use crate::constants::*;
/// One typed field of an audit filter rule, carrying its comparison value.
///
/// Variants are split by payload: the first group holds a raw `u32`, the
/// second an owned `String`. The variant names appear to mirror the kernel
/// audit field set (`AUDIT_*` field types) — confirm against `crate::constants`,
/// which is glob-imported above but not visible here.
///
/// This type performs no validation of its payload: a `u32` is stored as
/// given, and the string variants are not bounded in length. Any limits the
/// kernel applies to watch paths, filter keys or security-context labels are
/// presumably enforced where the rule is serialised — verify at that point.
#[derive(Debug, PartialEq, Eq, Clone)]
pub enum RuleField {
    // --- numeric payloads -------------------------------------------------
    Pid(u32),
    Uid(u32),
    Euid(u32),
    Suid(u32),
    Fsuid(u32),
    Gid(u32),
    Egid(u32),
    Sgid(u32),
    Fsgid(u32),
    Loginuid(u32),
    Pers(u32),
    Arch(u32),
    Msgtype(u32),
    Ppid(u32),
    LoginuidSet(u32),
    Sessionid(u32),
    Fstype(u32),
    Devmajor(u32),
    Devminor(u32),
    Inode(u32),
    // Stored as an unsigned value; how a negative exit status is encoded is
    // decided by the producer, not here — TODO confirm at the call site.
    Exit(u32),
    Success(u32),
    Perm(u32),
    Filetype(u32),
    ObjUid(u32),
    ObjGid(u32),
    // Compares two fields of the record against each other; the `u32`
    // selects which pair (semantics live in the constants module).
    FieldCompare(u32),
    Exe(u32),
    Arg0(u32),
    Arg1(u32),
    Arg2(u32),
    Arg3(u32),
    // --- string payloads (unbounded here) ---------------------------------
    Watch(String),
    Dir(String),
    Filterkey(String),
    SubjUser(String),
    SubjRole(String),
    SubjType(String),
    SubjSen(String),
    SubjClr(String),
    ObjUser(String),
    ObjRole(String),
    ObjType(String),
    ObjLevLow(String),
    ObjLevHigh(String),
}
/// The comparison operator attached to a rule field.
///
/// Converted to and from the kernel's `u32` operator encoding by the two
/// `From` impls below. Values the decoder does not recognise are kept in
/// [`RuleFieldFlags::Unknown`] so that a decode/encode round trip is
/// lossless; code that builds rules to hand to the kernel may want to treat
/// `Unknown` as an error rather than forward arbitrary bits.
///
/// Note: the variant named `None` shadows `Option::None` wherever this enum
/// is glob-imported (`use RuleFieldFlags::*`), so prefer qualified paths.
#[derive(Copy, Debug, PartialEq, Eq, Clone)]
pub enum RuleFieldFlags {
    BitMask,
    BitTest,
    LessThan,
    GreaterThan,
    NotEqual,
    Equal,
    LessThanOrEqual,
    GreaterThanOrEqual,
    /// No operator set (encoded as `0`).
    None,
    /// Operator value not covered by the named variants; carried verbatim.
    Unknown(u32),
}
/// Decodes a kernel operator value into a [`RuleFieldFlags`].
///
/// Each `AUDIT_*` comparison constant maps to its named variant, `0` maps to
/// [`RuleFieldFlags::None`], and anything else is preserved verbatim in
/// [`RuleFieldFlags::Unknown`], so `u32::from(RuleFieldFlags::from(v)) == v`
/// for every input.
///
/// NOTE(review): the whole `u32` is compared against the operator constants,
/// so a value that still carries other (field-type) bits lands in `Unknown`
/// — presumably the caller isolates the operator bits first; confirm there.
impl From<u32> for RuleFieldFlags {
    fn from(value: u32) -> Self {
        // Fully qualified variants instead of a glob import, so `Self::None`
        // can never be mistaken for `Option::None` in this scope.
        match value {
            AUDIT_BIT_MASK => Self::BitMask,
            AUDIT_BIT_TEST => Self::BitTest,
            AUDIT_LESS_THAN => Self::LessThan,
            AUDIT_GREATER_THAN => Self::GreaterThan,
            AUDIT_NOT_EQUAL => Self::NotEqual,
            AUDIT_EQUAL => Self::Equal,
            AUDIT_LESS_THAN_OR_EQUAL => Self::LessThanOrEqual,
            AUDIT_GREATER_THAN_OR_EQUAL => Self::GreaterThanOrEqual,
            0 => Self::None,
            other => Self::Unknown(other),
        }
    }
}
/// Encodes a [`RuleFieldFlags`] back into the kernel's `u32` operator value.
///
/// This is the inverse of the `From<u32>` impl: named variants yield their
/// `AUDIT_*` constant, [`RuleFieldFlags::None`] yields `0`, and
/// [`RuleFieldFlags::Unknown`] returns the raw value it was decoded from
/// unchanged. Nothing here rejects an `Unknown` operator — a caller
/// assembling a rule for the kernel should decide whether to allow it.
impl From<RuleFieldFlags> for u32 {
    fn from(value: RuleFieldFlags) -> Self {
        // Qualified paths avoid importing a variant literally named `None`.
        match value {
            RuleFieldFlags::BitMask => AUDIT_BIT_MASK,
            RuleFieldFlags::BitTest => AUDIT_BIT_TEST,
            RuleFieldFlags::LessThan => AUDIT_LESS_THAN,
            RuleFieldFlags::GreaterThan => AUDIT_GREATER_THAN,
            RuleFieldFlags::NotEqual => AUDIT_NOT_EQUAL,
            RuleFieldFlags::Equal => AUDIT_EQUAL,
            RuleFieldFlags::LessThanOrEqual => AUDIT_LESS_THAN_OR_EQUAL,
            RuleFieldFlags::GreaterThanOrEqual => AUDIT_GREATER_THAN_OR_EQUAL,
            RuleFieldFlags::None => 0,
            RuleFieldFlags::Unknown(raw) => raw,
        }
    }
}