
  *     SNOOPY_FILTER_PASS
  */
-int snoopy_filter_noop(char *msg, char const * const arg)
+int snoopy_filter_noop(const char *filename, char *msg, char const * const arg)
 {
     return SNOOPY_FILTER_PASS;
 }

src/filter/noop.h

@@ -25,4 +25,4 @@
 /*
  * SNOOPY FILTER: noop
  */
-int snoopy_filter_noop(char *msg, char const * const arg);
+int snoopy_filter_noop(const char *filename, char *msg, char const * const arg);

src/filter/only_root.c

@@ -42,13 +42,14 @@
  *     Only logs messages from root (uid=0 actually)
  *
  * Params:
- *     msg:   pointer to string that contains formatted log message (may be manipulated)
- *     arg:   arguments passed to this filter
+ *     filename: command full path filename.
+ *     msg:      pointer to string that contains formatted log message (may be manipulated)
+ *     arg:      arguments passed to this filter
  *
  * Return:
  *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
  */
-int snoopy_filter_only_root (char *msg, char const * const arg)
+int snoopy_filter_only_root (const char *filename, char *msg, char const * const arg)
 {
     if (0 == getuid()) {
         return SNOOPY_FILTER_PASS;

src/filter/only_root.h

@@ -25,4 +25,4 @@
 /*
  * SNOOPY FILTER: only_root
  */
-int snoopy_filter_only_root (char *msg, char const * const arg);
+int snoopy_filter_only_root (const char *filename, char *msg, char const * const arg);

src/filter/only_tty.c

@@ -42,13 +42,14 @@
  *     Returns TTY of current process.
  *
  * Params:
- *     result: pointer to string, to write result into
- *     arg:    (ignored)
+ *     filename: command full path filename.
+ *     msg:      pointer to string, to write result into
+ *     arg:      (ignored)
  *
  * Return:
  *     number of characters in the returned string, or SNOOPY_DATASOURCE_FAILURE
  */
-int snoopy_filter_only_tty(char *msg, char const * const arg)
+int snoopy_filter_only_tty(const char *filename, char *msg, char const * const arg)
 {
     char    ttyPath[SNOOPY_DATASOURCE_TTY_sizeMaxWithNull];
     size_t  ttyPathLen = SNOOPY_DATASOURCE_TTY_sizeMaxWithoutNull;

src/filter/only_tty.h

@@ -34,4 +34,4 @@
 /*
  * SNOOPY FILTER: only_tty
  */
-int snoopy_filter_only_tty(char *msg, char const * const arg);
+int snoopy_filter_only_tty(const char *filename, char *msg, char const * const arg);

src/filter/only_uid.c

@@ -45,13 +45,14 @@
  *     Excludes all log messages not comming from specific UID
  *
  * Params:
+ *     filename:   command full path filename.
  *     logMessage: pointer to string that contains formatted log message (may be manipulated)
  *     arg:        Comma-separated list of UIDs for which log message is passed on, dropped for all others
  *
  * Return:
  *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
  */
-int snoopy_filter_only_uid (char *msg, char const * const arg)
+int snoopy_filter_only_uid (const char *filename, char *msg, char const * const arg)
 {
     uid_t  curUid;     // Actual UID of running process
     char  *argDup    = NULL;

src/filter/only_uid.h

@@ -25,4 +25,4 @@
 /*
  * SNOOPY FILTER: only_uid
  */
-int snoopy_filter_only_uid (char *msg, char const * const arg);
+int snoopy_filter_only_uid (const char *filename, char *msg, char const * const arg);

src/filtering.c

@@ -55,6 +55,7 @@
  *     SNOOPY_FILTER_PASS or SNOOPY_FILTER_DROP
  */
 int snoopy_filtering_check_chain (
+    const char *filename,
     char *logMessage,
     char *filterChain
 ) {
@@ -112,7 +113,7 @@ int snoopy_filtering_check_chain (
         }
 
         // Consult the filter, and return immediately if message should be dropped
-        if (SNOOPY_FILTER_DROP == snoopy_filterregistry_callByName(filterNamePtr, logMessage, filterArgPtr)) {
+        if (SNOOPY_FILTER_DROP == snoopy_filterregistry_callByName(filterNamePtr, filename, logMessage, filterArgPtr)) {
             return SNOOPY_FILTER_DROP;
         }
     }

src/filtering.h

@@ -23,6 +23,7 @@
 
 
 int snoopy_filtering_check_chain (
+    const char *filename,
     char *logMessage,
     char *chain
 );